77645.book Page xv Wednesday, April 16, 2008 10:22 PM

Contents

Introduction xxiii

Chapter 1  Deploying Windows with Style: Windows Deployment Services (WDS), and Deployment Toolkit 2008  1
It’s All About Imaging  2
High-Level Imaging Process  2
Imaging Software Isn’t about Speed  5
Windows Deployment Services (WDS)  6
Inside WDS  7
Setting Up the WDS Server  8
Managing the WDS Server  13
WDS Specifics for Windows Server 2008  15
Installing and Managing Clients via WDS  16
Utilizing Multicast Deployment with WDS and Windows Server 2008  24
Beyond the Basics: Care and Feeding of WDS and Your Images  30
Troubleshooting WDS  46
Microsoft Deployment Toolkit 2008 (MDT), Formerly Known as BDD  50
Understanding Microsoft Deployment Toolkit 2008  50
WDS vs. Microsoft Deployment Toolkit 2008 (Better Together?)  54
Setting Up Microsoft Deployment Toolkit 2008  56
Beyond the Microsoft Deployment Toolkit 2008 Basics  70
Troubleshooting Microsoft Deployment Toolkit 2008  74
Final Thoughts  78

Chapter 2  Profiles: Local, Roaming, and Mandatory  79
What Is a User Profile?  80
The NTUSER.DAT File  80
Profile Folders for Type 1 Computers (Windows 2000, Windows 2003, and Windows XP)  81
Profile Folders for Type 2 Computers ( and Windows 2008)  83
The Default Local User Profile  88
The Default Domain User Profile  91
Roaming Profiles  95
Setting Up Roaming Profiles  97
Testing Roaming Profiles  102


Migrating Local Profiles to Roaming Profiles  105
Roaming and Nonroaming Folders  107
Managing Roaming Profiles  110
Manipulating Roaming Profiles with Computer Settings  113
Manipulating Roaming Profiles with User Group Policy Settings  124
Mandatory Profiles  128
Establishing Mandatory Profiles from a Local Profile  129
Mandatory Profiles from an Established Roaming Profile  131
Forced Mandatory Profiles (Super-Mandatory)  133
Final Thoughts  133

Chapter 3  Implementing a Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager  137
Overview of Change and Configuration Management  138
Redirected Folders  140
Available Folders to Redirect  140
Redirected Documents/My Documents  142
Redirecting the Start Menu and the Desktop  159
Redirecting the Application Data  160
Group Policy Setting for Folder Redirection  160
Troubleshooting Redirected Folders  161
Offline Files and Synchronization  164
Making Offline Files Available  165
Inside Windows XP Synchronization  170
Inside Windows Vista File Synchronization  174
Handling Conflicts  180
Client Configuration of Offline Files  182
Using Folder Redirection and Offline Files over Slow Links  197
Synchronizing over Slow Links with Redirected My Documents  198
Synchronizing over Slow Links with Public Shares  199
Using Group Policy to Configure Offline Files (User and Computer Node)  207
Using Group Policy to Configure Offline Files (Exclusive to the Computer Node)  216
Troubleshooting Sync Center  222
Turning off Folder Redirection for Desktops  223
Final Thoughts  230


Chapter 4  The Managed Desktop, Part 2: Software Deployment via Group Policy  233
Group Policy Software Installation (GPSI) Overview  233
The Windows Installer Service  235
Understanding .MSI Packages  236
Utilizing an Existing .MSI Package  236
Assigning and Publishing Applications  240
Assigning Applications  241
Publishing Applications  241
Rules of Deployment  242
Package-Targeting Strategy  243
Understanding .ZAP Files  252
Testing Publishing Applications to Users  254
Application Isolation  256
Advanced Published or Assigned  257
The General Tab  259
The Deployment Tab  259
The Upgrades Tab  264
The Categories Tab  266
The Modifications Tab  266
The Security Tab  272
Default Group Policy Software Installation Properties  273
The General Tab  273
The Advanced Tab  274
The File Extensions Tab  275
The Categories Tab  275
Removing Applications  276
Users Can Manually Change or Remove Applications  276
Automatically Removing Assigned or Published .MSI Applications  277
Forcefully Removing Assigned or Published .MSI Applications  278
Removing Published .ZAP Applications  279
Troubleshooting the Removal of Applications  279
Using Group Policy Software Installation over Slow Links  280
Assigning Applications to Users over Slow Links Using Windows 2000  282
Assigning Applications to Users over Slow Links Using Windows XP, Windows Vista, and Windows 2003  284
Managing .MSI Packages and the Windows Installer  284
Inside the MSIEXEC Tool  285
Affecting Windows Installer with Group Policy  288


