Presentation is loading. Please wait.

Presentation is loading. Please wait.

WCL312: Standard User Desktops with Windows Vista User Account Control (UAC) (WCL312) Alex Heaton Sr. Product Manager Chris Corio Program Manager.

Published byPhyllis Lyons Modified over 8 years ago

Similar presentations

Presentation on theme: "WCL312: Standard User Desktops with Windows Vista User Account Control (UAC) (WCL312) Alex Heaton Sr. Product Manager Chris Corio Program Manager."— Presentation transcript:

1 WCL312: Standard User Desktops with Windows Vista User Account Control (UAC) (WCL312) Alex Heaton Sr. Product Manager Chris Corio Program Manager

2 Agenda Why be a Standard User How Windows Vista Makes it Easy Standard users can do more Application Compatibility Application and Driver Deployment Q&A

3 Microsoft Confidential User Account Control Challenges Windows Vista Solution Easier to Run as Standard User Users can do more on their own Change time zone, power settings, VPN, and more Install approved devices Admin commands clearly marked Higher application compatibility File and registry virtualization Greater Protection for Admins Software runs with lower privileges by default Administrator provides consent before elevation Most users run with full administrator privileges all the time At risk from malware Can’t manage desktops or enforce policy Expensive to support Difficult to run a standard user User can’t perform many tasks Many applications don’t run

4 Elevation Model Administrator Privileges Standard User Privileges (Default) Administrator Account Standard User Account Ways to Request Elevation Application marking Setup detection Compatibility fix (shim) Compatibility assistant Run as administrator

5 Total Cost Of Ownership Gartner found: Use Best Practices to Reduce Desktop PC TCO, 2005-2006 Update 8 December 2005, Gartner, Inc. “…a locked and well-managed PC can save 40%.” “Fewer PCs will need a dispatched technician to try to remove a worm or recover or re-image a damaged system.” “All of that also means less end-user downtime and higher user productivity.” “The ‘locked and well managed’ profile assumes liberal use of tools, technology and processes for managing PCs...”

6 User Account Control

7 Agenda Why be a Standard User How Windows Vista Makes it Easy Standard users can do more Application Compatibility Application and Driver Deployment Q&A

8 Standard Users Can Do More View system clock and calendar Change time zone Configure secure wireless (WEP/WPA) connection Change power management settings Create and configure a Virtual Private Network connection Add printers and other devices that have the required drivers installed or allowed by IT policy Install approved ActiveX controls Disk defragmentation is a scheduled background process Shield icon consistently marks what actions a standard user can and cannot do

9 Agenda Why be a Standard User How Windows Vista Makes it Easy Standard users can do more Application Compatibility Application and Driver Deployment Q&A

10 Application Compatibility Initiatives Technologies added to Windows Vista to help applications run as a Standard User Application Compatibility Toolkit provided to help inventory and fix applications within environments. ACT 5.0 Release Candidate currently available Application Compatibility Factory available for outsourcing application compatibility and mitigation.

11 Helping Legacy Applications Run as Standard User Many applications would run fine as standard user, but they needlessly store data in HKLM\Software or %ProgramFiles% They use these locations for per-user data, not global data These locations are system-global and so only writeable by administrators It’s always worked because Windows users have always been administrators The solution: help them through virtualization Modifications of most system-global locations go to per-user areas Reads generally go to the per-user location and fall back to the global location

12 Virtualized Files Redirected file system locations: %ProgramFiles% (\Program Files) %AllUsersProfile% (\ProgramData – what was \Documents and Settings\All Users) %SystemRoot% (\Windows) %SystemRoot%\System32 (\Windows\System32) Exceptions: Files that have executable extensions (.exe,.bat,.vbs,.scr, etc) Prevents masking of system executables for servicing and security Exceptions can be added in HKLM\System\CurrentControlSet\Services\Luafv\Parameters \ExcludedExtensionsAdd Per-user virtual root: %UserProfile%\AppData\Local\VirtualStore Note: Virtual files do not roam with Roaming Profiles

13 File Virtualization Implementation File system virtualization is implemented in a file system filter driver, luafv.sys Luafv.sys Ntfs.sys Legacy Application User Mode Kernel Mode \Windows\App.ini \Users\ \AppData\Local\ VirtualStore\Windows\App.ini Vista Application \Windows\App.ini Access Denied

