It’s been a very exciting several of months for us here at Microsoft, and for many of our customers and partners, sharing the excitement of Windows 7. Since its release to manufacturing in July, through this week at TechEd Europe, we’ve had a lot of Windows 7 and MDOP activities, including countless in-person launch events held around the world. We’ve also had an estimated one in two IT Professionals worldwide try Windows 7, we’ve seen hundreds of community led events, and millions of you have visited us on the Springboard Series on TechNet to get information, tools and guidance for migrating to Windows 7.

I have personally visited 12 countries in the last 2 months and had the chance to speak with many customers and partners to learn about your experiences with Windows 7. Several themes are consistent. You tell me your users are incredibly excited about the performance and productivity improvements of Windows 7 and your IT organizations are seeing great value in the enhanced security and management. I am hearing how you can both pull cost out of your organization and provide greater productivity to your users. It is very encouraging to hear this positive impact you’re seeing with Windows 7 in your organization.

You heard from some of our customers during the TechEd keynote, and we thought you might like to hear the experiences of several other customers that we have worked with and how they realized and quantified significant cost savings. We have also included some useful guidance below to help you with your deployment planning

• International energy company Statoil is deploying Windows 7 along with Windows Server 2008 R2 to provide their travelling employees with seamless access, improve information access in their branch offices, and further enhance their IT security. By using DirectAccess, BranchCache, and BitLocker, Statoil is able to provide their users with mobile and remote access as well as the satisfaction that their data is protected. Check out this Q&A with Statoil for more on their Windows 7 deployment.
• F. Hoffmann-La Roche, a Switzerland-based healthcare company, is working towards their goal of deploying Windows 7 to 5,000 of their PCs to take advantage of BitLocker’s ability to protect data stored on hard drives as well as removable USB sticks. Roche is working closely with Microsoft Services to plan and deploy their new Active Directory infrastructure as well as their Group Policy management rollout.
• The Ministry of Defense in the Netherlands is working to upgrade 50,000 of their PCs to Windows 7 through 2010. By starting their application compatibility testing early – on Windows Vista last year – they were able to get a jump start on their Windows 7 deployment plans and begin their pilot of 200 users, who have expressed excitement over the enhanced user interface and their ease of data access wherever they are.

You can hear from more customers during our live monthly Webcasts on the Windows Enterprise website. For more information specifically on cost savings early Windows 7 adopters have experienced, visit the following total cost of ownership studies:

• Getronics is seeing direct IT labor savings of $111 per PC per year
• Baker Tilly is reducing their IT labor costs by $191 per PC per year
• City of Miami is reducing their IT labor costs by $148 per PC per year

So how can we help your organization realize the benefits of Windows 7? Microsoft has an extensive set of partners that are trained and ready to help you with your deployment planning and migration to Windows 7 - since January this year we have trained more than 110K partner individuals on Windows 7 worldwide. These partners can help you assess your readiness for a Windows 7 migration, they are able to help you develop a deployment plan and can provide services to assist you in the deployment, migration and ongoing management and support of your environment.

Additionally, Microsoft Services has consultants and support professionals in 82 countries to help you out. They offer specialized services based on best practices developed in coordination with product groups and early adopter customers to help you test your applications and jumpstart your deployment, including:

• Desktop Planning and Deployment services, which provide a framework for planning and deployment of Windows 7 operating system and desktop applications. It includes planning and architecture design, proof of concept, and pilot deployment that determines the optimal way to deploy Windows 7 and Microsoft Office based on customer business requirements and organizational readiness.
• Microsoft Services Desktop Application Compatibility offering provides an end-to-end application compatibility solution to ensure that business applications and data can be used more effectively in the new desktop environment with Windows 7, Internet Explorer 8 and the latest version of Microsoft Office.
• Desktop Image Engineering creates a standardized corporate desktop image that takes into account hardware, security, performance and localization requirements, in addition to applications, deployment and management. Consultants also give your team guidance on future maintenance and change management.
• Desktop Deployment Jumpstart helps you understand the costs of developing an enterprise-capable desktop, including a current state assessment, gathering requirements, and a gap analysis against a Microsoft referent deployment solution architecture.

