MDM & GP Tips Blog

The Office 2010 deployment story using Group Policy doesn’t get any better than Office 2007. You could argue it gets worse. There is no longer any possible way to deploy Office 2007 via Group Policy (outside of 3rd party tools like Specops Deploy.)

I found this plucky little document entitled “Deployment Options for Microsoft Office 2010” found here http://tinyurl.com/yfredq2.

In short, there’s a PDF, Visio and XPS document showing Microsoft’s sanctioned ways to deploy Office. Yes, Group Policy is on the list, but it’s the same way as Office 2007: Group Policy using Startup Scripts.

Just for fun, I tried deploying Office 2010 using Group Policy Software Installation. No dice. There’s a single error message in the event log with a non-obvious message about the failure.

Great.

So, here are the official steps (which will work for both Office 2007 and Office 2010). This is my suggested method for deploying, since the other options are spendy.. (click MORE) to read the answer.

Step 1: Create a config.xml File
We saw the Office 2007 version of this earlier. It’s the same idea in Office 2010. It’s used when clients initially install Office 2010. You can set the installation to be silent, for instance.
At last check the Config.xml file for Office 2010 was documented here… Shortened to http://tinyurl.com/ye4sorx.

Step 2: Create a Custom MSP File
Like Office 2007, the Office 2010 config.xml file in Step 1 can only take us so far. Again, to create more Office simply run setup.exe /admin, and-voila!-the Office 2010 customization tool.
At last check the Office Customization Tool (OCT) can be found here: Shortened to http://tinyurl.com/ybtkxen
Again, it produces .MSP files.

Step 3: Place your MSP in the “Updates” folder
At installation time, you can have clients embrace the customizations you set in Step 2. Simply put the MSP file in the “Updates” folder on the network installation point of Office.

Step 4: Use Startup Scripts to Deploy Office 2007 or Office 2010
Use this suggested start up script to kick off you Office 2007 or Office 2010 installation: http://go.microsoft.com/fwlink/?LinkID=94264
You can use the script to ensure that you’re selecting the proper config.xml file you created in Step 1.

Optional: Re-Patch Your Target Machines
You can always create a specific MSP file for a specific machine or two using the OCT. For instance, maybe you just want one or two machines to not have Microsoft Access 2010.
After creating the MSP file, use the information about msiexec /p I detailed in the section “Using MSIEXEC to Patch a Distribution Point” in my book.

Except you don’t update the distribution point. Instead, you patch the specific machines, individually.

You’ll likely need another startup script to figure this out if you want to target specific machines.

If you’ve found a creative way to work around these Office 2007 or Office 2010 issues, I want to hear about it. Be sure to e-mail me and let me know your best techniques for deploying a customized Office 2007 or Office 2010 installation using Group Policy.

I read the paper every day. I get the Wall Street Journal delivered to my house.

Say what you will about the Wall Street Journal, but there’s some (usually) great stuff in there.

Anyway, on Monday there was an article called

“It’s a FREE country… so why can’t we pick the technology we use in the office?”

You can catch up with the article here…

But I think the WSJ missed the point. The article’s premise about why we (IT) continues to use older technology.

First off, if you look at the “Green IT” picture they have (with the birds) you can see that’s an Amiga 500 keyboard with a drawn-in monitor on top.

Heh.

Anyway..

Here’s the premise (quoted directly from the article):

“
Companies now have an array of technologies at their disposal to give employees greater freedom without breaking the bank or laying out a welcome mat for hackers. “Virtual machine” software, for example, lets companies install a package of essential work software on a computer and wall it off from the rest of the system. So, employees can install personal programs on the machine with minimal interference with the work software.
…
In my case, I’ve installed a search engine called Google Desktop that lets me quickly scour my hard drive for files, and a product by Xobni Corp. that does something similar for Outlook email, even though neither is approved by my IT department. And those programs have made a world of difference. In a simple test, it took Outlook two minutes to track down an email from a few months ago, based on a few search terms. Xobni found the message before I finished typing the words.
“

Ow. Sorry, WSJ, you’re missing it guys.

I’m not exactly sure where to start, or how long I want to rant here, so, I’ll just tackle one or two points here.
Here’s the “Jeremy Op-Ed” part…

These “let users do what they will” strategies may, yes, may indeed work out. But not in all cases. They do certainly work out great in “free-wheeling” offices with low numbers of users, and tech-savvy users. They can work where users are willing to partially pay for the direct and indirect costs involved.

This relates to my world. Heck — I actually use Xobni too, and it’s great. But it didn’t work for a while, and I had to figure out how spend my own time on to fix it.

But this strategy is simply not for everyone.

Ultimately, giving up control to the users means more work for an already-overworked IT department.

Giving choice to users means, opens up scenarios that most IT departments would not like to think about.

“Sir, are you running IE, Firefox, Opera or Safari? Great. Um, let me Google, er, Bing to see how to clear out the cache.. hang on.”

(Meanwhile that support call cost the company $125 in hard or soft dollars.)

Ow.

I’m all for giving users what they want — if they can support it themselves and not drain IT resources. But the reality is in most enterprises, giving users “more stuff” end up meaning “MORE WORK” for us, the IT department.

The WSJ goes on to detail one company (Kraft) which allows employees to choose non-standard Macs instead of PCs.

