Get the Most from Your Desktops with MDOP
Use the Microsoft Desktop Optimization Pack to maximize your desktop-management experience
February 21, 2012
Windows 7 brings an amazing set of features to today's desktop and other client form factors. For larger organizations, Windows 7 Enterprise adds features that provide a true enterprise-ready OS with more capabilities than Windows 7 Professional, including DirectAccess, BranchCache, Windows BitLocker Drive Encryption and BitLocker To Go, AppLocker, Enterprise Search Scopes, and other fun stuff. For organizations that truly leverage these features, users gain huge benefits in usability and the IT organization gains better manageability and security. These capabilities can also often simplify the environment and save money by removing the need for certain third-party add-ons.
Windows 7 Enterprise provides a fantastic client experience. But to fully optimize the desktop from an IT operations perspective -- to deliver the best application delivery, inventory, compatibility, and execution experience plus great troubleshooting and management -- Microsoft offers the Microsoft Desktop Optimization Pack.
MDOP is available as an annual subscription, priced per PC and available to organizations with Software Assurance or Windows Intune, the new Microsoft Software as a Service (SaaS) cloud-based PC-management solution. Basically, if your organization has access to Windows 7 Enterprise, then you can subscribe to MDOP, generally at around $10 per desktop per year. (For most organizations, such an agreement is little more than a rounding error.)
Many people might remember that in 2006, Microsoft purchased a number of companies, including Softricity and Winternals. Microsoft combined those companies' products with its Desktop Error Monitoring (DEM) solution to create the first version of MDOP. Additional acquisitions of AssetMetrix, DesktopStandard, and Kidaro plus plenty of in-house work resulted in MDOP 2011 R2. This current version, which we'll explore in this article, includes a host of desktop-optimization tools:
Application Virtualization (App-V)
Microsoft Enterprise Desktop Virtualization (MED-V)
Asset Inventory Services (AIS)
Advanced Group Policy Management (AGPM)
Microsoft BitLocker Administration and Monitoring (MBAM)
Diagnostics and Recovery Toolset (DaRT)
App-V
Many organizations that have heard of MDOP think first of App-V. This application-virtualization solution is commonly thought of as the flagship component of MDOP and is certainly the most used.
App-V lets you execute applications on an OS instance without those applications actually being installed. This execution without installation is achieved by creating a virtualized version of the application, through a process known as sequencing.
Sequencing involves creating a clean OS environment that runs the App-V Sequencing component. This component captures all the changes to the file system, registry, COM, user-mode services, fonts, and so on that are made during an actual installation and places that data into virtual layers, such as a virtual file system and virtual registry, inside a binary stream. This binary stream, which holds the layers that contain the installed version of the application, can then be streamed to App-V clients, into an instance of the App-V virtual environment.
The application then runs in that virtual environment. The application's interaction with the local OS goes through the virtual layers. The application is unchanged; it thinks that it's reading its program files from OS storage, when in reality they are in the virtual layer, as Figure 1 shows. The same process applies to components such as the registry, user services, and fonts.
Figure 1: How an App-V virtualized application interacts with the local OS
This approach of running applications without needing to install them brings a number of benefits:
Application-to-application incompatibilities resulting from any kind of clash (such as DLLs or configuration) are solved. Every virtual application runs in its own virtual environment, which can't see the virtual environments of other applications.
The time required to get new applications or application updates is significantly reduced. Testing no longer needs to include the many combination-scenario tests to determine whether app A works if apps B and C are installed, because the applications don't see one another.
The operating system stays cleaner and does not experience bloat over time.
Applications can be delivered to users almost instantly, on demand. No installation is required; only the content of the stream needs to be transferred to the client, and only the part of the stream that is used to initially launch the application -- maybe 20 percent of the total stream size -- is necessary; the rest is streamed in the background.
Most applications can be virtualized through App-V. If you need virtualized applications to communicate with each other outside standard OLE methods, App-V now features a capability called Dynamic Suite Composition -- a fancy name for the ability to create links between virtual applications so that they can share a virtual environment. The only restriction on App-V is that it can't virtualize drivers, system services, or components of the OS, including Internet Explorer (IE). But we have a different solution for IE.
MED-V
MED-V is the solution for applications that won't run on Windows 7 but that work fine on Windows XP. In App-V, the application still fundamentally runs on the local OS; if the application won't run on Windows 7, then virtualizing the application through App-V does nothing to help. MED-V works by running a Windows XP virtual machine (VM) under the covers, using Windows Virtual PC, into which you install those applications that you can't make run on Windows 7 or for which no Windows 7 compatible version or viable alternative is available.
The user experience is seamless. As with App-V, there is no real indication when running an application that is being served through MED-V that the application isn't a local application. The application shortcuts are part of the Windows 7 Start menu, the launched application is displayed seamlessly on the Windows 7 desktop, icons appear in the Windows 7 system tray, and access to Windows 7 drivers and printers is available. The only hint the user might get that something is a bit different is that the application will have the Windows XP border, and the dialog boxes and the feel of the application will be those of Windows XP.
I mentioned that App-V can't virtualize IE, which is considered part of the OS. Many organizations, when moving to Windows 7, still need access to IE 6, either because they have systems that don't work with IE 9 or because upgrading to support IE 9 is cost-prohibitive. MED-V uses Windows XP, which includes IE 6, but it has another great feature. You can define URLs in the MED-V configuration so that users are automatically redirected to an IE 6 instance inside MED-V when they launch IE via the Run command or try to access the URLs in IE 9. Therefore, the end users don't need to do anything different to continue accessing sites that require IE 6.
If you've dismissed earlier versions of MED-V, look again at the version that is provided as part of the current MDOP. The separate MED-V infrastructure that was previously required has been removed, and deployments are now available as installation packages that you simply deploy to clients by using standard software-deployment mechanisms or by making them part of your Windows 7 image.
App-V and MED-V both enable great application-management and application-delivery technologies that can improve the way in which your IT organization provides applications and supplement traditional application-deployment solutions. However, keep in mind that MED-V is the one MDOP component that no one really wants you to run for the long term. When planning your Windows 7 deployment, don't rush the move to Windows 7, planning to run everything in MED-V until you have time to test applications in the new OS. MED-V is for those few show-stopper applications that just won't run on Windows 7 and that will halt your migration if you can't find a way to make them available on the Windows 7 desktop. You should still look for alternatives to those applications so that you can retire MED-V at some point.
AIS
MDOP's AIS component provides detailed asset information about your environment, for both hardware and software. This component is provided as a cloud service, requiring no infrastructure in your local environment and making AIS quick to deploy. The only setup requirement is to deploy the AIS client to the machines whose inventory data you want to capture. You can perform this step by using Group Policy or any other software-deployment solution.
AIS works a little differently from traditional inventory solutions, particularly from a software-inventory perspective. Most software-inventory solutions query Windows Management Instrumentation (WMI) and retrieve information based on the Win32_Product class, which is also shown in the Programs and Features Control Panel applet. AIS uses this information but also looks at artifacts on the OS to help identify software that might not show up in WMI and to get more detailed information. The information that is found is then sent to the Microsoft cloud and compared against a dynamic, constantly updated catalog. This method helps to identify the installed software and details about that software.
The actual management of AIS is performed via a web-based console that allows you to view detailed inventory information for all machines, plus gives you the ability to run reports about all software and hardware. But AIS also goes a step further by allowing you to import licensing information, enabling reports that show what you're running and what is licensed so that you can ensure license compliance for your organization. AIS has a great security policy to ensure that only your organization can see your license and inventory information, and everything is encrypted. It's a great tool for your organization to understand your license position and to track your assets.
If you're using Microsoft System Center Configuration Manager (SCCM), then you already have a similar capability. The SCCM Asset Intelligence feature leverages the same dynamic catalog that AIS uses to identify detailed information about software, so you'll probably need to use AIS only on machines that you don't manage with SCCM.
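As an added illustration (not AIS code or anything from MDOP), the following PowerShell compares what Win32_Product reports on the local machine with the Uninstall registry keys that the Programs and Features applet reads; the gap between the two is the kind of software an inventory that relies on WMI alone would miss. It assumes a local run with rights to read HKLM and works on the PowerShell 2.0 that shipped with Windows 7.

```powershell
# Added example: contrast the MSI-only view of Win32_Product with the
# Uninstall registry keys, to show which installed software WMI alone
# would miss. Not part of AIS or MDOP; assumes local rights to read HKLM.

# Caveat: enumerating Win32_Product makes the MSI provider validate every
# installed package, which is slow and can trigger repair actions, so run
# it at a quiet time rather than on a schedule against production desktops.
$wmiProducts = Get-WmiObject -Class Win32_Product |
    Select-Object -ExpandProperty Name

# Both native and 32-bit-on-64-bit installers register here.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Collect DisplayName/DisplayVersion/Publisher from every Uninstall subkey
# and mark whether Win32_Product reported the same product name.
$registryProducts = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName) {
                New-Object PSObject -Property @{
                    Name      = $p.DisplayName
                    Version   = $p.DisplayVersion
                    Publisher = $p.Publisher
                    InWmi     = ($wmiProducts -contains $p.DisplayName)
                }
            }
        }
    }
}

# Software that Programs and Features shows but Win32_Product does not;
# non-MSI installers (EXE setups, per-machine scripts) are the usual cause.
$missedByWmi = $registryProducts | Where-Object { -not $_.InWmi }

"Registry entries: {0}, of which {1} are absent from Win32_Product" -f `
    @($registryProducts).Count, @($missedByWmi).Count

$missedByWmi | Sort-Object Name |
    Format-Table Name, Version, Publisher -AutoSize
```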
AGPM
I don't think that there's a company out there that doesn't use Group Policy in its environment. Just look at the Group Policy functionality advancements that we've seen in Windows Server 2008 and Windows Server 2008 R2, with new features such as Group Policy Preferences, new XML-based formats, improved Group Policy application based on network circumstances, and the sheer number of available configuration options: If you aren't making heavy use of Group Policy, you definitely should be. One item that hasn't quite kept up with the pace of advancement is the management of Group Policy. Although improving, this capability still lacks some key features. That's where the AGPM component of MDOP swoops in to save the day -- or at least the administrator's sanity.
AGPM adds the ability to check out and check in Group Policy Objects (GPOs) from a new Group Policy store, to make changes to GPOs without actually applying the changes, and to manage the change control of GPO application. AGPM also adds the ability to delegate groups of users to perform different levels of GPO modification and deployment, through built-in roles for Editors (who can modify GPOs), Reviewers (who can view and compare GPOs), and Approvers (who can create and deploy GPOs). AGPM can also integrate with email to send notification to approvers when an approval is needed.
AGPM has a small server component, which can be installed on any server or on your domain controllers (DCs). The client-side component integrates easily with the existing Group Policy Management Console (GPMC), to which it adds a Change Control node, which Figure 2 shows. This node allows you to configure GPOs as Controlled, giving you the full capabilities of AGPM to manage those GPOs.
Figure 2: Controlled GPOs and configuration and delegation tabs available with AGPM
MBAM
The newest addition to the MDOP suite is MBAM, which gives us enterprise-class management of the BitLocker feature. This type of management was previously restricted to a limited set of Group Policy controls that let you set the level of encryption and determine whether to require BitLocker To Go for removable media and whether recovery keys should be stored in Active Directory (AD).
MBAM provides both improved management capabilities and better insight into the state of the BitLocker environment. The component does this through built-in reports, which can be extended through standard SQL Server Reporting Services (SSRS) methods.
Administrators can set how BitLocker should be used on the desktops in the environment. This policy will then be enforced. For example, you can ensure that volumes are enabled for BitLocker but also add exceptions for hardware that doesn't meet requirements or users that have a valid reason not to use BitLocker. When additional volumes are added or a user disables BitLocker, MBAM walks the user through enabling or re-enabling BitLocker encryption, ensuring the security of your devices.
MBAM radically improves the BitLocker end-user experience. With MBAM, standard users can now manage their BitLocker environment, initiate encryption, and set up BitLocker -- tasks that were previously restricted to local administrators. Another great feature comes in handy when things go awry and users need the BitLocker recovery key. When BitLocker is enabled, a recovery key is generated. That key can be typed in manually at the BitLocker recovery screen to enable the OS to boot in times of distress.
Typically, users are prompted to save this key to disk, or print it, or tattoo it on their arms -- because if you lose it and BitLocker needs it, you've lost everything on the disk. One great enhancement that's in the Windows Server 2008 schema and that can be applied to Windows Server 2003 is the ability to automatically save this recovery key as a child object of the computer account in AD. Some additions were made to help the IT Help desk get this key and give it to users, but MBAM makes this much nicer by providing a secure web portal that the Help desk can access to give the key to the user. When the recovery key is used, a new one is automatically generated, and a full audit trail is logged, showing when the key was pulled from the database and who pulled it. MBAM uses a small SQL Server database for the recovery key storage and general management, and a SQL Server encrypted database with Transparent Data Encryption (TDE) is used to ensure security of the recovery keys.
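The AD escrow described above can be audited from the directory side. The following PowerShell is an added example (not MBAM code or anything from the article's author) that lists, for each computer account in a placeholder OU, how many msFVE-RecoveryInformation child objects it carries and when the latest was written, so machines with no escrowed key stand out before a recovery is ever needed. It assumes the RSAT ActiveDirectory module and read access to those objects, and it deliberately reads only object metadata, not the recovery password attribute.

```powershell
# Added example: report which computer accounts have a BitLocker recovery
# password escrowed in AD as a child msFVE-RecoveryInformation object.
# Not MBAM code. Assumes the ActiveDirectory module (RSAT) and read rights
# to the recovery objects; the OU below is a placeholder to replace.
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU

$report = foreach ($computer in Get-ADComputer -Filter * -SearchBase $searchBase) {
    # Recovery information objects sit directly under the computer object,
    # so a one-level search scoped to that DN finds exactly this machine's keys.
    # Only whenCreated is requested; the password attribute is never read here.
    $keys = Get-ADObject -SearchBase $computer.DistinguishedName `
        -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties whenCreated

    $latest = $null
    if ($keys) {
        $latest = ($keys | Sort-Object whenCreated -Descending)[0].whenCreated
    }

    New-Object PSObject -Property @{
        Computer     = $computer.Name
        KeysEscrowed = @($keys).Count
        LatestEscrow = $latest
    }
}

# A machine with zero escrowed keys either never enabled BitLocker or
# encrypted before the Group Policy backup setting applied; both are
# findings for the Help desk to follow up before the user is locked out.
"Computers without an escrowed recovery key:"
$report | Where-Object { $_.KeysEscrowed -eq 0 } |
    Sort-Object Computer | Format-Table Computer -AutoSize

"Escrow summary:"
$report | Sort-Object Computer |
    Format-Table Computer, KeysEscrowed, LatestEscrow -AutoSize
```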
If you're using BitLocker, then you definitely should implement MBAM to get the best management, usability, and compliance within your organization.
DaRT
I doubt that anyone is unfamiliar with Sysinternals, which provides some of the best Windows troubleshooting and administrative tools there are. Sysinternals had a commercial sister site, Winternals Software, which had purchasable solutions for computer management, including great tools to help fix unbootable machines, recover deleted information, and change forgotten local passwords. With Microsoft's acquisition of Winternals, the best of these tools became DaRT, which has been enhanced even further. Although DaRT still supports booting a machine from CD, DVD, or USB, IT technicians can now also use DaRT over the network and remotely, meaning that a desktop visit is no longer required to help recover a machine.
When a machine boots to DaRT, all the toolset's capabilities, which Figure 3 shows, are available to help resolve a variety of issues:
Figure 3: DaRT tools
Gain full access to both the registry and file system of the OS to recover deleted files or to perform a secure wipe of the disk
Modify the passwords of local accounts, including administrator accounts
Perform disk configuration changes, including repairing corrupt volumes and boot records
View computer information and change settings, including network configuration, services, events, drivers, and AutoRun
Uninstall hotfixes
Perform a System File Checker scan to ensure that the correct OS critical files are used
Scan for and remove malware
DaRT is one of those tools that you should keep on a small USB drive and carry at all times. The toolset is one of those things that you hope you don't need, but when you do need it, you want it quickly to hand. One important note: DaRT is OS-specific. DaRT 7 works with Windows 7 and Windows Server 2008 R2 (DaRT 6.5 also supports Windows 7); earlier versions are also supplied to work with Windows Vista and Windows Server 2008 (DaRT 6) and Windows XP and Windows Server 2003 (DaRT 5).
Final Thoughts
If you investigated MDOP in the past, you might wonder what has happened to DEM, which allowed the application errors that are typically sent directly to Microsoft to instead be sent to a central internal server, which gave visibility to the errors in the environment and then forwarded them to Microsoft. DEM has been retired from MDOP, though it is still supported per typical Microsoft support timeframes. DEM functionality is now part of System Center Operations Manager (SCOM).
About tools such as DaRT and AGPM, you're likely thinking, "These are great, but I want to use them on my servers. How do I license MDOP on my servers?" You can't license MDOP for servers, but the great news is that you don't need to. If all your desktops are covered by MDOP, you can use DaRT, AIS, and AGPM on your servers as well. If you want to use App-V on your Remote Desktop Session Hosts, there's more good news: App-V for Remote Desktop Session is now part of the standard Remote Desktop Session CAL, so those virtual applications that you create for desktop App-V can be used in your Remote Desktop Session environment as well.
MDOP offers amazing value for any organization, even if you use only one part of the suite. When you're thinking about designing your optimal desktop, you can go that one step further by utilizing MDOP.