IT Showcase On: Deploying Windows 8 Release Preview
How Microsoft IT Deployed Windows 8 and Internet Explorer 10 Release Preview
Quick Reference Guide
Windows 8 is reimagined and reinvented from a solid core of Windows 7 speed and reliability with an all-new touch interface. MSIT has created a seamless user experience with improved image creation, deployment processes and a community based support model called //Pointers.
Quick Reference Guide, 157 KB, Microsoft Word file
Situation: With the release of Windows® 8 and Microsoft® Internet Explorer® 10 Release Preview, Microsoft IT wanted to lay the groundwork for a successful Windows adoption and rollout in the enterprise space while demonstrating best practices for a seamless and frictionless deployment.
Microsoft IT identified key areas that needed improvement. Areas that were previously either pain points from actively deploying Windows 7 in an enterprise environment or areas they felt could benefit, cost-wise, from a smoother deployment process. These focus areas became the key drivers for the Microsoft IT Windows 8 and Internet Explorer 10 Release Preview deployment.
Why You Should Care:
- Operating systems and browsers are a very important component of a corporate infrastructure.
- Planning, LOB testing, and readiness are all critical parts to the successful deployment.
- Innovation in processes and tools can help streamline the deployments, improve the user experience, and reduce support costs.
- Successful deployment can lower the bar on acceptance and adoption by your employees.
- Microsoft IT needed to plan the project carefully and methodically to ensure that they focused on the correct areas based on previous deployments. They identified line of business applications, deployment, and user experience and their primary focus areas. Coordination between a variety of teams was needed to ensure that the deployment is as efficient as possible and that it ultimately provides a good end-user experience.
- Microsoft IT wanted to improve on the overall user installation experience by reducing the need for users to make decisions on hardware and software compatibility, data migration, security, operating system installation, and how to join the domain by creating tools to automate the process.
- Another key focus was on their operating system installation technologies. Microsoft IT created a profile of the users based on types of network connectivity. This allowed them to start planning not only the means by which users would install the product but also the tools that would be developed (such as IT Easy Installer) to provide a good, seamless user experience.
Application Compatibility Testing
- For the Windows 8 and Internet Explorer 10 Release Preview deployment, Microsoft IT focused on compatibility with internal web-based and Microsoft .NET-based LOB applications.
- Microsoft IT partnered with the internal Microsoft Agile Labs service to provide the VMs for testing. This enabled them to increase their capacity for testing, accommodating testers from across Microsoft, and allowing testers to self-provision one or more VMs any time of day.
- A new scorecard was created leveraging Microsoft SQL Server® Reporting Services that allowed key test managers to monitor the progress of their test teams in real time.
- The number of unique applications that they tested was around 350. In-depth resting was required for Primary (business-critical) applications. For Secondary (voluntary) applications, in-depth testing was highly encouraged but not enforced. Recommendation for testing:
- Apply the Microsoft ASP.NET update (http://support.microsoft.com/kb/2600100) to websites so that Internet Explorer 10 is correctly interpreted as a newer browser.
- Applications that rely on Microsoft Silverlight® controls for navigation or ones that rely on Microsoft ActiveX® to transfer data from within the application to a database will require some code changes to make them compatible with the Modern Browser.
- Microsoft IT released an internal website, http://BuildModernApps, designed to help internal engineering teams understand what is meant by building or updating their application for the Windows 8 and Internet Explorer 10 platform, and to be compatible with the Classic and Modern Browsers, and modernized where applicable.
- A modern app is an app that is plug-in free; does not use deprecated features; detects Features rather than User Agents; follows Modern design principles; leverages new Internet Explorer 10 Scenarios including Touch First, performance Improvements, and offline data; and is compelling to your business needs.
- To be able to consume internal applications written for the Modern desktop, enterprise customers need to address two key requirements: all app packages require PKI signing component to sign code, and the Windows SKU must be an enterprise SKU and not a retail SKU. Two additional requirements are that the PKI trusted root needs to be in the client certificate cache, and a group policy must be put in place to allow trusted apps to install.