14 Registry Virtualization Redirected locations: HKLM\Software Exceptions: HKLM\Software\Microsoft\Windows HMLM\Software\Microsoft\Windows NT Other subkeys under Microsoft Per-user virtual root: HKEY_CURRENT_USER\Software\Classes\VirtualStore

15 Solving Application-Specific Issues Some applications have to be helped in other ways to run as Standard User If an application is broken ask the vendor for a fix!! Isolate to standard user compatibility issue Common application issues include: Unnecessary Administrator checks Registering a COM object to HKLM Writing to file or registry locations that are not virtualized Aaron Margosis highlights how to fix these problems in his blog: http://blogs.msdn.com/aaron_margosis/

16 Application Compatibility Toolkit Customer Target Medium/Large Businesses and Large Enterprises Mission A lifecycle management tool that assists in identifying and managing your overall application/device/computer portfolio, reducing the cost and time involved in resolving application compatibility issues, and helping you quickly deploy Windows Vista and Windows Updates. Strategy Help detect, diagnose, and mitigate compatibility issues found in Windows Vista Microsoft Compatibility Exchange to facilitate exchange of compatibility data between ISV/IHV, Microsoft, and customers Deliver tools that are timely and relevant to Windows releases

17 Developer and Tester Tools Standard User Analyzer Provides a way for testers to further test the LOB applications to determine what will fail as Standard User on Vista Internet Explorer Test Tool Provides a way for testers to further test the intranet web applications to understand the exact issue and determine which of their web applications will not work with IE 7 Setup Analysis Tool Detects issues such as WRP, installing of 32 bit kernel mode drivers, 16 bit components to flag any of your packages which could run into this issue Compatibility Administrator Helps IT Admins, Developers, Testers create and test compatibility shim/fixes (no code changes required)

18 Standard User Analyzer

19 Application Compatibility Factory Enterprises can have 1,000’s of custom apps, compatibility testing can take months, years Application Compatibility Toolkit helps ID scope of project Application Compatibility Factory partners will test and remediate your applications 5 global SIs are on board and ready to work with you now All already have deep expertise in application remediation ACF partner services focus on custom apps, scales to some ISV apps All receive customized, ongoing training from MCS application remediation experts

20 Agenda Why be a Standard User How Windows Vista Makes it Easy Standard users can do more Application Compatibility Application and Driver Deployment Q&A

21 Application and Driver Deployment Problem: Deploying protected machine-wide binaries requires Administrator privileges. Windows Vista Technologies for facilitating deployment: Group Policy Software Installation Device Management Infrastructure ActiveX Installer Service

22 Group Policy Software Installation Method for deploying MSIs within an enterprise MSIs can be assigned to users or groups using Group Policy On Demand installation through advertisement. Policy consists of product information being published in both AD and GP. Enterprises must create an inventory of their applications packaged as MSIs.

23 Managing Device Driver Installation Problem: In enterprises, Standard Users cannot install device drivers but need network printers. Device Management Infrastructure introduced in Windows Vista Configurable by Group Policy Allows Standard Users to install drivers Hardware-first install initiates automatic search for drivers

24 Device Driver Installation Policy Device Management Infrastructure policy is based on the driver location, signature, and device class guid. The Driver Store is a trusted cache of drivers on client machines Dynamic and updatable Windows Vista installs these trusted drivers as needed Device Drivers must be signed by a certificate in the Enterprise Trusted Publishers store. Device class must be enabled for Standard User installation using Group Policy in Driver Installation ADM.

25 ActiveX Installer Service Service built into Windows Vista because of extensive customer feedback. ActiveX controls are designed to install per-machine This requires administrator privileges. Packaging ActiveX controls into MSIs is expensive. Many enterprises do not have a full inventory of the controls that are used in their environment. No good pull-based solution for MSI deployment

26 ActiveX Installer Service is an optional Windows Component included in Ultimate, Enterprise(N), and Business SKUs. Manually enabling the service Control Panel ->Programs->Turn Windows Features on or off. Check the ActiveX Installer Service Service can be enabled within image Policy is configured using an Administrative Template in Group Policy. Enabling the ActiveX Installer Service

27 ActiveX Installer Service: Policy Installation Policy based on Host URL and signature of content Host defined by URL http or https (recommended) Cab file signature can be checked against enterprise Trusted Publishers store. ActiveX Controls can be deployed from a central server using CodeBaseSearch path. Attempt to install ActiveX control is audited.