What are YOUR next steps? Here’s some deployment planning guidance which might help you:

• If your organization is still running Windows 2000, we recommend that you begin your application testing on Windows 7 and begin your deployment planning.
  • If you’ve already started a migration to Windows Vista, continue that deployment, as it will help you get ready for Windows 7 when the time is right for you.
• If your organization is on Windows XP, we recommend that you also begin your application compatibility testing on Windows 7 and begin your deployment planning.
  • If you’ve already started a migration to Windows Vista, continue that deployment, as it will help you get ready for Windows 7 when the time is right for you.
  • If you’re in the early stages of planning a Windows Vista deployment, we recommend that you test your applications and infrastructure on Windows 7 and our advice is to change to Windows 7.
• If you have just deployed Windows Vista, we recommend that you begin evaluating Windows 7, and consider Windows 7 as you refresh your hardware or deploy it to the users who’d benefit the most from its features.
• Don’t have access to Windows 7 Enterprise edition? If you’re an IT professional and don’t already have access to Windows 7 Enterprise edition, you can download the 90 day evaluation SKU here. This will allow you to begin testing the final released code with your hardware and application portfolio.
• Already running Windows 7? Tell us what you think! You can join the conversation at www.talkingaboutwindows.com.

Today at TechEd Europe 2009, one of our Windows 7 enterprise customers, Petter Wersland, Lead Architect at Statoil, participated in a panel discussion with Stephen Elop, President of Microsoft’s Business Division as a part of the keynote presentation. We caught up with Petter Wersland just before this appearance to get more information on their Windows 7 deployment.

Rich Reynolds: Tell me about Statoil and your role at the company.

Petter Wersland: Statoil is an international energy company based in Stavanger, Norway. We operate in 40 countries with 30,000 employees with an additional 10,000 consultants. With roughly 40,000 desktops under management, we have a significant IT team.

I’m the lead advisor within the IT infrastructure area covering the Windows ecosystem and storage solutions. I’ve been at the company since 1991, covering several positions in IT and Windows infrastructure.

We’re moving from Windows XP to Windows 7 and are looking forward to using the new functionality introduced in Windows 7. We’re preparing a rollout that includes a hardware replacement of most of the PCs in the entire company.

Rich Reynolds: How are you driving productivity in the organization? What results are you seeing with Windows 7?

Petter Wersland: We’re expecting productivity gains with Windows 7 and Unified Communication. The efficiencies we expect include enhancing the end users’ ability to collaborate across the organization and across borders. With Windows 7 we’re seeing three really great benefits: enhanced IT security, faster file access for traveling users within the company, and improved remote connectivity from Internet. For security, we’re implementing the Standard User security level and BitLocker for drive encryption. Because of these features, we’ll be able to eliminate the encryption software we currently use and expect to save $330,000 based on our current number of portable computers.

For our increasingly mobile workforce, we’re taking advantage of DirectAccess. With DirectAccess the users will have a seamless access to corporate services whether the users are connected to the corporate network or connected to Internet. We can therefore eliminate VPN for most users. Also the client management tool we use, System Center Configuration Manager, can maintain the PCs with updates and security patching while they are outside the corporate network.

We’re also hearing from employees that Windows 7 just makes their PCs snappier and more responsive– especially for laptop users. Employees who are already on Windows 7 are telling us that it is easier to move between meetings and start and stop laptops.

Rich Reynolds: What advice would you give to IT Pros?

Petter Wersland: I recommend IT professionals educate themselves on the enterprise functionality in Windows 7, Windows Server 2008 R2 and other Microsoft products. Features like DirectAccess, BranchCache, App Locker and other security features are important tools for implementation of Windows and can really benefit your organization.

Rich Reynolds: How do you approach getting approval on new projects? Any lessons learned?

Petter Wersland: In these economic times it is hard to get approval and it takes time for a significant project like this. We have noticed financial restrictions on new projects and in some cases projects have been postponed, but we’re balancing that with investments for the future of our IT infrastructure. For example, the PC replacements we are planning company-wide were originally scheduled for this year, but now we have postponed them to next year. When moving to a new version of the Operating System, you’ll need to plan time for application testing. We have about 1000 applications we support on the Windows Client and all of them needed to go through a formal testing process.