- For Windows 8 and Internet Explorer 10 Release Preview, Microsoft IT used a mix of proven communication channels and new communication channels, all rebranded with a Modern look and feel. Communication channels included email, the ITWeb portal which provided a simple, guided Getting Started experience, Work Smart guides which provided an overview of the new features and user interface and instructions for installing using the IT Easy Installer, three Work Smart videos (What to Expect with Windows 8 Release Preview, a demo of the new IT Easy Installer tool, and a "True Confessions" style humorous marketing video), and email signatures. Finally, Microsoft Mobi Tags provided users a way to view installation instructions and the demo video via their mobile device. Work Smart content was promoted through social/community channels such as the internal community, OfficeTalk, and http://pointers. The new Dogfood Central app was deployed as part of the Microsoft IT Windows 8 image also includes Work Smart content and news about Windows 8 and other dogfood programs.
- The global readiness team delivered productivity and product overview sessions, launch events to promote adoption, and all promotional and marketing material to remote sites so they could reuse or localize the content and incorporate it into their local promo channels to provide a consistent message.
- Global readiness is also responsible for global testing of images before and at release, along with the validation of deployment infrastructure to guarantee a good user experience. In the Windows 8 deployment Microsoft Field IT managers discovered localization errors (for example, keyboard errors in the localized version of the software).
Deployment Methods and Tools
Image Deployment Goals
- Microsoft IT uses Distributed File System Replication (DFS-R) for image replication, which they realized did not handle large files well. What Microsoft IT found was that because the content size was so large and they had a fixed replication window, the replication to smaller sites would not complete within the time windows and would the need to restart the next night. Replication could take up to 6 weeks to get the image out to all of the end points.
- To address this issue, Microsoft IT looked optimizing both their images and the replication infrastructure.
- In the past, Microsoft IT created a custom solution for operating system deployments. With Windows 8 Release Preview, Microsoft IT chose to use the Microsoft Deployment Toolkit (MDT). It is a solution accelerator available for operating system and application deployment. It can be used as a stand-alone installer, or it can sit on top of Microsoft System Center Configuration Manager, which allows packaging of an operating system or application for deployment.
- The Windows base images include only the required files for all machines. Other components, such as the large driver library, were pulled out into a folder. And then logic is applied to determine what drivers are required, making the image smaller and the install times shorter (between 25 to 30 minutes).
- Another way that Microsoft IT optimized their images was to separate the build process from the image distribution process to ensure that they achieved optimum performance.
- Microsoft IT evaluated and updated their replication infrastructure, moving from Windows 2003 used in Windows 7 deployment to Windows 2008 R2 in the Windows 8 deployment. They also looked at DFS-R, which is used for image replication. Microsoft IT:
- Optimized their three (3) builds and brought it down to a single, base build that is replicated and then processed into ISO files and WDS images on the local servers.
- They split up the large files into smaller files (200 MB), replicate the files over the WAN, and then reassemble back into the original files, using public domain utilities and custom scripts they created.
- Optimized DFS-R server-to-server communication by tuning the service for maximum performance in a distributed environment.
- Optimized replication by replicating only the changed files and not the whole build as they had done in the past.
- The result of optimizing the infrastructure for the Windows 8 deployment was that replication time went from several weeks to 3 days.
- IT Easy Installer streamlines the user install experience by automating everything for the user to migrate to Windows 8. The key components of the tool are:
- Hardware compliance and guidance scans the user's machine and confirms if the system meets the Windows 8 minimum system requirements, provides Microsoft IT recommended configuration for each requirement, checks if the system is a Microsoft IT standard hardware, checks if Trusted Platform Module (TPM) is available for provisioning Windows 8 DirectAccess (DA), provides driver coverage information for the standard and non-standard hardware by displaying the missing driver information, and provides Windows experience index scores.
- Software guidance scans the user's machine for all installed software (Microsoft products and third party) and provides Windows 8 compatibility guidance for each installed software.
- LOB guidance provides guidance on compatibility status of the business critical and widely used internal line-of-business websites (MSW, ITWeb, HRWeb, LCAWeb, and so on) that are tested by Microsoft IT and allows users to report new applications that can be considered to be tested in the future.
- Data migration solution allows users to migrate their data and settings and provides options to migrate during installation (in-place) or migrate to local or network storage provided by Microsoft IT prior to the installation and restore afterwards.
- Create bootable media allows users to download and copy the flat setup files from \\products file share or Windows Azure™ and create a bootable USB that can be used to install Windows 8 on any machine.
