What does the Windows 8 CTP Mean For Windows Intune Today and Tomorrow?

Thus far the Windows Intune client won’t install on Windows 8, but that’s expected for something at this early stage of pre-release. The big benefit at this point in time is the eligibility to move to Windows 8 Enterprise, or whatever the similarly capable version will be called with Windows 8. It’s not a safe assumption that there will be a 1:1 version mapping; below I give a couple of reasons why.

ARM tablets are one of the obvious areas that the Windows Intune team will need to develop for, considering the strong push into the enterprise that these tablets will have alongside the traditional Windows PCs. Now, at this stage of the game I’m not 100% convinced of the real viability of ARM based Windows tablets. The thing that frustrates me with existing tablet solutions in the marketplace is that they don’t run all the Windows apps I want to run, so I still need my laptop. Over time my dependence on these PC only applications may be reduced, but it is going to take a while. During that period Intel and AMD aren’t going to be sitting on their hands; they will no doubt be chasing the power consumption numbers that ARM based systems tout. If someone from the Windows Intune team is looking for a tester for this scenario, I’m more than happy to put my hand up for the task.

With Windows versions, some choice is good, but too much choice isn’t necessarily good, and can be quite detrimental. While Microsoft has been attempting to simplify its Windows lineup, Windows 7 leaves a lot to be desired, and Windows Intune is a great example of where there is some confusion and some inconsistency. While Windows 7 Enterprise and Windows 7 Ultimate provide the same functionality, the primary differences are how they are sold/licensed (retail and OEM for Ultimate versus volume license for Enterprise) and their different approaches to activation.

Where the pain comes in is that Enterprise needs to be a clean installation, whereas Ultimate can do an in place upgrade of lower end versions of Windows 7, as well as Windows Vista clients. In a well managed corporate environment, the upgrade discussion doesn’t usually happen, instead a pristine image, tweaked and tested, is deployed out to users when the time for a new OS rolls around. User data in these environments should be redirected, so the dependency on the physical machine and the OS are minimized.

But what about the SMB customer who doesn’t have the necessary infrastructure, and doesn’t necessarily want to invest in the data migration during the upgrade process, instead they just want to do a good old in place upgrade? Ultimate allows this with ease, but Enterprise isn’t in the running. To add insult to injury, many of the smaller customers out there may not have been domain joined, and not had a need for Professional or higher, so are in fact not eligible for the Windows 7 Enterprise Upgrade. To take advantage of these upgrade rights they need to purchase Windows 7 Professional upgrades in retail or via Windows Anytime Upgrade. I wouldn’t like to be the person who had to explain this to the customer who thought they were all set to move across to Windows 7 Enterprise.

Hopefully Windows 8 sees a further reduction in the SKU lineup. There is much speculation on this at the moment, and I’m sure there are groups within Microsoft and within OEMs who have these details, but the rest of us must wait. For OEMs, the more SKUs Microsoft makes available mean the more decisions they need to make in terms of matching the Windows version to the PC model, and that’s quite a large matrix when you look at the hardware lineup of major OEMs.

The flip side of this is what Apple does: one OS version across a limited range of hardware choices. Some may scoff at the lack of choice Apple offers compared to HP, Dell, Acer etc., but the economies of scale really favor the Apple approach. Suppliers can ramp up production, warehousing and shipping are simplified, resellers can reduce stock on hand, and the right stock is more likely to be available within a short transit time. Sometimes it seems like the other OEMs are deliberately limiting their profitability, while Apple continues to make a very healthy margin.

One or two Windows options for OEMs would be a great start, preferably one, then using the Windows Marketplace, Windows Intune, Software Assurance, or even retail media to allow upgrades to a limited range of premium SKUs. This approach would make Windows Intune and desktop Software Assurance much more attractive to customers that have traditionally avoided SA on the desktop, as they would be seeing immediate value with a much more feature rich, business targeted upgrade to Windows. This would be a step in the right direction, but I think it could be just a bit too drastic.

The other issue that we currently see with the SKU lineup that impacts Windows Intune’s Windows 7 Enterprise upgrade rights is that customers on Windows 7 Professional don’t necessarily see the value in a new OS deployment just so they can get BitLocker, BranchCache, DirectAccess and Enterprise Search. If this is an SMB customer relying heavily on other cloud services, some of these capabilities just aren’t appealing or even terribly useful, and at this stage, SMB customers really are the best targets for Windows Intune. Consolidating the Professional and Enterprise/Ultimate versions would make this value clearer when adopted alongside a single version of Windows that is the default in the market.

MDOP component applicability to different types of Windows Intune users

The last update gave a quick run down on what MDOP includes, but now it’s time to see how these components can be used in various types of organizations. We will start with an unmanaged, distributed workforce, and add structure and potentially complexity through each example. The chart at the end of the post gives each component an applicability rating, but remember that these are just the views of the author, and I am more than willing to be swayed to change my view.

Unmanaged Distributed PCs
This is probably the scenario that will benefit the least from Windows Intune, as many of the components require a more traditional well designed, highly available network infrastructure to allow their effective deployment and maintenance. The ability to install Windows Intune onto unmanaged and distributed PCs, which covers distributed non-domain joined PCs means that some of the MDOP inclusions just aren’t applicable, and then others like the Application Inventory Service may have some very short term value, but DaRT is definitely a very useful addition to the IT arsenal.

Unmanaged Centralized PCs
The big differentiator here is that we have bandwidth. Just what MDOP tools can we start using if we aren’t part of an AD domain? While many in the world of IT have spent years arguing over the best directory or network operating system to deploy, there are still many networks running in peer to peer mode in the SMB space, and while we may want to provide them with some more infrastructure, it may not always be as applicable as we like to think. It pains me to write this, as I was a user on one of the first NT style domain rollouts, and then also a lab rat on one of the first AD global domain rollouts, so I fully appreciate the benefits of a directory.

Lightly Managed Distributed PCs
Now we have added domain joined PCs into the mix, even if they are at the other end of slow connections and the AD management is quite basic. Suddenly the AGPM tool starts to bring value, and more of the MDOP components start lighting up for applicability.

Lightly Managed Centrally Located PCs
Now we have bandwidth and Active Directory capabilities, what more could we ask for? Well, a lot, and that’s why MDOP and other tools exist. This is where MDOP really starts to shine.

Well Managed Distributed Or Centrally Located PCs
I’ve included this category for the sake of completeness, but in reality I don’t see anyone swapping out their existing management solution for Windows Intune unless they have some very specific requirements to do so. An on-premise solution such as System Center may be more complex to deploy and support than Windows Intune, but the capabilities the combined System Center family offers far exceed anything that Windows Intune will offer for quite a while.

MDOP component applicability by scenario:

Component                                       Unmanaged    Unmanaged    Lightly Managed  Lightly Managed  Well Managed
                                                Distributed  Centralised  Distributed      Centralised
Application Inventory Service (AIS)             Low          Low          Low              Low              Low
Application Virtualization (App-V)              Low          Low          Medium           High             High
Enterprise Desktop Virtualization (MED-V)       Low          Low          Medium           High             High
Diagnostics and Recovery Toolset (DaRT)         High         High         High             High             High
BitLocker Administration and Monitoring (MBAM)  Low          Low          High             High             High
Advanced Group Policy Management (AGPM)         Low          Low          High             High             High

I don’t want to go into the ratings of everything above, but I do want to focus on a few of them.

Firstly AIS is listed as Low across the board, and the reason for this is that AIS is the basis for the software reporting capabilities that are in Windows Intune. There is a small window of opportunity for AIS to provide some inventorying capabilities as it is a lighter footprint client than the Windows Intune install, but this wouldn’t be a normal scenario.

App-V and MED-V only receive Medium scores in distributed environments due to the potential bandwidth requirements for deployments. If bandwidth isn’t a concern they can both become High.

DaRT is useful across the board as it will help solve issues with non-booting PCs, which is great inside of a large organisation, but also highly valuable if you have to do any remote recovery and repair work.

Looking at the chart, one of the things that should be clear is that MDOP shines when it has the right infrastructure to work with. While Microsoft would like all of its customers to have some type of Software Assurance (SA) on the desktop OS, combined with MDOP, that isn’t the case. Windows Intune allows customers who chose not to go down this path, or missed the window of opportunity, to get many of the benefits of SA without an SA agreement. Now that I’ve typed that out, I think I may have to write an article comparing a Windows Intune subscription with SA. That will be the first licensing post for the site!

What’s Included In The Microsoft Desktop Optimization Pack add on for Windows Intune

The MDOP add on for Windows Intune is an interesting offering from Microsoft, allowing subscribers to get even more of the capabilities that would usually only be available to a customer under a Microsoft volume license agreement that included desktop software assurance.

MDOP is a collection of technologies from Microsoft, and here’s a description of it in Microsoft’s own words…looks like we need to remind them that it’s available via Windows Intune as well…

MDOP
The Microsoft Desktop Optimization Pack (MDOP) is a suite of technologies available as a subscription for Software Assurance customers. MDOP helps to improve compatibility and management (App-V/MED-V), reduce support costs (DaRT), improve asset management (AIS) and improve policy control (MBAM/AGPM).

Application Virtualization

Microsoft Application Virtualization (App-V) transforms applications into centrally managed services that are never installed and don’t conflict with other applications.

Microsoft Enterprise Desktop Virtualization
MED-V removes the barriers to Windows upgrades by resolving application incompatibility with Windows 7 and delivering applications in a Windows XP-based application compatibility workspace. Upgrades can proceed on schedule, and users can take advantage of the power of Windows 7 right away without losing access to applications they need while IT departments can remediate incompatible applications.

Advanced Group Policy Management
Microsoft Advanced Group Policy Management (AGPM), a core component of the Microsoft Desktop Optimization Pack for Software Assurance, makes it easier for IT organizations to keep enterprise-wide desktop configurations up to date, enabling greater control, less downtime, and reduced total cost of ownership (TCO).

Diagnostics and Recovery Toolset
Microsoft Diagnostics and Recovery Toolset, a core component of the Microsoft Desktop Optimization Pack for Software Assurance, helps IT teams make PCs safer to use, keeps employees productive, and enables desktops that are easier and less expensive to manage. Administrators can easily recover PCs that have become unusable, rapidly diagnose probable causes of issues, and quickly repair unbootable or locked-out systems, all faster than the average time it takes to reimage the machine. When necessary, you can also quickly restore critical lost files.

BitLocker Administration And Monitoring
Organizations around the world rely on BitLocker Drive Encryption and BitLocker To Go to protect data on Windows 7 PCs and portable storage devices. To make large-scale BitLocker implementations easier to manage, enterprises turn to Microsoft® BitLocker® Administration and Monitoring (MBAM).

Asset Inventory Service
Microsoft Asset Inventory Service (AIS), a core component of the Microsoft Desktop Optimization Pack for Software Assurance, provides a comprehensive view of your enterprise’s desktop software and hardware environment. AIS helps reduce total cost of ownership (TCO) and improve license compliance through advanced software inventory scanning and by translating inventory data into actionable information.

Well, all of this is well and good, but how well will these work for your company? That is the topic for the next post, where I will delve into what organisations of different sizes may benefit from with MDOP, as all of the pieces aren’t necessarily right for everyone.

US TS2 Team Tackle Intune and 3rd Party Antivirus Solutions

Follow the link for the full article, but here’s my take…

The inbuilt and integrated AV is one of the core benefits of Windows Intune, and is really the only way for a customer > 10 but < System Center Configuration Manager to get the MS AV endpoint technologies. It’s part of what I call the perfect storm for Intune applicability to a customer – expired or expiring AV, a relatively unmanaged environment, and preparing for an SOE or desktop OS upgrade. As one or more of these is removed, the value proposition for Intune is reduced, making it a harder sell for the partner, or a harder justification for the customer.

For a partner looking at Intune as a scale out support option, possibly as an MSP, the integration of the Intune Endpoint Protection into the Intune administration console is a great convenience, and I would really ask them to find really good reasons to not use what Intune provides versus what the 3rd party offerings are. I’m not saying that Intune Endpoint Protection will necessarily check all the boxes for all customers, but it’s worth checking if it does before committing to alternatives.

Windows 7 WEI Comparisons – Acer AC100 versus the HP N36L MicroServer

Why the Windows Experience Index? Well, it’s simple, it’s included in Windows 7, and I didn’t want to run an extensive test of the disk performance under different RAID options, not yet anyway. That would be something outside of scope for what I’m really doing with these devices.

First up, the HP MicroServer N36L, which has a dual core Athlon Neo at 1.3GHz. As you can see the CPU score is quite low by modern standards, but when this is being used as a basic server or NAS device it shouldn’t really matter; the disk subsystem and network throughput are going to make a bigger difference. The N40L is also available with a 1.5GHz CPU, but I highly doubt it would do much to close the gap in CPU and RAM performance. Today it’s easy enough to saturate Gigabit Ethernet with a single HDD, so unless you drop in additional NICs you aren’t going to hit any real throughput issues with this server. Note that this server, like the Acer AC100, has 8GB of RAM installed.

For server purposes the graphics scores are largely irrelevant, and the HDD score is capped due to testing against a single 7200RPM HDD.

Now on to the Acer. As expected, the WEI score for the CPU blows the HP out of the water, though I was surprised that what is in many ways an almost entry level Xeon was able to score so well. Again, as a NAS the CPU speed isn’t going to have that much of an impact, but for running our test VMs this is going to make a big difference, as is the ability to take it up to 16GB of RAM instead of being maxed out at 8GB like the HP. As this server also has the ability to take an additional PCI-E card, you can add a multiport NIC if you really want to push the throughput across the wire.

The Acer is going to be my primary server for the next few months, so it will certainly get put through its paces. My MicroServer has been doing 24/7 duty in various roles for a while now, so the reliability of the unit is a known quantity; now it’s time to see how the Acer copes, with bigger workloads than the HP was ever really capable of.

Acer AC100 Micro Server First Impressions

The Acer unit arrived yesterday, and the first thing I noticed was that it ships in a much smaller box than the HP MicroServer, but I wasn’t surprised by how much smaller the Acer would be in comparison. This is instantly a big plus for me at the moment with some extended travel coming up, something small and light, with a degree of flexibility is what I need.

So far I have 8GB installed, and have been in contact with my favourite Kingston employee to get the scoop on supported memory to take it to 16GB, which is going to be a much better option longer term for some of my virtualisation and testing projects I need to perform around Windows Intune and Windows 7 deployments.

The faster CPU is really noticeable, and it’s a bit of an unfair comparison, a low power dual core Athlon against a quad core Xeon with multithreading, and that’s before the CPU speeds are even taken into account. Like most techs, I like to see more cores in Task Manager, and this certainly delivers, but the overall responsiveness while under load is much, much better. I will do a Windows 7 install within the next few days so that I can provide a sample WEI comparison between the two micro servers, but remember that one is a quarter the price of the other, and while HP and Acer may be targeting them at similar audiences - SMBs with a need for Small Business Server Essentials 2011, Windows Server Foundation 2008 R2 or Windows Server Standard 2008 R2 - the way they go about the task is very different.

I’m not completely sold on the Acer concept of keeping the power button behind the locked front panel, and the keyhole on the side of the unit, but that’s a minor squabble. The ease of dropping in new drives is just as simple as the HP, but in this case you are limited to 4 internal HDDs plus 1 external eSATA drive, versus the HP’s ability to take up to 6 internal drives if you forgo the optical drive and route the eSATA cable into one of the internal drive bays that are free.

Setup was simple, the only catch I had was needing to change the order of boot devices to be able to get Windows to install off the flash drive. I’ve encountered this on my Acer Iconia W500 tablet as well, so it was easy enough to change, but it did have me scratching my head for a few minutes. I’ve kept the drives in AHCI mode rather than taking advantage of either the LSI or Intel onboard RAID capabilities, I’ll test those out at some point in the future.

Battle Of The Micro Servers

With an extended overseas journey approaching, and some spare time which will be dedicated to some software and scenario testing, I’ve decided to purchase one of the Acer AC100 micro servers for this purpose.

The Acer box is a very different beast to the HP MicroServer, with Acer going down the path of a high performance Xeon versus the ultra low voltage AMD CPU in the HP. For general NAS, storage or other light CPU overhead work, this difference won’t really be seen, but due to the amount of work I’ll be doing building out VMs and running various test loads, the AMD CPU in the HP is going to be a little anemic. Two cores versus four cores with HyperThreading, the ability to go to 16GB of RAM instead of just 8GB are the big winners on this front. I will be sticking to 8GB to start with due to the lack of supported 8GB ECC Unbuffered RAM on the Acer compatibility list, and the lack of support from the major RAM manufacturers as well, but this will change. Having an Intel NIC on board is also a nice sweetener.

That’s not to say the HP doesn’t have its own charm – the ease with which you can turn this 4 HDD device into a 6 HDD device means that it’s potentially a better option for the storage junkie. It also has two PCI-E slots instead of the single slot in the Acer (which will be occupied by an Intel i350-T2 NIC due to its support for advanced virtualisation and iSCSI capabilities), and is built like a tank. The modular design of the HP generally impresses; hopefully the Acer comes close. The HP unit is also a quarter of the price of the Acer, which is definitely going to be a deciding factor for most.

There are some things that both servers lack – neither supports hardware RAID 5. While Acer promotes support for RAID 5, the fine print reveals that it is via an Intel software solution. Both can support RAID 5 via OS configuration, but hardware offloading would definitely be appreciated. The extra horsepower in the Acer should reduce the potential performance impact of parity calculations, but a better RAID implementation wouldn’t hurt.

I’ll give a further update when the Acer unit arrives, and give some feedback on setup and build quality versus the HP, but to me they are very different beasts, even though they appear similar at first.

Project TWIAD Part 4

This is just a short update, primarily confirming that the NIC traffic in Hyper-V VMs is being accurately reported again. I’m not quite sure what has triggered this, but I’ve got a few VM snapshots I can revert to when I want to dig further into the issue.

The other piece of the testing that I’ve just confirmed is working as expected, with traffic being cached comprehensively, is the single NIC proxy/caching only scenario for TMG that I wanted initially. The TMG wizards make it easy enough to reconfigure the server after removing the additional virtual NIC, and the client was updated with the changed IP address of the proxy server via IE and netsh as shown in previous posts. With these changes in place, I now have a working TMG configuration for all the machines on my network, not just machines in a virtual network, and I’ll certainly save myself some Windows Intune and Windows Update traffic on my ISP connection each month.

After spending way too much time doing updates and rebuilds (or reverting to snapshots…) I’ve been noticing some interesting differences between the way Windows Intune delivers the updates versus the way Windows Updates does, but that will be a topic for a future post.

Microsoft Deployment Toolkit 2012 RC1 Now Available

I’ve mentioned before that I’m a big fan of MDT, and using whatever tools possible to help with the automation and customisation of OS images, so was pleased to get this information today. SCCM 2012 and Windows 8 support are the two things that should get most people excited, and by most people, I mean a subset of most people, who like technology that helps deploy operating systems.

Reliable and Flexible OS Deployment-now with support for System Center Configuration Manager 2012 RC2

The Solution Accelerators team is pleased to announce Microsoft Deployment Toolkit (MDT) 2012 RC1 is available for download on Connect now.

Download the MDT 2012 RC1 release now

New features and enhancements make large-scale desktop and server deployments smoother than ever!

Support for Configuration Manager 2012 RC2: This update provides support for Configuration Manager 2012 RC2 releases. MDT 2012 fully leverages the capabilities provided by Configuration Manager 2012 for OS deployment. The latest version of MDT offers new User-Driven Installation components and extensibility for Configuration Manager 2007 and 2012. Users now also have the ability to migrate MDT 2012 task sequences from Configuration Manager 2007 to Configuration Manager 2012.

Customize deployment questions: For System Center Configuration Manager customers, MDT 2012 provides an improved, extensible wizard and designer for customizing deployment questions.

Ease Lite Touch installation: The Microsoft Diagnostics and Recovery Toolkit (DaRT) is now integrated with Lite Touch Installation, providing remote control and diagnostics. New monitoring capabilities are available to check on the status of currently running deployments. LTI now has an improved deployment wizard user experience. Enhanced partitioning support ensures that deployments work regardless of the current structure.

Secure Deployments: MDT 2012 offers integration with the Microsoft Security Compliance Manager (SCM) tool to ensure a secure Windows deployment from the start.

Reliability and flexibility: Existing MDT users will find more reliability and flexibility with the many small enhancements and bug fixes and a smooth and simple upgrade process.

Support for Windows 8: The RC1 release of MDT 2012 provides support for deploying Windows 8 Consumer Preview in a lab environment.

Key Benefits:

  • Full use of the capabilities provided by System Center Configuration Manager 2012 for OS deployment.
  • Improved Lite Touch user experience and functionality.
  • A smooth and simple upgrade process for all existing MDT users.

New Features:

For System Center Configuration Manager customers:

  • Support for Configuration Manager 2012 (while still supporting Configuration Manager 2007)
  • New User-Driven Installation components for Configuration Manager 2007 and Configuration Manager 2012
    • Extensible wizard and designer, additional integration with Configuration Manager to deliver a more customized OS experience, support for more imaging scenarios, and an enhanced end-user deployment experience
  • Ability to migrate MDT 2012 task sequences from Configuration Manager 2007 to Configuration Manager 2012

For Lite Touch Installation:

  • Integration with the Microsoft Diagnostics and Recovery Toolkit (DaRT) for remote control and diagnostics
  • New monitoring capabilities to see the progress of currently running deployments
  • Support for deploying Windows to computers using UEFI
  • Ability to deploy Windows 7 so that the computer will start from a new VHD file, “Deploy to VHD”
  • Improved deployment wizard user experience

For all customers:

  • Integration with configuration templates from the Security Compliance Manager Solution Accelerator, ensuring Windows is secure from the start
  • A simple mechanism for running Windows PowerShell scripts during a deployment, with task sequence environment and logging integration
  • Better partitioning support, creating the recommended partitioning structures on new computers and ensuring deployments work regardless of the current structure
  • A smooth and simple upgrade process for all existing MDT users
  • Many small enhancements and bug fixes

Tell us what you think! Test drive our release and send us your constructive feedback through the Connect site. We value your input; this is the perfect opportunity to be heard.

Tell your peers and customers about Solution Accelerators! Please forward this to anyone who wants to learn more about OS deployment with MDT, and Microsoft Solution Accelerators.

Already using the Microsoft Deployment Toolkit? We’d like to hear about your experiences.

MDT Team

Microsoft Solution Accelerators

Project TWIAD Part 3

Today’s post is a recap of some of the testing and scenarios I’ve been through. All of this is unscientific and not laboratory controlled, and can be interpreted many ways, but here is my take on it all… I’m not saying I understand exactly what I am seeing here, but am open to suggestions.

I originally started all of my testing running Windows 7 VMs against a single NIC, proxy/caching only solution, but I noticed that there was a lot of traffic going outside of the proxy when I was using the Install approach for updating. If I was purely going through Windows Update, the results were as expected: exceptional caching of the Microsoft Update and Windows Update traffic, and incredibly high speed downloads of the updates. The issue that I was seeing was that I hadn’t configured the network to force activity outside of the logged on user to go via a proxy, and I could monitor this easily via Resource Monitor. Here’s a screenshot of what it should look like; note that all the connections are going through 8080, which I have forced via the following steps.

In order to start isolating the network traffic further, I set the TMG VM as the gateway with a private network in Hyper-V, which in my case is 10.10.10.1. If the traffic didn’t go via TMG, it didn’t go anywhere. The IE proxy was set to match TMG, which in my case is 10.10.10.1:8080. All fairly simple and standard for many network configurations. However, because I hadn’t gone through the process of setting up the whole test environment to match a working environment with domain users, domain joined PCs etc, I had to follow another step, which was to run netsh to configure the machine based proxy settings. This was required in order to avoid “The software cannot be installed, 0x80cf402c.” installation error…

Running the netsh command here is quite easy, but first I want to make sure there are no other proxy settings already in place.

Defining a machine based proxy is easy to do.
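The two netsh steps above, plus the check that the post makes by eye in Resource Monitor, as an added example that is not from the original post. It assumes the TMG proxy at 10.10.10.1:8080 and the 10.10.10.x lab subnet used in this post, and that it is run from an elevated PowerShell prompt on the Windows 7 client VM; the Get-ProxyBypassConnection function and its netstat parsing are my own addition.

```powershell
# Added example (not from the original post). Assumes TMG is the proxy at
# 10.10.10.1:8080 and the client sits on the 10.10.10.x lab subnet, as in the
# post, and that this runs in an elevated PowerShell prompt on the Windows 7
# client. Written for PowerShell 2.0 so it works on a stock Windows 7 install.

$ProxyHost = '10.10.10.1'
$ProxyPort = 8080
$Proxy     = "${ProxyHost}:${ProxyPort}"

# 1. Show whatever machine-level (WinHTTP) proxy is already in place before
#    changing anything. Services such as the Intune client and Windows Update
#    use this setting, not the logged-on user's Internet Explorer proxy.
Write-Host '--- Current WinHTTP proxy ---'
netsh winhttp show proxy

# 2. Point the machine-level proxy at TMG. The "<local>" bypass entry keeps
#    single-label intranet names off the proxy so local traffic is not sent
#    through TMG. (netsh winhttp reset proxy returns the machine to direct access.)
netsh winhttp set proxy "proxy-server=$Proxy" 'bypass-list=<local>'

# 3. Verify the result. Any ESTABLISHED TCP connection whose remote endpoint is
#    neither the proxy, the lab subnet nor loopback is traffic that is still
#    bypassing the cache, for example a service with its own proxy setting.
function Get-ProxyBypassConnection {
    param(
        [string]$ProxyEndpoint,
        [string]$LocalPrefix = '10.10.10.'   # lab subnet used in the post
    )
    netstat -n -p TCP | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+)\s+(\S+)\s+ESTABLISHED') {
            $remote = $Matches[2]
            if ($remote -ne $ProxyEndpoint -and
                -not $remote.StartsWith($LocalPrefix) -and
                $remote -notmatch '^(127\.|\[::1\])') {
                New-Object PSObject -Property @{ Local = $Matches[1]; Remote = $remote }
            }
        }
    }
}

$bypass = Get-ProxyBypassConnection -ProxyEndpoint $Proxy
if ($bypass) {
    Write-Warning "Established connections not going via ${Proxy}:"
    $bypass | Format-Table -AutoSize
} else {
    Write-Host "All established outbound TCP connections are going via $Proxy"
}
```

Run step 3 again while an Intune install or a Windows Update scan is in progress, since an idle client will show nothing either way; the point of the check is to catch the traffic the post saw leaving the VM outside the proxy when only the per-user IE setting had been configured.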

Kicking off the Intune install successfully now, and allowing it to update the latest signatures for Intune Endpoint Protection, my client VM NIC shows roughly 140MB of traffic, which matches the incremental traffic on the internally facing NIC on my TMG machine. So far so good. Only about 70MB is showing as moving through my ISP, which also includes traffic from some additional machines on the network, and the external NIC on the TMG machine is only showing 3MB of traffic.

It’s after this first round of the Intune installation, when I have 42 updates available for download and install, that some of the numbers don’t add up. Check the desktop screenshot below.

Apparently I received 42 updates, which are now installing, and they were less than 5MB of network traffic. Whether this is due to the accuracy of traffic reporting within the VM or some other reason I do not know yet, but I would love to hear if you’ve seen the same or received an explanation. The external NIC on the TMG machine is showing less than 1MB of traffic, and the Hyper-V internal NIC is showing around 10MB. Again, at least from the internal NIC perspective, there is a bunch of traffic that just isn’t being reported. It’s not all bad though: this update, and my other network traffic, has generated less than 70MB of traffic. This means that there is definitely caching taking place; it’s the reporting that’s the issue. My TMG cache hit ratio has moved up from 67% to 80% over the course of the afternoon’s testing, so it is reporting at least some of this activity.

The takeaways from all of this…
1. Simulating a real environment is going to give you better results when it comes to reproducing them outside of your sandbox.
2. Route all traffic via the caching option you go for. There are huge benefits to be had here, both from a bandwidth savings perspective for those of you who pay per MB, and also from the perspective of the speed at which additional clients download the updates. The previous post had an image of a download coming down the wire at 111MB/s, which is close to the maximum download speed over Gigabit Ethernet. This is what you want.
3. Part of this exercise was reacquainting myself with the Microsoft proxy/firewall family, which I had successfully avoided for many years. While it has changed quite a bit, for the simple tasks I have it performing it has not been much of a roadblock or learning curve.
4. While I chose to start with a non-SP1 ISO of Windows 7 Ultimate as the base for my VM testing, you are going to save some time using the latest media with SP1 integrated, or manually adding SP1 during your build process. I just wanted the worst possible starting state for the machines, ensuring that my TMG cache was getting very well used.
5. The numbers don’t lie. The caching works. Big thanks to the Intune team for posting the script on their blog site.