As we’ve been saying for a while, we continue hearing feedback from our customers that they are excited to test and deploy Windows 7. Baker Tilly, an accountancy firm in the UK, has taken this to the next level and has already completed deploying Windows 7 across their infrastructure. I chatted with Simon Harding-Rolls, Director of IT at Baker Tilly, to get more information on their Windows 7 deployment.

Rich Reynolds: What operating system was Baker Tilly using before their Windows 7 deployment?

Simon Harding-Rolls: Windows XP. This formed the basis of what we called "Standard Build 4" which was deployed to all desktops and laptops used throughout the firm. 

We have a policy to standardise and commoditise the provision of IT as much as possible hence the imaginatively named "Standard Build."

Rich Reynolds: Why did Baker Tilly choose to deploy Windows 7?

Simon Harding-Rolls: We needed to change, feeling that there was little more business benefit we could squeeze out of XP. After evaluating the beta versions of Windows 7 we found it to be robust, compatible with the vast majority of our applications and delivering greater performance. This was the platform we needed for (an also imaginatively named) "Standard Build 5."

Rich Reynolds: How many seats of Windows 7 did you deploy?

Simon Harding-Rolls: We have deployed to 2,318 seats over some 30 sites.

Rich Reynolds: When did you complete your deployment?

Simon Harding-Rolls: Deployment was organised by site with the last being "hit" on 17th July.

Rich Reynolds: What version of Windows 7 are you running? Assuming you’re using Windows 7 RC, when will you upgrade to the final version of Windows 7?

Simon Harding-Rolls: We have based our "Standard Build 5" on the Enterprise Edition of Windows 7 and deployed using build number 7201. This contains a number of improvements on the standard RC and was released just in time for us to deploy - but only just! A little midnight oil was required to assimilate it into our build and complete our regression testing. We plan to deploy the final version of Windows 7 during November at the same time we are rolling out Windows Server 2008 R2.

Rich Reynolds: How long did it take you to deploy Windows 7?

Simon Harding-Rolls: We deployed the system to the first site on 22nd June, so the whole task took exactly four weeks.  All the work was done outside of normal office hours so as to minimise the disruption to our users. About three hours of evening effort was required for a site of about 100 users.

Rich Reynolds: I believe Baker Tilly has a strong partnership with Dell; how did this partnership enhance your Windows 7 deployment experience? 

Simon Harding-Rolls: Our relationship with Dell was absolutely crucial in that it gave us access to the technical resources and knowledge we needed to ensure the project's success.

Rich Reynolds: What steps did you take before deploying Windows 7? Any application compatibility testing? Did you have an IT Solutions provider help outline your deployment process?

Simon Harding-Rolls: Preparation started in February and involved detailed planning, prioritising which benefits we were attempting to realise for our users, developing test builds, deploying these to a selection of users representative of the different disciplines within the firm as well as our own formal testing.  Application testing started early by completing the tests and developing regression test plans under Vista. These were then ported to the release candidate when it became available.  We have a long tradition of "self sufficiency" and therefore did not employ an "IT Solutions Provider.”

Rich Reynolds: Did you use any tools to help deploy Windows 7 across your infrastructure?

Simon Harding-Rolls: CA's Unicenter, which we have used for many years.

Rich Reynolds: Did you encounter any issues with your Windows 7 deployment? How did you overcome them?

Simon Harding-Rolls: We didn't hit any significant issues during the deployment itself. This was almost entirely down to the amount of testing we had performed prior to pressing the "green button.” Prior to the deployment there were, as you would expect, a number of issues particularly with the early builds of Windows 7: functionality not behaving quite as expected and some application compatibility issues. The former were overcome with assistance from Dell and Microsoft and the latter issues have mostly been resolved in more recent builds of Windows 7. Where this has not proved possible in the time allowed, we have deployed Terminal Server based solutions as a temporary measure to cover a couple of apps whilst the suppliers are making their software fully compatible.

