NOTE FROM THE EDITOR

Welcome to October! The big news this month is the Springboard Series Tour. Kicking off on October 25th, we'll be visiting Amsterdam, Stockholm, Helsinki, Reading, Rome, and Vienna, and concluding in Berlin, Germany at Tech•Ed Europe 2010. I am very excited to get a chance to meet with many of you. For those of you who cannot make the trip, make sure to check out the Springboard Series Blog for videos and recaps from each stop on the tour! We are announcing here first that the first 150 registered attendees at each event will receive a free copy of Microsoft Office 2010 Professional. Also, if you are coming to Tech•Ed EMEA, make sure to stop by the booth and let us know you're a Springboard Series Insider. We may just have a special prize for you.

We received some great feedback from many of you on the Windows 7 Deployment Learning Portal. If you haven't checked it out yet, the portal is designed to help you identify the strengths and gaps in your knowledge around Windows 7 deployment and provide some targeted learning to help you reach the top of your game.

If you have downloaded or plan to download Internet Explorer 9 Beta, make sure to visit the new Internet Explorer 9 Beta spotlight in the right rail of the Windows 7 TechCenter for an overview of the Beta, an FAQ, a video demonstration, and other resources created specifically for IT professionals. They are great tools for ensuring you get the most from your beta experience. If you're still using Internet Explorer 6 and want to know more about migration and assessing compatibility when moving to Windows 7 and Internet Explorer 8, watch the replay of last week's roundtable, where I and a panel of your IT pro peers and subject matter experts answered questions submitted by our live audience on a variety of topics, from compatibility assessment tools to recommendations on policy, code, and virtualization solutions that mitigate compatibility issues.

Finally, for those of you who have successfully deployed Windows 7 in your organization, or who are making your final preparations to do so, this month's newsletter is focused on security and locking down your desktop. From deploying BitLocker without a Trusted Platform Module (TPM) chip to best practices around securing Office 2010, I think we have some cool stuff for you this month.

As always, feel free to send your comments, questions and feedback to me. Have a great month and I hope to see you in Berlin!

Stephen Rose
Sr. Community Manager, Microsoft Windows Client IT Pro
stephen.rose@microsoft.com

NEW RESOURCES

New Desktop Virtualization Zone on TechNet
Created in direct response to feedback from our IT pros worldwide, the Springboard Series Desktop Virtualization zone provides you with a one-stop shop for technical guidance, video tutorials, and the latest news about Microsoft Desktop Virtualization solutions such as Virtual Desktop Infrastructure (VDI), Microsoft Enterprise Desktop Virtualization (MED-V), Microsoft Application Virtualization (App-V), Folder Redirection, and more. Want details on the useful IT applications of Microsoft Desktop Virtualization solutions? Check out Skand Mittal's "Something to Blog About" post below.

Migrating from Internet Explorer 6 to Internet Explorer 8? Learn from the Pros!
Get expert advice on migration strategies, standards, and support options for organizations moving from Internet Explorer 6 on Windows XP to Internet Explorer 8 on Windows 7. Learn about the causes of, and solutions for, application compatibility issues then explore the tools and best practices that can help you achieve a successful migration. This panel discussion features Microsoft specialists, industry experts, and IT professionals sharing tips, tricks, and lessons from their real-world migration experiences.

Internet Explorer 9 Beta Technical Overview
Explore the features in Internet Explorer 9 that can add value for you as an IT pro then gain an understanding of how to install and deploy Internet Explorer 9 Beta in pilot scenarios with Windows 7. This article also covers new Group Policy settings that are available for managing the web browser, and guidance on how the browser can affect new and ongoing Windows 7 deployment projects.

Internet Explorer 9 Beta Frequently Asked Questions
Get answers to frequently asked questions about Internet Explorer 9 Beta.

Internet Explorer 9 Beta Video Demonstration
Explore the features then get a step-by-step demonstration on how to pilot Internet Explorer 9 Beta in your organization, plus information on new Group Policy settings to help you manage it.

Windows PowerShell: The Many Options for Out
There are more ways to generate output using Windows PowerShell than you may think. Read this TechNet Magazine article for some that have recently come to light.

SOMETHING TO BLOG ABOUT

Microsoft Desktop Virtualization – From the Operating System to the Application and Beyond
By Skand Mittal, Product Manager - Desktop Virtualization, Windows Client Division, Microsoft

Hello! I am very excited to announce the release of the new Desktop Virtualization Top Task on the Springboard Series. Are you migrating to Windows 7? Do you want to virtualize your corporate applications? Are you looking to virtualize your desktops? You have come to the right place!

Companies are increasingly turning to virtualization as the answer to their desktop challenges. Desktop virtualization decouples the computing layers (operating system, applications, user data and settings) and hosts some or all of them in a data center. Because the data can then stay in the data center rather than on the endpoint, employees can access their applications and data over a network with less risk of data loss from a lost or stolen device. On the IT side, virtualization accelerates deployment of new capabilities without the need to acquire new hardware and configure components. It also helps reduce application testing requirements and compatibility issues, and it simplifies disaster recovery and compliance.

With Microsoft Desktop Virtualization, we have broken the bonds between the OS, application, and data and user settings by providing solutions in all of these areas, enabling you to deploy the best mix for your organization's needs. Here is the short list of Microsoft Desktop Virtualization solutions and how you can use them in your organization:

  • VDI: Enables users to access their personalized Windows desktops hosted on servers. For many organizations, virtualizing desktops within the datacenter is seen as an excellent means to provide a centrally-managed Windows desktop to connected users.
  • Session Virtualization: Makes it possible to run an application or an entire desktop in one location while it is controlled from another. Session-based desktops and applications, or virtual-machine-based desktops, are installed and managed on centralized servers in the datacenter; the servers deliver screen images to users, and the user's client machine sends keystrokes and mouse movements back to the server. From a user perspective, applications are integrated seamlessly, looking, feeling, and behaving like local applications.
  • MED-V: Provides you with the ability to deploy and manage virtual Windows desktops to help enterprises upgrade to the latest version of Windows, without having to worry about application compatibility. MED-V provides organizations the ability to run two operating systems on one device, adding virtual image delivery, policy-based provisioning, and centralized management.
  • App-V: Helps you make business applications available to end users on any authorized PC. App-V decouples applications from the OS and helps to eliminate application-to-application incompatibility, as applications are no longer installed on the local client machine. In addition, application streaming expedites the application delivery process so that your IT department no longer needs to install applications locally on every machine.
  • RemoteApp: Enables programs that are accessed remotely through Terminal Services to appear as if they are running on the end user's local computer. Users can run RemoteApp programs side by side with their local programs. A user can minimize, maximize, and resize the program window, and can easily start multiple programs at the same time. If a user is running more than one RemoteApp program on the same terminal server, the RemoteApp programs will share the same Terminal Services session.
  • Data and User Settings: Utilizes folder redirection and roaming profiles to enable you to make the user's personal profile and data available dynamically on any authorized PC, and to back up personal profiles and data to the datacenter.

Find guidance on how to deploy and configure all of these solutions—bookmark Desktop Virtualization on TechNet and check back often for new resources!

Microsoft Office 2010 Advances in Security – Keeping Data Safe
By Joe D'Elia, Senior Product Manager, Microsoft Office

You've secured your Windows 7 desktop; now it's time to lock down Office 2010. Office security has become more important over the last several years as attackers have increasingly turned their attention from the operating system to applications and web properties.

Prior to the Office 2010 release, designing a secure Office configuration that limited business risk often resulted in significantly compromised functionality or a terrible user experience. You could minimize the attack surface of desktop applications by disabling potentially risky functionality, but the loss in functionality usually meant less productivity and thus a negative effect on your organization's overall performance. When confronted with this situation, most organizations chose to let information workers make critical security decisions: if a document contained ActiveX controls or macros from an unknown source, users were prompted about whether they wanted to enable the controls, and they could not access the document until they responded. Office 2010 significantly changes that user experience with Protected View, which opens documents from untrusted locations (Internet downloads, e-mail attachments, and unsafe locations) read-only in a sandboxed process built on Microsoft's Practical Windows Sandboxing techniques. Protected View acts as a "peephole" for users to view documents BEFORE the trust decision has to be made. This new capability has been so well received that Office is already responding to requests from other application providers to help them improve the security profile of their applications.

Protected View is just one of the many new or updated capabilities that you'll need to be aware of in order to manage your environment. Other prominent topics include Office File Validation, CNG cryptography, File Block settings, and password complexity. For good background on these and other Office 2010 security topics, visit the set of blog posts put together by the Office Trustworthy Computing team.

The single most important thing you can do to prepare yourself, and to stay current, is to check out these resources. Here you'll always find the latest Office 2010 security guidance and related blog posts, plus a great video on "Advances in Office Security" from Tech•Ed North America 2010. Maybe most importantly, you can download the Beta for the Office 2010 Security Baseline, which also includes the Office 2010 Security Guide. The baseline and guide provide prescriptive guidance in the form of Group Policy setting recommendations, best practices, and step-by-step procedures to help you plan for and secure the Office 2010 release.

TIPS AND TRICKS

7 Useful Policies and Practices to Ensure a Safer, More Controlled Desktop Environment
By Ran Oelgiesser, Sr. Product Manager, Security - Windows Division, Microsoft Corporation

Moving to Windows 7 enables organizations to realize great user productivity and IT benefits. In this article, I wanted to share information about the security benefits, and specifically, seven practices and easy to configure policies that can make your desktop environment safer and more controlled.

1. Control your desktop network access. Windows 7 enhances Windows Firewall and provides granular control over inbound and outbound connections based on the network location the computer is connected to: domain (work), private (home), or public, including what the user is notified about. A little-known fact is that Windows 7 can have more than one firewall profile active at the same time, one per connected network. Because a laptop often sits on a local network (work or home) and the Internet (public) at once, different rules apply to each. Type "Windows Firewall with Advanced Security" in the Start menu search box to see the options. All firewall events can be viewed on the Monitoring tab and aggregated through the Windows Event Log. Learn more >

2. Fine-tune wireless network settings. Another very useful, though not new, network setting is specific to wireless networks. You can control which wireless networks corporate laptops may join, configure preferred networks, and prohibit "risky" connections to ad hoc (computer-to-computer) networks in public places, which also prevents Internet Connection Sharing from being used to bridge outsiders onto your corporate network. Learn more >

3. Block access to devices. Another good existing policy controls device installation on desktops: you can pre-approve specific devices (by hardware ID or device class) and block everything else. Learn more >

4. Force encryption on removable drives. This extremely useful capability complements the previous policy. Many people know about BitLocker Drive Encryption, which encrypts the hard drive to protect data if a laptop is stolen or lost. BitLocker To Go (new in Windows 7 Enterprise and Ultimate) extends that to removable drives, and a policy can block writes to removable drives unless they have been encrypted first. A password (or smart card) is then required to read the data, so users can share data with colleagues and others securely, without worrying about losing the drive. Learn more >

5. Standard user is now feasible for most users. Previous versions of Windows offered a limited experience for standard users. In Windows 7, most users do just fine as standard users: they can still connect to new networks, change display settings and time zones, and even install printers and Internet Explorer plug-ins. Windows 7 users typically need administrator rights only to install new applications, apart from legacy applications that "require" administrative rights to run (and those can be addressed with various compatibility solutions).

6. User Account Control (UAC) is better than you think. Even when a user has administrator rights, UAC runs most programs without administrator privileges and prompts for approval when a program requests elevation. The number of prompts has been greatly reduced in Windows 7. Even better, instead of giving the domain user administrative rights, create a separate local administrator account. Windows will then prompt for that account's credentials every time it needs to elevate (for example, when installing an application), and users are more cautious about typing those credentials than about simply clicking Yes. Learn more >
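The settings behind tips 1 and 3 to 6 can be checked from the command line. The script below is an added example and is not part of Ran Oelgiesser's article; it is read-only, reads the registry locations that the corresponding Group Policy settings write to plus the Windows Firewall COM interface, and assumes Windows 7 with PowerShell 2.0 run from an elevated prompt. A null policy value means the setting is Not Configured.

```powershell
# Added example (not from the newsletter): read-only audit of the Windows 7
# settings behind tips 1 and 3-6. PowerShell 2.0, elevated prompt.

function Get-FirewallProfileState {
    # INetFwPolicy2 exposes per-profile state. Windows 7 can have several
    # profiles active at once (one per connected network), hence the bitmask.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $profiles = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
    $active = $fw.CurrentProfileTypes
    foreach ($type in ($profiles.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Profile         = $profiles[$type]
            Active          = (($active -band $type) -ne 0)
            Enabled         = $fw.FirewallEnabled($type)
            # NET_FW_ACTION: 0 = allow, 1 = block
            InboundBlocked  = ($fw.DefaultInboundAction($type) -eq 1)
            OutboundBlocked = ($fw.DefaultOutboundAction($type) -eq 1)
        }
    }
}

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent, i.e. the policy is Not Configured.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-DeviceInstallRestrictions {
    # Tip 3: "Prevent installation of devices not described by other policy
    # settings" plus the allow-list of hardware IDs.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $allowed = @()
    if (Test-Path "$key\AllowDeviceIDs") {
        $allowed = (Get-ItemProperty "$key\AllowDeviceIDs").PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    New-Object PSObject -Property @{
        DenyUnlistedDevices = ((Get-PolicyValue $key 'DenyUnspecified') -eq 1)
        AllowedHardwareIds  = $allowed
    }
}

function Get-RemovableDriveWritePolicy {
    # Tip 4: "Deny write access to removable drives not protected by BitLocker".
    $v = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' 'RDVDenyWriteAccess'
    return ($v -eq 1)
}

function Get-LocalAdministrators {
    # Tip 5: who holds local administrator rights on this machine?
    $group = [ADSI]'WinNT://./Administrators,group'
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-UacSettings {
    # Tip 6. EnableLUA 1 = UAC on. ConsentPromptBehaviorUser 1 = standard users
    # are asked for admin credentials on the secure desktop (0 = deny silently).
    # ConsentPromptBehaviorAdmin 5 is the Windows 7 default (consent for
    # non-Windows binaries); 2 prompts for consent on the secure desktop.
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    New-Object PSObject -Property @{
        UacEnabled            = ($p.EnableLUA -eq 1)
        AdminPromptBehavior   = $p.ConsentPromptBehaviorAdmin
        StandardUserPrompt    = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop = ($p.PromptOnSecureDesktop -eq 1)
    }
}

'--- Firewall profiles ---';               Get-FirewallProfileState | Format-Table -AutoSize
'--- Device installation ---';             Get-DeviceInstallRestrictions
'--- Removable drives require BitLocker ---'; Get-RemovableDriveWritePolicy
'--- Local Administrators ---';            Get-LocalAdministrators
'--- UAC ---';                             Get-UacSettings
```

Run it before and after applying a Group Policy object to confirm the policy actually reached the client; a registry value that is still missing usually means the GPO has not been processed (gpupdate /force) or is filtered out for that machine.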

7. AppLocker: control the applications users install. If your users (or a subset of them) really need to download and install applications on their own, consider limiting what they can run with AppLocker (available in Windows 7 Enterprise and Ultimate). The rules are flexible, from allowing specific applications and versions to allowing any program signed by a known vendor. Publisher-based rules have a low learning curve, because there is usually a small number of vendors whose software you want users to install; for the rest, it is better that they contact you. For internal applications (even executables), you can create a certificate and sign them with signtool.exe (included in the Windows SDK; documentation on MSDN). Learn more >
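The signing-plus-publisher-rule approach in tip 7, as an added example rather than the author's own steps. Everything in it is assumed for illustration: makecert.exe, pvk2pfx.exe and signtool.exe from the Windows SDK on the PATH, an internal application at C:\Apps\LineOfBusiness.exe, a fictional "Contoso" certificate, and a Windows 7 Enterprise or Ultimate host with the AppLocker PowerShell module, run from an elevated prompt.

```powershell
# Added example (not code from the article): sign an internal executable and
# build an AppLocker publisher rule that allows anything signed by that
# publisher, deployed in audit mode first. Paths and names are placeholders.

$App     = 'C:\Apps\LineOfBusiness.exe'
$CertDir = 'C:\Certs'
$Pfx     = Join-Path $CertDir 'ContosoCodeSign.pfx'
$PfxPwd  = 'ChangeMe!'          # placeholder; keep the real one in a protected store
$Policy  = 'C:\Policies\AppLocker-Contoso.xml'

# 1. Code-signing certificate. Self-signed here for illustration; in production
#    issue it from your enterprise CA so clients already trust the chain.
New-Item -ItemType Directory -Force $CertDir, (Split-Path $Policy) | Out-Null
& makecert.exe -r -pe -n 'CN=Contoso Internal Code Signing' -eku 1.3.6.1.5.5.7.3.3 `
    -sv (Join-Path $CertDir 'ContosoCodeSign.pvk') (Join-Path $CertDir 'ContosoCodeSign.cer')
& pvk2pfx.exe -pvk (Join-Path $CertDir 'ContosoCodeSign.pvk') `
    -spc (Join-Path $CertDir 'ContosoCodeSign.cer') -pfx $Pfx -po $PfxPwd

# 2. Authenticode-sign the binary and verify the signature.
& signtool.exe sign /f $Pfx /p $PfxPwd /v $App
& signtool.exe verify /pa /v $App

# 3. Generate a publisher rule from the signed file, then widen it from
#    "this product, this binary, this version or later" to "anything signed
#    by this publisher", the vendor-level rule the tip describes.
Import-Module AppLocker
$info = Get-AppLockerFileInformation -Path $App
$xml  = [xml](New-AppLockerPolicy -FileInformation $info -RuleType Publisher `
              -User Everyone -RuleNamePrefix Contoso -Xml)
foreach ($cond in $xml.SelectNodes('//FilePublisherCondition')) {
    $cond.SetAttribute('ProductName', '*')
    $cond.SetAttribute('BinaryName',  '*')
    $range = $cond.SelectSingleNode('BinaryVersionRange')
    $range.SetAttribute('LowSection',  '*')
    $range.SetAttribute('HighSection', '*')
}
# Audit first: would-be blocks are logged under Applications and Services
# Logs\Microsoft\Windows\AppLocker without stopping anyone. Switch the
# collection to 'Enabled' once the log is quiet.
foreach ($rc in $xml.SelectNodes('//RuleCollection')) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($Policy)

# 4. Check the rule against the signed app and an unsigned test binary.
Test-AppLockerPolicy -XmlPolicy $Policy -Path $App, 'C:\Apps\Unsigned.exe' -User Everyone

# 5. Merge into the local policy (keep your existing default rules so Windows
#    and Program Files stay runnable) and make sure the Application Identity
#    service, which AppLocker depends on, is running.
Set-AppLockerPolicy -XmlPolicy $Policy -Merge
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc
```

The widening step is the important design choice: a rule pinned to one binary and version breaks on the first internal update, while a rule pinned to the publisher only keeps working as long as you control that signing key, which is why the key, not the policy, is what must be protected.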

Ran Oelgiesser is a Senior Product Manager in the Windows Client team leading product management for Windows Security. Ran has 12 years of experience in information security and enterprise IT solutions.

COMMUNITY UPDATE

Configuring BitLocker on Machines Without a Trusted Platform Module (TPM)
By Andy Malone, Microsoft MVP - Enterprise Security

Much has been written about the Windows 7 BitLocker Drive Encryption solution. For maximum protection, Microsoft recommends that BitLocker be deployed on systems fitted with a Trusted Platform Module (TPM), and many articles on both TechNet and influencer sites endorse this as a best-practice approach. While I am in complete agreement, evidence also suggests that huge numbers of machines are shipped without a TPM module installed.

I am often approached by customers who want the benefits of drive encryption but are confused and unsure of how to deploy it in an insecure environment or on sensitive machines. In this short article, I aim to address these issues and, at the same time, suggest a few best practices.

Description: Screenshot 1

Firstly, in order to use BitLocker you must have either the Enterprise or Ultimate edition of Windows 7. Although installed as part of the operating system (OS), BitLocker is disabled by default. On a computer without a TPM there is one more prerequisite for the operating system drive: the Group Policy setting Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives | Require additional authentication at startup must be enabled with "Allow BitLocker without a compatible TPM" checked (it can be set in Local Group Policy with gpedit.msc); otherwise the wizard stops and reports that a TPM is required. To enable the feature, go to Control Panel | System and Security | BitLocker Drive Encryption. Here you can select the disk to encrypt, turn on BitLocker, and follow the wizard.

Description: Screenshot 2

As shown in the figure above, you are then prompted either to enter a password (preferably complex) or to use a smart card; if you choose the latter, the card's personal identification number (PIN) will also be required. These unlock options apply to fixed data drives and removable drives. For the operating system drive on a machine without a TPM, Windows 7 offers only a startup key stored on a USB flash drive, which must be inserted at every boot.

Description: Screenshot 3

Before encryption starts, BitLocker asks how you would like to back up your recovery key. This is critical in case you forget your password or lose the startup key or smart card. You can either print the key or save it to a file for archiving. In enterprise environments, recovery keys can be archived in Active Directory and managed via Group Policy (as shown below).

Description: Screenshot 4

It should be noted that, in the above scenarios where BitLocker is deployed without a TPM, the BitLocker keys are held in RAM while the volume is unlocked and, as such, could be exposed to threats including RAM theft (cold boot attacks) and rootkits. This is true of any software disk encryption while the volume is mounted. For a RAM attack, an attacker must gain physical access to a machine that is powered on or only recently powered off. A possible scenario here is a malicious employee with industrial espionage in mind.

I am often therefore asked, "I want to use BitLocker but don't have a TPM, what can I do?" Before anything else, you need to reduce the risk of attack, which can be done by following a few simple procedures. First, disable hibernation. This is a Windows power management feature that writes the contents of RAM to a file in the root of the system drive called hiberfil.sys. The benefits of this technology include faster shutdown and start-up times.

Now we have a trade-off: speed versus security. One caveat: when the operating system volume itself is protected by BitLocker, hiberfil.sys sits on that volume and is encrypted at rest like everything else on it; the greater exposure is a machine left in sleep (standby), where the keys stay in powered RAM with the volume unlocked, so treat sleep the same way. To mitigate this, you could do one of the following:

1. Disable the computer's ability to hibernate and sleep, and physically shut the machine down when it is not in use. This can be done in Windows Power Options | Edit Plan Settings | Advanced Settings, as shown below:

Description: Screenshot 5

2. Another way to accomplish this is to use the powercfg command-line tool. Open an elevated command prompt and type powercfg -h off, which disables hibernation and removes hiberfil.sys.

Remember that BitLocker is a data-at-rest (DAR) encryption solution and, as such, will not protect you from every threat. But, with a little planning, you can significantly reduce risks. Another potential exposure is that once the machine is running and the volume is unlocked, anyone who can reach it over the network, for example by mapping a shared folder, reads the data in the clear, because BitLocker decrypts transparently for the running system. To mitigate this threat, you can combine BitLocker with another Windows 7 encryption feature, Encrypting File System (EFS), which encrypts individual files to the owning user's key.

To enable EFS, follow these steps:

1.     Encrypt your drive with BitLocker as shown using the steps above.

2.     Place your sensitive data in a folder structure on the encrypted volume.

3. Right-click the folder, click Properties, and on the General tab click Advanced.

4.     Click Encrypt contents to secure data.

Description: Screenshot 6
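The whole procedure above (policy, OS-drive encryption, recovery backup, hibernation and sleep, EFS) as one script for Windows 7 Enterprise or Ultimate. This is an added example, not the author's own steps, and its details are assumptions: an elevated prompt, a USB flash drive at E: for the startup key, Active Directory reachable for recovery-password escrow, and sensitive files under D:\Sensitive on a BitLocker-protected data volume. On a domain-joined machine, Group Policy overrides the local registry values that the first function writes.

```powershell
# Added example (not from the article): BitLocker on a TPM-less Windows 7
# machine, with the risk-reduction steps the article recommends. Elevated
# prompt; drive letters and paths are placeholders.

$OsDrive    = 'C:'
$StartupUsb = 'E:\'          # USB flash drive that will hold the startup key
$SecretDir  = 'D:\Sensitive' # folder on a BitLocker-protected data volume

function Enable-NoTpmPolicy {
    # Registry values behind "Require additional authentication at startup"
    # -> "Allow BitLocker without a compatible TPM". Without them manage-bde
    # and the wizard refuse to encrypt the OS drive on a machine with no TPM.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item $fve -Force | Out-Null }
    Set-ItemProperty $fve UseAdvancedStartup 1 -Type DWord
    Set-ItemProperty $fve EnableBDEWithNoTPM 1 -Type DWord
    # Archive OS-drive recovery information in AD and refuse to turn BitLocker
    # on if the backup fails ("Choose how BitLocker-protected operating system
    # drives can be recovered").
    Set-ItemProperty $fve OSActiveDirectoryBackup 1 -Type DWord
    Set-ItemProperty $fve OSRequireActiveDirectoryBackup 1 -Type DWord
}

function Disable-HibernationAndSleep {
    # Keys live in RAM only while the volume is unlocked; a powered-down
    # machine has nothing to read. Remove hiberfil.sys and stop the machine
    # from going to sleep on AC or battery (0 = never).
    & powercfg.exe -h off
    & powercfg.exe -change -standby-timeout-ac 0
    & powercfg.exe -change -standby-timeout-dc 0
}

function Enable-OsDriveBitLocker {
    # Windows 7 needs a startup key on USB for a TPM-less OS drive. The
    # 48-digit recovery password is the fallback that gets escrowed to AD.
    & manage-bde.exe -on $OsDrive -StartupKey $StartupUsb -RecoveryPassword
    # Push every recovery-password protector to AD explicitly; the IDs come
    # from "manage-bde -protectors -get" ("ID: {GUID}" lines).
    $ids = & manage-bde.exe -protectors -get $OsDrive -Type RecoveryPassword |
           Select-String -Pattern 'ID: (\{[0-9A-Fa-f-]+\})' |
           ForEach-Object { $_.Matches[0].Groups[1].Value }
    foreach ($id in $ids) { & manage-bde.exe -protectors -adbackup $OsDrive -id $id }
}

function Enable-EfsOnFolder([string]$Path) {
    # Second layer for the most sensitive data: EFS encrypts to the user's own
    # key, so the files stay opaque to other accounts, including anyone who
    # maps the share while BitLocker has the volume unlocked on the running box.
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory $Path | Out-Null }
    & cipher.exe /E /S:$Path
}

Enable-NoTpmPolicy
Disable-HibernationAndSleep
Enable-OsDriveBitLocker
Enable-EfsOnFolder $SecretDir
# Encryption of the OS drive starts after the reboot and hardware test that
# manage-bde requests; this shows the current state and protector list.
& manage-bde.exe -status $OsDrive
```

Back up the EFS certificate (certmgr.msc, Personal | Certificates, export with the private key) to the same place as the BitLocker recovery material; a user who loses both the profile and the certificate loses the EFS-protected files even though the volume itself can still be recovered.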

In conclusion, BitLocker combined with a TPM provides a rock-solid DAR solution. However, organizations or individuals that want to use BitLocker technologies on computers that are not fitted with a TPM module can take a few additional steps to help ensure better security.

Andy Malone is the CEO of Quality Training Ltd and founder of both the Dive Deeper Technology and Cybercrime Security events. Based in Scotland, Andy is a popular international event speaker and technology evangelist with over 15 years' experience delivering technical and security content to thousands of IT pros worldwide at various technical conferences, such as Microsoft Tech•Ed, IT Pro-Connections and Tech-days. Andy will be speaking at both Tech•Ed Africa in Durban in October and Tech•Ed Europe in Berlin in November. You can check out his blog at http://quality-training.co.uk/blog/.

TWEET ALERT

In support of our efforts to stay on top of the latest tips and trends, here is who we are following for our summer Twitter reading list:

  • @DougHolland – Architect Evangelist for Microsoft with commentary and insights on trends in Windows and the world of Web development.
  • @OReillyMedia – Spreading the knowledge of innovators through technology books, online services, and tech conferences.
  • @deployjeremy (Jeremy Chapman) – Travel, gadget, car, and computer automation freak all-in-one.
  • @majornelson (Larry Hyrb) – Go inside Xbox with Xbox Live's Director of Programming.
  • @energizedtech (Sean Kearney) – Windows PowerShell MVP and all-around tech enthusiast who is in love with Windows 7, Monty Python, Star Trek, and Doctor Who.

If you would like to be considered for this column, send a message to Stephen Rose via Twitter @stephenlrose and tell him, in 140 characters or less, why we should feature you next month. Also, for the latest information on what's going on here at Microsoft follow the Springboard Series @MSSpringboard.

EVENTS AND TRAINING

Springboard Series Tour: Deployment Workshops for Windows, Office and Microsoft Desktop Optimization Pack (MDOP)
October 25–November 5, 2010 – Multiple cities across Europe
Are you looking to pilot or deploy Windows 7, Office 2010, or MDOP technologies? Join us for a series of workshops that will cover key deployment strategies and show you the value of getting trained and certified in these key products. Give us five hours, and you will have a clear understanding of the tools, tips, and tricks you need to jumpstart the successful deployment and management of your Windows desktop environment today. The first 150 registered attendees at each event will receive a free copy of Microsoft Office 2010 Professional edition. Don't miss your chance to attend a workshop in the 2010 Springboard Series Tour. Register today at www.springboardseriestour.com.

Microsoft Certified Career Conference—Advance your Career with Windows 7 Expertise
Thursday, November 18, 2010 – Virtual online event
Join thousands of IT professionals and employers at the first Microsoft Certified Career Conference. This 24-hour virtual event enables you to attend Windows 7 sessions based on Microsoft Official Courses, sharpen your interview skills, network with hiring managers and fellow IT pros, and meet real-life experts. Register by October 18th for "early bird" discounts!

UPCOMING WEBCASTS

Business Insights Webcast: Windows Deployment (Level 100)
Wednesday, October 20, 2010 11:00 AM Pacific Time
Windows operating system deployment has evolved in all areas, making it possible to have faster and more flexible image creation, automated software composition depending on specific user needs, and faster and more robust data migration from previous environments. Tune in for an explanation and demonstration of tools, processes, tips, and what to expect when moving to the Windows 7 operating system and a more optimized desktop standard.

MSDN Webcast: Integrating Sensor and Location Support (Level 200)
Tuesday, November 09, 2010 10:00 AM Pacific Time
The Windows 7 Sensor and Location platform makes it possible for your applications to adapt to the environment and change the way the applications look or behave. In this webcast, we dive into the software development kit (SDK) and walk through some code to demonstrate how to implement this light sensor scenario. In addition, we show you how to use location to build better applications.

MSDN Webcast: Using Pinned Sites in Internet Explorer 9 on Windows 7 (Level 200)
Monday, November 15, 2010 12:00 PM Pacific Time
Attend this webcast to learn how you can use the Pinned Sites feature to access your favorite websites directly from the Windows taskbar without having to first open your browser. With Pinned Sites, your standards-compliant web application is at the center of the user experience. After this webcast, you should know how to turn your application into a pinned site and how you can use simple JavaScript to enhance the experience for your customers.

MSDN Webcast: Better User Experience with Windows 7 Multitouch and Gestures (Level 200)
Thursday, November 18, 2010 10:00 AM Pacific Time
Developers can take advantage of the new multitouch support in the Windows 7 operating system to create amazing experiences and natural interactions. In this webcast, we demonstrate the power of multitouch and dive into code. We also explore the support for applications written before the release of Windows 7, the gesture-level APIs, and the raw-touch APIs.

TechNet Simulcast Event: Windows 7 Deployment Firestarter (Level 200)
Wednesday, December 01, 2010 6:00 AM Pacific Time
Attend this free, full-day simulcast event and hear firsthand how to upgrade from Windows XP and solve your application compatibility issues. Learn about finding, testing, and fixing applications on Windows 7 with the Application Compatibility Toolkit and end the day with some advanced deployment scenarios using the Microsoft Deployment Toolkit (MDT).

SNEAK PEEK: FOR INSIDERS ONLY

The following resources will be released in September on the Springboard Series on TechNet. Bookmark or subscribe to the Windows Client Headlines feed and receive automatic notification when these and other resources, announcements, and downloads are released.

  • New guidance to support Microsoft Enterprise Desktop Virtualization (MED-V) deployment.
  • Answers to frequently asked questions on Internet Explorer 6 migration.
