Windows Enterprise and BitLocker

Advisory Note – Please review the Windows 8 updated licensing terms

Windows7 background

Windows 7 Enterprise

Windows 7 Enterprise is only available to Windows PCs with Software Assurance. Physical devices that had Windows Enterprise assigned to them prior to Expiration, and that acquired the perpetual right through Software Assurance, can continue to use Windows Enterprise on those assigned devices.

  • If Windows Enterprise was not deployed prior to Expiration, an organisation can deploy the upgrades after their coverage has expired.
  • If the assigned device was replaced after Expiration, then Windows Enterprise cannot be re-assigned to the replacement device.
  • New PCs that are replacing old machines can continue to use the perpetual right of Windows Professional.
  • New PCs that will exceed the number allocated to your organisation will not be covered under the perpetual rights of the EwA and need to be licensed separately.
  • New PCs will need to have Active SA assigned to them to deploy Windows Enterprise and BitLocker.

Product Use Rights

Why customers can deploy W7 Enterprise on devices that were covered with SA when coverage ended.


From Section 6 (Software Assurance Benefits) in the PUR

New Version Rights

With Software Assurance, customers are eligible to upgrade to new versions of licensed software made available during their term of Software Assurance coverage.  New Version Rights means, for any underlying licensed product for which Software Assurance coverage is ordered, the right to upgrade to, and run in place of the underlying licensed product, the latest version of that product that we make available during the covered period.  For example, if a new version of Microsoft Office is made available during the term of your coverage, your licenses will automatically be upgraded to the new version. Customers that acquire perpetual licenses through Software Assurance can deploy the upgrades after their coverage has expired.

Why customers cannot move an Enterprise Edition upgrade from one device previously covered with SA to another device once SA coverage has terminated.

1. The way a customer moves the right to use Enterprise Edition from one machine to another is through reassignment of the Software Assurance coverage from original device to the new device. There are no reassignment rights of the Windows Enterprise license itself.

From the Software Assurance section of the Product List it states:

Customers may not move Windows 7 Enterprise from the licensed device to another device. However, customer may reassign Software Assurance coverage to a replacement device, as permitted under their license agreement.

2. In the EA Agreement it states the below, which terminates SA coverage upon expiration without renewal:

Enrolled Affiliate’s right to Software Assurance benefits under this agreement ends if it does not renew Software Assurance.

Virtual Desktop Access

Microsoft have included the right to access Windows in a Virtual Desktop Infrastructure as a benefit of Active Software Assurance. After perpetual rights are obtained to Windows Professional or Windows Enterprise Edition, you will lose the right to access Windows in the datacenter.

It is worth reviewing renewal of Software Assurance on Windows 7 to maintain a consistent Windows Enterprise image across your desktop estate. As recommended above, review your devices at the date of expiry to ascertain your perpetual right to Windows 7 Enterprise.

Windows 7 Features

As a reference, with Windows 7 Enterprise you can take advantage of the following features that are not available in Windows 7 Professional:

  • DirectAccess: Give mobile users seamless access to corporate networks without a need to VPN.
  • BranchCache: Decrease the time branch office users spend waiting to download files across the network.
  • Federated Search: Find information in remote repositories, including SharePoint sites, with a simple user interface.
  • BitLocker and BitLocker To Go: Help protect data on PCs and removable drives, with manageability to enforce encryption and backup of recovery keys.
  • AppLocker: Specify what software is allowed to run on a user’s PCs through centrally managed but flexible Group Policies.
  • Virtual Desktop Infrastructure (VDI) optimizations: Improved user experience for VDI with multi-monitor and microphone support, plus the ability to reuse virtual hard drive (VHD) images to boot a physical PC.
  • Multilingual user interface: Create a single OS image for deployment to users worldwide.

Microsoft Desktop Optimization Pack (MDOP)

MDOP is a subscription that co-terminates with an Enterprise Agreement and Active Software Assurance. SA needs to be maintained on PCs in order to use the features of MDOP.


After the break – AppLocker and BitLocker


What is AppLocker?

AppLocker is a new feature in Windows Server 2008 R2 and Windows 7 that extends the functionality of the Software Restriction Policies feature. AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files: executable files, scripts, Windows Installer files and DLLs.

  • Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
  • Assign a rule to a security group or an individual user.
  • Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor.
  • Use audit-only mode to deploy the policy and understand its impact before enforcing it.
  • Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten.
  • Simplify creating and managing AppLocker rules by using Windows PowerShell cmdlets for AppLocker.

How does AppLocker differ from Software Restriction Policies (SRP)?

Software Restriction Policies (SRP) was originally designed in Windows XP and Windows Server 2003 to help IT professionals limit the number of applications that would require administrator access. With the introduction of User Account Control (UAC) and the emphasis of standard user accounts in Windows Vista, fewer applications today require administrator privileges. As a result, AppLocker was introduced to expand the original goals of SRP by allowing IT administrators to create a comprehensive list of applications that should be allowed to run.


Administrators can use AppLocker to control what files are allowed to run on individual computers. A user who is not a member of the Administrators group will not be able to run a file if the AppLocker policy explicitly denies the file from running.
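The workflow the feature list describes (publisher rules derived from signatures, audit-only deployment, import/export, and the PowerShell cmdlets) can be put together in one script. The following is an added example written for this article, not code from the original post or from Microsoft; it assumes an elevated PowerShell session on Windows 7 Enterprise/Ultimate or Windows Server 2008 R2 with the Application Identity service running, and uses C:\Program Files as the reference set of trusted software (any other directory works the same way).

```powershell
# Added example (not from the original post): build an AppLocker allow-list from
# a reference directory, set every rule collection to AuditOnly, apply it locally,
# and read back the audit events that show what enforcement would have blocked.
Import-Module AppLocker

# 1. Collect publisher / hash / path information for the executables in the reference set.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# 2. Generate rules: publisher rules for signed files (they survive version updates),
#    hash rules as the fallback for unsigned files. -Optimize merges redundant rules.
$policyXml = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Audit' -Optimize -Xml

# 3. Switch every rule collection to audit-only before the policy reaches any machine.
[xml]$policy = $policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
$policy.Save($policyPath)

# 4. Dry-run: which files in the reference set would the policy still deny?
#    (Should be empty for the directory the rules were generated from.)
Get-ChildItem 'C:\Program Files' -Recurse -Filter *.exe |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Filter Denied, DeniedByDefault |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply to the local policy. -Merge keeps rules that already exist; for a domain
#    deployment pass -Ldap with the GPO's LDAP path instead.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 6. Review impact. In AuditOnly mode, event 8003 in the AppLocker EXE and DLL log
#    records a file that ran but would have been prevented under enforcement.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 |
    Select-Object TimeCreated, Message
```

Because the exported XML carries the enforcement setting for each rule collection (the point made in the import/export bullet above), the same file can later be changed to EnforcementMode="Enabled" and re-imported once the 8003 events have been reviewed and the allow-list adjusted.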

Planning and deploying AppLocker policies

Which editions of Windows 7 and Windows Server 2008 R2 support AppLocker rules?

AppLocker rules can be enforced on computers running Windows 7 Ultimate, Windows 7 Enterprise, or any edition of Windows Server 2008 R2 except Windows Web Server 2008 R2 and Windows Server 2008 R2 Foundation.

Which editions of Windows can I use to create AppLocker rules?

To create rules for a local computer, the computer must be running Windows 7 Ultimate or Windows 7 Enterprise. If you want to create rules for a Group Policy Object (GPO), you can use a computer that is running any edition of Windows 7, provided that the Remote Server Administration Tools are installed. AppLocker rules can be created on any edition of Windows Server 2008 R2. While you can create AppLocker rules on computers running Windows 7 Professional, they will not be enforced on those computers. However, you can create the rules on a computer running Windows 7 Professional and then export the policy for implementation on a computer running an edition of Windows that does support AppLocker rule enforcement.

Do I need to upgrade my domain controllers to use AppLocker rules?

No, you do not need to update your domain controllers. You can use existing domain controllers running Windows Server 2003 or Windows Server 2008 to host the AppLocker policy. However, you cannot use computers running Windows Server 2003 or Windows Server 2008 to create AppLocker rules.

Can AppLocker control Application Virtualization (App-V) applications?

Yes, but there are some considerations:

  • If AppLocker rules are enabled, a path rule condition with an allow action must be set for the App-V installation path.
  • If App-V is installed in the default location, generating the default AppLocker rules will be sufficient to allow it to run.

Can AppLocker be managed through a virtual machine?

No. A virtual machine is a separate image. Therefore, the image cannot access the policy files of the computer that hosts the AppLocker policies.

Ref: TechNet

What is BitLocker?


Help prevent loss or theft of data with BitLocker and BitLocker To Go

  • Protect your data, even on removable drives. With Windows 7, BitLocker Drive Encryption helps protect sensitive data from being accessed by unauthorized users who come into possession of lost, stolen, or improperly decommissioned computers. BitLocker To Go extends BitLocker data protection to USB storage devices, enabling them to be restricted with a passphrase. In addition to having control over passphrase length and complexity, IT administrators can set a policy that requires users to apply BitLocker protection to removable drives before being able to write to them.

  • Easier to manage. Windows 7 gives administrators more control over how data in their environment is protected. From policy-configured Active Directory Domain Services integration for the escrow of recovery keys, to simple and efficient hardware recovery processes, BitLocker provides an integrated management experience for IT professionals. BitLocker To Go also gives administrators control over how removable storage devices can be utilized within their environment and the strength of protection that they require. Administrators can require data protection for any removable storage device upon which users want to write data, while still allowing unprotected storage devices to be utilized in a read-only mode. Policies are also available to require appropriate passwords, smart card, or domain user credentials to utilize a protected removable storage device.

  • Easier to set up. Whether you need to protect internal or removable drives, BitLocker in Windows 7 makes that protection easy because it works with almost any drive. Windows 7 simplifies the encryption of internal drives by automatically creating the hidden boot partition necessary to use BitLocker to protect the OS volume, eliminating the need to manually select that option during installation or to repartition the drive afterward. Best of all, BitLocker can be enabled on drives running Windows 7 with a simple right-click.
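The manageability point above (escrow of recovery keys, knowing which drives are actually protected) is easiest to verify with a script rather than by opening the control panel on each machine. The following is an added example written for this article, not code from the original post or from Microsoft; it assumes an elevated PowerShell session on Windows 7 and uses the Win32_EncryptableVolume WMI class that manage-bde itself relies on. It reports, per volume, whether BitLocker protection is on, how far encryption has progressed, and whether a numerical-password protector (the 48-digit recovery key that AD DS escrow backs up) exists.

```powershell
# Added example (not from the original post): audit BitLocker state on a Windows 7
# machine via the Win32_EncryptableVolume WMI provider.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Get-BitLockerAudit {
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume | ForEach-Object {
        $vol = $_
        # ProtectionStatus: 0 = off, 1 = on, 2 = unknown
        $protection = $vol.GetProtectionStatus().ProtectionStatus
        # ConversionStatus 1 = fully encrypted; EncryptionPercentage shows progress
        $conversion = $vol.GetConversionStatus()
        # GetKeyProtectors(0) returns protectors of every type for this volume
        $protectors = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
        $hasRecoveryPassword = $false
        foreach ($id in $protectors) {
            # KeyProtectorType 3 = numerical password (the recovery key escrowed in AD DS)
            if ($vol.GetKeyProtectorType($id).KeyProtectorType -eq 3) {
                $hasRecoveryPassword = $true
            }
        }
        New-Object PSObject -Property @{
            Drive               = $vol.DriveLetter
            ProtectionOn        = ($protection -eq 1)
            FullyEncrypted      = ($conversion.ConversionStatus -eq 1)
            EncryptionPercent   = $conversion.EncryptionPercentage
            HasRecoveryPassword = $hasRecoveryPassword
        }
    }
}

$report = Get-BitLockerAudit
$report | Format-Table Drive, ProtectionOn, FullyEncrypted, EncryptionPercent, HasRecoveryPassword -AutoSize

# The two conditions an administrator wants flagged: volumes with no protection,
# and protected volumes that have no recovery password to back up to Active Directory.
$report | Where-Object { -not $_.ProtectionOn } |
    ForEach-Object { Write-Warning "$($_.Drive) is not protected by BitLocker" }
$report | Where-Object { $_.ProtectionOn -and -not $_.HasRecoveryPassword } |
    ForEach-Object {
        Write-Warning "$($_.Drive) has no recovery password protector; add one with: manage-bde -protectors -add $($_.Drive) -RecoveryPassword"
    }
```

Run it from a logon or startup script and collect the warnings centrally, and the "escrow of recovery keys" policy becomes something that can be checked rather than assumed. The policy settings themselves (require AD DS backup of recovery information, deny write access to removable drives that are not BitLocker-protected) live under Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption in Group Policy.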

Ref: Windows 7 Features