Rich Reynolds: What benefits are you expecting from Windows 7? Cost savings? Energy efficiencies?

Simon Harding-Rolls: While there will be cost and energy savings, these are not our prime drivers. Windows 7 delivers greater performance and flexibility to our users. That means they can do more, wherever and whenever is most appropriate to meet the needs of our clients.

Rich Reynolds: Have you seen any benefits from your Windows 7 deployment already?

Simon Harding-Rolls: Thus far we have received over 300 emails from users. Over 70% have mentioned improved performance. That's without any prompting!

Rich Reynolds: Are there specific features you expect may save your company money?

Simon Harding-Rolls: We will be deploying DirectAccess, BitLocker and BranchCache later this year. Again, rather than pure cost saving, we will be looking to maximise the performance and flexibility of the system for our users enabling them to be more responsive to our clients' needs.

Rich Reynolds: What is your favourite Windows 7 feature?

Simon Harding-Rolls: As a partner: more productive members of staff. As Director of IT: a system that is manageable. As a user: I just love the uncluttered task bar!

Rich Reynolds: Are you using Windows Server 2008 or planning to migrate to Windows Server 2008 R2?

Simon Harding-Rolls: We are currently using both 2008 and 2008 R2 for specific production tasks. We plan to standardise our estate on R2 with the migration projects currently in development / testing with deployment planned for November.

Rich Reynolds: Are you using Internet Explorer 8?

Simon Harding-Rolls: Yes - and the users love it, both for its speed and tabbed browsing.

Rich Reynolds: What advice would you give to another corporation looking to move to Windows 7?

Simon Harding-Rolls: I'd love to say "go for it,” but every corporation's needs will be different as will their resources. For us, having seen the results of our initial evaluation, the decision was a no-brainer. In our case, programme and project risk was identified as coming from the scale of the enterprise and NOT from the fact that we were deploying new or "bleeding edge" technology.  If you do "go for it,” at the risk of stating the obvious: plan, develop, test, test again and DON’T take steps that are too big – it’s just like climbing Everest really!

Rich Reynolds: Thanks for your time, Simon!

To the other Windows 7 early adopters out there: leave a comment and let us know how you’re deployment is going. We love hearing from you and would be happy to share your story.

Hi, I’m Rich Reynolds and I am the General Manager for the Windows Commercial Marketing organization. I lead the team that drives the marketing efforts for Windows for our business customers across the Enterprise, Mid-Market and Small Business segments, along with IT Pro community engagement.

More than a week ago we shipped the Windows 7 Release Candidate to IT pros and developers, and have been taking in lots of great feedback since then. Our number one priority all along has been to deliver a well-planned, high-quality Windows release that delivers what our business customers want. The team and I have been focused on identifying and building a product that addresses our customers’ needs, and based on customer feedback, we believe we’re on the right track.

Today my boss, Bill Veghte, announced our plans to accelerate the timeframe for making Windows 7 available at retail to all customers in time for the holiday shopping season. With Windows 7 coming soon, I encourage you to download and test the Windows 7 Release Candidate in your environment and let us know your feedback. I talk to customers every day, and I wanted to share a few themes are coming through loud and clear.

Customers are telling us they worry about costs, keeping up with compliance requirements, and about the demands that mobility trends put on their infrastructure as they try to balance users’ productivity with the need to maintain efficiency and security. At its most basic level, they expect an operating system that works great. For an enterprise that means it delivers advanced security and data protection, is easy to deploy and manage, and introduces innovation to make people more productive while also retaining compatibility with hundreds or even thousands of business-critical third-party and LOB applications. Of course, these economic conditions bring unique challenges as well – such as tight budgets, and the need to be as efficient as possible.

