As we get closer and closer to a feature-complete version of Windows Vista--which Microsoft will complete in late December, but testers should see by the February CTP--eager Windows users around the globe wonder what feature-set, exactly, will constitute the next Windows client release. Part of the answer can be found in my showcase, Windows Vista Product Editions Preview, which spells out which features will be found in each upcoming Windows Vista version. But in the December CTP, which represents the Vista Ultimate Edition, we can already see a wide range of new features which weren't present in previous builds. In this third part of my Vista December 2005 CTP review, I'll look at some of those new features.

Palladium Lives: Secure Startup and Bit Locker

Years ago, when Microsoft chairman Bill Gates revealed that he was spending at least half his time focusing on "Longhorn," the next major Windows version, the concept of trustworthy computing, enabled through a synthesis of security hardware and custom software, was first offered to a curious, and suspicious, computing public. Since then, this system, which Microsoft first called Palladium, but since renamed to Next Generation Secure Computing Base (NGSCB), has come under a lot of fire in various circles, as people began to perceive that it could be used to usurp users' ability to control what they do with their PCs.

To even use this system, however, PCs must include a specific Intel Trusted Platform Module (TPM) security chipset, which will interact with Palladium software in Windows Vista to provide a number of optional security services. These services will be optional both because only a small percentage of Vista-compatible PCs will initially include this hardware, and because Microsoft has scaled back its Palladium plans significantly since 2002. In short, concerns over Palladium and TPM may be valid, but it's going to be a while before we see a truly oppressive operating system that truly takes advantage of this technology. Windows Vista is not that operating system.

With the Big Brother stuff out of the way, we can look at which NGSCB services will actually be made available in Windows Vista. It turns out there will be exactly two NGSCB features in Windows Vista, Secure Startup and Bit Locker, the latter of which used to be referred to as Full Volume Encryption.

Secure Startup ensures that a PC hasn't been tampered with since the system was last booted, and it protects the PC from brute force electronic attacks that are typically launched via attached storage devices. The goal here is physical security: Secure Startup is effective against malicious users that sit down with a stolen or physically compromised laptop or desktop PC and try to hack into the system. When Secure Startup is enabled, you can no longer boot your PC with a CD/DVD, USB-attached storage, or bootable floppy disk. Secure Startup was present in previous Vista builds.

In build 5270, we finally get access to Bit Locker, the new name for what was previously called Full Volume Encryption. Bit Locker takes the technology behind the Encrypting File System (EFS) and applies it to the full hard disk all the time. The goal here, too, is physical security. Bit Locker's encryption of the drive contents prevents a thief who steals your laptop or desktop PC and then removes the hard drive from accessing its contents.

Secure Startup is accessed from the Control Panel in 5270, though you won't see much if your system doesn't have TPM hardware (Figure). If you do have a TPM-compatible system, you can enable Secure Startup, which in turn enables the Bit Locker full volume encryption as well (Figure). When you choose to enable these features, Microsoft steps you through a fairly lengthy process that involves several reminders to back up the recovery key that it must create in order to decrypt the drive later. If you don't have copies of these keys, you won't be able to access the files on the disk in the event of a hardware malfunction. You can save the recovery key as an automatically generated 48-digit password if you'd like (Figure) and copy it to a folder and/or a USB memory key (Figure). Encrypting even a small hard drive takes quite a bit of time.
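As an added example (not from the article or from Microsoft), the check below tests whether a 48-digit recovery password is well-formed before you rely on a printed or saved copy of it; it assumes the documented format of the shipped BitLocker recovery password, in which each of the eight six-digit groups is a multiple of 11 and below 720896, so that each group divided by 11 is one 16-bit word of a 128-bit value.

```python
# Added example, not code from the original article or from Microsoft.
# Assumed format (documented for the shipped BitLocker recovery password):
# 48 digits in eight groups of six, each group a multiple of 11 and below
# 720896, so group // 11 is a 16-bit word and eight groups give 128 bits.
import re

GROUPS = 8
GROUP_DIGITS = 6
MAX_GROUP = 65536 * 11  # 720896: one past the largest encodable group

# Constructed sample (words 1..7 and 65535, each times 11), not a real key.
SAMPLE_PASSWORD = "000011-000022-000033-000044-000055-000066-000077-720885"


def parse_recovery_password(text: str) -> list[int]:
    """Split a recovery password into its eight numeric groups.

    Accepts the dashed form Windows prints as well as the bare 48 digits;
    raises ValueError on anything that is not exactly 48 digits.
    """
    digits = re.sub(r"[-\s]", "", text)
    if not digits.isdigit() or len(digits) != GROUPS * GROUP_DIGITS:
        raise ValueError("recovery password must be exactly 48 digits")
    return [int(digits[i:i + GROUP_DIGITS])
            for i in range(0, len(digits), GROUP_DIGITS)]


def is_valid_recovery_password(text: str) -> bool:
    """True if every group passes the multiple-of-11 and range checks.

    A single mistyped digit breaks divisibility by 11 in that group, so a
    transcription error in a backup copy is caught before it is needed.
    """
    try:
        groups = parse_recovery_password(text)
    except ValueError:
        return False
    return all(g % 11 == 0 and g < MAX_GROUP for g in groups)


def recovery_password_to_words(text: str) -> list[int]:
    """Return the eight 16-bit words (128 bits in total) the digits encode."""
    if not is_valid_recovery_password(text):
        raise ValueError("malformed recovery password")
    return [g // 11 for g in parse_recovery_password(text)]


if __name__ == "__main__":
    print(is_valid_recovery_password(SAMPLE_PASSWORD))      # True
    print(recovery_password_to_words(SAMPLE_PASSWORD))      # [1, ..., 65535]
```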

Once the drive is encrypted, you shouldn't notice any differences per se.

Better parental controls

In Windows Vista build 5270, a new Family Safety and User Accounts control panel lets you access the system's user account and parental controls functionality (Figure), the latter of which has been extensively updated. Now, any administrator on the system (typically a parent) can configure parental controls for any limited user (typically a child). You configure these settings on a user-by-user basis (Figure). In the main configuration window, you can enable parental controls, determine whether you will collect activity reports that detail what the user is doing, and set up various controls for Web restrictions, time limits, games, and programs you might want to block.

The Web restrictions settings include Web filtering, in which you can allow or block specific Web sites; Web content filtering, which includes various restriction levels; content types you'd like to block (including bomb making, hate speech, and sex education, among several others); and whether to block file downloads (Figure).

In Time Restrictions settings, you use a project planning-like grid to toggle specific time blocks as allowed or blocked (Figure). This will prevent the user from accessing the PC at those times you've blocked. So, you might set up a schedule for your kids where they can access the PC from 3 to 7 during the week, but all day on weekends, or whatever (Figure).

The Games settings let you determine whether the user can play games at all, and if so, which games, by ESRB ratings, or via a list of games you've specifically blocked or allowed. And in the Block Specific Games section, you can specify which programs the user can access.

So what does this all look like to the affected user? When you log on with an account to which parental controls have been applied, you'll see some restrictions based on your activities. For example, if you attempt to navigate to a blocked Web site in IE 7, you'll see a message explaining why you can't do so (Figure). And of course, if you attempt to log on to the account during a blocked time period, you'll be out of luck.

Super Fetch improvements

One of the more unbelievable Vista features that Microsoft has touted is Super Fetch, which provides memory caching and performance improvements via a USB memory key (see my Windows IT Update commentary, SuperFetch: Windows Memory Caching Gets Intelligent, for more information). In build 5270, Super Fetch is finally enabled, but it's also been improved somewhat over the original announcement. "We talked about a feature called Super Fetch back in October," Shanen Boettcher, the Senior Director of the Windows Client Group at Microsoft said in a briefing this week. "But we take that a lot further [in the December CTP]. Now, we support the use of any expandable memory you can plug into the PC's USB port. So you can plug in an external hard drive and ... use part of it as extended memory for Super Fetch. You might use 1 GB of an 80 GB drive. It's a great way to increase performance and leverage this new technology."

When you insert a USB-based storage device, such as a USB memory key or an external hard drive, you'll see a new option on the Auto Play dialog that appears, titled "Speed up my system using this device" (Figure). If you select that option, and you have a compatible USB storage device (i.e. one that is based on USB 2.0 and meets certain performance requirements), you'll be presented with an opportunity to devote a certain percentage of that device's storage space to the system (Figure). Any space you reserve cannot be used as storage (unless you later format the device or disable its system use). And Vista will recommend a certain amount of storage per device, but you can allot as much storage space as you like.

There's an additional caveat to this functionality, aside from the aforementioned performance requirements: The device must have at least 64 MB of free space.

The big question here, of course, is, does it work? Though build 5270 includes some performance improvements over previous builds, it's still pretty lacking on the systems to which I've installed it. I've left a USB device devoted to this purpose in my main Vista test machine (a ThinkPad T43), but I haven't noticed any improvements per se. I'll keep testing to see whether it performs as advertised, of course, but the possibilities are compelling.

Windows Firewall improvements

While the Windows Firewall included with Windows Vista build 5270 doesn't appear to have changed much at first glance, a lot has changed under the hood. The firewall now supports bidirectional filtering, and not just inbound filtering as before, which is obviously a major improvement. Microsoft has also enabled advanced security features such as the ability for corporations to manage IPsec (IP security) configurations. From an end user perspective, Windows Firewall acts much like the firewall in Windows One Care Live now, though you'll receive notifications when it blocks a program (which you can disable).

Windows Update improvements

First introduced as an online companion to Windows 98, Windows Update has grown over the years to encompass automatic updating (Automatic Updates) and non-Windows products (Microsoft Update). But one thing has remained the same: Windows Update has always been accessed as a Web site, via Internet Explorer. In Windows Vista, Microsoft is finally abandoning that approach, and the company has created a true Windows Update application that works from within Windows Vista in the same manner that Software Updates works in Mac OS X.

The new Windows Update is now accessible via Control Panel and it resembles other Control Panel applets (Figure). What's not immediately obvious is that it also combines the features from Automatic Updates and Windows Update into a single application. From this simple interface, you can scan for new updates, change Windows Update settings, and perform other related tasks. I just have one question: Why doesn't Windows Vista include the more full-featured Microsoft Update?

Power management improvements

As I described in Windows Vista Beta 1 vs. Mac OS X "Tiger" (Part 2), today's Windows and OS X versions approach power management in slightly different ways, and each system has a unique feature the other lacks. OS X supports an instant sleep mode that kicks in whenever you close a PowerBook or iBook's lid, for example. But Windows XP supports hibernation, which lets you write the contents of RAM to disk and then get right back to work the next time the system turns on; hibernation also dramatically speeds the boot-up process.

In Windows Vista, Microsoft is trying to reach a happy medium and offer users the best possible power management experience. In essence, Vista will combine the two unique features I mentioned above, and offer them as the default power management experience. Here's what I mean: When you close the lid of a Vista-based laptop, or leave any Vista-based machine idle for a set length of time, it will move into sleep mode nearly instantaneously. But if the machine isn't reactivated within another set amount of time, hibernation will be triggered, pushing the contents of RAM onto the disk so it can be resuscitated at a later date.

If you turn on a Vista-based machine (laptop or desktop) that's in sleep mode, it should return to life nearly instantaneously, just like a Macintosh. But if it's gone into hibernation, it will act just like a typical Windows machine today, and boot up normally, providing you with whatever applications you had open previously.

"We're shifting to a single button on/off control for Windows Vista," Boettcher said. "In Vista, the default off mode is sleep mode, which will help preserve power and provide quick response times." You can, of course, change this as you see fit.

What I don't like is the way Microsoft exposes power management and on/off states in the Start menu. Experienced Windows users know that they can hit Windows Key + U + H to immediately enter hibernation today, and that's a series of keystrokes I perform regularly today with XP-based laptops. In Vista, those keystrokes won't ever work, because of the new instant search box. If you hit Windows Key + U + H, you end up typing "uh" into the search box. Now, in order to trigger power management, or turn off the computer, you have to use the mouse. There's a dedicated "power" button (which enables the "sleep-then-hibernation" scheme I describe above). But if you want to do anything else, like reboot, shut down the machine, or log off, you have to trigger a little sub-menu that cascades off the new Lock button (Figure).

As a power user, I really dislike this setup, and I'd like to see some way to configure what these buttons do, and provide a way for keyboard strokes to work. It's just silly that we have to use the mouse to trigger these functions.

And then there's the fact that the new sleep-then-hibernate mode doesn't work on all test PCs I'm using. On a Dell Latitude D810, it works as advertised, and you can use the system's hardware power switch to trigger this new state. But on my main machine, a ThinkPad T43, sleep mode is death: Once asleep, it can never reawaken, and you have to physically shut down the box by holding down the power switch for several seconds, and then reboot. Ah well, it's a beta.
