Post on 24-Dec-2015
Windows XP Service Pack 2 Customer Awareness Workshop
Plan – Test – Deploy & Troubleshooting
Craig Schofield (craschof@microsoft.com), Microsoft Ltd. UK
September 2004
Windows XP SP2 Deployment
• Windows XP SP2 deployment is a major event: treat it like a mini-OS deployment
• New security features will make the system more secure but may impact some applications
• Leverage MSF and MOF
• Communications and training are critical components
• Test, test, test
• Application compatibility and usability are paramount: desktop and web-based LOB applications
• Corporate security policy: review and update Group Policy as required; a significant number of additional Group Policy options are available
• Users will be impacted: train and communicate accordingly
Planning for Windows XP Service Pack 2 Deployment
Plan, Plan, Plan
• Define the vision/scope
• Review the XP SP2 changes documentation
• Define test plans and lab setup plans
• Put the lab setup and pilot testing into action
• Take applications through the lab to production
(Diagram: Plan → Testing → Remedy Issues → Deployment → Deploy!, covering Group Policy, Service Pack 2 and application changes/fixes/upgrades.)
Example Vision/Scope
• Desired outcome of the project: internal and external compatibility of SP2
• Ensure environment security and business continuity
• Phased rollout of SP2 over xx months
• Risks: unknown number of application issues
Security Planning
• Determine the preferred security configuration and possible trade-offs (IE/Firewall)
• Need to support non-domain machines: requires a scripted or command-line approach
• Analyse configuration methods:
  Group Policy
  • XP SP2 adds 609 new Group Policy settings (518 for Internet Explorer alone)
  • Updated ADM files (for administering GPOs from non-SP2 machines)
  Command-line tools, firewall INF file, Unattend.txt (XP SP2 deploy.cab), scripting
Deployment Planning
• Consider deployment of XP SP2 on a limited set of ‘real systems’ to test:
  Deploy with the firewall on
  • Determine commonly needed open ports
  • Deploy settings with AD, INF files, WMI, Unattend.txt
  Deploy with XP SP2 DCOM and IE defaults
  • Use a custom OU if you have Active Directory
• Plan deployment to a pilot community to catch the final 5% of issues
Key Tasks
• Establish lab environment
• Applications inventory: application name, vendor & version, XP SP2 status; categorise applications
• Device driver inventory
• Establish testing tools and scripts: Application Compatibility Toolkit
• Deployment planning: deployment technologies; consider dial-up only machines, machines with insufficient disk space etc.
(Diagram: application testing matrix. Applications (MSI/packages, AD deployment via SMS and SUS) and internal and external web sites (frequently used external sites, e.g. contoso.com) are each validated on SP1 and then on SP2.)
Testing Windows XP Service Pack 2
Pilot Testing
• Initial run through of the test plans; refine tasks and refine the lab environment
• Define and train the core test team on roles
• Pilot the test plan: applications (LOB, web based, desktop), intranet/internet sites, application deployment, management and support
• Create the project schedule; update the risk assessment
• Level of application incompatibility now known
Production Testing
• Execute test plans within the lab environment
• Collect and report data
• Track and review schedules
Production Testing (cont.)
How do I know if it’s broken? Compare and contrast:
• History: is present behaviour consistent with past behaviour (SP1?)
• Claims: is it consistent with reported functionality and behaviours?
Remedy Phase
• Review and rank application compatibility data to establish deployment risks:
  Application is compatible
  Application requires basic compatibility modifications
  Application requires extensive modifications
  Application is incompatible
• Determine the approach to resolving each incompatibility problem
Application Compatibility Summary
• Most applications work without issues
• For applications that have compatibility issues:
  Most issues can be mitigated through proper configuration of SP2 settings
  Most mitigations will not lead to increased attack surface area
  Few applications will require changes to source code
Application Compatibility Drill Down
Functional area: compatibility status
• NX & /GS, Attachment Handler: user experience modified
• Windows Firewall, DCOM & RPC, other components: few apps; proper configuration required
• Internet Explorer: some apps; proper configuration required
Application Compatibility Toolkit
• The Application Compatibility Toolkit (ACT) provides methods and information to resolve the most commonly encountered application compatibility issues
• ACT 3.0 is available now and can be used to determine which applications are installed and to apply non-SP2-specific ‘fixes’
• ACT 4.0 is specifically targeted at issues exposed by Service Pack 2 and provides vital assistance to anyone deploying Service Pack 2
• Version 4.0 is intended solely for IT professionals planning to deploy Windows XP SP2; the 4.0 beta is scheduled for release later this year
ACT 4.0 Components
• Evaluate: plan the project and gather the necessary information about the existing environment
  Windows Application Compatibility Analyzer is used to gather a complete software inventory
  Risk Evaluation and Mitigation (REM) tools assist in finding problem areas in your applications relating to DCOM, Internet Explorer and the Windows Firewall
• Mitigate: find solutions for the problems identified in the Evaluate phase using Compatibility Administrator or by identifying the Windows registry settings to be modified
• Deploy: distribution and installation of the Service Pack through tools such as Group Policy or Microsoft Systems Management Server
Possible Issue Resolutions
• Applications with source code: review and update the source code
• Applications from outside vendors: contact the vendor
• Applications without source code: use profiling and debugging tools to help diagnose or resolve problems; modify security or other settings through Group Policy to enable the application to function
Windows XP Service Pack 2 Deployment
Windows XP SP2 Formats
• RTM build 2180 (version 5.1.2600.2180)
• The full XP SP2 download is about 270 MB; the I386 folder expands to 326 MB. Consider the size of the backup folder and of the System Restore point
• Smaller “express install” for web download installs only the files the machine needs; leverages delta compression and BITS
• Can slipstream the update into the installation source for an all-in-one install, but this is only supported against ‘Gold’ RTM code
Deploying XP SP2: Installation Considerations
• Plan on a minimum of 30 minutes, probably longer
• Consider disabling anti-virus for the install ONLY, and re-enable it as soon as the install completes
• Check %WINDIR%\svcpack.log for failures
• Requires administrative rights to install
• Plan and test backout procedures for the upgrade; existing files are backed up by default (to %WINDIR%\$NtServicePackUninstall$) unless installed with /n
Deploying XP SP2: Installation Options
xpsp2.exe or update.exe + options; /help lists them
• Setup options: /quiet, /passive, /uninstall
• Restart options: /norestart, /forcerestart
• Special options:
  /l lists installed hotfixes
  /o overwrites OEM files without prompting
  /n does not back up files for uninstall
  /f forces other programs to close at shutdown
  /integrate:<path> slipstreams into an installation share
  /d:<path> sets the backup path
Deploying XP SP2: Scripted Scenarios
• RIS installations: existing XP images; slipstream or update (must be slipstreamed against GOLD!)
• Existing build and lab environments: WinPE images
• BDD Solution Accelerator
  • TechNet white paper: BDD with Service Pack 2
• ZTC solutions; in-house
Deploying XP SP2: Scripted Scenarios (cont.)
• Unattend.txt sections: [WindowsFirewall], [WindowsFirewall.profile_name], [WindowsFirewall.program_name], [WindowsFirewall.service_name], [WindowsFirewall.portopening_name], [WindowsFirewall.icmpsetting_name]
• NetFW.inf sections: ICF.AddReg.DomainProfile, ICF.AddReg.StandardProfile, Strings
• Netsh (the netsh firewall context)
Deploying XP SP2: Automated Scenarios
• Windows Update: limited control; large external bandwidth requirements
• SUS server: fully automated with no user interaction; can work with non-admin users
• SMS 2003: deploy via advertised package; targeted installation, exception reporting etc.
SMS 2003 and XP SP2: Windows Update (SUS/WUS)
• Most enterprise organisations will require tighter control than provided by WU
• Large download: ad hoc deployments may impact the corporate WAN/LAN links
• Users must have access to Windows Update and local administrative rights
Benefits of Using SMS 2003
• Reliable software deployment: SMS provides information for planning, testing, deploying, analysing and customising application deployment
• Planning information includes customisable hardware and software inventory, built-in reporting, customisable reports, queries and collections
• Controlled deployments: use administrator-created collections to target systems
• Deployment status reported through SMS reports
Deploying Phase
• Proceed with each defined, scheduled deployment group
• Monitor and adjust the deployment as necessary
• Limit daily machine counts based on network and infrastructure capacity, helpdesk capacity and issues encountered
Windows XP Service Pack 2 Configuration
Administering SP2: Recommended Enterprise Settings (1)
These are guidelines only; review all settings prior to deployment!
• Windows Firewall: Protect all network connections: Enabled
• Windows Firewall: Do not allow exceptions: Not configured
• Windows Firewall: Define program exceptions: set to the names of the applications and services used by the computers running Windows XP SP2 on your network for managed, server, listener or peer applications (e.g. SMS)
Administering SP2: Recommended Enterprise Settings (2)
• Windows Firewall: Allow local program exceptions: Enabled (pending corporate policy)
• Windows Firewall: Allow remote administration exception: Disabled, unless the Windows XP SP2-based computers are configured remotely using MMC snap-ins or monitored remotely using WMI
• Windows Firewall: Allow file and print sharing exception: Enabled only if the computers running Windows XP SP2 are sharing local folders and printers
Administering SP2: Recommended Enterprise Settings (3)
• Windows Firewall: Allow ICMP exceptions: Enabled only to allow diagnostic or management capabilities that are based on ICMP traffic
• Windows Firewall: Allow Remote Desktop exception: Enabled only if you use Remote Desktop to connect to Windows XP SP2-based computers
• Windows Firewall: Allow UPnP framework exception: Enabled only if you use UPnP devices on your network
• Windows Firewall: Prohibit notifications: Disabled
Administering SP2: Recommended Enterprise Settings (4)
• Windows Firewall: Allow logging: Not configured
• Windows Firewall: Prohibit unicast response to multicast or broadcast requests: Disabled (enabling it can break Wake-On-LAN)
• Windows Firewall: Define port exceptions: set to the TCP and UDP ports used by the Windows XP SP2 computers on your network for managed, server, listener or peer applications that cannot be specified by filename (add SMS and similar ports here)
• Windows Firewall: Allow local port exceptions: Enabled (pending corporate policy)
Administering SP2: 3rd-Party Firewall Scenarios
Disable Windows Firewall (only where a managed third-party firewall is in place) via:
• Unattended installation: Unattend.txt or Netfw.inf
• Deploying registry settings to disable WF:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall = 0 (DWORD)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall = 0 (DWORD)
  These are policy keys, so they override the local firewall settings a user or script has set
• Configuring GPOs accordingly
Summary
• Laptops must be on AC power to upgrade
• Security Center: disabled in domains, enabled in workgroups
• Add/Remove Programs: an SP2 entry is added
• Additional considerations: applications that run as a service; Security Center and anti-virus software; Local Machine Zone Lockdown and web applications; applications which utilise zone elevation; VPN client application compatibility
Summary Continued…
• Plan and test: some applications may require modification; locating and addressing issues can take time; the benefit of increasing security is likely to be greater than the cost to deploy
• Test as a Service Pack, deploy as an OS
• Leverage existing investments: AD, SMS 2003, SUS, ACT, BDD, CER
• Communications: users will be impacted; carefully consider communications, testing and training requirements; SP2 impacts both IT and the business
• Implement with appropriate rigour: SP2 allows customers to focus on business
Troubleshooting Windows XP SP2
General Troubleshooting
• Slow installation: copy the files locally; disable anti-virus software temporarily
• XPSP2.exe issues: a downloaded package may have been corrupted; extract it with the /x switch to check
• Permissions: requires local administrator permissions
• Product key issues: Windows XP SP1 ‘pirated’ keys are blocked
Troubleshooting 32-Bit Applications
• Test the application on XP SP1 (baseline)
• On 64-bit extended (NX-capable) processors, use the Application Compatibility Toolkit to disable DEP on a per-application basis
• Disable the firewall: temporary measure only; not recommended for production machines. Deploy exceptions and keep the firewall enabled
• Disable DCOM/RPC authentication: temporary measure only; not recommended for production machines. Deploy a revised security configuration
• Ask the software vendor for any needed updates or patches for Windows XP SP2 support
• Consider the risks of disabling protection vs. selection of an alternate application
Troubleshooting Web Applications
• Test the site on XP SP1 (baseline)
• Add trusted intranet applications to the Trusted Sites list
• Sign all custom ActiveX objects
• Review the application to remove all cross-zone scripting and zone elevation
• Lower security settings for the required zone: temporary measure only; not recommended for production machines. Deploy exceptions as required
• Selectively disable IE protection measures (pop-ups, ActiveX, zones etc.) to verify which protection is stopping the application: temporary measure only, via GPO or the IE Tools > Internet Options > Security tab. Not recommended for production machines; deploy exceptions as required
• Consider re-writing the application vs. the risk of disabling new protection mechanisms
Troubleshooting Windows Firewall
• ON by default for both the Domain and Standard profiles
• The File and Print Sharing exception is off by default, and when enabled it is scoped to the local subnet only
• Add exceptions for management/admin tools, Remote Desktop etc.
• Disable temporarily to determine whether Windows Firewall is causing an application incompatibility, then re-enable it and add a scoped exception
• Configure via INF file, GPO, registry keys, the prompt to add exceptions, the command line via netsh, and the GUI
• Logging to pfirewall.log (%WINDIR%\pfirewall.log by default)
Client Administration Tools
• You may experience issues in managing client computers because Windows Firewall blocks inbound TCP port 445, e.g. Select Users, Computers, or Groups, or retargeting an MMC at a remote workstation
• Errors such as “System Error 53 has occurred. The network path was not found.”
• Allow inbound TCP port 445 on the remote workstation (scope it to the administrative subnet rather than any address) to enable these tools
• See MSKB 870703: Known issues with the client administrative tools in Windows XP SP2
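The port inventory the deployment-planning slide asks for (“determine commonly needed open ports”) can be built from the firewall’s own dropped-packet log rather than by guesswork. The following Python script is an added example for this page, not code from the original deck or from Microsoft: it parses the W3C-style pfirewall.log that XP SP2 writes when dropped-packet logging is enabled, counts inbound (RECEIVE) TCP/UDP drops per destination port, separates sources on the local subnet from everything else, and emits candidate entries in the Port:Transport:Scope:Status:Name syntax that the “Define port exceptions” Group Policy setting accepts. The log lines, the 10.1.2.0/24 client subnet, the port labels and the two-hit threshold are constructed assumptions; only TCP 445 and MSKB 870703 come from the slides.

```python
"""Mine pfirewall.log drops for the port exceptions a deployment really needs.

Added example for this page, not code from the original workshop deck. It reads
the W3C-style log that Windows XP SP2's Windows Firewall writes when dropped-
packet logging is on, counts inbound (RECEIVE) TCP/UDP drops per destination
port, and emits candidate "Define port exceptions" strings in the GPO format
Port:Transport:Scope:Status:Name for review. The log lines, subnets and port
labels below are constructed for the example.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the XP SP2 (version 1.5) pfirewall.log layout.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2004-09-13 09:01:12 DROP TCP 10.1.2.50 10.1.2.77 1057 445 48 S 2345678901 0 65535 - - - RECEIVE
2004-09-13 09:01:15 DROP TCP 10.1.2.50 10.1.2.77 1058 445 48 S 2345678911 0 65535 - - - RECEIVE
2004-09-13 09:02:40 DROP TCP 10.1.2.9 10.1.2.77 3321 2701 48 S 99887766 0 16384 - - - RECEIVE
2004-09-13 09:03:02 DROP UDP 10.1.2.200 10.1.2.77 137 137 78 - - - - - - - RECEIVE
2004-09-13 09:03:05 DROP TCP 203.0.113.8 10.1.2.77 4444 445 48 S 1122334455 0 65535 - - - RECEIVE
2004-09-13 09:04:00 DROP TCP 10.1.2.77 10.1.2.1 1100 80 40 R 0 0 0 - - - SEND
2004-09-13 09:04:30 OPEN TCP 10.1.2.77 10.1.2.30 1101 445 - - - - - - - - -
2004-09-13 09:05:00 INFO-EVENTS-LOST - - - - - - - - - - - - 3 -
"""

LOCAL_SUBNETS = [ipaddress.ip_network("10.1.2.0/24")]  # assumed client LAN
# Assumed labels for the GPO Name field; the deck itself only names SMS and TCP 445.
PORT_NAMES = {("TCP", 445): "SMB for client admin tools (MSKB 870703)",
              ("TCP", 2701): "SMS remote tools (assumed)",
              ("UDP", 137): "NetBIOS name service"}


def parse_pfirewall_log(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log record appeared before the #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated record (e.g. log rotated mid-write): skip it
        yield dict(zip(fields, parts))


def inbound_drops(records, local_subnets):
    """Count inbound TCP/UDP DROPs per (protocol, dst-port), split by source locality."""
    counts = defaultdict(Counter)
    for r in records:
        if r["action"] != "DROP" or r["path"] != "RECEIVE":
            continue  # outbound drops, OPEN/CLOSE and INFO-EVENTS-LOST need no exception
        if r["protocol"] not in ("TCP", "UDP"):
            continue  # ICMP is governed by the separate ICMP exception settings
        src = ipaddress.ip_address(r["src-ip"])
        where = "subnet" if any(src in n for n in local_subnets) else "remote"
        counts[(r["protocol"], int(r["dst-port"]))][where] += 1
    return counts


def port_exception(port, transport, name, scope="localsubnet", enabled=True):
    """Format one 'Define port exceptions' GPO entry: Port:Transport:Scope:Status:Name."""
    if not 1 <= port <= 65535 or transport not in ("TCP", "UDP"):
        raise ValueError(f"bad exception {port}/{transport}")
    status = "enabled" if enabled else "disabled"
    return f"{port}:{transport}:{scope}:{status}:{name}"


def propose_exceptions(counts, names, min_hits=2):
    """Return (gpo_strings, review_notes).

    Only ports dropped at least min_hits times from the local subnet become
    candidate exceptions, and those are scoped to localsubnet rather than '*'.
    Drops that came only from off-subnet sources are reported, never opened.
    """
    proposals, notes = [], []
    for (transport, port), c in sorted(counts.items()):
        name = names.get((transport, port), f"unlabelled {transport} {port}")
        if c["subnet"] >= min_hits:
            proposals.append(port_exception(port, transport, name))
            if c["remote"]:
                notes.append(f"{port}/{transport}: {c['remote']} drop(s) from outside "
                             "the subnet; keep scope=localsubnet")
        else:
            notes.append(f"{port}/{transport}: {c['subnet']} local drop(s), below "
                         f"threshold {min_hits}; investigate before opening")
    return proposals, notes


def analyse(text=SAMPLE_LOG, local_subnets=LOCAL_SUBNETS, names=PORT_NAMES):
    """Run the whole pipeline on one log and return (gpo_strings, review_notes)."""
    return propose_exceptions(inbound_drops(parse_pfirewall_log(text), local_subnets), names)


if __name__ == "__main__":
    gpo, notes = analyse()
    print("Candidate port exceptions:", *gpo, sep="\n  ")
    print("Review notes:", *notes, sep="\n  ")
```

Point `analyse()` at the contents of a pilot machine’s %WINDIR%\pfirewall.log and at your real subnets. Nothing is written to policy: the strings are for review before they go into the “Define port exceptions” setting, and the single off-subnet hit on 445 in the sample is exactly the reason to keep the scope at localsubnet rather than *.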
Call to Action…
• Learn: take training, read guidance
• Test and evaluate: begin testing SP2 in your environment
• Defence in depth: consider multiple security countermeasures in addition to SP2
• Plan for deployment: leverage the Business Desktop Deployment Solution Accelerator
What You Should Do
http://www.microsoft.com/uk/sp2
Getting help with installation and deployment…
With Conchango you can take maximum advantage of Windows XP SP2 while minimising the impact to your business.
Conchango will evaluate the impact of SP2 on your business, test your applications against SP2 and assess your organisation's change management processes.
http://www.conchango.com/
Computacenter offer a full Windows XP SP2 Impact Assessment service.
Computacenter can identify likely technical issues, reduce calls to your support team during implementation, reduce the risk of business-critical applications failing and help you determine the likely impact to your application estate.
Computacenter also offer a two hour workshop presenting the benefits of SP2.
http://www.computacenter.com/
Selected Microsoft Partners can assist you with the installation and roll-out of Windows XP Service Pack 2.
Resources
Windows XP Service Pack 2 Home Page
Main: http://www.microsoft.com/windowsxp/sp2/default.mspx
UK: http://www.microsoft.com/uk/sp2
Windows XP Service Pack 2 (SP2) Support Centre http://support.microsoft.com/default.aspx?pr=windowsxpsp2
UK Windows XP Support page http://www.microsoft.com/uk/windowsxp/sp2/default.mspx
Windows XP Service Pack 2 - Resources for IT Professionals http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
Windows XP Service Pack 2 - Security Information for Developers http://msdn.microsoft.com/security/productinfo/xpsp2/
Windows Application Compatibility http://www.microsoft.com/windows/appcompatibility/default.mspx
Release Notes for Windows XP SP2 MSKB 835935 http://support.microsoft.com/?kbid=835935
List of fixes included in Windows XP SP2 MSKB 811113 http://support.microsoft.com/?kbid=811113
Windows XP SP2 Support hotline: 0845 090 2025
Thank-You!
Please complete the evaluations…
Craig Schofield (craschof@microsoft.com)
© 2004 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.