From the initial planning of Windows 7 through to delivery of the Release Candidate, we have been deeply engaged with partners and early adopter customers to ensure we are listening to your needs and delivering a high quality product. We are working with early adopters that represent a range of global industries. These include Del Monte, BAA, Transelectrica, Continental Airlines, Pella Corporation, Bombardier Aerospace, the City of Miami, and T-Systems (Deutsche Telekom’s corporate customer unit). Partners like Intel, Dimension Data and Getronics have also helped us develop Windows 7 for their customers and also plan to deploy in their own corporate environments. Overall, we’re hearing good things. Here are a few examples:

• Headquartered in Montreal, Canada, Bombardier Aerospace designs and manufactures products in the aerospace and rail transportation sectors. They’re very interested in MDOP and BitLocker – here’s what their CTO, Pietro Greco, has to say: “We are interested in Windows 7 for its enhanced security and improved manageability which will allow us to create a more productive and efficient environment.”
• Pella Corporation, based in Iowa, designs, manufactures and installs windows and doors. They’re moving from Windows XP to Windows 7. Here’s what Jim Thomas, director of IT Operations and Infrastructure, has to say – early in the process – about their deployment: “From initial testing of Windows 7 in our environment, we’ve already uncovered reasons to believe our investments in time and resources for Windows 7 will be worth it.”
• Continental Airlines’ Managing Director, Global Infrastructure, Eric Craig says: “Continental depends upon technology, but we’re not a technology company, we’re an airline.  If my team can provide an easily managed, low cost, and functionally rich infrastructure, then Continental can focus its technology resources on business specific services.  We do this with the most modern Windows environment.”
• The City of Miami is putting Windows 7 through its paces. Like many of our customers, they like the manageability and security features. They recently held a technology day, where they demoed Windows 7 and Manuel A. Diaz, the Mayor of Miami’s question was “How soon can I get it on my desktop?” We hope that’s what a lot of people will be saying soon!

We’re encouraged by the customer and partner feedback we’re receiving and will continue to work hard to deliver a very high quality product that meets our customers demanding business needs.

More customer insight can be found at our Talking About Windows site. Check it out to hear the back stories from the engineers who developed Windows 7, and the early adoption experiences from IT professionals like you. It’s a place for you to find out more about Windows 7, join the conversation and ask questions. We’d love to hear your feedback.

To give you a sense for some of the features are customers are excited about – a customer in the manufacturing industry in Europe was particularly interested in the DirectAccess capability (also delivered via Windows 7 and Windows Server 2008 R2, with IPsec and IPv6 implementation). This technology allows users to access corporate resources from the road without having to start a VPN connection. Coupled with Federated Search capability, this customer saw the opportunity to provide easier access to the information that their people need from wherever they are, while at the same time offsetting costs associated with their existing VPN solution today.

From a technology perspective, BranchCache is also getting a lot of attention. A few weeks ago I talked to a big US retailer and they were thrilled about BranchCache. This capability, delivered by Windows 7 and Windows Server 2008 R2, allows the caching of frequently accessed data locally in a branch office. This reduces user wait time, saves network bandwidth, and reduces the need for servers in multiple branch offices. They liked the idea of their employees spending less time in the office and more time serving customers on the store floor.

And almost universally, business customers are excited about the BitLocker To Go capability. This not only allows users to easily encrypt the USB drives, it also provides an ability to enforce encryption on removable storage devices. A European bank was telling me how excited they are about this capability to protect their data, and they saw the opportunity to offset costs associated with their existing encryption solution.

I’m anxious to hear about your experiences using Windows 7. As you try it out, chime in below and let us know what you think. For business customers who have not yet started, I recommend you download and test the Windows 7 Release Candidate. The final version is coming soon and we want you not only to be excited about it, but prepared. At this site you’ll be able to download the Release Candidate and take advantage of a whole host of tools and guidance for IT Professionals to help you prepare. We look forward to your feedback.

Along with 17,000+ other security- minded professionals, I’m at RSA in San Francisco this week. For those who are not familiar with the RSA Conference, it’s the premier information security conference of the year. It attracts the best and brightest security folks from around the world. In addition, it is a great place to keep up with what’s going on in the information security marketplace. I’m at RSA to not only see what’s going on in the industry, but to also talk about some of the cool new security features in Windows 7.

We’re really excited about Windows 7’s new security features. This next OS is built upon the proven security technologies in Windows Vista and provides a fundamentally secure computing platform. We not only utilized enhanced Security Development Lifecycle (SDL) process during planning, development and testing but we also have worked to make the security features more discoverable, usable and manageable. These enhancements give Windows 7 the expanded security offerings to provide the necessary security controls to help mobile workers access the information they need to be productive, wherever and whenever they need it.

