Tag: WIM

The Ten Things to Do First for Windows 7 – Part 2

October 28, 2009 by Jason

The first part of this article is here.

6. Prepare for distributed security.

During your initial strategy meeting, set aside time to discuss how you want to handle the many distributed security features in Windows 7. You’ll want to determine a course of action early in the project because those decisions will have a substantial impact on your test matrix.

First, consider whether you want to turn on the desktop firewall. When OS-based desktop firewalls were first introduced in XP SP1, many organizations turned them off with a Group Policy and that was that. The firewall in Windows 7 is much more flexible and warrants reconsideration. You can turn off the firewall while the machine is connected to the domain and turn it on when the machine is connected to a home/work network or to the Internet. You can define granular exclusions, too. Try a mix of options with the first wave of pilot users; take their feedback, along with input from your security team, to make a final decision on firewall settings. They’re completely configurable by Group Policy.
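As an added example (not from the original post), here is the per-network-location configuration described above, written for the netsh advfirewall context that ships with Windows 7, with one granular exclusion and the commands that verify what a pilot machine actually ended up with. The rule name and the program path are assumptions for illustration; in production the same settings are delivered by Group Policy rather than typed on each machine.

```powershell
# Added example, not part of the original post. Run from an elevated prompt.
# Profile states as discussed above: firewall off on the domain profile,
# on for home/work (private) and public networks.
netsh advfirewall set domainprofile state off
netsh advfirewall set privateprofile state on
netsh advfirewall set publicprofile state on

# Granular exclusion: allow inbound connections to a single line-of-business
# agent, and only while on a home/work network. Name and path are assumed.
netsh advfirewall firewall add rule name="LOB Agent (assumed)" dir=in action=allow program="C:\LOB\agent.exe" profile=private enable=yes

# Verify the resulting state and the exclusion before collecting pilot feedback.
netsh advfirewall show allprofiles state
netsh advfirewall firewall show rule name="LOB Agent (assumed)"
```

Capture the output of the two show commands from each pilot group so the security team compares real machine state, not the intended policy, when making the final decision.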

Second, do you want to use AppLocker to restrict applications permitted to run on your desktops? AppLocker allows you to put together a whitelist of approved executables that you can select individually by file hash, in groups by location or in groups by publisher (that is, signed by the publisher’s certificate). Once configured, these rules are downloaded by Windows 7 clients running the Application Identity service. From that point forward, only the whitelisted apps can execute. All other executables are forced to sit on the sidelines, kind of like me during my high-school athletic career.
Because AppLocker permissions are applied via Group Policy, you can tightly target the rules to computers based on OU, group membership or WMI filters.

Sifting through a mountain of applications trying to determine which should be on an AppLocker whitelist doesn’t sound like much fun, but the situation shouldn’t come to that. Most line-of-business machines have a fixed and limited suite of apps. Start there. After all, if you can keep the night crews from plugging flash drives into your factory kiosk machines to run games rather than build widgets, you’ve solved quite a few operational problems. Deal with the back-office machines later.
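As an added example (not from the original post), the following script builds the kind of whitelist described above for a line-of-business machine with the AppLocker PowerShell module that ships with Windows 7 (Enterprise and Ultimate editions): it inventories the approved applications, prefers publisher rules for signed binaries and falls back to hash rules for unsigned ones, dry-runs the policy against another directory to see what would be blocked, and only then applies it locally for a pilot. The directory C:\LOB\ and the policy file path are assumptions; production rollout goes through Group Policy as the post says.

```powershell
# Added example, not part of the original post. Requires Windows 7
# Enterprise/Ultimate and an elevated PowerShell session.
Import-Module AppLocker

# 1. Inventory the fixed application suite on the reference machine (assumed path).
$files = Get-AppLockerFileInformation -Directory 'C:\LOB\' -Recurse -FileType Exe, Script

# 2. Build rules for Everyone: publisher rules where the file is signed, hash rules
#    otherwise. -Optimize merges rules that share a publisher.
$policyXml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'LOB' -Optimize -Xml
$policyPath = 'C:\Policies\LobAppLocker.xml'   # assumed path
$policyXml | Out-File -FilePath $policyPath -Encoding Unicode

# 3. Dry run: list executables elsewhere on the machine that this policy would stop.
#    PolicyDecision is Allowed, Denied or DeniedByDefault (no matching allow rule).
Get-ChildItem -Path 'C:\Program Files' -Recurse -Filter *.exe |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Select-Object FilePath, PolicyDecision

# 4. Pilot: apply the policy locally and make sure the Application Identity
#    service is running, since rules are not evaluated without it.
Set-AppLockerPolicy -XmlPolicy $policyPath
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

Review the output of step 3 with the pilot users before step 4: anything they legitimately need that shows up as DeniedByDefault belongs in the inventory directory, not in an ad-hoc path rule added later.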

Windows 7 Automatic Installation Kit

August 31, 2009 by Jason

The Windows Automated Installation Kit (AIK or WAIK) is among the free tools of choice when it comes down to building custom Windows 7 images and deploying them in a specific environment. But as much as the Windows Automated Installation Kit is capable of streamlining the installation process of custom-built Windows 7 images, it does come with a few limitations that IT administrators should be aware of. For example, they could find that it is impossible to put together an unattend.xml file from within the Microsoft Deployment Toolkit 2010 for a custom Windows 7 x32 image.

The reason is related to the limitations of WAIK. Specifically, “if you run Windows 7 x32 and WAIK x32 you can create unattends for both x64 and x32 custom images. If you run Windows 7 x64 and WAIK x64 you can not create unattends for x32 custom images. Running x32 WAIK on Windows 7 x64 is not supported,” revealed Richard Trusson, a senior consultant with Microsoft Services, UK.

Essentially, admins who are running 64-bit computers will only be able to build catalogs for x64 WIMs. This limitation dates back to the Windows Vista period. Microsoft explained that WAIK in Vista leveraged the servicing stack binaries in the image in order to create the catalog. In this context, Microsoft did not see it as necessary to include the binaries in WAIK. But the decision ended up impacting WAIK.
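As an added example (not from the original post), the following function applies the rule quoted above as a check before a WIM is opened in Windows SIM: it reads the image architecture from DISM's /Get-WimInfo output, determines the host's bitness, and reports whether the installed WAIK on this host can build a catalog for that image. The WIM path in the usage line is assumed; DISM is called as it ships on Windows 7.

```powershell
# Added example, not part of the original post.
function Test-WaikCatalogSupport {
    param(
        [Parameter(Mandatory = $true)][string]$WimFile,
        [int]$Index = 1
    )

    # Host bitness: a 32-bit PowerShell on x64 Windows reports x86 in
    # PROCESSOR_ARCHITECTURE, so prefer PROCESSOR_ARCHITEW6432 when it is set.
    $hostArch = if ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } else { $env:PROCESSOR_ARCHITECTURE }

    # DISM prints an "Architecture : x86" or "Architecture : x64" line for the
    # selected image index.
    $info = & dism.exe /Get-WimInfo /WimFile:$WimFile /Index:$Index
    $imageArch = $null
    foreach ($line in $info) {
        if ($line -match '^\s*Architecture\s*:\s*(\S+)') { $imageArch = $matches[1]; break }
    }
    if (-not $imageArch) { throw "Could not read the image architecture from DISM output for $WimFile" }

    # Rule from the post: x64 WAIK on x64 Windows cannot build catalogs for x32 (x86)
    # images; x32 WAIK on x32 Windows can build catalogs for both.
    $supported = -not ($hostArch -eq 'AMD64' -and $imageArch -eq 'x86')

    New-Object PSObject -Property @{
        WimFile           = $WimFile
        ImageArchitecture = $imageArch
        HostArchitecture  = $hostArch
        CatalogSupported  = $supported
    }
}

# Usage (assumed image path):
Test-WaikCatalogSupport -WimFile 'D:\Images\Win7-LOB-x86.wim'
```

When CatalogSupported comes back false, the practical workaround implied by the quoted limitation is to generate the catalog and unattend.xml on a 32-bit Windows 7 machine with the 32-bit WAIK and copy the resulting files across, rather than installing the 32-bit WAIK on the 64-bit host, which is unsupported.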