- Install Windows 8 provides integrated installation experience that interfaces with all operating system deployment delivery channels (Windows Deployment Services (WDS), Operating System Deployment (OSD) through System Center Configuration Manager, //products file share, and Azure) and automatically selects the best suitable delivery channel based on the user's connectivity profile and location.
- Offline domain join provides the option to join corporate domain after the Windows 8 installation is complete.
- Windows To Go provides the ability to create Windows To Go devices from the existing Windows 8 machine.
- To provide a complete data migration and protection strategy for the Windows 8 Release Preview, Microsoft IT implemented File History, a new, built-in Windows 8 feature that protects user files by periodically scanning the computer's file system for changes stored in libraries and in the user's Desktop, Favorites, and Contacts folders and copying them to a Microsoft IT managed network drive configured as their backup storage area.
- The solution provides enterprise customers with a customizable solution that they can implement in their environment.
New Windows 8 Security Features
- Microsoft IT identified the new security features of Windows 8 that needed to be validated as part of the deployment. For example:
- Secure Boot requires hardware and firmware updates (Windows 8 Logo certified hardware), but Microsoft IT did want to validate the scenario.
- Prepare deployment images so new features, such as the ability to synchronize settings with the cloud or linking to a Microsoft Account (a.k.a Windows Live® ID), would not compromise privacy.
- Microsoft IT needed to make sure that Microsoft BitLocker® worked on Windows 8. What they found was that the Microsoft BitLocker Administration and Monitoring (MBAM) tool they use for compliance and enforcement was not yet completely compatible with Windows 8.
- Microsoft IT is also validating other new BitLocker features that included Network Key Protector Unlock that allows BitLocker to automatically unlock the drive when the machine is plugged into the corporate network; BitLocker pre-provisioning that allows Microsoft IT to script their installation to include the drive encryption step.
- Microsoft IT is performing a limited pilot on approximately 1,000 machines to evaluate changes in the way DirectAccess works, including validating virtual smart cards which use your Trusted Platform Module (TPM) chip—a chip that supports BitLocker and, in Windows 8, protects the virtual smart card certificate's private key.
- Measured Boot can use an Attestation Solution to report health of the machine based off measurements that are taken when the machine boots. This enables the reporting of health in a secure way that is measured by hardware at boot time providing a high degree of confidence that the measurement can be trusted. Microsoft IT plans to use a remote health attestation via a NAP Custom System Health Agent to ensure security health of managed Windows 8 DirectAccess systems.
- Remote Domain Join is the ability to take a remote machine that is connected to Internet and have it remotely join the domain—no need to use VPN. Microsoft IT plans to allow remotely provisioned machines to support Domain Join and DirectAccess enablement.
- Secure Boot, part of the UEFI 2.3.1 specification, validates the integrity of the entire boot process, including the hardware, boot loader, kernel, boot-related system files, and drivers. Antimalware is loaded in advance of all non-critical Windows components. This means that malware, such as rootkits, are less able to hijack the boot process, or hide from antimalware software.
Windows To Go
- Windows To Go is a Windows 8 desktop/computing experience that is available on a USB flash drive (WTG compliant devices). The Windows 8 desktop boots and runs from a USB flash drive, protected by BitLocker Drive Encryption using a new Password Protector (no TPM chip required).
- Windows To Go is self-contained on a USB device but can take advantage of any devices made available on the host computer, or across the enterprise network. A Windows To Go workspace works with any host desktop or laptop computer—including tablet or slate—that supports the BIOS startup option "Boot To USB Hard Disk Drive"
- Windows To Go scenarios include providing a managed corporate desktop when the host computers are unmanaged or not domain-joined.
- Microsoft IT provisioned 75 devices with Windows To Go and made them available to senior staff, engineers, and architects that wanted to evaluate Windows 8. This allowed different OEM machines (slate, laptop, and desktop) with different configurations of screen, keyboard, and touch to have a machine-specific experience that was highly transportable between host machines.
- Windows To Go is targeted at Windows 8 Enterprise Edition SKUs (utilizing that edition's license structure) and requires a Windows To Go creator/provisioning tool to create the Windows To Go device.
Internet Explorer 10
- Internet Explorer 10 is built into Windows 8, removing the requirement to create a separate deployment. IT professionals continue to enjoy extensive management and configuration support in Internet Explorer 10, making Internet Explorer 10 the browser of choice for enterprise.