There is a lot of new stuff in Windows 7, but let me highlight some of those things that go into helping the mobile worker…

Multiple Active Firewall Policies

In Windows Vista, firewall policy is based on the “type” of network connection established—such as Home, Work, Public, or Domain (the fourth, hidden type.) This can be a security problem for IT professionals since mobile users will connect to multiple networks while on the road. For example, let’s say I get connected to the Internet through a “Public” network. As a result, the “Public” firewall policy is applied to the computer. Now, if I want to connect to the Microsoft corporate network via my VPN, the IT configured firewall settings for accessing the “Domain” corporate network cannot be applied because the first network type (and thus the firewall settings) had already been set.

Windows 7 gets rid of this IT pain through support for multiple active firewall policies. This enables my PC to obtain and apply domain firewall profile information regardless of other networks that may be active on the PC. Now IT Pros can simplify connectivity and security policies by maintaining a single set of rules for both remote clients and clients that are physically connected to the corporate network and know that the rules are appropriately applied.

DirectAccess

When I travel or am day-extending by working from home, I tend to need a lot of access to the corporate Intranet. As you can imagine, we use SharePoint a lot and a large number of our Line of Business applications are all Web- enabled. The result: I have to use our corporate VPN a lot. Unfortunately, it’s always an interruption for me to stop what I am doing and to fire up my VPN connection.

Windows 7 works in conjunction with Windows Server 2008 R2 to make working outside of the office simpler and less frustrating with DirectAccess. DirectAccess works by automatically establishing a bi-directional connection from client computers to the corporate network. As a result, as a remote user I have seamless, secure access to the corporate network anytime I am connected to the Internet, without having to manually initiate a traditional VPN connection. This helps make me more productive and allows me to focus on my work and not the remote access technology. Now whenever and wherever I travel, I can not only access my corporate email, but also open Intranet sites, shared drives, use line-of-business applications, and have full access to corporate resources that I need to do my job without having to manually create my VPN tunnel.

From a security perspective, DirectAccess is built on a foundation of proven, standards-based technologies like IPv6 and IPSec. IPsec is utilized to authenticate both the computer and user. This allows IT the capability to manage the computer even before I log on. IT can also optionally require me to authenticate with a smart card. IPsec is also utilized to provide encryption for communications across the Internet with encryption algorithms such as AES.

DirectAccess also has a cool benefit for IT Pros as well, since it provides an always on, secure mechanism to remotely manage and update the PCs of their mobile workforce. Whenever my laptop has Internet connectivity it is directly connected to the Microsoft corporate network. This gives IT more opportunity to distribute software updates and policies to me and other mobile workers and helps keep our machines free of malware and other unwanted software.

BranchCache

DirectAccess is great for the mobile worker, but what about the remote worker who works out in a branch office location? I’ve worked in many a branch office and the one thing they all seem to have in common is limited network bandwidth. Accessing large files in a branch office is always a slow, frustrating affair for me. I, like most users, prefer a snappy network and quick downloads. All the waiting that I have to do-- or you have to do -- is just lost productivity that, at the end of the day, can hurt the company’s bottom line.

Windows 7 incorporates BranchCache, another technology that works in conjunction with Windows Server 2008 R2, which helps make network responsiveness of applications and data housed within your data center feel snappy. This gives users in remote, branch offices the experience of working as if they were on the local area network (LAN) of the server they are accessing.

BranchCache also helps reduce the utilization of the wide area network (WAN). When BranchCache is enabled, a copy of any data accessed from Intranet Web sites and/or file servers is cached locally within the branch office. When another client on the same network requests the file, the client downloads it from the local cache without downloading the same content across the WAN.

The key thing for me is that it makes access to static data quick and it is all done without decreasing the security of that data. Access controls are enforced on cached files in the same way they are on original files.