PS: I’m NOT anti-Mac, by the way.. I’m anti-de-standardization. (Hey, I just made up a word!) ?

“
Employees who choose Macs are expected to solve technical problems by consulting an online discussion group at Kraft, rather than going through the help desk, which deals mainly with Windows users.
“

Is this the right solution to the problem? Can users be self-supporting in a complex environment like yours?

And what about virtualization? The WSJ’s idea that you can just give em a VPC and go seems shortsighted to me. Those machines still need patching, lest they get infected and spit evil goo upon other virtual and real machines. There’s no mention of the enterprise-wide virtual desktop issue.. Things that Microsoft Med-V and VMware’s ACE try to solve.

Long story short… I think the WSJ missed the point.

We (IT) don’t control because we WANT to. We control because we HAVE to.

Group Policy is the “in the box” way to control Windows machines. We make things “more standard” to make them “more supportable.” More supportable means that we, in IT have a limited set of issues to troubleshoot, instead of an UNLIMITED set to troubleshoot. (At least we hope.)

I’m all for more freedom, if it doesn’t take US and OUR EYES away from the prize.

What’s the right way to handle this?

Maybe we should all be running Amiga 500s. (I kid.. I kid.. I’m a kidder.)

Comment on my BLOG to continue the discussion.

The link is here:

http://dev.gpanswers.com/blog/617-the-wsj-missed-the-point.html

Thanks team!

Thing 4: Gold for the Price of Silver (Repeat from Monday!)
——

I am running a little “Special” on my Group Policy Online University classes. I have exactly SIX people I can offer this deal to, so here goes:

-You get the GOLD kit for the price of the SILVER kit.

What’s in the GOLD kit? Check out
http://dev.gpanswers.com/training/online-training-faq.html
and read item #10 for what, exactly, is in the box.

Oh, and you get FIVE “mentoring credits” to use with me — for your own personal course troubleshooting.

And, longer view times, extra perks, yada yada yada…

So, if you’ve always wanted the killer GOLD kit,
but wish it was at a discount,
I have exactly SIX gold kits I can do this for.

So, head over to
http://dev.gpanswers.com/training/online-class-signup.html
click the GOLD kit.

Then, at checkout time, use coupon code
GOLD4SILVER
for your “Gold for the price of Silver” kit.

Note the discount taken off means you’ll still have to pay for shipping ($50); the deal is good, but hey, I’m not crazy.

Again, six kits only at this price. When they’re gone, they’re gone. Don’t delay if you’ve always wanted one !

This just in from someone who finished the GPU online courses:

“
Jeremy is absolutely the best presenter and instructor I have seen. I really would like to get the same type of instruction for other IT courses. He has a wonderful way of sharing his knowledge in a simple, effective way that leaves you thinking “Wow! That makes so much sense. ” After taking his “Group Policy Online University” courses and reading his books I feel like a pro — truly understanding Group Policy. And whenever I have a question, Jeremy is always there to help. I really liked the fact you can review the online course TWICE. It’s almost like getting TWO courses in one. Add in his weekly tips and simply you can’t go wrong. Thanks Jeremy — and your staff for creating a great learning experience that I benefit from every day.
“
— Glen Morris, Network Administrator, Mondial Assistance

Thanks Glen ! Glad you’ve got that “GP stuff” handled at this point and ready to make your company more productive!

Who’s ready to learn and be like Glen ? Is it you?

Click:
http://dev.gpanswers.com/training/online-class-signup.html

Use:
GOLD4SILVER at checkout time.

I’m practically handing you over the keys to car. Get smarter starting today.

Jeremy Moskowitz
GPanswers.com (Group Policy Community)
PolicyPak.com    (PolicyPak Software)

Today’s the day where you’re going to start to be bombarded with bajillions of messages about  how Windows 7 is the best operating system ever produced.

Look, that’s not for me to say — history will shake out and tell us all over time. It  might end up being the best selling operating system ever produced; and it might have  already even hit that mark for all I know, but that’s another topic.

Here’s my 2¢ of Jeremy wisdom (if there is such a thing)..

In the coming days, weeks, and possibly months, you’re going to hear about every  possible Windows 7 feature under the sun to “make your life better” and “more  wonderful” and “Oh, look! Shiny shiny shiny.”

I don’t have any beef with features like Multi-Touch, or Aeropeek or Aeroshake.

(Okay, well, maybe Aeroshake…  I’ve turned it off.)

But as IT Pros and managers, we need to be focused and ready to understand what’s  important to US and our businesses, versus all the gook from TV advertisements, Twitter tweets, and fancy-pants demos.

Indeed, Microsoft’s pseudo-tagline for Windows 7 is “A billion options.”

Ow. That kind of hurts my brain.

I guess what I’m trying to say is: It’s ALL good stuff. But, in the words of the late Clara Peller, “Where’s the beef?

And here’s the good news: there IS beef there. It’s just that we, as IT geeks, need to be conscientious and thoughtful about discerning and filtering out the incoming “shiny, shiny, shiny” messages from the “what really matters” of Windows 7.

So, in the days and weeks to come, with all the hubbub about Windows 7, we should try to focus in on key points where Windows 7’s new technologies can help our business grow,and be prosperous.

