
The things that are better left unspoken

a blog by Sander Berkouwer


7 Things to look for in Windows 7 PC Hardware

With Windows Vista amounting to a 31% market share in enterprise environments, many big companies will be making the switch from Windows XP to Windows 7 directly. In the eight years between their respective launches, a lot has changed in the world. Not just in the world we know, but also in the world of hardware. Windows Vista and Windows 7 support a lot of these new technologies and even build upon them to provide functionality not found in previous versions of Windows.

To benefit from some of Windows’ functionality you’ll need specific hardware. This post shows you the system specifications to look for in future standardized workstations and laptops. It may help you to determine whether those old crusty workstations will be prime targets for your Windows 7 deployment project…

    

1. Smooth operation

Windows XP is not a memory-hungry operating system by today's standards. Running smoothly with 512MB RAM is not something Windows Vista or Windows 7 can pull off. But at least Windows 7 gets by with less RAM: a system that opens and manipulates Office files with a couple of other applications open needs less than the 2GB of RAM you’d need in a Windows Vista rig to get equal ratings on the quality of the IT environment from your colleagues.

Together with some colleagues I’ve performed my own tests and came to the following conclusions:

  • Windows 7 and 1GB RAM work together for light and medium office purposes
    (2-6 applications open at the same time)
  • Most new PCs nowadays are sold with 2 GB RAM.

When you’re running more demanding programs, even on rigs with 2 GB RAM, you’re likely to run into a performance bottleneck. When Windows needs to allocate more RAM than is physically available, it will use the page file on the hard disk. Since disk storage is slower than RAM, this significantly hits performance. Adding RAM solves this problem.

Also, ReadyBoost, a feature that has been around since Windows Vista, can be used. Instead of using the page file on disk to expand RAM, first a file on a flash drive will be used. Flash drives are usually faster than disk storage. When using USB media, make sure it’s at least 256MB in size, USB 2.0 compatible and plugged into a USB 2.0 socket.

      

2. BitLocker Drive Encryption

Requires

  • a Trusted Platform Module (TPM) chip on the motherboard (version 1.2 or later), or USB support in the system BIOS
    (and USB media you’re destined to lose…).
  • Windows 7 Enterprise
  • Optional: Active Directory schema update

One of the most promising features in Windows Vista Enterprise and Windows 7 Enterprise is the BitLocker functionality. In Windows Vista with Service Pack 1 and later it allows for encryption of the contents of the partitions on the hard disk. In Windows 7 it also allows for encryption of removable storage, which is called BitLocker To Go. BitLocker can be enabled in many ways, but the most robust way requires a Trusted Platform Module (TPM) chip on the motherboard. The chip needs to be version 1.2 or later.

Without a suitable TPM chip BitLocker can only be used to encrypt the contents of the hard disk using a USB device, containing a startup key. This mode requires that the BIOS on the protected machine supports the reading of USB devices in the pre-OS environment, which would be an alternative system requirement to the TPM chip requirement.

An Active Directory schema update and accompanying tools are available to store recovery keys in Active Directory to allow central recovery of data on unbootable systems due to corrupted USB devices and messed-up TPM ownership.
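To sort existing machines into the two BitLocker modes described above, the TPM data that Windows exposes through the `Win32_Tpm` WMI class can be evaluated as follows. This is an added example, not code from the original post; the function name `Get-BitLockerHardwareMode` and the inventory rows are hypothetical and constructed for illustration.

```powershell
# Added example; the function name and the inventory rows are hypothetical/constructed.
function Get-BitLockerHardwareMode {
    param(
        [string]$SpecVersion,       # Win32_Tpm.SpecVersion, e.g. "1.2, 2, 3"; empty if no TPM
        [bool]$Enabled   = $false,  # Win32_Tpm.IsEnabled_InitialValue
        [bool]$Activated = $false   # Win32_Tpm.IsActivated_InitialValue
    )
    # No TPM instance: only the USB startup key mode from the post remains. Whether the
    # BIOS can read USB media before the OS loads is not visible here; check it by hand.
    if ([string]::IsNullOrEmpty($SpecVersion)) { return 'USB startup key (no TPM found)' }

    # SpecVersion lists "version, revision level, errata"; compare the first field only.
    $first = ($SpecVersion -split ',')[0].Trim()
    try { $version = [version]$first }
    catch { return 'USB startup key (TPM version unreadable)' }

    if ($version -lt [version]'1.2') { return 'USB startup key (TPM older than 1.2)' }
    if (-not ($Enabled -and $Activated)) { return 'TPM, after enabling and activating the chip' }
    return 'TPM'
}

# Constructed sample rows standing in for collected Win32_Tpm data.
$inventory = @(
    @{ Name = 'PC-A'; SpecVersion = '1.2, 2, 3'; Enabled = $true;  Activated = $true  },
    @{ Name = 'PC-B'; SpecVersion = '1.1, 0, 0'; Enabled = $true;  Activated = $true  },
    @{ Name = 'PC-C'; SpecVersion = '';          Enabled = $false; Activated = $false },
    @{ Name = 'PC-D'; SpecVersion = '1.2, 2, 1'; Enabled = $false; Activated = $false }
)
foreach ($pc in $inventory) {
    $mode = Get-BitLockerHardwareMode -SpecVersion $pc.SpecVersion `
        -Enabled $pc.Enabled -Activated $pc.Activated
    '{0}: {1}' -f $pc.Name, $mode
}

# Live data for one machine (elevated prompt):
# $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
# Get-BitLockerHardwareMode -SpecVersion $tpm.SpecVersion `
#     -Enabled ([bool]$tpm.IsEnabled_InitialValue) -Activated ([bool]$tpm.IsActivated_InitialValue)
```

The script sticks to PowerShell 2.0 syntax, the version that ships with Windows 7.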

    

3. Windows XP mode and MED-V

Requires

  • a CPU with
    • Intel® Virtualization Technology or
    • AMD-V™ features
  • Virtualization features enabled in the system BIOS
  • 1.5 GB of additional hard disk space
  • 512 MB of additional RAM
  • Windows 7 Professional, Windows 7 Enterprise or Windows 7 Ultimate

Recommended

  • Windows 7 licenses with Software Assurance and Microsoft Desktop Optimization Pack for Software Assurance (MDOP) licenses for large-scale deployments

For 100% 32bit Windows XP compatibility in Windows 7 Professional and Windows 7 Enterprise, Microsoft offers a feature called Windows XP Mode. Leveraging the power of Windows Virtual PC (the successor to Virtual PC 2007), it simultaneously boots up a virtualized and optimized instance of Windows XP. The built-in USB support allows the virtualized Windows XP instance access to USB devices, which can be used with legacy Windows XP drivers. Using the Application Publishing functionality, programs installed in the virtualized Windows XP instance show up in the Start Menu of the Windows 7 host.

Where Windows XP Mode can be used on an ad-hoc basis to address specific compatibility needs, Microsoft Enterprise Desktop Virtualization (MED-V) can be used for large-scale, centrally manageable deployments once a Windows 7-compatible version of MED-V is released (v1.0 SP1 should do the trick) as part of the Microsoft Desktop Optimization Pack for Software Assurance (MDOP).

Microsoft Enterprise Desktop Virtualization (MED-V) is a compatibility solution based on policies to deploy, stream, secure, expire and update virtualized Windows installations on top of Windows Virtual PC. MED-V is based on technology from Kidaro, a 2008 Microsoft acquisition.

    

4. Multi Touch

Requires

  • a Multi Touch capable screen or touchpad
  • Windows 7 Home Premium, Professional, Enterprise or Ultimate.

Windows Touch has been around for a while now, and even had its own Windows edition in its heyday (Windows XP Tablet PC Edition). But the Touch interface as it’s found in Tablet PCs has had a major upgrade, with the arrival of Multi Touch functionality in Windows 7.

To take advantage of Windows Multi Touch, the computer needs to be equipped with a Multi Touch capable touchscreen or trackpad. Although the multi touch touchscreen delivers the richest (Microsoft Surface-like) experience, a multi touch trackpad can also deliver the multi touch functionality needed for some business cases.

Note:
While Windows Multi-Touch offers capturing multiple concurrent touches, an application running on top of Windows will also need to offer this functionality.

      

5. Sleep

Requires

  • a Windows 7-compatible ACPI BIOS
  • Windows 7 compatible drivers
  • Windows 7 Home Basic, Home Premium, Professional, Enterprise or Ultimate.

One of the big and direct money-saving features in Windows Vista and Windows 7 is the way the computer will go to (hybrid) sleep when not used. Estimates of the impact of this feature, which is enabled by default, range from €60 per year per PC to comparing a migration from Windows XP to Windows Vista or Windows 7 with cutting the emissions of 10 average cars…

To stay asleep, all connected devices need to work together. A USB mouse should not wake up the PC when the mouse is barely touched. To resume from sleep successfully, the BIOS of the PC should have a Windows 7-compliant ACPI, which means it should support ACPI revision 4.0, dated June 16, 2009.

     

6. DirectAccess

Requires

  • Windows 7 Enterprise or Windows 7 Ultimate
  • A server, installed with Windows Server 2008 R2, with two Network Interface Cards (NICs), configured as DirectAccess server and a member of the Active Directory infrastructure, placed on the perimeter network (also known as DMZ). One of the NICs of the DirectAccess server needs to be connected directly to the Internet, the other NIC needs to be connected to the intranet. On the DirectAccess server, at least two consecutive, public IPv4 addresses need to be assigned to the NIC connected to the Internet.
  • At least one server configured as a web server.
  • IPv6 connectivity on the corporate network (intranet) or a server configured with Microsoft Forefront Unified Access Gateway (UAG) configured as an IPv6/IPv4 DNS and IPv6/IPv4 NAT to provide access to IPv4-only hosts.
  • Active Directory infrastructure with at least one Domain Controller running Windows Server 2008 with Service Pack 2 or Windows Server 2008 R2.

Recommended

  • Active Directory Certificate Services recommended (certificates are required if the DirectAccess server needs to enforce client health)
  • Use of smartcards recommended, requiring a smartcard and smartcard reader per DirectAccess user.

Laptops and other domain-joined portables are hard to manage when they’re not connected to the corporate network. Also, in these situations, line of business (LOB) applications are unusable most of the time, except when a VPN or dial-up connection is in use.

With DirectAccess, domain-joined computers can be connected to the corporate network whenever an Internet connection is available. There’s no need to VPN into the corporate network, since DirectAccess is configured centrally and settings are figured out automatically by the client.

When a computer is connected through DirectAccess, it is manageable. Group Policies can be used when the minimum amount of bandwidth is available (slow link detection).

To make DirectAccess truly secure, use it in combination with Network Access Protection (NAP). For this to work you will need to work with certificates and the only truly secure way to store user certificates is to use smartcards. Many laptops have built-in smartcard readers. If you’re looking to deploy DirectAccess with vision, look for equipment with built-in smartcard readers (for laptops) or USB-attached smartcard readers (for desktops).

        

7. Future upgrades

Remember when Windows Server was a 32bit Operating System? With Windows Server 2008 R2 only 64bit versions of the Windows Server Operating System are available. Two questions remain at the end of the day when discussing Windows client upgrades:

  1. Will the 32bit version of the next Windows client be a mainstream version in terms of software compatibility, software deployment and support?
  2. Is there any reason not to deploy Windows 7 as a 64bit client in terms of software compatibility, software deployment and support in your current environment?

I guess the answer to the first question is ‘yes’. In most cases I think the answer to the second question is also ‘yes’, especially since some PCs already come with an amount of RAM not fully supported by a 32bit Windows client installation: 4GB.

If you’re looking to keep your options open for future upgrades, deploy 64bit installations of Windows 7. Remember though: 64bit Windows installations will only accept signed drivers.

Posted: Friday, December 18, 2009 11:12 PM by Sander Berkouwer

Comments

nielsb said:

Hi Sander,

Since you wrote about Direct Access as a new feature in Windows 7 I was wondering why you didn't write anything about the Branch Cache. Granted, it doesn't impact the hardware configuration, but neither does Direct Access. Branch Cache isn't as sexy a feature as Direct Access but for environments with small branch offices it can be an extremely useful feature and maybe even a reason to switch to Windows 7 (in combination with a Windows 2008R2 fileserver that is). Or am I now breaking your 7 points which fit so nicely with the Windows 7 name :-)

Kind regards,

Niels Ballis

# December 21, 2009 7:30 AM

Sander Berkouwer said:

Hi Niels,

You're right. DirectAccess doesn't require any specific hardware, when deployed in its simplest form. However, DirectAccess may require smartcards and smartcard readers when additional security is needed.

BranchCache does not have any hardware needs. The basis of BranchCache is version 2.1 of the SMB protocol. This means that, eventually, even a Linux server running Samba may be able to serve as a BranchCache host. For now, Windows Server 2008 R2 is needed as a file server in BranchCache scenarios. Now, deploying BranchCache with Linux fileservers would make BranchCache sexy, wouldn't it? ;-)

# December 21, 2009 1:00 PM