Service Pack 1 for Windows 2008 R2 Now Available for Download

Just a quick note to remind everyone that Service Pack 1 for Windows 7 and Windows 2008 R2 has just now become available for download on TechNet & MSDN.

If you don’t have a TechNet or MSDN subscription you should see it on the Microsoft Download sites next Tuesday. [EDIT: Here is the download Link]

Be sure to check with each product group before installing this.  Obviously it is supported with the OS itself (clustering, Hyper-V, RDS, etc) but you should seek a direct support statement like the one the Exchange group published.

You should also validate your 3rd party applications.  You’ll note there may be some issues with VMware, for example…

For more information such as release notes or articles on what’s new, visit this page:

Windows Server 2008 R2 Service Pack 1

Finally, here is a screenshot:

Version    6.1.7601 Service Pack 1 Build 7601

Version    6.1.7601 Service Pack 1 Build 7601

Windows 7 & MDOP Technical Workshop

Come one come all to the Windows 7 & MDOP technical workshop.  I will be presenting at Microsoft again, this time in Reston, VA.  The day will cover many new virtualization concepts and Windows 7 features.

Below is the agenda, and email if you are interested.


Time Session
8:00 – 8:30 Sign-in and Breakfast
8:30 – 9:20 Session 1: Introduction to The Optimized Desktop (Windows 7 & MDOP)
9:20 – 9:30 Break
9:30 – 11:30
     9:30 – 10:00
     10:00 – 10:30
     10:30 -11:00
     11:00 – 11:30
Session 2: Windows 7 Enterprise Technical Overview
  → Planning for Direct Access
  → Considering BranchCache scenarios
  → Applying Bit locker, Bit locker-To-Go, and Key Management
  → Implementing the Microsoft Deployment Toolkit
11:30 – 12:30 Lunch & Vendor/Sponsor Presentation
12:30 – 1:30 Session 3: MDOP Overview
1:30 – 2:20 Session 4: Microsoft Virtualization Session
2:20 – 2:30 Break
2:30 – 3:30 Session 5: Microsoft Application Virtualization Technical Overview
3:30 – 4:20 Session 6: Microsoft Enterprise Desktop Virtualization (MED-V)
4:20 – 4:30 Break
4:30 – 4:50 Session 7: Application Compatibility Strategies
5:00 Q&A & Wrap Up

70-669 TS: Windows Server 2008 R2, Client Virtualization

Taking beta exams is fun because you have the potential of passing an exam before everyone else. You can also shape the exam by your comments and results. Oh yeah, and it’s FREE!

But it does have somewhat of a price. Microsoft takes 5-7 weeks to grade the exam. During this time, the Prometric results page, just says “tested” instead of where Pass or Fail would normally be. I’ve been checking every day for an update to my most recent Beta exam and finally today, I saw some results!



I’ll say, this exam was tough. I didn’t study for it, as there were not really any materials available at the time of the test, but I have been recently working with Desktop Virtualization technologies. The hardest part of the exam, in my opinion was that it included aspects of a LOT of different concepts. Normally Microsoft exams focus on one product at a time, but this exam focused on the desktop virtualization concept which spans products like:

App-V, MED-V, RDS, SCCM, XP Mode, Virtual PC, VDI, etc.

Anyway, good luck if you wish to take this exam! Contact me with your experiences once you do!

By the way, this exam is also a stepping stone to the new MCITP: Windows Server 2008 R2, Virtualization Administrator

  Requirement Exam Status
1 Desktop Virtualization 70-669: TS: Windows Server 2008 R2, Desktop Virtualization In beta—live in May
2 Server Virtualization (choose one)
70-652: TS: Windows Server Virtualization, Configuring


70-659: TS: Windows Server 2008 R2, Server Virtualization
Both are available now
3 Virtualization Administration
70-693: Pro: Windows Server 2008 R2, Virtualization Administrator
Live now

Microsoft’s many uses of the word “Virtual”

It’s really amazing how many smart people are misusing the various product names of Microsoft’s virtualization technologies. I blame this partly on Microsoft’s lack of effort to clarify, but also the topics are just confusing. Here I just wanted to provide a short list of Microsoft’s “virtualization” technologies and a description in easy to understand language.

