Windows 7 brings an amazing set of features to today's desktop and other client form factors. For larger organizations, Windows 7 Enterprise adds features that provide a true enterprise-ready OS with more capabilities than Windows 7 Professional, including DirectAccess, BranchCache, Windows BitLocker Drive Encryption and BitLocker To Go, AppLocker, Enterprise Search Scopes, and other fun stuff. For organizations that truly leverage these features, users gain huge benefits in usability and the IT organization gains better manageability and security. These capabilities also can often simplify the environment and save money by removing the need for certain third-party add-ons.
Windows 7 Enterprise provides a fantastic client experience. But to fully optimize the desktop from an IT operations perspective -- to deliver the best application delivery, inventory, compatibility, and execution experience plus great troubleshooting and management -- Microsoft offers the Microsoft Desktop Optimization Pack.
MDOP is available as an annual subscription, priced per PC and available to organizations with Software Assurance or Windows Intune, the new Microsoft Software as a Service (SaaS) cloud-based PC-management solution. Basically, if your organization has access to Windows 7 Enterprise, then you can subscribe to MDOP, generally at around $10 per desktop per year. (For most organizations, such an agreement is little more than a rounding error.)
Many people might remember that in 2006, Microsoft purchased a number of companies, including Softricity and Winternals. Microsoft combined those companies' products with its Desktop Error Monitoring (DEM) solution to create the first version of MDOP. Additional acquisitions of AssetMetrix, DesktopStandard, and Kidaro plus plenty of in-house work resulted in MDOP 2011 R2. This current version, which we'll explore in this article, includes a host of desktop-optimization tools:
- Application Virtualization (App-V)
- Microsoft Enterprise Desktop Virtualization (MED-V)
- Asset Inventory Services (AIS)
- Advanced Group Policy Management (AGPM)
- Microsoft BitLocker Administration and Monitoring (MBAM)
- Diagnostics and Recovery Toolset (DaRT)
Many organizations that have heard of MDOP think first of App-V. This application-virtualization solution is commonly thought of as the flagship component of MDOP and is certainly the most used.
App-V lets you execute applications on an OS instance without those applications actually being installed. This execution without installation is achieved by creating a virtualized version of the application, through a process known as sequencing.
Sequencing involves creating a clean OS environment that runs the App-V Sequencing component. This component takes all the changes to the file system, registry, COM, user mode services, fonts, and so on that are made during an actual installation and places that data into virtual layers, such as a virtual file system and virtual registry, inside a binary stream. This binary stream, which holds the layers that contain the installed version of the application, can then be streamed to App-V clients, into an instance of the App-V virtual environment.
The application then runs in that virtual environment. The application's interaction with the local OS goes through the virtual layers. The application is unchanged; it thinks that it's reading from the OS storage for its program files, which in reality are in the virtual layer, as Figure 1 shows. The same process applies to components such as the registry, user services, and fonts.
This approach of running applications without needing to install them brings a number of benefits:
- Application-to-application incompatibilities resulting from any kind of clash (such as DLLs or configuration) are solved. Every virtual application runs in its own virtual environment, which can't see the virtual environments of other applications. Note that this isolation is a compatibility and manageability feature, not a security boundary: the virtualized application still runs under the logged-on user's account with that user's privileges, and it can read the real file system and registry outside its own layers, so App-V should not be treated as a sandbox for untrusted code.
- The time required to get new applications or application updates into production is significantly reduced. Testing no longer needs to include the many combination-scenario tests that determine whether app A works if apps B and C are installed, because the applications don't see one another.
- The operating system stays cleaner and does not experience bloat over time.
- Applications can be delivered to users almost instantly, on demand. No installation is required; only the content of the stream needs to be transferred to the client, and only the part of the stream that is needed to launch the application initially (the primary feature block, maybe 20 percent of the total stream size) has to arrive before the application starts; the rest is streamed in the background.
Most applications can be virtualized through App-V. If you need virtualized applications to communicate with each other outside standard OLE methods, App-V now features a capability called Dynamic Suite Composition -- a fancy name for the ability to create links between virtual applications so that they can share a virtual environment. The main restriction on App-V is that it can't virtualize drivers, system services, or components of the OS, including Internet Explorer (IE). But we have a different solution for IE.
MED-V is the solution for applications that won't run on Windows 7 but that work fine on Windows XP. In App-V, the application still fundamentally runs on the local OS; if the application won't run on Windows 7, then virtualizing the application through App-V does nothing to help. MED-V works by running a Windows XP virtual machine (VM) under the covers, using Windows Virtual PC, into which you install those applications that you can't make run on Windows 7 or for which no Windows 7 compatible version or viable alternative is available.
The user experience is seamless. As with App-V, there is no real indication when running an application that is being served through MED-V that the application isn't a local application. The application shortcuts are part of the Windows 7 Start menu, the launched application is displayed seamlessly on the Windows 7 desktop, icons appear in the Windows 7 system tray, and access to Windows 7 drivers and printers is available. The only hint the user might get that something is a bit different is that the application will have the Windows XP border, plus the dialog boxes and the feel of the application will be those of Windows XP.
I mentioned that App-V can't virtualize IE, which is considered part of the OS. Many organizations, when moving to Windows 7, still need access to IE 6, either because they have systems that don't work with IE 9 or because upgrading to support IE 9 is cost-prohibitive. MED-V uses Windows XP, which includes IE 6, but it has another great feature. You can define URLs in the MED-V configuration so that users are automatically redirected to an IE 6 instance inside MED-V when they launch IE via the Run command or try to access the URLs in IE 9. Therefore, the end users don't need to do anything different to continue accessing sites that require IE 6.
If you've dismissed earlier versions of MED-V, look again at the version that is provided as part of the current MDOP. The separate MED-V infrastructure that was previously required has been removed, and deployments are now available as installation packages that you simply deploy to clients by using standard software-deployment mechanisms or by making them part of your Windows 7 image.
App-V and MED-V both enable great application-management and application-delivery technologies that can improve the way in which your IT organization provides applications and supplement traditional application-deployment solutions. However, keep in mind that MED-V is the one MDOP component that no one really wants you to run for the long term. When planning your Windows 7 deployment, don't rush the move to Windows 7, planning to run everything in MED-V until you have time to test applications in the new OS. MED-V is for those few show-stopper applications that just won't run on Windows 7 and that will halt your migration if you can't find a way to make them available on the Windows 7 desktop. You should still look for alternatives to those applications so that you can retire MED-V at some point.
MDOP's AIS component provides detailed asset information about your environment, for both hardware and software. This component is provided as a cloud service, requiring no infrastructure in your local environment and making AIS quick to deploy. The only setup requirement is to deploy the AIS client to the machines whose inventory data you want to capture. You can perform this step by using Group Policy or any other software-deployment solution.
AIS works a little differently from traditional inventory solutions, particularly from a software-inventory perspective. Most software-inventory solutions query Windows Management Instrumentation (WMI) and retrieve information from the Win32_Product class. That class enumerates only products installed through Windows Installer (MSI), so software installed by other setup programs never appears in it, and simply enumerating it makes Windows Installer run a consistency check on every MSI product, which can trigger unwanted repairs. The Programs and Features Control Panel applet, by contrast, is built from the Uninstall keys in the registry and lists non-MSI software as well. AIS uses the WMI data but also looks at artifacts on the OS to help identify software that might not show up in WMI and to get more detailed information. The information that is found is then sent to the Microsoft cloud and compared against a dynamic, constantly updated catalog, which helps to identify the installed software and details about that software.
The actual management of AIS is performed via a web-based console that lets you view detailed inventory information for all machines and run reports about all software and hardware. AIS also goes a step further by letting you import licensing information, enabling reports that show what you're running against what is licensed so that you can ensure license compliance for your organization. AIS has a security policy to ensure that only your organization can see its license and inventory information, and the data is encrypted; because that inventory leaves your network for a Microsoft-hosted service, check the arrangement against your own data-handling policy before you roll the client out. It's a great tool for your organization to understand its license position and to track its assets.
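The gap between Win32_Product and Programs and Features is easy to measure on a single machine. The script below is an added example, not part of AIS or of the article; it enumerates both sources and lists the Programs and Features entries that a Win32_Product-only inventory would never report. It assumes PowerShell 2.0 or later on Windows 7 and an elevated prompt.

```powershell
# Added example, not part of AIS or the article: compare what Win32_Product reports
# with what the Programs and Features Uninstall keys hold, to see which installed
# software a Win32_Product-only inventory would miss. Run from an elevated prompt.

# CAUTION: enumerating Win32_Product makes Windows Installer validate every MSI
# product (it can trigger repairs and logs MsiInstaller event 1035 per product).
# Do this once, outside business hours, rather than on a schedule.
$msiProducts = @(Get-WmiObject -Class Win32_Product |
    Select-Object -ExpandProperty Name | Sort-Object -Unique)

# Programs and Features is built from these keys: native, 32-bit-on-x64, and per-user.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

$arpEntries = @(foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $p = Get-ItemProperty -Path $sub.PSPath
        # Programs and Features hides entries without a DisplayName or flagged SystemComponent.
        if ($p.DisplayName -and -not $p.SystemComponent) {
            New-Object PSObject -Property @{
                DisplayName    = $p.DisplayName
                DisplayVersion = $p.DisplayVersion
                Publisher      = $p.Publisher
                # MSI products are keyed by their {GUID} product code; anything else came
                # from a non-MSI setup program and is invisible to Win32_Product.
                IsMsi          = ($sub.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$')
            }
        }
    }
})

# Entries that an inventory based only on Win32_Product would never see.
$missed = @($arpEntries | Where-Object { $msiProducts -notcontains $_.DisplayName })

"{0} Win32_Product entries, {1} Programs and Features entries, {2} not visible via Win32_Product" -f `
    $msiProducts.Count, $arpEntries.Count, $missed.Count
$missed | Sort-Object DisplayName |
    Format-Table DisplayName, DisplayVersion, Publisher, IsMsi -AutoSize
```

On a typical desktop the third number is not small: browsers, drivers, and most consumer software ship with non-MSI installers, which is why AIS goes looking for on-disk artifacts instead of trusting WMI alone. The same comparison is worth running before you trust any inventory tool's "software installed" report for license or vulnerability tracking.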
If you're using Microsoft System Center Configuration Manager (SCCM), then you already have a similar capability. The SCCM Asset Intelligence feature leverages the same dynamic catalog that AIS uses to identify detailed information about software, so you'll probably need to use AIS only on machines that you don't manage with SCCM.
I don't think that there's a company out there that doesn't use Group Policy in its environment. Just look at the Group Policy functionality advancements that we've seen in Windows Server 2008 and Windows Server 2008 R2, with new features such as Group Policy Preferences, new XML-based formats, improved Group Policy application based on network circumstances, and the sheer number of available configuration options: If you aren't making heavy use of Group Policy, you definitely should be. One item that hasn't quite kept up with the pace of advancement is the management of Group Policy. Although improving, this capability still lacks some key features. That's where the AGPM component of MDOP swoops in to save the day -- or at least the administrator's sanity.
AGPM adds the ability to check out and check in Group Policy Objects (GPOs) from a new offline Group Policy store, to make changes to GPOs without actually applying the changes, and to put GPO deployment under change control. Because editing happens on the offline copy, the people who change GPOs need no write permission on the live GPOs in AD and SYSVOL; only the AGPM service account writes to production when a change is deployed, which keeps day-to-day GPO editing within least privilege. AGPM also adds the ability to delegate groups of users to perform different levels of GPO modification and deployment, through built-in roles for Editors (who can modify GPOs), Reviewers (who can view and compare GPOs), and Approvers (who can create and deploy GPOs). AGPM can also integrate with email to send notifications to approvers when an approval is needed.
AGPM has a small server component, which can be installed on any server or on your domain controllers (DCs). The client-side component integrates easily with the existing Group Policy Management Console (GPMC), to which it adds a Change Control node, which Figure 2 shows. This node allows you to configure GPOs as Controlled, giving you the full capabilities of AGPM to manage those GPOs.
The newest addition to the MDOP suite is MBAM, which gives us enterprise-class management of the BitLocker feature. This type of management was previously restricted to a limited set of Group Policy controls that let you set the level of encryption and determine whether to require BitLocker To Go for removable media and whether recovery keys should be stored in Active Directory (AD).
MBAM provides both improved management capabilities and better insight into the state of the BitLocker environment. The component does this through built-in reports, which can be extended through standard SQL Server Reporting Services (SSRS) methods.
Administrators can set how BitLocker should be used on the desktops in the environment. This policy will then be enforced. For example, you can ensure that volumes are enabled for BitLocker but also add exceptions for hardware that doesn't meet requirements or users that have a valid reason not to use BitLocker. When additional volumes are added or a user disables BitLocker, MBAM walks the user through enabling or re-enabling BitLocker encryption, ensuring the security of your devices.
MBAM radically improves the BitLocker end-user experience. With MBAM, standard users can now manage their BitLocker environment, initiate encryption, and set up BitLocker -- tasks that were previously restricted to local administrators. Another great feature comes in handy when things go awry and users need the BitLocker recovery key. When BitLocker is enabled, a recovery key is generated. That key can be typed in manually at the BitLocker recovery screen to enable the OS to boot in times of distress.
Typically, users are prompted to save this key to disk, or print it, or tattoo it on their arms -- because if you lose it and BitLocker needs it, you've lost everything on the disk. One great enhancement that's in the Windows Server 2008 schema, and that can be applied to Windows Server 2003, is the ability to automatically save this recovery key as a child object of the computer account in AD. Some additions were made to help the IT Help desk retrieve this key and give it to users (the BitLocker Recovery Password Viewer extension for Active Directory Users and Computers), but MBAM makes this much nicer by providing a secure web portal that the Help desk can use to give the key to the user. When a recovery key is used, a new one is automatically generated, and a full audit trail is logged, showing when the key was pulled from the database and who pulled it. MBAM stores recovery keys and its management data in SQL Server, and the recovery-key database is protected with Transparent Data Encryption (TDE) to secure the keys at rest.
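To see what MBAM's portal improves on, here is the AD-only retrieval path as an added example (not MBAM code and not from the article). It takes the 8-character Recovery Key ID the user reads from the BitLocker recovery screen, finds the matching msFVE-RecoveryInformation object under the computer account, and returns the 48-digit recovery password. It assumes the Active Directory module from RSAT, an account with read access to those objects (delegate this to the Help desk group rather than granting it broadly), and placeholder values for the key ID ('3B5F0A6E') and computer name ('PC01').

```powershell
# Added example, not MBAM code: look up a BitLocker recovery password that was
# escrowed in Active Directory, starting from the 8-character Recovery Key ID shown
# on the BitLocker recovery screen. Requires the Active Directory module (RSAT) and
# read access to msFVE-RecoveryInformation objects, which should be delegated to
# the Help desk group rather than granted broadly. The key ID '3B5F0A6E' and the
# computer name 'PC01' below are placeholders.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$KeyIdPrefix,       # the first block of the Recovery Key ID on the recovery screen
        [string]$ComputerName       # optional: limit the search to one computer account
    )

    # Each recovery password is a child object of its computer account, named
    # "<timestamp>{<recovery GUID>}", so the key ID can be matched on the CN.
    $searchBase = (Get-ADDomain).DistinguishedName
    if ($ComputerName) {
        $searchBase = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    }

    Get-ADObject -SearchBase $searchBase `
        -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$KeyIdPrefix*))" `
        -Properties msFVE-RecoveryPassword, whenCreated |
    ForEach-Object {
        # The parent of the recovery object is the computer it belongs to.
        $computerDn = $_.DistinguishedName -replace '^CN=[^,]+,', ''
        New-Object PSObject -Property @{
            Computer         = (Get-ADObject -Identity $computerDn).Name
            KeyId            = $_.Name
            Created          = $_.whenCreated
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    }
}

# Help desk usage: verify the caller's identity, read the 48-digit password back,
# then have the disclosed recovery password replaced on the client (see the note below).
Get-BitLockerRecoveryPassword -KeyIdPrefix '3B5F0A6E' -ComputerName 'PC01' |
    Format-List Computer, KeyId, Created, RecoveryPassword
```

Two things this path does not do for you, and MBAM does: the disclosed password is not rotated, and nobody records who read it. Without MBAM you rotate by hand on the client with `manage-bde -protectors -delete C: -type RecoveryPassword`, `manage-bde -protectors -add C: -RecoveryPassword`, and `manage-bde -protectors -adbackup C: -id {new-id}` so the replacement is escrowed, and AD logs the read only if you put a SACL on the msFVE-RecoveryInformation objects and enable Directory Service Access auditing. Wildcard matching on the CN is the same technique the Recovery Password Viewer uses, so the search scales across the domain; restrict the search base to the computer when you know it.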
If you're using BitLocker, then you definitely should implement MBAM to get the best management, usability, and compliance within your organization.
I doubt that anyone is unfamiliar with Sysinternals, which provides some of the best Windows troubleshooting and administrative tools there are. Sysinternals had a commercial sister company, Winternals Software, which sold solutions for computer management, including great tools to help fix unbootable machines, recover deleted information, and change forgotten local passwords. With Microsoft's acquisition of Winternals, the best of these tools became DaRT, which has been enhanced even further since. Although DaRT still boots a machine from CD, DVD, or USB, IT technicians can now also use DaRT over the network and remotely, meaning that a desktop visit is no longer required to help recover a machine.
When a machine boots to DaRT, all the toolset's capabilities, which Figure 3 shows, are available to help resolve a variety of issues:
- Gain full access to both the registry and file system of the OS to recover deleted files or to perform a secure wipe of the disk
- Modify the passwords of local accounts, including administrator accounts
- Perform disk configuration changes, including repairing corrupt volumes and boot records
- View computer information and change settings, including network configuration, services, events, drivers, and AutoRun
- Uninstall hotfixes
- Perform a System File Checker (SFC) scan to ensure that the correct OS critical files are in place
- Scan for and remove malware
DaRT is one of those tools that you should keep on a small USB drive and carry at all times. The toolset is one of those things that you hope you don't need, but when you do need it, you want it quickly to hand. Keep that drive under your own control, though: the same tool that rescues a forgotten administrator password lets anyone who has the media and physical access reset that password, which is one more reason to pair DaRT with BitLocker on the machines it might be used on. One important note: DaRT is OS-specific. DaRT 7 works with Windows 7 and Windows Server 2008 R2 (DaRT 6.5 also supports Windows 7); earlier versions are also supplied to work with Windows Vista and Windows Server 2008 (DaRT 6) and Windows XP and Windows Server 2003 (DaRT 5).
If you investigated MDOP in the past, you might wonder what has happened to DEM, which allowed the application errors that are typically sent directly to Microsoft to instead be sent to a central internal server, which gave visibility to the errors in the environment and then forwarded them to Microsoft. DEM has been retired from MDOP, though it is still supported per typical Microsoft support timeframes. DEM functionality is now part of System Center Operations Manager (SCOM).
When it comes to tools such as DaRT and AGPM, you're likely thinking, "These are great, but I want to use them on my servers. How do I license MDOP on my servers?" You can't license MDOP for servers, but the great news is that you don't need to. If all your desktops are covered by MDOP, you can use DaRT, AIS, and AGPM on your servers as well. If you want to use App-V on your Remote Desktop Session Hosts, there's more good news: App-V for Remote Desktop Services is now part of the standard Remote Desktop Services CAL, so the virtual applications that you create for desktop App-V can be used in your Remote Desktop Services environment as well.
MDOP offers amazing value for any organization, even if you use only one part of the suite. When you're thinking about designing your optimal desktop, you can go that one step further by utilizing MDOP.