If I had to pick three areas to focus on initially (to get the most bang for the buck)  I would focus on…

Management: Group Policy improvements, GP Prefs improvements

Efficiency: GP + Powershell, Powershell for other non-GP tasks, DirectAccess

Security: AppLocker for system protection, Bitlocker for whole drive encryption

That’s not to say there aren’t OTHER areas to possibly focus on; these are just my opinions.

So, welcome Windows 7. It’s shiny. It’s beefy.

Let’s eat !

PS: This blog entry is on the home page of GPanswers.com. Re-Tweet if you like!

PS: Tip… Online Group Policy Training at www.GPanswers.com/training gets you a jump on Windows 7 today.

PPS: Note… I have one seat left for the live Orlando class next week. If you think you can make a miracle happen and join us, you HAVE TO CALL us at 302-351-4903. No more seats available thru the website

Team:

Check this out.

Let’s say you had a Windows 7 management machine and also a Windows Server 2008 (or 2008 R2) as your management machine.(In “Jeremy-parlance” a “management machine” is where you run the GPMC from.)

Turns out that on Windows Server 2008 and 2008 / R2, there’s a gaggle of “extra” policy settings !

Seriously, this is weird, so stick with me.

Click here:
…and you’ll see the Windows 7 management machine view of the Computer Configuration | Policies | Administrative Templates | System | Group Policy node.

Click here:
…and you’ll see shows the same thing, except seen from a Windows Server 2008 management machine.

So, what are these “missing” definitions?

These are the settings used to control, manage and monitor the Group Policy Preferences settings. The very “way” GP Prefs “operates.” You’ll see specific Group Policy Preferences items like “Printers Policy Processing”, “Shortcuts Policy Processing”, “Start Menu Policy Processing” and all sorts of other Group Policy Preferences-specific settings.

And my favorite strangeness in this area is “Registry Policy Processing” (with an upper case P in Policy) right next to its cousin “Registy policy processing” (with a lower case P in policy.) The lower case P policy (Registry policy Processing) is about how we handle the stuff inside the “Administrative Templates” node; ya know – “normal” Group Policy settings like “Prevent Access to the Control Panel.” The upper case P policy setting (Registry Policy Processing) is about the “Registry node” in the Group Policy Preferences (Chapter 10 in the Green book)

Bizzaro, but now at least it’s understandable.

Look closely, and you’ll also see another whole node within the Group Policy node called “Logging and tracing.”

Okay, so what gives?

I’ll go more into this at another time, but since you can’t wait that long, here’s the abbreviated version. In short the “definitions” of what’s possible in Group Policy-land are stored in ADMX files Turns out, though that Windows 7’s RSAT and Windows Server 2008 don’t ship with the exact same definitions.

Kooky. The “missing” Group Policy settings are only available in Windows Server 2008’s “set” of definitions. And, yes, that set is downloadable if you don’t want to rip it out of an existing Windows Server 2008 machine.

To catch-up your “Windows 7 management machine” download and utilize the files here http://tinyurl.com/mb6x5v (though there are sure to be updates for Windows Server 2008 R2, so, I would try to track those down when available.)

Don’t be caught off guard if a GP Prefs problem occurs… now you’re in the know!

Some discount seats left for the Group Policy Master Class training in Orlando.

Sign up at https://www.gpanswers.com/training/live-courses.html

Use Coupon code NEXTSIXORLANDO to get $200 off the whole week !

Great News!  The Windows 7 and Windows Server 2008 R2 Group Policy spreadsheets have been released! 

Microsoft has also placed all of the spreadsheets into one download page for easier access.

Click here to access the download page.

Let's go right to the punchline: Overall; positive.

Okay, now let's get to what's great, what's not and what's just weird.

Actually, before we do that, let's start off with my new hardware. If you know me, you know I love to do demos. I do demos left and right in my training courses, at WinConnections and TechEd, and other sundry events.

And, of course, I need to use a laptop lug around and do that. My laptop of choice has always been Dell. I've been a Dell man, since, well, Dell Laptops had TRACKBALLS in them, and not touchpads.

Yes, _that_ long.

Now, for the first time ever I went Lenovo. Honestly, the new Dell E series just seemed too "humongo" for me. The whole package, including the power supply just looked too.. Bulky.

Yep, that was my "very technical reason" for not getting another Dell. I'm sure they're great inside, but their aesthetics (at least compared to my Dell D620) was not an improvement (to me, anyway.) So, I got a Lenovo T500. The name alone makes me feel like I'm perpetually the star in my own personal Terminator film. I bought it cheap from the "Lenovo outlet store." It has a T9600 Core2Duo processor on board, and I fitted it myself with (oh drool!) 8GB RAM and 500GB hard drive @ 7200RPM (killer!)

Then I waited to get my hot little hands on Windows 7. I was in the beta program, so I got a "free key" to use when the beta ended.

Last Thursday night, I installed Windows 7, 64-Bit edition on my new monster laptop.

Before that, I had previously went to Lenovo's website and downloaded ANYTHING associated with the T500 + Vista. That is to say, since all Vista drivers are "upward" compatbile to Windows 7, having them "at the ready" seemed to be a good idea. I put them on an external USB disk.

My first 24 hours wasn't great. I installed Windows 7. I took all the updates. Then I installed all the T500 / Vista drivers. I rebooted when necessary. Finally, when I installed the video driver software, Windows 7 just hung and hung and hung and hung at the "Please wait" page.