Do You Need a “Big Management Tool” for Your Environment?  297
SMS vs. GPOs: A Comparison Rundown  297
GPSI and SMS Coexistence  300
Final Thoughts  301

Chapter 5  Application Virtualization and SoftGrid Essentials  303
About Application Virtualization  304
Why Would We Need Application Virtualization?  305
How Does Application Virtualization Solve the Aforementioned Problems?  306
How Does Application Virtualization Work?  308
Good and Bad Applications to Virtualize  308
Who Makes Application Virtualization Solutions?  309
SoftGrid Architecture and Server-Side Installation  310
SoftGrid Components and Requirements  310
SoftGrid Files and Theory FAQ  311
SoftGrid Accounts and Shares  315
Installing SoftGrid Server  316
Launching the SoftGrid Console for the First Time  322
Configuring the Sample SoftGrid Application  324
Installing and Using the SoftGrid Client  327
Installing the SoftGrid Client by Hand  327
Testing the Default Application  328
SoftGrid Sequencing  331
Creating the Ideal SoftGrid Sequencing Station  332
Sequencing Your First Application  333
Delivering SoftGrid Applications  343
Changing the Default Content Path  343
Adding a Sequenced Package to SoftGrid  344
Testing out Your Application  346
SoftGrid Troubleshooting 101  348
No Icons at All  348
Application Fails to Launch  351
Deploying Your Applications to the Masses  352
Using Group Membership to Deliver a SoftGrid Application  352
Using the SoftGrid SMS Connector to Deliver a SoftGrid Application  353
Using an .MSI Package to Deliver SoftGrid Applications (via Group Policy and Other Methods)  353
Final Thoughts  366


Chapter 6  SoftGrid—Beyond the Basics  367
SoftGrid Management Console  367
SoftGrid Administrators Node  369
Applications Node  372
File Type Associations Node  377
Packages Node  378
Application Licenses Node  382
Server Groups Node  387
Provider Policies  392
Account Authorities Node  397
Reports Node  398
SoftGrid Client Management Console  407
General Properties of the SoftGrid Client Management Tool  408
Client Applications Node  419
Client File Type Associations Node  423
Desktop Configuration Servers Node  426
Remotely Managing Another Client  430
SoftGrid Client Applet  433
Refresh Applications  433
Load Applications  433
Message History  434
Work Offline  435
Final Thoughts  437

Chapter 7  SoftGrid Sequencing Secrets  439
Inside the SoftGrid Sequencer  440
Before Sequencing an Application  440
After Sequencing an Application  448
Advanced Sequencing  454
Web-based Applications  455
Upgrading an Application Using an Active Upgrade  461
Creating an Application Suite  465
Package Branching  468
Sequence Troubleshooting  473
Accessing the Q: Drive from Internet Explorer  473
Using Process Monitor to Troubleshoot a Sequence  476
Troubleshooting Sequences by Modifying the .OSD File  478
Final Thoughts  484

Chapter 8  Client Security with WSUS 3.0 and MBSA  487
Patch Management’s Cast of Characters: WU, MU, MBSA, WSUS, SCE, and SCCM  488


