Windows XP Service Pack 2 Customer Awareness Workshop Plan – Test – Deploy & Troubleshooting Craig Schofield Microsoft Ltd. UK.

1 Windows XP Service Pack 2 Customer Awareness Workshop Plan – Test – Deploy & Troubleshooting Craig Schofield (craschof@microsoft.com) Microsoft Ltd. UK September 2004

2 Windows XP SP2 Deployment
- Windows XP SP2 deployment is a major event
- Treat it like a mini-OS deployment
- New security features will make the system more secure but may impact some applications
- Leverage MSF and MOF
- Communications and training are critical components
- Test, test, test
- Application compatibility and usability are paramount
- Desktop and web-based LOB applications
- Corporate Security Policy
- Review and Update Group Policy as required
- Significant number of additional Group Policy options available
- Users will be impacted
- Train and communicate accordingly

3 Planning for Windows XP Service Pack 2 Deployment

4 Plan, Plan, Plan
- Define the Vision/Scope
- Review XP SP2 Changes Documentation
- Define Test Plans and Lab Setup Plans
- Put the Lab Setup and Pilot Testing into action
- Take applications through the Lab to Production Testing
- Plan Deployment
- Group Policy
- Service Pack 2
- Application changes/fixes/upgrades
- Remedy Issues
- Deploy!

5 Example Vision/Scope
- Desired outcome of the project
- Internal and External compatibility of SP2
- Ensure environment security and business continuity
- Phased rollout of SP2 over xx months
- Risks: Unknown number of application issues

6 Security Planning
- Determine preferred security configuration, possible trade-offs (IE/Firewall)
- Need to support non-domain machines
- Requires scripted or command-line approach
- Analyze configuration methods
- Group policy
  - XP SP2 group policy contains 609 new settings in SP2 (518 for Internet Explorer alone)
  - Updated ADM files (for administering GPOs from non-SP2 machines)
- Command-line tools
- Firewall INF file
- Unattend.txt – XP SP2 deploy.cab
- Scripting

7 Deployment Planning
- Consider deployment of XP SP 2 on limited ‘real systems’ to test:
- Deploy with firewall on
  - Determine commonly needed open ports
  - Deploy settings with AD, INF files, WMI, Unattend.txt
- Deploy with XP SP2 DCOM and IE defaults
  - Use custom OU if you have Active Directory
- Plan deployment to pilot community to catch final 5% of issues

8 Key Tasks
- Establish Lab Environment
- Applications Inventory
- Application name, vendor & version, XP SP2 status
- Categorise Applications
- Device Driver Inventory
- Establish testing tools and scripts
- Application Compatibility Toolkit
- Deployment Planning
- Deployment technologies
- Consider dial-up only, machines with insufficient disk-space etc.

10 Testing Windows XP Service Pack 2

11 Pilot Testing
- Initial run through of the test plans
- Refine tasks and refine the lab environment
- Define and train core test team on roles
- Pilot the Test Plan
- Applications, LOB, web based, desktop
- Intranet/Internet sites
- Application deployment, management, support
- Create project schedule
- Update risk assessment
- Level of application incompatibility now known

12 Production Testing
- Execute test plans within Lab environment
- Collect and report data
- Track and review schedules

13 Production Testing (cont.)
- How do I know if it’s broken?
- Compare and contrast
- History - present behavior is consistent with past behavior (SP1?)
- Claims - consistent with reported functionality and behaviors?

14 Remedy Phase
- Review and rank application compatibility data to establish deployment risks:
  - Application is compatible
  - Application requires basic compatibility modifications
  - Application requires extensive modifications
  - Application is incompatible
- Determine approach to resolving each incompatibility problem

15 Application Compatibility Summary
- Most applications work without issues
- For applications that have compatibility issues
  - Most issues can be mitigated through proper configuration of SP2 settings
  - Most mitigations will not lead to increased attack surface area
  - Few applications will require changes to source code

16 Application Compatibility Drill Down
Functional Area / Compatibility Status: NX & /GS; User experience modified; Attachment Handler; Windows Firewall; Few apps → proper configuration required; DCOM & RPC; Other components; Internet Explorer; Some apps → proper configuration required

17 Application Compatibility Toolkit
- The Application Compatibility Toolkit (ACT) provides methods and information to resolve the most commonly encountered application compatibility issues
- ACT 3.0 is available now and can be used to determine applications installed, and apply non-SP2 specific ‘fixes’.
- ACT 4.0 is specifically targeted at issues exposed by Service Pack 2 and provides vital assistance to anyone deploying Service Pack 2
- Version 4.0 is intended solely for IT professionals planning to deploy Windows XP SP2
- Version 4.0 beta scheduled for release later this year.

18 ACT 4.0 Components
- Evaluate
  - Plan project and gather the necessary information about the existing environment.
  - Windows Application Compatibility Analyzer used to gather a complete software inventory
  - Risk Evaluation and Mitigation (REM) tools will assist in finding problem areas in your applications relating to DCOM, Internet Explorer, and the Windows Firewall.
- Mitigate
  - Find solutions for the problems identified in the Evaluate phase using Compatibility Administrator or by identifying the Windows registry settings to be modified.
- Deploy
  - Distribution and installation of the Service Pack through tools such as Group Policy, or Microsoft Systems Management Server.

19 Possible Issue Resolutions
- Applications with source code
  - Review and update the source code
- Applications from outside vendors
  - Contact vendor
- Applications without source code
  - Use profiling and debugging tools to help diagnose or resolve problems
  - Modify security or other settings through Group Policy to enable application to function

20 Windows XP Service Pack 2 Deployment

21 Windows XP SP2 Formats
- RTM build 2180 (Version 5.1.2600.2180)
- XP SP2 Service full download is about 270Mb in size.
- I386 folder expands to 326Mb
- Consider size of backup folder, system restore point
- Smaller “express install” for Web download / minimal installed files.
- Leverages Delta Compression and BITS
- Can Slipstream update to install all-in-one
- But only supported for ‘Gold’ RTM code.

22 Deploying XP SP2 Installation Considerations
- Plan on a minimum of 30mins, probably longer.
- Consider disabling Anti-virus for install ONLY
- Check “%WINDIR%\svcpack.log” for failures
- Require Administrative Rights to install
- Plan/test backout procedures for upgrade
- Will backup existing files by default.

23 Deploying XP SP2 Installation Options
- xpsp2.exe or update.exe +options
- /help
- Setup options
  - /quiet
  - /passive
  - /uninstall
- Restart options
  - /norestart
  - /forcerestart
- Special Options
  - /l List installed hotfixes
  - /o Overwrite OEM files
  - /n Do not backup files for Uninstall
  - /f force apps to close
  - /integrate: for slipstream
  - /d: (backup path)

24 Deploying XP SP2 Scripted Scenarios
- RIS Installations
- Existing XP images
- Slipstream or Update
- Must be slipstreamed against GOLD!
- Existing Build and Lab Environments
- WinPE images
- BDD Solution Accelerator (Technet White Paper - BDD with Service Pack 2)
- ZTC Solutions
- In-house

25 Deploying XP SP2 Scripted Scenarios
- Unattend.txt
  - [WindowsFirewall]
  - [WindowsFirewall.profile_name]
  - [WindowsFirewall.program_name]
  - [WindowsFirewall.service_name]
  - [WindowsFirewall.portopening_name]
  - [WindowsFirewall.icmpsetting_name]
- NetFW.Inf
  - ICF.AddReg.DomainProfile
  - ICF.AddReg.StandardProfile
  - Strings
- Netsh

26 Deploying XP SP2 Automated Scenarios
- Windows Update
  - Limited control
  - Large external bandwidth requirements
- SUS Server
  - Fully automated with no user interaction
  - Can work with non-Admin users
- SMS 2003
  - Deploy via advertised package
  - Target installation, exception reporting etc.

27 SMS 2003 and XP SP2 Windows Update (SUS/WUS)
- Most enterprise organizations will require tighter control than provided by WU
- Large download
- Ad hoc deployments may impact the corporate WAN/LAN links
- Users must have access to Windows Update and local administrative rights

28 Benefits Of Using SMS 2003
- Reliable software deployment
- SMS provides information for planning, testing, deploying, analyzing and customizing application deployment
- Planning information includes:
  - Customizable hardware and software inventory, built-in reporting, customizable reports, queries and collections
- Controlled deployments
  - Use administrator created collections to target systems
  - Deployment status reported through SMS reports

29 Deploying Phase
- Proceed with each defined, scheduled deployment group
- Monitor and adjust deployment as necessary
- Limit daily machine counts based on:
  - Network and infrastructure capacity
  - Helpdesk capacity
  - Issues encountered

30 Windows XP Service Pack 2 Configuration

31 Administering SP2 Recommended Enterprise Settings (1)
These are guidelines only, review all settings prior to deployment!!
- Windows Firewall: Protect all network connections
  - Enabled
- Windows Firewall: Do not allow exceptions
  - Not configured
- Windows Firewall: Define program exceptions
  - Set to the names of applications and services used by the computers running Windows XP SP2 on your network for managed, server, listener, or peer applications. (eg SMS)

32 Administering SP2 Recommended Enterprise Settings (2)
- Windows Firewall: Allow local program exceptions
  - Enabled (pending corporate policy)
- Windows Firewall: Allow remote administration exception
  - Disabled, unless the Windows XP SP2-based computers are configured remotely using MMC snap-in or monitored remotely using WMI.
- Windows Firewall: Allow file and print sharing exception
  - Enabled only if the computers running Windows XP SP2 are sharing local folders and printers.

33 Administering SP2 Recommended Enterprise Settings (3)
- Windows Firewall: Allow ICMP exceptions
  - Enabled only to allow diagnostic or management capabilities that are based on ICMP traffic.
- Windows Firewall: Allow Remote Desktop exception
  - Enabled only if you use Remote Desktop to connect to Windows XP SP2-based computers.
- Windows Firewall: Allow UPnP framework exception
  - Enabled only if you use UPnP devices on your network.
- Windows Firewall: Prohibit notifications
  - Disabled

34 Administering SP2 Recommended Enterprise Settings (4)
- Windows Firewall: Allow logging
  - Not configured
- Windows Firewall: Prohibit unicast response to multicast or broadcast requests
  - Disabled – may break Wake-On-LAN
- Windows Firewall: Define port exceptions
  - Set to the TCP and UDP ports used by the Windows XP SP2 computers on your network for managed, server, listener, or peer applications that cannot be specified by filename. (Add SMS and similar ports here)
- Windows Firewall: Allow local port exceptions
  - Enabled (pending corporate policy)

35 Administering SP2 3rd Party firewalls scenarios
- Disable Windows Firewall
- Disable Windows Firewall via accidental installation
- Unattend.txt or Netfw.inf
- Deploy registry settings to disable WF
  - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall=0 (DWORD data type)
  - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall=0 (DWORD data type)
- Configure GPOs accordingly
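Because these two policy values silently switch the firewall off, it is worth confirming on pilot machines which profiles they actually affect. The following is an added example, not part of the original presentation: it reads a text export of the policy key (as produced by `reg export`) and reports the per-profile state. The sample export and the function names are constructed for illustration.

```python
import re

POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
PROFILES = ("DomainProfile", "StandardProfile")

# Constructed sample export: firewall disabled by policy in the domain
# profile only; the standard profile key exists but sets nothing.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"""

def parse_reg(text):
    """Map each exported key (lower-cased) to its DWORD values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                # Registry names are case-insensitive, so normalise them.
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def firewall_policy_state(keys):
    """Report, per profile, what the EnableFirewall policy value says."""
    state = {}
    for profile in PROFILES:
        values = keys.get((POLICY_ROOT + "\\" + profile).lower(), {})
        flag = values.get("enablefirewall")
        if flag is None:
            state[profile] = "not configured"  # local settings apply
        else:
            state[profile] = "off by policy" if flag == 0 else "on by policy"
    return state

def profiles_off(state):
    """Profiles in which policy has disabled Windows Firewall."""
    return [p for p in PROFILES if state[p] == "off by policy"]

if __name__ == "__main__":
    state = firewall_policy_state(parse_reg(SAMPLE_EXPORT))
    print(state, "->", profiles_off(state))
```

A machine that reports the firewall off in one profile and unconfigured in the other deserves a second look, since the standard profile is the one in effect when a laptop is away from the domain.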

36 Summary
- Laptops - must be on AC power to upgrade
- Security Center
  - Disabled in Domains - Enabled in Workgroups
- Add/Remove Programs - SP2 entry added
- Additional Considerations
  - Applications that run as a Service
  - Security Center and Anti-Virus software
  - Local-Machine-Zone-Lockdown and Web applications
  - Applications which utilize zone elevation
  - VPN Clients application compatibility

37 Summary Continued…
- Plan and Test
  - Some applications may require modification
  - Locating and addressing issues can take time
  - The benefit of increasing security is likely to be greater than the cost to deploy
  - Test as Service Pack – Deploy as OS
- Leverage existing investments
  - AD, SMS 2003, SUS, ACT, BDD, CER
- Communications
  - Users will be impacted
  - Carefully consider communications, testing and training requirements
- SP2 impacts both IT and the business
  - Implement with appropriate rigor
  - SP2 allows customers to focus on business

38 Troubleshooting Windows XP SP2

39 General Troubleshooting
- Slow Installation
  - Copy files locally
  - Disable anti-virus software temporarily.
- XPSP2.exe Issues
  - If downloaded, may have been corrupted.
  - Extract using –x switch.
- Permissions
  - Require Local Administrator permissions.
- Product Key Issues
  - Windows XP SP1 ‘pirated’ keys blocked.

40 Troubleshooting 32-Bit Applications
- Test application on XP SP1 (baseline)
- If 64bit Extended use Application Compatibility Toolkit to disable DEP on a per application basis
- Disable Firewall
  - Temporary measure only.
  - Not recommended for production machines - deploy exceptions and keep firewall enabled.
- Disable DCOM / RPC authentication
  - Temporary measure only.
  - Not recommended for production machines - deploy revised security configuration.
- Ask software vendor for any needed updates or patches for Windows XP SP2 support
- Consider risks of disabling protection vs. selection of alternate application

41 Troubleshooting Web Applications
- Test site on XP SP1 (baseline)
- Add trusted intranet applications to trusted sites list
- Sign all custom ActiveX objects
- Review application to remove all cross zone scripting and zone elevation
- Lower security settings for required zone
  - Temporary measure only.
  - Not recommended for production machines - deploy exceptions as required.
- Selectively disable IE protection measures (popups, ActiveX, zones etc.) to verify which protection is stopping application
  - Temporary measure only - via GPO or in IE Tools-Security menu.
  - Not recommended for production machines - deploy exceptions as required.
- Consider re-writing application vs. risk of disabling new protection mechanisms

42 Troubleshooting Windows Firewall
- ON by default, Domain & Standard profile.
- File & Print sharing disabled and local network only.
- Add exceptions for management / admin tools, remote desktop etc.
- Disable temporarily to determine if Windows Firewall is causing application incompatibility.
- Configure via INF file, GPO, registry keys, Prompt to add exceptions, cmd line via netsh & via GUI
- Logging to Pfirewall.log
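Reading Pfirewall.log from a pilot machine is a way to find which ports are being blocked without switching the firewall off, which also serves the earlier "determine commonly needed open ports" step. The following is an added example, not part of the original presentation: it tallies DROP entries by protocol and destination port. The sample log is constructed, and its header layout is an assumption; the parser takes the column names from whatever `#Fields` line the log carries.

```python
from collections import Counter

# Constructed sample log: addresses, ports and times are invented.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-09-14 09:12:01 DROP TCP 10.0.0.5 10.0.0.20 3051 445 48 S 1234567 0 65535 - - -
2004-09-14 09:12:04 DROP TCP 10.0.0.5 10.0.0.20 3051 445 48 S 1234567 0 65535 - - -
2004-09-14 09:12:40 DROP TCP 10.0.0.6 10.0.0.20 1877 445 48 S 7654321 0 65535 - - -
2004-09-14 09:13:10 DROP UDP 10.0.0.7 10.0.0.20 137 137 78 - - - - - - -
2004-09-14 09:14:00 OPEN TCP 10.0.0.20 10.0.0.9 3102 80 - - - - - - - -
2004-09-14 09:15:30 DROP ICMP 10.0.0.5 10.0.0.20 - - 60 - - - - 8 0 -
2004-09-14 09:16:02 DROP UDP 10.0.0.8 10.0.0.255 138 138 229 - - - - - - -
2004-09-14 09:17 DROP TCP
"""

def parse_log(text):
    """Return one dict per entry, keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip truncated lines
                records.append(dict(zip(fields, values)))
    return records

def tally_drops(records):
    """Count dropped packets per (protocol, destination port or ICMP type).

    The XP SP2 firewall filters inbound traffic only, so every DROP line
    is an unsolicited inbound packet."""
    drops = Counter()
    for rec in records:
        if rec["action"] != "DROP":
            continue
        if rec["protocol"] in ("TCP", "UDP"):
            drops[(rec["protocol"], rec["dst-port"])] += 1
        else:
            drops[(rec["protocol"], "type " + rec.get("icmptype", "-"))] += 1
    return drops

def frequent_drops(drops, min_hits=2):
    """Entries dropped at least min_hits times: candidates to review."""
    return [(proto, port, n) for (proto, port), n in drops.most_common()
            if n >= min_hits]

if __name__ == "__main__":
    for proto, port, n in frequent_drops(tally_drops(parse_log(SAMPLE_LOG))):
        print(f"{proto} {port}: dropped {n} times")
```

A port that shows up here is a candidate for review against the applications inventory, not an automatic exception; repeated drops can equally be scanning from another host.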

43 Client Administration Tools
- May experience issues in managing client computers due to Windows Firewall blocking TCP port 445
  - Eg Select Users, Computers, or Groups
  - Retarget MMC at remote workstation
- Get errors such as “System Error 53 has occurred. The network path was not found.”
- Allow inbound TCP port 445 on remote workstation to enable
- See MSKB 870703 - Known issues with the client administrative tools in Windows XP SP2

45 Call to Action…

46 What You Should Do
- Learn: Take training, read guidance
- Test and Evaluate: Begin testing SP2 in your environment
- Defense in depth: Consider multiple security countermeasures in addition to SP2
- Plan for Deployment: Leverage Business Desktop Deployment Solution Accelerator
- http://www.microsoft.com/uk/sp2

47 Getting help with installation and deployment…
- With Conchango you can take maximum advantage of Windows XP SP2 while minimising the impact to your business.
- Conchango will evaluate the impact of SP2 on your business, test your applications against SP2 and assess your organisation's change management processes.
  - http://www.conchango.com/
- Computacenter offer a full Windows XP SP2 Impact Assessment service.
- Computacenter can identify likely technical issues, reduce calls to your support team during implementation, reduce the risk of business-critical applications failing and help you determine the likely impact to your application estate.
- Computacenter also offer a two hour workshop presenting the benefits of SP2.
  - http://www.computacenter.com/
- Selected Microsoft Partners can assist you with the installation and roll-out of Windows XP Service Pack 2.

48 Resources
- Windows XP Service Pack 2 Home Page
  - Main: http://www.microsoft.com/windowsxp/sp2/default.mspx
  - UK: http://www.microsoft.com/uk/sp2
- Windows XP Service Pack 2 (SP2) Support Centre
  - http://support.microsoft.com/default.aspx?pr=windowsxpsp2
- UK Windows XP Support page
  - http://www.microsoft.com/uk/windowsxp/sp2/default.mspx
- Windows XP Service Pack 2 - Resources for IT Professionals
  - http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
- Windows XP Service Pack 2 - Security Information for Developers
  - http://msdn.microsoft.com/security/productinfo/xpsp2/
- Windows Application Compatibility
  - http://www.microsoft.com/windows/appcompatibility/default.mspx
- Release Notes for Windows XP SP2 MSKB 835935
  - http://support.microsoft.com/?kbid=835935
- List of fixes included in Windows XP SP2 MSKB 811113
  - http://support.microsoft.com/?kbid=811113
- Windows XP SP2 Support hotline 0845 090 2025

49 Thank-You! Please complete the evaluations… Craig Schofield craschof@microsoft.com

50 © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

