The built-in troubleshooters and diagnostics in Windows 7 which cover the most common subjects of calls to Microsoft product support are based on PowerShell scripts, so you can extend these with your own scripts and roll out the new troubleshooting packages through Group Policy, from an intranet site or even a file share. You can also use PowerShell to push application compatibility shims for internal applications to all PCs.
If you're used to using the SysInternals Process Explorer for troubleshooting, you'll recognise some of the features in the Resource Monitor in Windows 7. And the Problem Steps Recorder will let users show you what's going wrong and what they're trying to do much more clearly than the usual phone call or email report.
Security and networking
AppLocker application whitelisting through Group Policy only in the Enterprise edition of Windows 7 may also simplify support as well as improving security. Not only can you control what applications and even scripts users can run with a whitelist of up to 200 items, you can also control what they can install.
You can specify apps by the filename, publisher, version number or whether your IT department has signed the app. You could allow all Microsoft apps like Office and internal line of business applications, and lock down everything else. A rule can specify a single version number but rules can also be dynamic, so you can allow version 9.0 of Acrobat or version 9.0 and above, so that you don't have to go back and change your rules when a new version of an approved app comes out unless you want to retest every new version.
The other security features in Windows 7 are extensions and improvements of those introduced in Vista. Fewer Windows apps and tasks require User Account Control elevation, in the hope that users and IT admins will no longer find it irritating enough to turn off, and Microsoft has improved security so that elevation cannot be scripted.
BitLocker To Go extends full-volume data encryption to removable drives and you can enforce this through Group Policy, which should help keep confidential information off the many USB thumb drives mislaid and lost every year. You can allow read-only access to unencrypted drives.
You can also force strong passwords through Group Policy, or drives can be protected by smart cards. Removable drives can only be encrypted on Windows 7 Enterprise Edition but they can be read but not written to on any version of Windows XP, Vista or 7 without any extra software.
Windows 7 also supports password-protected IEEE 1667-compliant USB drives. When users plug these in, they won't even be able to see the size of the drive without entering the password, much less the file names.
Multiple active firewall policies will improve security for users connecting remotely. If they get online with a network marked as private and then open a VPN connection, the firewall will use the more secure settings you want for the connection rather than being restricted to the initial, less secure settings.