Arrrgh. And this was AFTER I had already activated Windows 7 (Stupid, Stupid, Moskowitz.)

Well, I knew I could boot to Safe Mode and hack and slash my way out of this. But the more I thought about it.. why was I installing drivers for something that was, well, working already?

So I didn't.

I re-formatted and re-installed Windows 7. In my experience, more manufacturer software equals slower and more unstable machine. Said another way, if I can "get away with" the drivers that are included as part of Windows 7, I should have a faster and more stable system overall ... instead of having to know exactly WHICH drivers and in WHAT ORDER I should be installing them.

So that's what I did. I loaded Windows 7, I took all of Windows' updates (it had several driver updates for my system.) There were two devices Windows didn't have "built in drivers" for, and I did, indeed, install those from the Lenovo website. And that was it. I was done.

That being said, it wasn't totally a bed of roses.

This T500 system has this newfangled idea of having TWO video chips instead of just one. Let's call these two chips the "Good one" and the "Awesome one." Honestly, I don't ever, ever need the "Awesome one." I don't play games, so I don't need "awesomeness." "Awesome graphics" don't make my demos any faster, and honestly, that's all I care about for this machine.

This newfangled idea of two chips sounds great, but for me it just wasn't working perfectly with my total re-install. Every time I closed the lid and re-opened it, it thought my laptop display was "Display 2." All the stuff I was working on just disappeared.

You could say: "Well, Moskowitz, if you installed the drivers from Lenovo, you wouldn't be having this problem." Except, remember .. when I did install the drivers, that's exactly when the machine went into "mega hang" mode.

So, I needed a Plan B.

To fix this, I adjusted the T500's bios to say "Kill the Awesome chip. Only let me use the Good chip." And magically, all my troubles went away.

I'm sure, really, really sure, this is because I didn't choose to install Lenovo's "mega video driver" or something for the secondary video driver chips.

But I'm okay with that. I honestly need my laptop to do EXACTLY two things: display on the panel when I want to, and display outward on the VGA port for projecting when I want to.

Nothing fancy. So, no "awesome chip settings with crazy drivers" for me, thank you very much.

So, how is my overall experience with Windows 7 compared to Windows Vista? Well, my biggest problem with Windows Vista was that it was slow. Yes, lots of people complained about it being slow, but I tried to take an empirical approach and learn WHY my experience with Vista was slow.

For me, personally, I learned the "slow culprit" was the "Windows Search" service. On my previous laptop, the D620, where I tried to run Vista, every time I ran Filemon / Procmon, I could see it. Spinning it's wheels, doing it's thing -- ALL THE TIME and slowing me down.

As for Windows 7, I'm sad to say, that my initial experience is the same in this particular regard. Windows 7 still appears to (at least with my files) churn and churn and churn.

Maybe I haven't given it a fair shake. It's true, I didn't let it "settle in for three days" before getting frustrated and turning it off. I do have 60GB of "data" for it to pour over. So, in fairness, I'm going away next weekend, and I'm planning on turning ON the search service BEFORE I LEAVE, and see what happens when I return.

But for now, I have uninstalled the Windows 7 search feature, and you also (oddly) seem to need
to DISABLE the search service to really kill it (according to my Procmon traces.)

Here's the payoff though: Man, is this lappy fast! Right now, I'm really happy with the speed. Applications pop. Demos snap. Everything is like a crisp clean spring morning. Between a new processor, new OS, the 64-bits, 8GB of RAM and a 7200 RPM HD, darn tootin' this thing better fly.

Here are some miscellaneous notes about my first 7 days, in no particular order:

• I have a wacky wacky "Cannon" all-in-one printer, fax, scanner thing. And that driver was included in Windows 7. And, it even shows me the "ink levels" while printing; just like the driver I previously needed to download from Cannon then hand-install on XP. Neat.
• I'm pretty "keyboard centric." So about 1000 times a day, I type the following key sequence when working on XP: Ctl-Esc, R, cmd, enter. In XP, this would open the Start menu, R would hit the Run command, and CMD would get me to a command prompt. Now on Win 7, the same sequence makes NOTHING happen, because (even though I've put RUN back on the Start menu) there's no keyboard shortcut for 'R'un. gRRRR.  PS: My lappy has a WIN key, so Win+R work, but my external keyboard doesn't, so I'm stuck.
• I have ONE piece of hardware that, darn it, I cannot use, and man, I'm disappointed. It's a USB-connected phone system that's voice activated and hooks into Outlook. It just crashes every time it runs. Just flat out crashes. Can't really get to the bottom of this. If anyone else has this device, it's called ArialPhone, and I'd love to hear if it's working for anyone out there on Win 7 or even Vista. (PS: Even "XP compatibility mode" likely won't get me out of this one; unless I want to run a copy of Outlook *INSIDE* that fake XP machine, which I don't.)
• I have two other Outlook plug-ins which worked great on XP, but won't do their magic on Windows 7. Oddly, two *OTHER* Outlook plug-ins are working swimmingly. So, I don't know where the problem is. Still hacking on this one.
• The Beta for the App-V client 4.6 is out, and includes 64-bit support. Honestly, the thing seems ROCK SOLID to me, but my understanding is that it's planned to be Beta for a while before it goes gold. AppV Applications in cache seem to run WAY WAY faster than they did in AppV 4.5. It took me about an hour to convert all my existing 4.5 sequenced apps to 4.6.
• My wife walked behind me to see what I was working on. And it was my Windows 7 desktop. She saw the huge, huge icons that Windows 7 defaults with and asked "Are you in safe mode?" I can totally see her confusion, as Windows 7, in my opinion, looks totally bizzare with those big honkin' icons. The fix? While on the desktop, hold down Control and use the scroll wheel of your mouse to adjust. Kooky.
• Lots of people seem to be all "gaga" about the new taskbar. Honestly, I don't love the "mixed metaphor" of applications running and applications' icons all jumbled together. I've reset it act a little more like XP did, and I'm a little saner now.

