Ninety days after its release to business customers, Windows Vista has cleared the first hurdle--no serious security flaws, so far. But it has stumbled badly on the second--user acceptance--as two big government agencies shun Microsoft's new operating system for other reasons.

It's too early to tell whether Vista will be a big hit or a dud, but it's beginning to look like a long adoption phase. Only two weeks after the consumer release of Vista on Jan. 31, CEO Steve Ballmer advised Wall Street to cool its expectations. "We're driving it hard," Ballmer said in a Feb. 15 presentation to financial analysts. "But I think some people have gotten a little overexcited."

Ballmer's warning proved prescient. Two weeks later, InformationWeek learned of a memo written by Daniel Mintz, CIO of the U.S. Department of Transportation, that placed "an indefinite moratorium" on upgrades to Vista, citing "no compelling technical or business case for upgrading."

About the same time, the Federal Aviation Administration--which is part of the DOT but managed separately--put a freeze on Vista upgrades. CIO David Bowen says he may drop Microsoft's PC software, Office included, in favor of Linux-based PCs and Google's new online business applications. Among other problems, Bowen says Lotus Notes didn't work properly when tested on Vista. "When you consider the incompatibilities and the fact that we haven't seen much in the way of documented business value, we felt that we needed to do a lot more study," Bowen says.

Microsoft can't take lightly the decision by two major federal customers with a total of 60,000 PC users to sidestep what's usually a well-worn path to the next Windows operating system. And a successful implementation of Google Apps by a big agency like the FAA would be a cue to CIOs elsewhere to consider that alternative themselves.

Microsoft is diplomatic about the snubbing. "Every organization has its own process for adopting software," says Shanen Boettcher, general manager of Windows client product management.

Hardware and software compatibility are among the concerns voiced by would-be Vista adopters. Parts manufacturer Quality Trailer Products pushed back its Vista deployment plans after experiencing compatibility issues during testing. "We took a good long look at it and figured it would be awhile before we do anything more with it," VP of IT Carl Weddle says. The company has a few 1980s-era terminal emulators that work fine with XP, but not at all with Vista.

Application compatibility is a factor at the Transportation Department. A number of applications and utilities in use there aren't Vista-compatible, according to a memo issued by the DOT's Federal Motor Carrier Safety Administration. They include releases of Aspen, Capri, ISS, and ProVu applications.

Compatibility problems tend to smooth out over time. Twenty thousand device drivers were available when Vista was released, and more are coming out at a rate of 1,600 per month. "We believe about 90% of devices are covered today," says Boettcher.

More than 7,000 applications have received Microsoft's "Works With Vista" designation, but only 1,000 have been "certified" for Vista, a more rigorous process that ensures the highest level of compatibility. Even Microsoft has to prioritize which of its applications get Vista certification first, Boettcher says.

There are plenty of other reasons companies are holding back--like having more important things to do. "We really haven't had time to advance much beyond setting it up and letting our network guys mess with it," says David Moore, CIO of Spectrum Labs. The medical laboratory network has been tied up with server upgrades and patching systems for the earlier-than-usual shift to daylight-saving time.

The most likely way for Vista to get onto a business desktop is loaded on a new PC that's part of a company's normal equipment upgrade cycle. But even then, some companies are wiping Vista off the machines to maintain consistency in their computing environments. "Even if we get a new PC, we're putting our XP image on it," Moore says.

Still, Windows Vista has begun, or is about to begin, creeping into companies. Engineering company Wright-Pierce will soon bring in new Vista-loaded PCs. However, it won't replace Windows XP on existing PCs until it sees how users like Vista first.

Boeing is evaluating Vista for application compatibility and security while assessing the return on investment. "If we determine it meets our business requirements, we could see migration to Vista beginning mid-2008," says Radha Radhakrishnan, VP of computing and network operations at the aerospace company.

Microsoft says Vista rollouts are in line with its expectations. Two early indicators--support calls and application and device compatibility--are about where it would have expected, Boettcher says. Microsoft last week couldn't name any customers that have deployed Vista on more than a few hundred PCs, but a handful, including the University of Pittsburgh Medical Center, plan to have Vista on thousands of PCs by year's end.

THE SECURITY QUESTION

In the three months since Vista's business release, there's been only one patch to the operating system. Patch MS07-010 was issued in February to fix a critical vulnerability related to the way the Microsoft Malware Protection Engine parses Portable Document Format, or PDF, files. The vulnerability, while not within Vista itself, could allow an attacker to remotely execute code on a Vista PC.

For a company that's been pounded relentlessly for vulnerabilities in its software, a single patch over three months is cause for celebration, though Microsoft knows better than to call attention to its success. "There will be vulnerabilities found in Vista," says Stephen Toulouse, senior product manager in Microsoft's Trustworthy Computing Group. But no news is good news, and Microsoft, remarkably, has no patches planned for March.

The consensus among security researchers, third-party vendors, and corporate security managers is that Vista is a solid improvement over its predecessors. Vista's security features include BitLocker full-disk encryption, Windows Defender anti-spyware, and a feature known as address space layout randomization that arranges applications in memory to protect against buffer overflows.

No security feature has elicited more of a response than User Access Control. If a user wants to install an application, Vista checks to see if the user has the appropriate privileges to do so, making it harder for malware to trick the system. Some early users have found it annoying, but others--particularly managers--see the benefit. "It actually has a whole lot going for it," says Michael Barrett, chief information security officer of PayPal.

The true test of Vista's strength will come as it gets more exposure and becomes a larger target for malicious hackers. If Vista security holds up, Microsoft will find it easier to convince slow-moving customers like the Department of Transportation to upgrade. Despite its Vista moratorium, CTO Tim Schmidt says the agency hasn't ruled out upgrading its computers to Vista if all of its concerns are resolved. "We have more confidence in Microsoft than we would have 10 years ago," he says.

Vista may be slow getting out of the gate. But if improved security holds up over time and trans- lates into a higher level of customer confidence, slow and steady could still win the race for Microsoft.

--with Larry Greenemeier AND Paul McDougall