BitLocker To Go

While here at RSA, it is inevitable that I will need to share data with one of my trusted partners or customers. My primary method of transferring data is to use one of the half dozen or so USB sticks I carry around in my backpack. Over time, these USB sticks end up with all sorts of different data and documents on them. As a security guy, I worry about what would happen if I lost one of these USB sticks. What if I have some confidential or customer data on one of them?

Windows 7 helps address the continued threat of data leakage with introduction of BitLocker To Go: an extension to BitLocker in Windows Vista that allows me to encrypt the disk volume of removable storage devices with a password and/or a digital certificate stored on a smart card.

BitLocker To Go was designed to facilitate the secure sharing of data on removable storage devices and was designed to work on any standard removable storage device. No special, proprietary hardware is required. So now, whether you are traveling with your laptop, sharing large files with a trusted partner, or taking work home, you can feel secure that your data is safe. Both traditional BitLocker and BitLocker To Go protected devices help ensure that only authorized users can read the data, even if the media is lost, stolen, or misused.

One last thing worth mentioning -- I can use BitLocker To Go to share data with a Windows user who is running Windows Vista or Windows XP through the BitLocker To Go Reader. This application is installed by default on removable storage volumes and allows read-only access on older versions of Windows while still allowing you to help protect your USB sticks.

AppLocker

While I feel good about protecting my data with BitLocker in case it is lost or stolen, data can still be lost due to malware or other unwanted software. When I talk to customers about keeping malware off of their systems, we always end up talking about desktop lockdown and the first topic of desktop lockdown is always removing administrative access from a majority of users. This is a great first step for any organization to take; however, workers today bring software from home, download applications from the Internet (intentional and unintentional), and access new programs through email. Many of these applications don’t need system- wide, administrative access to install or run. The result is a higher incidence of malware infections, more help desk calls, and difficulty in ensuring that only approved, licensed software is installed and utilized.

Windows 7 has a new application control solution in AppLocker. AppLocker gives control back to IT administrators and helps them eliminate unknown and unwanted software in their environment. AppLocker can be configured through Group Policy and can help manage those applications that run on corporate PCs, helping keep your organization’s data safe and your enterprise PCs manageable. AppLocker works by intercepting kernel calls that try to create new processes or load libraries and making sure that the code in question has been allowed to execute.

AppLocker just might be my favorite security feature in Windows 7, for it not only provides security protections but as an ex-IT Pro I really appreciate the operational and compliance benefits as well. Things like:

• Keeping unlicensed, vulnerable software from running in the desktop environment, including stopping workers from running applications that needlessly use consumer network bandwidth or otherwise impact the enterprise computing environment.
• Easing enterprise software deployments and maintenance through effective desktop configuration management.
• AppLocker allows users to install and run approved applications and software updates based upon their business needs.
• Helping ensure a company’s desktop environment is in compliance with corporate policies and industry regulations such as PCI DSS, Sarbanes-Oxley, HIPAA, Basel II, and others.

More to Come

This is just a small part of what’s in Windows 7 from a security perspective, and just the tip of the iceberg for the features I’ve described. Stay tuned for more information on what’s going on at RSA and more information on the cool new security technologies in Windows.

RSA is here again, and presents a great opportunity to discuss the security in Windows 7: specifically how certain features in the OS address key security-related enterprise scenarios. In today’s economic times, businesses and their shareholders need to know that when they make an investment in a product, they are doing so responsibly and securely, and the investment is sound. Windows 7 is this sound investment: it includes features that allow workers to work anywhere, while leaving IT Pros confident that business-related data and content are secure.

The world has changed a great deal in the last decade. Information workers interact with their computers in new ways and have incorporated technology into everything they do, as a result the security landscape has greatly evolved. For example, in 2001, mobile and wireless workers weren’t impacting IT decision making; today, they make up more than a quarter of the workforce. In 2008, laptops made up more than half of all devices purchased in the enterprise. With Windows Vista, we made significant investments to address many of these security concerns and developed the most secure OS to date. With Windows 7, we are carrying forward that investment.

When we began developing for Windows 7, we decided to approach our security feature enhancements in terms of user type and scenarios. We looked at a few types of workers - the mobile worker on the go, the remote worker in a branch office, the IT Pro and the security expert. All have unique needs, pain points, and styles of work - and we’re addressing each in Windows 7.