But, all around, 95% of my applications are working. Everything that's "broken" seems to be revolved around Outlook in some way. Everything else is working great. So, I'm not sure if I can blame Windows or what here. Regardless, I'll get to the bottom of these and shake out my final bugs.

But in short, my first week -- pretty solid after getting thru the bumps. I do have that "last mile" to push through, and I'll keep you posted as things progress.

Let's go right to the punchline: Overall; positive.

Okay, now let's get to what's great, what's not and what's just weird.

Actually, before we do that, let's start off with my new hardware. If you know me, you know I love to do demos. I do demos left and right in my training courses, at WinConnections and TechEd, and other sundry events.

And, of course, I need to use a laptop lug around and do that. My laptop of choice has always been Dell. I've been a Dell man, since, well, Dell Laptops had TRACKBALLS in them, and not touchpads.

Yes, _that_ long.

Now, for the first time ever I went Lenovo. Honestly, the new Dell E series just seemed too "humongo" for me. The whole package, including the power supply just looked too.. Bulky.

Yep, that was my "very technical reason" for not getting another Dell. I'm sure they're great inside, but their asthetics (at least compared to my Dell D620) was not an improvement (to me, anyway.) So, I got a Lenovo T500. The name alone makes me feel like I'm perpetually the star in my own personal Terminator film.  I bought it cheap from the "Lenovo outlet store." It has a T9600 Core2Duo processor on board, and I fitted it myself with (oh drool!) 8GB RAM and 500GB hard  drive @ 7200RPM (killer!)

Then I waited to get my hot little hands on Windows 7. I was in the beta program, so I got a "free key" to use when the beta ended.

Last Thursday night, I installed Windows 7, 64-Bit edition on my new monster laptop.

Before that, I had previously went to Lenovo's website and downloaded ANYTHING associated with the T500 + Vista. That is to say, since all Vista drivers are "upward" compatbile to Windows 7, having them "at the ready" seemed to be a good idea. I put them on an external USB disk.

My first 24 hours wasn't great. I installed Windows 7. I took all the updates. Then I installed all the T500 / Vista drivers. I rebooted when necessary. Finally, when I installed the video driver software, Windows 7 just hung and hung and hung and hung at the "Please wait" page.

Arrrgh. And this was AFTER I had already activated Windows 7 (Stupid, Stupid, Moskowitz.)

Well, I knew I could boot to Safe Mode and hack and slash my way out of this. But the more I thought about it.. why was I installing drivers for something that was, well, working already?

So I didn't.

I re-formatted and re-installed Windows 7. In my experience, more manufacturer software equals slower and more unstable machine. Said another way, if I can "get away with" the drivers that are included as part of Windows 7, I should have a faster and more stable system overall ... instead of having to know exactly WHICH drivers and in WHAT ORDER I should be installing them.

So that's what I did. I loaded Windows 7, I took all of Windows' updates (it had several driver updates for my system.) There were two devices Windows didn't have "built in drivers" for, and I did, indeed, install those from the Lenovo website.  And that was it. I was done.

That being said, it wasn't totally a bed of roses.

This T500 system has this newfangled idea of having TWO video chips instead of just one. Let's call these two chips the "Good one" and the  "Awesome one." Honestly, I don't ever, ever need the "Awesome one." I don't play games, so I don't need "awesomeness." "Awesome graphics" don't make my demos any faster, and honestly, that's all I care about for this machine.

This newfangled idea of two chips sounds great, but for me it just wasn't working perfectly with my total re-install. Every time I closed the lid and re-opened it, it thought my laptop display was "Display 2." All the stuff I was working on just disappeared.

You could say: "Well, Moskowitz, if you installed the drivers from Lenovo, you wouldn't be having this problem." Except, remember .. when I did install the drivers, that's exactly when the machine went into "mega hang" mode.

So, I needed a Plan B.

To fix this, I adjusted the T500's bios to say "Kill the Awesome chip. Only let me use the Good  chip." And magically, all my troubles went away.

I'm sure, really, really sure, this is because I didn't choose to install Lenovo's "mega driver" or something for the secondary video driver chips.

But I'm okay with that. I honestly need my laptop to do EXACTLY two things: display on the panel when I want to, and display outward on the VGA port for projecting when I want to.

Nothing fancy. So, no "awesome chip settings with crazy drivers" for me, thank you very much.

So, how is my overall experience with Windows 7 compared to Windows Vista? Well, my biggest problem with Windows Vista was that it was slow. Yes, lots of people complained about it being slow, but I tried to take an empirical approach and learn WHY my experience with Vista was slow.