Understanding the Components of WSUS  490
Installation Requirements and Prerequisites  493
WSUS Architectures  494
Simple  495
Simple with Groups  495
Centralized  495
Distributed  496
Disconnected  496
Roaming  497
High Availability  497
Installing the WSUS Server  497
Installing WSUS Prerequisites  498
Installing WSUS 3.0 SP1  498
Windows Server Update Services Configuration Wizard  500
Distributing the Windows Update Agent  502
WSUS and Group Policy  502
Computer Configuration Settings  503
User Configuration Settings  506
Client Targeting (aka Group Assignment)  506
Setting Up Our Example Environment  508
The WSUS Console  510
Computers  510
Updates  512
Downstream Servers  514
Synchronizations  514
Reports  515
Options  516
Troubleshooting WSUS  517
Event Logs and Log Files  517
Patch Distribution and Network Usage Issues  520
WSUS from the Command Line  521
Shell Commands  521
WSUS Scripts  522
Tips and Tricks for a Smooth WSUS Experience  524
Implementing WSUS Reporters  524
Implementing Network Load Balancing  525
Implementing Intranetwork Roaming  526
Hacking WSUS’s Database  527
Best Practices in Patch Management  528
Considerations for Desktops  528
Considerations for Servers  530
The Microsoft Baseline Security Analyzer  530
Performing Scans  531
MBSA at the Command Line  532


Interpreting Scan Results  533
Troubleshooting MBSA  534
Final Thoughts  534

Chapter 9  Network Access Protection with Group Policy  535
Network Policy Services and Network Access Protection  535
How You Can Use NAP  538
Setting up a Quick NAP Test Lab with Specific Goals in Mind  540
Configuring NAP via the NAP Wizard  544
Inspecting Our Wizard Work  548
Setting Up the Windows System Health Validators  549
Configuring DHCP to Use NAP  551
Testing NAP with Non-NAP-Enabled Clients  554
Preparing for Domain-Joined NAP-Capable Machines  556
NAP Clients in a Domain-Joined Environment  560
Testing out Auto-Remediation of a NAP Client  563
Turning Off Auto-Remediation and Forcing the Users to Get Help (Just for Fun)  565
Troubleshooting NAP  567
Domain-Joining Issues When NAP Is Engaged  568
Group Policy RSoP  570
Client Logs  571
Server Logs  571
Tracing  572
NPS Configuration  572
Final Thoughts  573

Chapter 10  Finishing Touches with Group Policy: Controlling Hardware, Deploying Printers, and Implementing Shadow Copies  575
Restricting Access to Hardware via Group Policy  576
Devices Extension  577
Restricting Driver Access with Policy Settings for Windows Vista (and Windows Server 2008)  581
Getting a Handle on Classes and IDs  582
Restricting or Allowing Your Hardware via Group Policy  584
Understanding the Remaining Policy Settings for Hardware Restrictions  588
Assigning Printers via Group Policy  589
Using the Printers Group Policy Preference Extensions  590
Using the Printers Snap-in and pushprinterconnections.exe  597
Final Thoughts on Zapping Printers Using the Printers Snap-in  606


Shadow Copies (aka Previous Versions)  606
Setting up and Using Shadow Copies for Local Windows Vista Machines  607
Setting up Shadow Copies on the Server  607
Delivering Shadow Copies to the Client  609
Restoring Files with the Shadow Copies Client  610
Final Thoughts  613

Chapter 11  Full Lockdown with Windows SteadyState  615
Windows SteadyState Concepts and Installation  616
SteadyState Concepts  616
Preparing for Windows SteadyState  618
Installing Windows SteadyState  619
Configuring Windows SteadyState (for Nondomain-Joined Computers)  622
User Settings  622
Global Computer Settings  627
Application Installation Strategy (for Nondomain-Joined Windows SteadyState Machines)  633
Multi-Tier Access Environments  636
Configuring Windows SteadyState (for Domain-Joined Computers)  638
Joining the Computer to the Domain and Moving It into Its OU  640
Create GPOs That Will Affect All Users Who Use the Computer  641
Testing Your Group Policy  646
Turning on Windows Disk Protection  646
Deciding When to Clean Up  648
Deploying Software When Using Windows SteadyState  652
Remotely Updating the Custom Updates Script  654
Final Thoughts for This Chapter and for the Book  656

Index  659