Presentation Virtualization

This is a fancy name for Terminal Services, which is now called Remote Desktop Services in Server 2008 R2.

Official site:


Hardware Virtualization

Products include, Virtual PC, Virtual Server and Hyper-V. These technologies allow a complete computer operating system to run within another operating system.

Official site:


Now the confusing ones:

Virtual Desktop Infrastructure (VDI)

Use of abovementioned RDS combined with abovementioned Hyper-V. In Server 2008 and earlier Microsoft VDI wasn’t an actual product. It was a licensing scheme that allows use of these technologies:

· Hyper-V for hosting your desktops

· System Center Virtual Machine Manager for managing your VMs

· System Center Operations Manager for monitoring everything

· System Center Configuration Manager for building and managing your desktop images

· The Microsoft Desktop Optimization Pack so you can use App-V to virtualize your applications

· All the Remote Desktop infrastructure components, like RS Web Access, RD Session Broker, RD Gateway, etc.

In Server 2008 R2, the licensing still applies, but there is now a “Server Role: Role Service” called “Remote Desktop Virtualization Host”. This role also adds the Hyper-V role and should not be virtualized, as it is to be considered a virtualization host itself.

Using the RD Virtualization Host role, you can create pools of virtual windows desktops (such as Windows 7) for users to access over Remote Desktop Services. The use of Hyper-V allows for many computers to reside within a single server, but it also can employ snapshots to automatically revert a PC back to its administrator-defined state when a user logs off.

To connect to this magical environment, you can use another computer with the Remote Desktop Client (yes even MAC), or you can use a thin terminal sych as a Wyse WinTerm.

IMO: This is what most people mean when they say “we want to virtualize our desktops”

There are 3 videos that cover this in just the right amount of detail here:




Official site:


Microsoft Enterprise Desktop Virtualization (MED-V)

MED-V is the most confused in this list. While it sounds like this is a product that allows you to do what I just described in the above VDI section; this is actually far from the truth.

MED-V addresses the issue of application to operating system incompatibility. However before you walk down the MED-V road, you should realize that applications that don’t seem to be compatible with the operating system may actually be “fixed” with ACF. I’m not going to get into ACF here, but you can read about it here: Application Compatibility Factory (ACF) Program

MED-V used to be called “Virtualization Player” before Microsoft bought Kidaro, the parent company. MED-V allows a given workstation to run a modern operating system such as Windows Vista or Windows 7 while also running otherwise incompatible applications on Windows XP which is hidden in the background.

This is accomplished by first installing Virtual PC on the workstation, and then the MED-V client. When a user access an application that the administrator configures to run from the XP environment, it is seamlessly merged into their Windows Vista/7 experience without knowledge of a full XP installation running in the background.

If you are familiar with Windows 7’s “XP Mode” you have a head start into this concept. XP Mode is a derivative of MED-V. The “E” in MED-V stands for enterprise, so of course this means the environment can be controlled in a way that is suitable for large environments. This is done by centralizing the images used for the background environments, and controlling their level of interaction with client computers who run the client.

In addition to incompatible applications there could also be incompatible websites. An example here would be when a user types http://oldsite IE6 is called to access the URL when all other applications would run from IE7 or 8. Applications and URLs that are defined as incompatible are configured within the MED-V management application.

MED-V requires better hardware for workstations that run it; however it does not require virtualization support from the CPU architecture like Hyper-V does.

This software is only available through the MDOP (Microsoft Desktop Optimization Pack) offering via Software Assurance.

Official site:


Microsoft Application Virtualization (App-V)

This product was purchased from Softricity who named it SoftGrid. It has since been renamed to App-V 4.6

App-V, like MED-v is an MDOP offering that deals with application incompatibility. The difference is that MED-V addresses application to operating system incompatibilities, whereas App-V solves application to other application incompatibility issues.

Java for example can only exist once on a computer. If a user requires an older AND a current version of Java, they cannot run them both from the same computer. App-V changes this rule.