For me, personally, I learned the "slow culprit" was the "Windows Search" service. On my previous laptop, the D620, where I tried to run Vista, every time I ran Filemon / Procmon, I could see it. Spinning it's wheels, doing it's thing -- ALL THE TIME and slowing me down.

As for Windows 7, I'm sad to say, that my initial experience is the same in this particular regard. Windows 7 still appears to (at least with my files) churn and churn and churn.

Maybe I haven't given it a fair shake. It's true, I didn't let it "settle in for three days" before getting frustrated and turning it off. I do have 60GB of "data" for it to pour over. So, in fairness, I'm going away for the next weekend, and I'm planning on turning ON the search service BEFORE I LEAVE, and see what happens when I return.

But for now, I have uninstalled the Windows 7 search feature, and you also (oddly) seem to need
to DISABLE the search service to really kill it (according to my Procmon traces.)

Here's the payoff though: Man, is this lappy fast! Right now, I'm really happy with the speed. Applications pop. Demos snap. Everything is like a crisp clean spring morning. Between a new processor, new OS, the 64-bits, 8GB of RAM and a 7200 RPM HD, darn tootin' this thing better fly.

Here are some miscellaneous notes about my first 7 days, in no particular order:

- I have a wacky wacky "Cannon" all-in-one printer, fax, scanner thing. And that driver was included in Windows 7. And, it even shows me the "ink levels" while printing; just like the driver I previously needed to download from Cannon then hand-install on XP. Neat.

- I'm pretty "keyboard centric." So about 1000 times a day, I type the following key sequence when working on XP: Ctl-Esc, R, cmd, enter. In XP, this would open the Start menu, R would hit the Run command, and CMD would get me to a command prompt. Now on Win 7, the same sequence makes NOTHING happen, because (even though I've put RUN back on the Start menu) there's no keyboard shortcut for 'R'un. gRRRR.

- I have ONE piece of hardware that, darn it, I cannot use, and man, I'm disappointed. It's a phone system that's voice activated and hooks into Outlook. It just crashes every time it runs. Can't really get to the bottom of this. If anyone else has this device, it's called ArialPhone, and I'd love to hear if it's working for anyone out there on Win 7 or even Vista.

- I have two other Outlook plug-ins which worked great on XP, but won't do their magic on Windows 7. Oddly, two *OTHER* Outlook plug-ins are working swimmingly. So, I don't know where the problem is. Still hacking on this one.

- The Beta for the App-V client 4.6 is out, and includes 64-bit support. Honestly, the thing seems ROCK SOLID to me, but my understanding is that it's planned to be Beta for a while before it goes gold. AppV Applications in cache seem to run WAY WAY faster than they did in AppV 4.5. It took me about an hour to convert all my existing 4.5 sequenced apps to 4.6.

- My wife walked behind me to see what I was working on. And it was my Windows 7 desktop. She saw the huge, huge icons that Windows 7 defaults with and asked "Are you in safe mode?" I can totally see her confusion, as Windows 7, in my opinion, looks totally bizzare with those big honkin' icons. The fix? While on the desktop, hold down Control and use the scroll wheel of your mouse to adjust. Kooky.

- Lots of people seem to be all "gaga" about the new taskbar. Honestly, I don't love the "mixed metaphor" of applications running and applications' icons all jumbled together. I've reset it act a little more like XP did, and I'm a little saner now.

But, all around, 95% of my applications are working. Everything that's "broken" seems to be revolved around Outlook in some way. Everything else is working great. So, I'm not sure if I can blame Windows or what here. Regardless, I'll get to the bottom of these and shake out my final bugs.

But in short, my first week -- pretty solid after getting thru the bumps.

Part 1: My First 7 days with Windows 7
------------------------------------------------------

Let's go right to the punchline: Overall; positive.

Okay, now let's get to what's great, what's not and what's just weird.

Actually, before we do that, let's start off with my new hardware. If you know me, you know I love to do demos. I do demos left and right in my training courses, at WinConnections and TechEd, and other sundry events.

And, of course, I need to use a laptop lug around and do that. My laptop of choice has always been Dell. I've been a Dell man, since, well, Dell Laptops had TRACKBALLS in them, and not touchpads.

Yes, _that_ long.

Now, for the first time ever I went Lenovo. Honestly, the new Dell E series just seemed too "humongo" for me. The whole package, including the power supply just looked too.. Bulky.

Yep, that was my "very technical reason" for not getting another Dell. I'm sure they're great inside, but their aesthetics (at least compared to my Dell D620) was not an improvement (to me, anyway.) So, I got a Lenovo T500. The name alone makes me feel like I'm perpetually the star in my own personal Terminator film. I bought it cheap from the "Lenovo outlet store." It has a T9600 Core2Duo processor on board, and I fitted it myself with (oh drool!) 8GB RAM and 500GB hard drive @ 7200RPM (killer!)

Then I waited to get my hot little hands on Windows 7. I was in the beta program, so I got a "free key" to use when the beta ended.

Last Thursday night, I installed Windows 7, 64-Bit edition on my new monster laptop.

Before that, I had previously went to Lenovo's website and downloaded ANYTHING associated with the T500 + Vista. That is to say, since all Vista drivers are "upward" compatbile to Windows 7, having them "at the ready" seemed to be a good idea. I put them on an external USB disk.