- Internet Explorer 10 in Windows 8 brings a more full-featured Modern style experience to browsing.
- Internet Explorer 10 provides enhanced security and privacy features to help keep the browsing experience safe. One of those features is Tracking Protection, an opt-in mechanism that enables users to identify and block many forms of undesired tracking.
- One lesson learned by Microsoft IT was that lack of user awareness/knowledge of how to use the Modern interface generated additional support calls. Microsoft IT realized that they needed to ramp up support through more self-help content to help drive user awareness and acceptance of Internet Explorer 10/Modern Browser.
- The Windows 8 Release Preview deployment was fully supported by Microsoft IT. To ensure that users had options that enabled them to get help when they needed it and also to capture any issues to help drive product improvement, multiple support channels were made available, including self-help channels (such as Windows 8 Work Smart Guides, application compatibility results, and frequently asked questions), community-driven support, and traditional, assisted support.
- To ensure a smooth transition for end users, the Microsoft Helpdesk was kept up to date on the deployment process, was provided readiness training that contained the key differences between Windows 8/Internet Explorer 10 and previous versions of Windows and Internet Explorer, and was provided information about the new features and a troubleshooting guide with tips and tricks on how to resolve common issues.
- To ensure that the correct information was captured so that the Supportability team had the data needed to influence Windows 8 product quality, an Operating Level Agreement (OLA) was created for the helpdesk that defined ticket documentation requirements and a plan to ensure and track ticket documentation compliance. This OLA defined roles and responsibilities, standards for daily and weekly ticket audits, and KPI checkpoints.
- As the culture at Microsoft lends itself well to social networking, Microsoft IT decided to leverage that channel for support by piloting a new moderated forum, http://pointers. http://pointers is an internal Microsoft web application built on web standards and Microsoft technology using HTML5, the Microsoft .NET Framework, and SQL Server data management software, http://pointers provides:
- A moderated community support forum that addresses some of the top feedback from users in prior early adopter programs.
- Real-time, dynamic, searchable, and archived forum content.
- A new avenue to hear rich, real-time user feedback, not commonly seen in traditional channels.
- Valuable collaboration and knowledge sharing between groups (IT and users).
- A scalable solution to serve the whole company, covering a variety of Microsoft products and IT services.
- Microsoft IT looked at ways they could contribute to improving the overall user experience in Windows 8. One of those ways was to improve the installation process by creating new tools that would automate the process for the end user. Another was to validate Windows 8 and Internet Explorer features to help improve the product.
- One of the benefits of the Windows 8 Release Preview installation process was that it greatly reduced the input required from the user. During the standard Windows 7 install, the user was required to interact and make decisions along the installation path many times. That generated many support requests. IT Easy Installer in Windows 8 reduced the requirement for user interaction so that the user has to do one click and provide minimum input. Another piece that was optimized was that most questions and decision points for the install process were frontloaded so that after the install starts, the user can sit back until it's completed. This is a big win for user productivity and also in reducing support costs for desk-side support (a support technician no longer has to stay for the whole install process; they can help the user answer the first questions and then walk away).
- Using careful planning and lessons learned from previous deployments, Microsoft IT deployed the Windows 8 and Internet Explorer 10 Release Preview to over 28,000 systems with more than 21,000 unique users globally in the first few weeks of deployment, tracking at over 1,000 new users a day.
- A new, open testing model and use of Agile Labs enabled Microsoft IT to increase their capacity for testing LOB application compatibility.
- Targeted user profiles reduced the size and number of images required for deployment.
- New communication channels provided consistent messaging and enabled IT managers and users to prepare for the Windows 8 deployment at both the Microsoft corporate office as well as remote sites globally.
- Streamlined images and improved replication process reduced image replication from several weeks with Windows 7 to three (3) days for Windows 8, replicating to 236 servers.
- New and innovative tools such as IT Easy Installer and the IT Enhanced Data Mover improved the overall user experience.
- New and innovative support channels, such as http://pointers, empowered users to seek help and to have increased user productivity, reducing time for users to get answers on Windows 8 issues, and capturing broader product feedback.
- Windows 8 Release Preview
- Windows 8 and Internet Explorer for Developers
- Internet Explorer 10 Test Drive
- Dev Center for Modern style apps
- Compatibility testing white paper
- How Microsoft IT Manages a Private Cloud for Microsoft Research & Development