App-V creates a sort of “bubble” for an application to reside within. The bubble itself interacts with the operating system but not with other bubbles. This allows us to put Java v.old and Java into separate “bubbles” and then run them both on the same computer. At the same time if desired.

This bubble means the application is never “installed” onto the computer.

Another cool thing about App-V is its ability to stream these bubbles to the client. App-V uses RTSP to send the application to the client. App-V is Microsoft’s “application streaming” technology. The advantage of streaming an app is that the computer is able to run the app while all the program bits are being sent over the wire as necessary.

With App-V all application processing and workload is done on the client. I mention this because many people believe the “stream” or the streaming server somehow assists the workstation. This is not true. If you run an application within App-V you need the same hardware you would need without App-V. This also means an app that is incompatible on Windows 7 will remain incompatible with Windows 7 even if packaged via App-V. Remember, this is MED-V’s job.

Official site:

I hope this helps you in your future discussions with customers or at least your own personal understanding of Microsoft’s Virtualization offering!

App-V 4.6 RC Client Error 460579-19D0990A-10000009

Recently I had a customer ask for my assistance with a problem they were having in their App-V environment.

Client computers would get the following error when they tried to connect to their defined publishing server:


My Google foo failed me initially on this, as I was not able to find anything related to the 460579-19D0990A-10000009 error message. Despite these seemingly definitive pages (here & here) on other errors.

I decided to look at the Management Server to see if perhaps it could shed more light on the situation. When I looked at the server’s application log I found this message to be more useful:


Log Name: Application
Source: Application Virtualization Server
Event ID: 44955
Task Category: (1)
Level: Error
Certificate could not be loaded. Error code [-2146893043]. Make sure that the Network Service account has proper access to the certificate and its corresponding private key file.

The Services MMC shows the Application Virtualization Management Server service is logging on as builtin\Network Service. Here is our problem!

Doing a search on this new information brought me to the App-V Security Operations Guide. Within, I found instructions for adjusting the permissions:

(Page 10)

Modifying Private Key Permissions to Support Management Server or Streaming Server

In order to modify the permissions of the private key, a Windows Server 2003 Resource Kit tool, WinHttpCertCfg.exe can be used. There are other ways to modify the certificate permissions, however this is the most straightforward and easy way of completing this task. The following steps explain how to modify the permissions of a certificate to support a secure App-V installation.

Managing Private Keys on Windows 2003

Use WinHttpCertCfg.exe to set the correct ACL on the private key

On Windows Server 2003, the process of changing the permissions on the Private Key to support App-V is described in the steps below. This process requires that a certificate that meets the prerequisites listed above has already been installed on the machine or machines that App-V Management or Streaming Server will be installed on.

Additional information on using the WinHttpCertCfg.exe tools is available at the link below.

1. On the machine that will become the App-V Management or Streaming server, type the following commands in the command shell to list the current permissions assigned to a specific certificate.

winhttpcertcfg -l -c LOCAL_MACHINE\My -s Name_of_cert (eg.


2. Next, if necessary modify the permissions of the certificate to provide read access to the security context that will be used for Management or Streaming Service.

NOTE: The default security context is Network Service, some organizations don’t use built in accounts and a domain account may be used instead.

winhttpcertcfg -g -c LOCAL_MACHINE\My -s Name_of_cert -a NetworkService


3. Verify that the security context was properly added by listing the permissions on the certificate.

winhttpcertcfg –l –c LOCAL_MACHINE\My –s Name_of_cert



Managing Private Keys on Windows 2008

Windows Server 2008 makes the process of changing the ACLs on the private key much easier. The certificates GUI can be used to manage private key permissions.

1. Create an MMC with the Certificates snap-in that targets the Local Machine certificate store.

2. Expand the MMC as shown in the diagram below and select Manage Private Keys.


3. Use the Security tab to add the Network Service account with Read access.


I found that both methods actually work on Server 2008 / R2 in case for some reason you are more comfortable with the command line and/or you didn’t bother to scroll down like I did to realize there is now a GUI alternative! 🙂

After I made this permission adjustment, I tried the client refresh again, and instantly my applications appeared!


I hope this tip helps someone out there!