28 ActiveX Installer Service

29 Agenda Why be a Standard User How Windows Vista Makes it Easy Standard users can do more Application Compatibility Application and Driver Deployment Q&A

30

31 Related Presentations Application Compatibility WCL201 \ WCLCT07 Windows Vista Application Compatibility and the Microsoft Application Compatibility Toolkit (ACT) 5.0 Device Driver Installation WCL314 Windows Vista Hardware and Device Management Windows Vista Security WCLCT03 Windows Vista Security and User Account Control (UAC)

32 Microsoft Confidential For More Information Windows Vista: User Account Control http://www.microsoft.com/windowsvista/uac Blogs http://blogs.msdn.com/windowsvistasecurity/ http://blogs.msdn.com/uac/ Download ACT 5.0 RC Now!! http://connect.microsoft.com/site/sitehome.aspx?SiteID=81 Device Management Documentation Step-by-Step Guide to Device Driver Signing and Staging: http://go.microsoft.com/fwlink/?linkid=69208 http://go.microsoft.com/fwlink/?linkid=69208 Step-by-Step Guide to Controlling Device Installation and Usage with Group Policy: http://go.microsoft.com/fwlink/?linkid=63416http://go.microsoft.com/fwlink/?linkid=63416

33 Ask The Experts Get Your Questions Answered You can find us at the Microsoft Ask the Experts area, located in the Exhibition Hall: Wednesday15 November10.15 – 10.45 Wednesday15 NovemberLunch Thursday16 November14.45 – 15.45 Thursday16 NovemberLunch

34

35

36 ©2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Download ppt "WCL312: Standard User Desktops with Windows Vista User Account Control (UAC) (WCL312) Alex Heaton Sr. Product Manager Chris Corio Program Manager."

Similar presentations

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.
This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.
Auditing Microsoft Active Directory

Auditing Microsoft Active Directory
Managing User Settings with Group Policy

Managing User Settings with Group Policy
©2006 Microsoft Corporation. All rights reserved. Application Compatibility in Windows Vista and the Application Compatibility Toolkit Micheal Sciacqua.

©2006 Microsoft Corporation. All rights reserved. Application Compatibility in Windows Vista and the Application Compatibility Toolkit Micheal Sciacqua.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Dan Stolts IT Pro Evangelist US DPE - North East Microsoft Corporation

Dan Stolts IT Pro Evangelist US DPE - North East Microsoft Corporation
11.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

11.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Lesson 18: Configuring Application Restriction Policies

Lesson 18: Configuring Application Restriction Policies
Application Repackaging - Naushad Ali T Doddamani.

Application Repackaging - Naushad Ali T Doddamani.
Installation Requirements. Agenda Installation requirements Installation options Installing to correct folder locations Installing Windows resources Creating.

Installation Requirements. Agenda Installation requirements Installation options Installing to correct folder locations Installing Windows resources Creating.
Microsoft ® Application Virtualization 4.5 Infrastructure Planning and Design Series.

Microsoft ® Application Virtualization 4.5 Infrastructure Planning and Design Series.
Ran Oelgiesser, Sr. Product Manager Praveen Vijayaraghavan, Program Manager (Virtual PC) Yigal Edery, Group Program Manager (MED-V)

Ran Oelgiesser, Sr. Product Manager Praveen Vijayaraghavan, Program Manager (Virtual PC) Yigal Edery, Group Program Manager (MED-V)
Microsoft ® Application Virtualization 4.6 Infrastructure Planning and Design Published: September 2008 Updated: February 2010.

Microsoft ® Application Virtualization 4.6 Infrastructure Planning and Design Published: September 2008 Updated: February 2010.
Virtual techdays INDIA │ 18-20 august 2010 Testing & Fixing Applications on Windows 7 Sudhir Rao │ Solution Specialist, Microsoft Corporation.

Virtual techdays INDIA │ august 2010 Testing & Fixing Applications on Windows 7 Sudhir Rao │ Solution Specialist, Microsoft Corporation.
Microsoft ® Official Course Module 9 Configuring Applications.

Microsoft ® Official Course Module 9 Configuring Applications.
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.

Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008
Damian Leibaschoff Support Escalation Engineer Microsoft Becky Ochs Program Manager Microsoft.

Damian Leibaschoff Support Escalation Engineer Microsoft Becky Ochs Program Manager Microsoft.

Similar presentations

Ads by Google