Maturing Deployment Methodology Yields Streamlined Windows 7 Deployment

Published: October 2009

Windows 7 deployment goals have been exceeded and Helpdesk call volume is below anticipated levels. Microsoft IT delivered on a Windows 7 deployment plan that minimized end user disruption. Investments in communications and productivity materials support a prepared end user population.


Intended Audience

  • IT Managers and IT Professionals

Products & Technologies

  • Microsoft Windows 7
  • Windows Server 2008 R2
  • Windows Update
  • Microsoft Office SharePoint Server 2007
  • Microsoft System Center Configuration Manager 2008 R2
  • User State Migration Tool, version 4.0
  • Token activation feature in Windows 7
  • BranchCache technology in Windows 7 and Windows Server 2008 R2
  • BitLocker Drive Encryption technology in Windows 7 and Windows Server 2008 R2
  • Web Slices feature in Windows Internet Explorer 8


The goal for the Windows 7 deployment was to make it very easy for users to self-install the operating system. This article explains how MSIT uses key new technologies to achieve Windows 7 deployment goals with minimal disruption to end users.

The Image Build Process

To create images, MSIT takes advantage of Windows Update, a task sequencer, multiple images, token activation, and the User State Migration Tool.

Windows Update and the Task Sequencer

Microsoft IT (MSIT) learned a great deal from the Windows Vista® deployments, most of which required HelpDesk assistance. To make it easy for users to install Windows 7, MSIT integrates the OEM drivers and applications into the images. As part of that strategy, MSIT strongly leverages Windows Update. Users get 70 percent of the OEM drivers through Windows Update. MSIT uses a task sequencer to install the remaining OEM drivers and applications. The task sequencer installs a core desktop business productivity suite consisting of Microsoft® Office, Connection Manager, Microsoft Office Communicator 2007, and other key applications that employees use on a regular basis.

Multiple Images and Token Activation

For Windows Vista, there was only one image. With Windows 7, MSIT has different scenarios for large campuses, small campuses, and remote users. The scenarios use Microsoft technologies such as Windows Deployment Services (WDS), the Operating System Deployment (OSD) feature in Microsoft System Center Configuration Manager (SCCM) 2008 R2, and bootable media options.

MSIT integrates token activation into the vanilla image for remote users. With token activation, a remote user doesn't have to connect to the Microsoft network after installing the image. When Windows 7 pops up the activation token, the user activates the operating system online using a smart card so it isn't necessary to go back to the enterprise network.

In-Place Migration Using the User State Migration Tool

MSIT embraced the User State Migration Tool (USMT) version 4.0 for the Windows 7 image set. USMT version 4.0 has significant new features that make it very easy to migrate users to a clean installation. The key feature MSIT uses is in-place migration. Previously, users had to spend two or three hours to back up their files, and then two or three more hours to migrate all of the files to the new system. When the user does a clean installation with version 4.0, USMT indexes the hard drive, creates an index of where the files are on the drive, and creates hard-link indexes of the user state. It finishes by migrating the user files and settings. It adds only about five minutes to the installation process for standard WDS and ISO images. USMT is a key strategy for migrating Windows Vista users and the few remaining Windows XP users at Microsoft.

New Features in WDS and SCCM 2008 R2

MSIT takes advantage of many new WDS features.

Distribution Services

MSIT uses both push and pull technologies. Many users in the enterprise like to pull, install, and self-host to be part of the development process. A very robust Windows Deployment Services architecture across the enterprise enables users to pull builds whenever they want. To push operating systems to users, MSIT uses the new Operating System Deployment feature in SCCM 2008 R2. SCCM OSD is a key technology because it allows MSIT to control the environment in a much cleaner way than in the past.

Multi-Cast, Multi-Band, and IP Clustering

Microsoft has 40,000 users in Redmond. With up to 40,000 users hitting and downloading a build simultaneously, the system can get very stressed. MSIT takes advantage of the multi-cast, multi-band, and IP clustering features in Windows Server® 2008 R2 in both standard and virtual machines across the enterprise. By using these features, MSIT can upload the new operating system to 800+ PCs per day.

How MSIT Structures the WDS Environment

MSIT uses a hub and spoke model for its WDS infrastructure. The hub consists of 20 to 30 core sites across the world. The spokes are universal service platforms—virtual WDS servers that all integrate into a network of image distribution and services across the enterprise. MSIT added more servers to develop a virtual platform of distribution services. As a result, MSIT can service people in remote regions as well as core regions every day with all of the new operating systems.

Ensuring Line-of-Business Application Compatibility

Line-of-business (LOB) applications are a core issue for many companies and they were a key area of focus for Windows Vista. With Windows 7, MSIT created a LOB test pass. MSIT identified a suite of about 4000 applications and pared it down to a list of LOB applications that Microsoft couldn't do without. MSIT put these applications in the LOB test pass and ran 1 to 5 test passes through the lifecycle of a product, testing specific core functionality. For example, Windows Internet Explorer 8 has great features with a lot of functionality. Which of MSIT's LOB applications could go up against that productivity application profile? After MSIT made that comparison, they brought in the application owners, the business units, and the business community as partners to drive and resolve those test passes across the enterprise. MSIT set a goal of 100 percent compliance for LOB applications. All of the applications must pass free and clear, so that when Windows 7 is released to manufacturing, or before, MSIT is ready to deploy across the enterprise and enterprises that have similar applications.

Integrating Internet Explorer 8 Web Slices with SharePoint

Microsoft uses Office SharePoint Server 2007 as its key document-management solution across the enterprise. Microsoft has a very robust SharePoint solution with several terabytes of data. One of the key features in Internet Explorer 8 (IE8) is Web Slices. MSIT integrated Web Slices successfully with its SharePoint solution across the enterprise.

Leveraging BranchCache to Reduce Bandwidth

BranchCache™ is Microsoft's version of peer-to-peer networking. BranchCache offers a potentially large cost savings because it cuts bandwidth and drives network sharing across the enterprise.

MSIT is using and testing two BranchCache scenarios:

  • With the peer-to-peer scenario, clients rely on other clients to manage the packet correspondence back and forth and move the bits faster. This improves performance on the client and saves bandwidth because the client doesn't have to go all the way back to the enterprise, just to the nearest client.

  • The other scenario is "server-side cache." With server-side cache, there is a dedicated distribution point or server that acts as an intermediary. For example, a user in Europe has a distribution point in Germany that acts as a pass-through server to host the bits.

MSIT is testing both scenarios at 30+ sites across the enterprise, monitoring the traffic to find the best cost savings and to build out a network analysis. MSIT is integrating the branch office service architecture by aligning the site taxonomy. The taxonomy will indicate whether peer-to-peer is a good solution for a particular type of site, under particular network bandwidth restrictions, and with a particular user base and setup. Other enterprises can leverage this site taxonomy. For a given type of architecture, you can identify four or five key business points and then leverage peer-to-peer networking to reduce costs, increase performance, and increase client satisfaction.

MSIT is also using BranchCache for remote sites that don't have adequate connectivity. For example, BranchCache has the potential to solve network latency issues for users in South America.

Enabling BitLocker Drive Encryption for all Microsoft Employees

BitLocker™ Drive Encryption is a core security feature that was first included with Windows Vista. Enabling BitLocker has traditionally been a user-driven event. With Windows 7, MSIT wants to turn BitLocker on by default for all users at Microsoft. MSIT is putting scripting around tools in Windows 7 to fully automate the deployment, with just a few reboots. It's a fairly easy task. The biggest time hit is the user interface. Windows 7 includes code to enable the Trusted Platform Module (TPM), turn on the BitLocker feature, and do the encryption. With the new process, the user can walk away while BitLocker is enabled.

MSIT has been working on the TPM with OEMs since Windows Vista. MSIT changed the standard for purchased products so that the TPM is turned on by default. As a result, Microsoft has a three-year install base with the TPM already turned on, so the Microsoft network is primed and ready to go.
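
The following is an added example, not MSIT's script and not part of the original article. It sketches the kind of check an automated rollout needs before it turns BitLocker on: it reads TPM and volume state through the Win32_Tpm and Win32_EncryptableVolume WMI classes and calls manage-bde only when -Enable is passed. The parameter names and the object layout are assumptions made for illustration.

```powershell
# Added example: BitLocker readiness check and optional enablement for the OS volume.
# Run from an elevated prompt. Nothing is changed unless -Enable is passed.
param(
    [string]$Drive = $env:SystemDrive,   # for example "C:"
    [switch]$Enable
)

$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
        -Class Win32_Tpm -ErrorAction SilentlyContinue
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
       Where-Object { $_.DriveLetter -eq $Drive }

$state = New-Object PSObject -Property @{
    Drive        = $Drive
    TpmPresent   = [bool]$tpm
    TpmEnabled   = $false
    TpmActivated = $false
    TpmOwned     = $false
    Protection   = 'Unknown'
    Conversion   = 'Unknown'
}
if ($tpm) {
    $state.TpmEnabled   = $tpm.IsEnabled().IsEnabled
    $state.TpmActivated = $tpm.IsActivated().IsActivated
    $state.TpmOwned     = $tpm.IsOwned().IsOwned
}
if ($vol) {
    # GetProtectionStatus: 0 = off, 1 = on, 2 = unknown
    $state.Protection = @('Off', 'On', 'Unknown')[$vol.GetProtectionStatus().ProtectionStatus]
    # GetConversionStatus: 0 = fully decrypted, 1 = fully encrypted, others = in progress or paused
    $state.Conversion = switch ($vol.GetConversionStatus().ConversionStatus) {
        0 { 'Decrypted' } 1 { 'Encrypted' } default { 'InProgressOrPaused' }
    }
}
$state   # emit the report so it can be logged or collected centrally

$ready = $state.TpmEnabled -and $state.TpmActivated -and $state.TpmOwned
if ($Enable -and $state.Conversion -eq 'Decrypted') {
    if (-not $ready) { throw "TPM is not enabled, activated and owned; fix that before encrypting $Drive." }
    # Add the protectors first so a recovery password exists before any data is encrypted.
    manage-bde -protectors -add $Drive -tpm
    manage-bde -protectors -add $Drive -RecoveryPassword
    manage-bde -on $Drive
}
```

manage-bde prints the generated recovery password to the console, so an unattended run has to capture or escrow it through the organization's recovery process rather than leave it in a log.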

Enabling BitLocker for all Microsoft users will be a great win for Microsoft since it will provide Sarbanes Oxley compliance and will help protect Microsoft assets. There are many intellectual properties across Microsoft that are being leveraged in day-to-day business, so everyone at Microsoft will benefit from having BitLocker enabled.

Windows Server 2008 R2 Provides Scalability for Print Servers

As with the WDS services, MSIT is updating all of the print servers with the beta build of Windows Server 2008 R2. MSIT is seeing better scalability than with the previous version of the server.


MSIT uses Windows Update, a task sequencer, multiple images, the token activation feature in Windows 7, and the User State Migration Tool to provide a self-service deployment for Windows 7. MSIT ensures compatibility of LOB applications through a rigorous LOB test pass. These technologies and processes enable users to self-install Windows 7 with minimal disruption.

MSIT uses both push and pull technologies to distribute the operating system. By taking advantage of the new WDS features in Windows Server 2008 R2, MSIT is able to upload the operating system to 800+ machines per day. MSIT is also leveraging the new BranchCache technology to decrease network bandwidth and drive network sharing across the enterprise. To protect intellectual property and provide Sarbanes Oxley compliance, MSIT created scripts to enable BitLocker Drive Encryption for all Microsoft employees.

For More Information

Please visit http://technet.microsoft.com/video/maturing-deployment-methodology-yields-streamlined-windows-7-deployment.aspx/ to see a multimedia presentation on the content of this article.

For additional IT Showcase Windows 7 content, please visit http://technet.microsoft.com/en-us/library/bb687804.aspx#7.

For additional IT Showcase Content, please visit http://www.microsoft.com/technet/itshowcase

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information through the World Wide Web, go to:


© 2009 Microsoft Corporation. All rights reserved.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, BitLocker, BranchCache, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