Consider being a mobile worker. The challenge for you is connectivity and access. Meanwhile, your IT Pro at the office is worried about balancing those with data protection and network security. With Windows 7, we focused on a few key features to address this scenario, and to build confidence in enterprises trying to get the most out of a mobile workforce.

• DirectAccess lets mobile workers connect quickly and securely to a corporate network over any Internet connection, without having to manually access their virtual private network. IT can leverage DirectAccess to manage the Group Policy settings and deliver updates to mobile computers, even if the user is not logged on.
• BitLocker, introduced in Windows Vista, now allows end users to right-click on a drive to quickly enable it, making it more intuitive and easier to use.
• BitLocker To Go now extends support of BitLocker drive encryption to USB removable storage devices – like our mobile worker’s flash drive (see this Springboard Series Video). Theft and loss of proprietary data from mobile devices is a great expense for businesses. However, the loss of integrity is even harder to recover.

The remote worker scenario has similar challenges to the mobile worker, but requires ease of access on a more regular basis. According to a recent study, 91% of employees work away from the corporate headquarters, with the bulk of these working in branch offices. These workers often face difficulties and long wait times accessing information off the corporate drive. With this pain point in mind, we introduced BranchCache, which lets users access information more quickly. For IT Pros, this means the assurance that branch machines maintain the same security protocols as the home office.

For home-use scenarios, employees expect the same level of connectivity and access they would have in the office. In Windows Vista, the firewall policy was based on the type of network connection established – such as Home or Work. This created an obstacle when workers logged on at home, using a Home connection and virtual private networking (VPN), because firewall settings were not set up appropriately for this scenario. So we made changes. With Windows 7, enterprises will be able to simplify their connectivity and security policies by maintaining a single set of rules for both remote clients and clients physically connected to the corporate network.

And businesses will have confidence that all remote users – whether branch office or mobile - will benefit from key improvements in IE8, including protection against XSS threats, identity theft, and new types of phishing attacks like Clickjacking. I think the work we did in IE 8 really helps put people in control of their online safety and privacy.

Finally, let’s take a look at issues people face when trying to manage these environments. Not surprisingly, IT Pros and security experts have daunting missions: they enable secure access to data for mobile, remote and local users; keep systems up to date; and track accessed data– all while attempting to drive new value for the business - it’s enough to cause IT Pro insomnia. As such, we continue to develop a range of security solutions to address evolving IT needs.

Some key examples of user scenarios empowering technology:

• AppLocker: We received feedback that workers today put software from home on their PCS, download applications from the Internet, and access programs through email. As a result, there’s a higher difficulty ensuring PCs in the enterprise environment are running only approved, licensed software. AppLocker solves this issue; it’s an administered mechanism that allows a business’ security expert to specify what is allowed to run on each user’s PC.
• Network Access Protection: This allows IT Pros to create solutions to validate computers that connect to their network and limit the access or communication of noncompliant computers.
• Microsoft Asset Inventory Service: Part of Microsoft Desktop Optimization, complements the OS security and compliance technologies by allowing our IT Pro a comprehensive view of the enterprise desktop software environment.
• User Account Control: We heard loud and clear that end-users wanted fewer UAC prompts and more control over what items they are prompted for, but we know IT Pros still need control over what’s installed or run on a machine. As a result, in Windows 7, we made specific changes to enhance the user experience, while still ensuring the same level of security.

The enterprise security features we’re discussing today are the product of hard engineering work coupled with an understanding of our customers and the security landscape. It’s important to keep in mind that some of these features only work when partnered with Windows Server; for an optimal experience, we recommend businesses use Windows 7 and Windows Server 2008 R2 together upon their availability.

We recognize the enterprise customer for Windows has evolved dramatically over the years and we’ve created solutions to address the needs of varying enterprise scenarios. It’s important to note our work is never finished! We are constantly hearing from our customers about ways to make their machines more secure and productive in their environments. We continue to listen to this feedback and apply it to our technologies. It’s our goal to build technology that lets businesses prosper in a consistently changing security landscape.