My first 24 hours wasn't great. I installed Windows 7. I took all the updates. Then I installed all the T500 / Vista drivers. I rebooted when necessary. Finally, when I installed the video driver software, Windows 7 just hung and hung and hung and hung at the "Please wait" page.

Arrrgh. And this was AFTER I had already activated Windows 7 (Stupid, Stupid, Moskowitz.)

Well, I knew I could boot to Safe Mode and hack and slash my way out of this. But the more I thought about it.. why was I installing drivers for something that was, well, working already?

So I didn't.

I re-formatted and re-installed Windows 7. In my experience, more manufacturer software equals slower and more unstable machine. Said another way, if I can "get away with" the drivers that are included as part of Windows 7, I should have a faster and more stable system overall ... instead of having to know exactly WHICH drivers and in WHAT ORDER I should be installing them.

So that's what I did. I loaded Windows 7, I took all of Windows' updates (it had several driver updates for my system.) There were two devices Windows didn't have "built in drivers" for, and I did, indeed, install those from the Lenovo website. And that was it. I was done.

That being said, it wasn't totally a bed of roses.

This T500 system has this newfangled idea of having TWO video chips instead of just one. Let's call these two chips the "Good one" and the "Awesome one." Honestly, I don't ever, ever need the "Awesome one." I don't play games, so I don't need "awesomeness." "Awesome graphics" don't make my demos any faster, and honestly, that's all I care about for this machine.

This newfangled idea of two chips sounds great, but for me it just wasn't working perfectly with my total re-install. Every time I closed the lid and re-opened it, it thought my laptop display was "Display 2." All the stuff I was working on just disappeared.

You could say: "Well, Moskowitz, if you installed the drivers from Lenovo, you wouldn't be having this problem." Except, remember .. when I did install the drivers, that's exactly when the machine went into "mega hang" mode.

So, I needed a Plan B.

To fix this, I adjusted the T500's bios to say "Kill the Awesome chip. Only let me use the Good chip." And magically, all my troubles went away.

I'm sure, really, really sure, this is because I didn't choose to install Lenovo's "mega video driver" or something for the secondary video driver chips.

But I'm okay with that. I honestly need my laptop to do EXACTLY two things: display on the panel when I want to, and display outward on the VGA port for projecting when I want to.

Nothing fancy. So, no "awesome chip settings with crazy drivers" for me, thank you very much.

So, how is my overall experience with Windows 7 compared to Windows Vista? Well, my biggest problem with Windows Vista was that it was slow. Yes, lots of people complained about it being slow, but I tried to take an empirical approach and learn WHY my experience with Vista was slow.

For me, personally, I learned the "slow culprit" was the "Windows Search" service. On my previous laptop, the D620, where I tried to run Vista, every time I ran Filemon / Procmon, I could see it. Spinning it's wheels, doing it's thing -- ALL THE TIME and slowing me down.

As for Windows 7, I'm sad to say, that my initial experience is the same in this particular regard. Windows 7 still appears to (at least with my files) churn and churn and churn.

Maybe I haven't given it a fair shake. It's true, I didn't let it "settle in for three days" before getting frustrated and turning it off. I do have 60GB of "data" for it to pour over. So, in fairness, I'm going away next weekend, and I'm planning on turning ON the search service BEFORE I LEAVE, and see what happens when I return.

But for now, I have uninstalled the Windows 7 search feature, and you also (oddly) seem to need
to DISABLE the search service to really kill it (according to my Procmon traces.)

Here's the payoff though: Man, is this lappy fast! Right now, I'm really happy with the speed. Applications pop. Demos snap. Everything is like a crisp clean spring morning. Between a new processor, new OS, the 64-bits, 8GB of RAM and a 7200 RPM HD, darn tootin' this thing better fly.

Here are some miscellaneous notes about my first 7 days, in no particular order:

- I have a wacky wacky "Cannon" all-in-one printer, fax, scanner thing. And that driver was included in Windows 7. And, it even shows me the "ink levels" while printing; just like the driver I previously needed to download from Cannon then hand-install on XP. Neat.

- I'm pretty "keyboard centric." So about 1000 times a day, I type the following key sequence when working on XP: Ctl-Esc, R, cmd, enter. In XP, this would open the Start menu, R would hit the Run command, and CMD would get me to a command prompt. Now on Win 7, the same sequence makes NOTHING happen, because (even though I've put RUN back on the Start menu) there's no keyboard shortcut for 'R'un. gRRRR.

- I have ONE piece of hardware that, darn it, I cannot use, and man, I'm disappointed. It's a USB-connected phone system that's voice activated and hooks into Outlook. It just crashes every time it runs. Just flat out crashes. Can't really get to the bottom of this. If anyone else has this device, it's called ArialPhone, and I'd love to hear if it's working for anyone out there on Win 7 or even Vista. (PS: Even "XP compatibility mode" likely won't get me out of this one; unless I want to run a copy of Outlook *INSIDE* that fake XP machine, which I don't.)

- I have two other Outlook plug-ins which worked great on XP, but won't do their magic on Windows 7. Oddly, two *OTHER* Outlook plug-ins are working swimmingly. So, I don't know where the problem is. Still hacking on this one.

