Windows 7
Windows 7 Deployment Considerations
Originally as devised at Sydney Boys High School
Get Windows 7 Enterprise Media
Your region cannot supply Windows 7 media for the foreseeable present. That said, it’s not that difficult to get real media.
Activation
Windows 7, like Windows Vista, has volume activation. DET have Key Management Servers set up now for Windows Server 2008 in schools and the Windows 7 laptops. With the appropriate DNS settings, Windows will automatically connect to KMS servers for activation.
Microsoft’s recommendation for KMS deployment is simply that enterprises deploy two servers. However, in a defined rollout of Windows 7 in schools, DET may wish to distribute the design with site-specific KMSes.
A KMS-activated install needs to contact the KMS periodically. A Multiple Activation Key (MAK) activated install doesn’t need to, but MAK keys are a massive headache in a large and fragmented organisation, so I’d never expect to see a MAK key.
Group Policy
Windows 7 significantly expands Group Policy settings. There are major changes in management from Windows XP as well as several important areas of settings to configure:
Group Policy Management
Windows Vista introduced .admx and .adml files replacing .adm for Group Policy definitions. Windows Server 2008 introduced the central policy store in the Active Directory SYSVOL. If you don’t have any Windows Server 2008 infrastructure in place, you’ll need to continue to use the local group policy store, which is now in %systemroot%\PolicyDefinitions rather than %systemroot%\Inf. To manage Group Policies using .admx templates you need the Group Policy Management Console on a Windows Vista/Server 2008 or newer machine. So that probably means you’ll want to use Windows 7 to edit the Group Policies for Windows 7.
Group Policy Preferences Bug
If you use Group Policy Preferences you’ll probably come across a bug in Windows 7 RTM which causes the extension processor to crash when applying machine preferences that use Item Level Targeting of the computer’s security group. This is rectified by the update KB976399.
User Account Control (UAC)
This is a policy decision as to what UAC settings are appropriate. You have the option to, inter alia:
- turn it off
- turn off the secure desktop
- auto-elevate administrators
- automatically deny standard user elevation
We picked the latter two. Unprompted admin elevation was needed for compatibility reasons. We deny non-admin elevation requests (results in an ugly dialog). This results in an environment that is functionally similar to Windows XP but which still has UAC enabled.
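To confirm on a deployed machine that the UAC policy actually landed as chosen, the following added example (not part of the original page) reads the registry values behind the UAC security options and compares them with the combination described above. The key and value names are the ones Windows uses for these options; the function names are illustrative.

```powershell
# Added example: report the effective UAC policy on the local machine.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meanings of the two prompt-behaviour values.
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
$userPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacValue([string]$Name) {
    # Returns $null when the value is absent.
    $p = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $null }
}

function Resolve-UacSetting($Value, $Map) {
    if ($null -eq $Value) { return 'not set' }
    $k = [int]$Value
    if ($Map.ContainsKey($k)) { "$k = $($Map[$k])" } else { "$k = unrecognised" }
}

$lua    = Get-UacValue 'EnableLUA'
$admin  = Get-UacValue 'ConsentPromptBehaviorAdmin'
$user   = Get-UacValue 'ConsentPromptBehaviorUser'
$secure = Get-UacValue 'PromptOnSecureDesktop'

"EnableLUA (UAC on)         : $lua"
"PromptOnSecureDesktop      : $secure"
"ConsentPromptBehaviorAdmin : $(Resolve-UacSetting $admin $adminPrompt)"
"ConsentPromptBehaviorUser  : $(Resolve-UacSetting $user $userPrompt)"

# The combination this page describes: UAC on, admins auto-elevated,
# standard-user elevation requests denied.
if (($lua -eq 1) -and ($admin -eq 0) -and ($user -eq 0)) {
    'Matches the configuration described above.'
} else {
    'Differs from the configuration described above.'
}
```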
Restrictions on display settings
Windows 7 seems to behave a bit differently in applying display settings for users. The settings specified in the Default User profile don’t seem to apply. Also, you’ll need to allow users to apply visual themes and change the desktop background before these can even be applied by group policy.
Enabling Aero is a per-user setting
Either it needs to be enabled in the default user profile, or you need to specify the %systemroot%\Resources\Themes\aero.theme theme file in the appropriate settings in the User\Admin Templates\Control Panel\Personalization section of a group policy.
Printer driver download
Windows Vista changed and Windows 7 changes further the way printer drivers are downloaded from the print server. You will need to relax some “Point and Print Restrictions” in Computer\Admin Templates\Printers via Group Policy if you deploy printers (I believe via any method – script, group policy, GPPE – wherever drivers need to be downloaded). Specifically:
- When installing drivers for a new connection: Do not show warning or prompt
- When installing drivers for existing connection: Do not show warning or prompt
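Suppressing both prompts means printer drivers install silently, so it is worth checking what the policy wrote to each client and whether it also limits which print servers are accepted. This added example (not part of the original page) reads the registry values that back the Point and Print Restrictions policy; the function names are illustrative.

```powershell
# Added example: summarise the Point and Print Restrictions policy
# as it landed in the registry of the local machine.
function Get-PointAndPrintPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p) { return $null }   # policy not configured
    New-Object PSObject -Property @{
        InstallPrompt  = $p.NoWarningNoElevationOnInstall  # 1 = no warning or prompt
        UpdatePrompt   = $p.UpdatePromptSettings           # 2 = no warning or prompt
        TrustedServers = $p.TrustedServers                 # 1 = only listed servers
        ServerList     = $p.ServerList                     # semicolon-separated names
        InForest       = $p.InForest                       # 1 = only servers in the forest
    }
}

function Test-PointAndPrintPolicy($Policy) {
    if (-not $Policy) { return 'Policy not configured: Windows defaults (prompts shown) apply.' }
    $findings = @()
    $silent     = ($Policy.InstallPrompt -eq 1) -or ($Policy.UpdatePrompt -eq 2)
    $restricted = ($Policy.TrustedServers -eq 1) -or ($Policy.InForest -eq 1)
    if ($Policy.InstallPrompt -eq 1) { $findings += 'New connections: driver install prompt suppressed.' }
    if ($Policy.UpdatePrompt -eq 2)  { $findings += 'Existing connections: driver update prompt suppressed.' }
    if ($Policy.TrustedServers -eq 1) {
        $servers = @("$($Policy.ServerList)".Split(';') | Where-Object { $_.Trim() })
        $findings += "Restricted to $($servers.Count) listed server(s): $($servers -join ', ')"
    }
    if ($Policy.InForest -eq 1) { $findings += 'Restricted to print servers in the forest.' }
    if ($silent -and -not $restricted) {
        $findings += 'REVIEW: prompts are suppressed and no server restriction is set.'
    }
    if (-not $findings) { $findings += 'Prompts are shown; no relaxation found.' }
    $findings
}

Test-PointAndPrintPolicy (Get-PointAndPrintPolicy)
```

The same policy offers "Users can only point and print to these servers"; pairing the suppressed prompts with that list keeps silent driver installation limited to your own print server.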
Software Deployment Systems
If you use a Software Deployment System, you need to ensure it will work with Windows 7.
Zenworks
Zenworks 7 does not work with Vista or 7. Zenworks 10 is supported on Vista, but Windows 7 is not currently supported. Zenworks 10.2.2 will support it by the end of the year. We use 10.2.1. This works fine with the exception, for us, of imaging PCs with Windows 7. Something in the Novell process causes the machine to crash during Sysprep. Hopefully this will be fixed. Other people have reported other imaging issues with Zenworks and Windows 7.
SCCM 2007 R2
Windows 7 is supported by SCCM 2007 R2, but you won’t get SCCM for now. (or ever?)
SMS 2003
Apparently(!) it works.
Altiris
I know nothing. I'm sure some version of the Altiris suite is supported on Windows 7 and a few revisions further back probably even work...
Software Compatibility
Compatibility is not as bad as a lot of people seem to think it will be. Really you need to produce a list of all the software in use anywhere in your school and then test it. In the end you should have a list of what works, what only partially works and what doesn’t work.
We found even ancient software with ancient video codec requirements worked fine once QuickTime 2 (or whatever as applicable) was installed. 16-bit programs function fine on 32-bit Windows 7 as they did on XP (they no longer have program icons though). Old scanners that barely worked for standard users under Windows XP could be a problem.
If you have a program which does not work, you can use the Windows Application Compatibility Toolkit (ACT) – a free download from Microsoft – to try to cajole it into working. That’s a big area in itself so I won’t say any more about it.
Support infrastructure
Antivirus
As has been said, Symantec Antivirus 10 is not supported on Windows 7. You need Symantec Endpoint Protection 11. You can download it from Software Services. It’s a nicer product anyway. You’ll need a management server to manage SEP11 clients and updates: the SAV server on the CPC won’t do it.
WSUS
The DET regional and CPC WSUS servers do not supply updates for Windows Server 2008 R2 and Windows 7. You can’t leave the computers in a state where they won’t get security updates, so there are two options:
- Direct the clients to Windows Update for their updates. This is OK for a trial of a few machines. It’s hardly ideal for a larger deployment.
- Set up your own WSUS server. You can select the products a server offers updates for. So to cut down on the unnecessary WAN transfer and the disk space you need to provision, you may choose to only run WSUS for Windows 7, Server 2008 R2 and any Microsoft Update products that will run on Windows 7 (e.g. Office).
Image Creation and Deployment
This is complicated because it’s all new compared to Windows XP. For image creation you really have to use Sysprep. For one thing it’s now the only way to copy a profile to the Default profile. Sysprep is now always included in Windows and lives in %systemroot%\System32\Sysprep. You’d normally execute it in the fashion
sysprep /generalize /oobe /shutdown /unattend:<unattendfile>
For that unattend file you at least need the Windows Automated Installer Kit (AIK) which is a free download from Microsoft. You also need the install.wim file from a Windows 7 DVD.
When you install it, you get one very important tool, the Windows System Image Manager (SIM). Using this you prepare an answer file much like the unattend.ini file for Windows XP. Windows 7 applies the configuration in “phases” and different settings apply to different phases. There’s a mass of literature on unattended Windows Vista and Windows 7 deployment.
The Windows AIK also includes the Windows PE. This replaces DOS as the pre-install environment. You can use it to run imagex.exe which can capture and deploy images. It can be booted from CD or USB stick. If you want PXE boot you need to use the Microsoft Deployment Toolkit.
The Microsoft Deployment Toolkit (MDT) 2010 is another free tool which may be important. This complements Windows Deployment Services (i.e. do PXE boot by loading the customised boot image WIM in WDS and leave the rest to MDT 2010) and is what you can use to capture and deploy images, apply specific customisations etc. It reduces the need to use the Windows SIM to produce answer files. SCCM integrates with it, so you’ve seen it in action if you’ve watched your TSO re-image a T1 machine. By itself the MDT can do PXE boot, but you have to manually start it off before it will do any imaging work. The MDT uses task sequences to deploy and configure images. It allows you to dynamically apply drivers to images and various neat things like that. However you can just have it apply plain .wim images too.
Zenworks 10 has limited Windows PE and .wim imaging support – it can’t use MDT task sequences. But it can capture to and deploy from plain .wim images.
Once a .wim image is captured, you can service it offline. You do this by using the DISM.exe command line tool which is a part of the Windows AIK. This tool allows you to firstly mount a .wim image to a folder. You can then alter the files in it (including the registry). DISM also has specific commands to apply .msu update files and .inf drivers to the image, all while it’s offline. This makes it much easier to service images and reduces the number you need. Once serviced, you commit the image back to the .wim file and it’s ready to deploy.
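The offline servicing cycle described above (mount, inject drivers and updates, commit), as an added example that is not part of the original page. Every path is a placeholder assumption and `Invoke-Dism` is an illustrative wrapper; if any step fails the mounted image is discarded rather than committed, so the .wim is never left half-serviced.

```powershell
# Added example: service a captured .wim offline with DISM.
# All paths are placeholders (assumptions); adjust to your own layout.
$wim     = 'D:\Images\win7-base.wim'   # captured image
$index   = 1                           # image index inside the .wim
$mount   = 'C:\Mount'                  # empty folder to mount into
$drivers = 'D:\Drivers'                # folder tree of .inf drivers
$updates = 'D:\Updates'                # folder of .msu update files

function Invoke-Dism {
    # Run dism.exe with the given arguments; stop on a non-zero exit code.
    & dism.exe $args
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($args -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if (-not (Test-Path $mount)) {
    New-Item -ItemType Directory -Path $mount | Out-Null
}

# List the images in the file, then mount the one to service.
Invoke-Dism /Get-WimInfo "/WimFile:$wim"
Invoke-Dism /Mount-Wim "/WimFile:$wim" "/Index:$index" "/MountDir:$mount"

try {
    # Inject every .inf driver found under the driver folder.
    Invoke-Dism "/Image:$mount" /Add-Driver "/Driver:$drivers" /Recurse

    # Apply each .msu update to the offline image.
    Get-ChildItem -Path $updates -Filter *.msu | ForEach-Object {
        Invoke-Dism "/Image:$mount" /Add-Package "/PackagePath:$($_.FullName)"
    }

    # Show the third-party drivers now staged in the image, then commit.
    Invoke-Dism "/Image:$mount" /Get-Drivers
    Invoke-Dism /Unmount-Wim "/MountDir:$mount" /Commit
}
catch {
    # Throw away the partial changes so the original .wim stays intact.
    Write-Warning "Servicing failed: $_"
    & dism.exe /Unmount-Wim "/MountDir:$mount" /Discard
    throw
}
```

Run it from an elevated prompt, and work on a copy of the .wim until the serviced image has been test-deployed.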
Driver Situation
Out of the box you’d expect Windows 7 to have good driver support. It does generally, but the biggest weakness is sound drivers. Windows 7 has generic AC97 and HDA drivers. The problem is they tend not to work. For example:
- 2005-model T4L ASI – sound drivers work.
- 2005-model TAFE Acer – drivers installed but fail to initialise (Code 10). Using the current Realtek HDA drivers fixes the problem, but they’re not signed for the exact model of sound chip in the machine, so Windows will never automatically pick it over the non-signed version.
- 2008-model T4L Lenovo – drivers installed fine but fail to detect an audio endpoint (i.e. the internal speakers). The ADI drivers for this sound chip are signed, so Windows will pick it over the generic driver once the driver is injected in the image.
Windows 7 also doesn’t have drivers, as an example, for the serial port (of all things) on the 2008 Lenovo (probably because the machine doesn’t have a standard LPC bus).
Aero
The integrated graphics of the Intel 945G chipset and newer support Aero. This chipset was introduced in 2005 and is present on T4L 2006 rollout desktop machines. With upgraded RAM, nothing prevents you installing Windows 7 on a T4L 2005 machine or older, but there will be no Aero theme.