- The Beta for the App-V client 4.6 is out, and includes 64-bit support. Honestly, the thing seems ROCK SOLID to me, but my understanding is that it's planned to be Beta for a while before it goes gold. AppV Applications in cache seem to run WAY WAY faster than they did in AppV 4.5. It took me about an hour to convert all my existing 4.5 sequenced apps to 4.6.

- My wife walked behind me to see what I was working on. And it was my Windows 7 desktop. She saw the huge, huge icons that Windows 7 defaults with and asked "Are you in safe mode?" I can totally see her confusion, as Windows 7, in my opinion, looks totally bizzare with those big honkin' icons. The fix? While on the desktop, hold down Control and use the scroll wheel of your mouse to adjust. Kooky.

- Lots of people seem to be all "gaga" about the new taskbar. Honestly, I don't love the "mixed metaphor" of applications running and applications' icons all jumbled together. I've reset it act a little more like XP did, and I'm a little saner now.

But, all around, 95% of my applications are working. Everything that's "broken" seems to be revolved around Outlook in some way. Everything else is working great. So, I'm not sure if I can blame Windows or what here. Regardless, I'll get to the bottom of these and shake out my final bugs.

But in short, my first week -- pretty solid after getting thru the bumps. I do have that "last mile" to push through, and I'll keep you posted as things progress.

Team: I had this email exchange with a friend of mine the other day.

The email title was: "Policy vs. Preference (I don't get it.)"

I thought you'd like it. Read all the way thru to the end for how to get more information TOMORROW, Friday at 12.00 PM EST.

[Note, we're having some login issues to the GPanswers.com web accounts. Sorry if you're affected right now; we're working to fix it... Thanks.]

--

Jeremy...

OK I'm having serious brain 'problem.' What, really, is the difference between an unmanaged policy setting and a preference (GPPreferences-style)?

I CAN remember, at this late hour, that managed policy settings are in the Policies key of the registry. Seems to me that unmanaged policy settings (which equate to settings that can tattoo, right?) are elsewhere, yeah? So what makes them different than changes made by Preferences?

I am just trying to hone my use of terminology and make my boss understand "Policy" vs "Preference" vs "PolicyPak". THANKS!!!!

Okay Frank.. So.. I'm sure there's some "complete and proper definition" somewhere at Microsoft about what a Policy is vs. a Preference.

But when I talk with people about "Policy" Vs. "Preference" here's the litmus-test I use to determine "which is which."

I define policy as "three things"... that is, these three things need to be TRUE for you to be able to call it a "True Policy." A policy means that the setting:

1. Properly goes to the "Policies" keys in the registry (one of only FOUR sanctioned locations)

and

2. UI lockout occurs such that users cannot scoot around it

and

3. UI lockout / setting reverts when GPO falls "out of scope" (ie: You whack the GPO.)

So, "Prohibit Access to the Control Panel" is a true POLICY. It meets these three criteria.

If you crack open the ADM/X, you'll see that the registry punch goes to the Policies keys... and once set, users cannot scoot around it.

A Preference is EVERYTHING ELSE.

So.. some criteria to check if it's a Preference would be:

1. Does it store its keys anywhere in the registry? (ie: OUTSIDE the 4 proper Policies keys?)

and

2. Does it still permit a user to manipulate the UI? (ie: No UI lockout?)

So, 99% of hand-created ADM or ADMX templates and a large percentage of GP Prefs items are just that.. Preferences. (Note that many GP Preferences items have a scope which are NOT the registry. For instance, "Local users and groups" deals with the local SAM and NOT the registry. Others, deal with services. But for the purposes of this discussions, I think you're asking about REGISTRY items, and many of the GP Preferences items are, indeed, registry focused.)

So, let's examine the GP Preferences "Internet Explorer Settings." They're Preferences.

Why? Because... once a user gets the settings...

Test #1: The keys aren't contained in the "Policies" keys
Test #2: Users can scoot around and change the values to whatever they want
Test #3: If you whack the GPO with a preference, what happens? It "tattoos" or "leaves behind" the settings you set.

Do note, if you whack the GPO with a GP Preference, on some items there is an extra flag which is called "Remove when no longer applies" which will DELETE THE VALUE (not REVERT the value). Which, could be harmful to your application. Ouch.

So, where does PolicyPak fit in?

In contrast.. POLICYPAK will "bridge the gap" when it comes to Registry punches and settings Applications' settings.

The free PolicyPak Community edition is able to:

1. Write keys anywhere in the registry

while

2. Performing UI lockout

and magically

3. Reverting to the value you want when no longer applies (not totally deleting the value!)

PS: There's a guide which I wrote to help clear up a lot of these questions. Let me know what you think:
https://www.policypak.com/solutions/why-group-policy-admins-need-policypak.html

Quick update #1: About the "backing up GPOs" stuff we talked about this week...
-------------------------------------------------------------------------------------------------------------------

I forgot all about Darren Mar-Elia's PowerShell cmd-lets (free!)

If you don't want to wait for Win 7 but want to use Powershell to manage GPOs now, head on over to http://www.sdmsoftware.com/freeware and get their free Powershell GPMC cmdlets.

To backup up all GPOs in a domain using the SDM Powershell cmdlets, just use:

Get-sdmgpo * | export-sdmgpo -location c:gpbackups

Neat !