Desktop Files Revisiting the Microsoft Desktop Optimization Pack
It’s been just under two years since I first covered the Microsoft Desktop Optimization Pack (MDOP) and the five technologies it included: SoftGrid Application Virtualization, Asset Inventory Service, Diagnostics and Recovery Toolset, Advanced Group Policy Management, and System Center Desktop Error Monitoring. Since then, Microsoft has released two updates—MDOP 2008 and then MDOP 2008 R2 (see Figure 1). The latest release includes numerous enhancements to all of the key components, as well as support for additional locales for most of the components. Another update due by mid-2009 will include support for Microsoft Enterprise Desktop Virtualization (MED-V), which I'll cover in detail at the end of this month's article. Let's take a look at how each of the technologies included in MDOP have been improved.
Figure 1 The new Microsoft Desktop Optimization Pack 2008 R2
The MDOP component originally named SoftGrid Application Virtualization is now Microsoft Application Virtualization 4.5 (APP-V), and it has been considerably enhanced to make using it within a Microsoft Windows–based organization faster and easier. Among the reliability features that have been improved are:
- A memory-locked cache that enables applications to be retained on client systems in the local application cache, even when the system shuts down suddenly;
- Background streaming, which allows for auto-caching of the application, where applications are downloaded in the background while a user is performing other tasks;
- Application check-pointing, which allows the state of applications, such as user preferences and settings, to be backed up so that they may be rapidly restored later.
Supporting a Microsoft infrastructure in a manageable way is now easier with APP-V, as it lets you create an MSI file from virtualized packages—meaning your existing application publishing tools can be used to quickly and reliably push out APP-V packages as well. Similarly, System Center Configuration Manager (SCCM) and SMS customers can push out a pre-cache of applications, even to new systems with no local users installed yet. With SCCM 2007 R2, App-V and SCCM are integrated, allowing you to leverage one management console, perform well-known workflows for managing applications, and take advantage of SCCM core functionality to inventory, distribute, manage, and report on virtual applications just like physical applications. You also get a WMI provider that allows managed monitoring of APP-V usage, whether online or offline.
In order to improve the performance and convenience of APP-V, the product now supports streaming from any existing HTTP server in your infrastructure. The sequencing process has been optimized to speed up the creation of virtualized applications. Moreover, you can now virtualize .NET-based applications. More information on .NET virtualization is available in the article "Support for .NET in Microsoft Application Virtualization 4.5 (App-V)".
From a usability perspective, APP-V now supports 11 localized languages, and it can now virtualize an application in any language except those that use "Complex Script," such as Thai, Hebrew, Arabic, Vietnamese, and Indic languages. It also supports Section 508 (of the Rehabilitation Act of 1973) accessibility compliance.
APP-V is supported on 32-bit Windows XP (APP-V 4.2) and Windows Vista (APP-V 4.5). Support for x64 versions of Windows Vista is expected in a beta form in late 2009, with a release during calendar year 2010 (see the article "MDOP Makes Some Noise in Spain "). Support for 64-bit versions of Windows is a frequently requested feature for APP-V, but making APP-V compatible with Windows Vista and Windows Server 2008 requires significant modifications to the APP-V infrastructure; this will be supported in due time.
Advanced Group Policy Management
Two versions of Microsoft Advanced Group Policy Management (AGPM) are supplied—2.5 and 3.0. If your server infrastructure is running Windows Server 2003 or your clients are still running the original RTM version of Windows Vista, you must use the earlier 2.5 release of AGPM. In order to use AGPM 3.0, your server must be running Windows Server 2008, and your clients used for managing AGPM must be running Windows Vista Service Pack 1. The new release also adds support for x64 versions of Windows Vista Service Pack 1 and Windows Server 2008. However, note that AGPM can be used to manage Group Policy on systems running Windows 2000 SP4 or newer.
In addition to the platform and architecture support, AGPM 3.0 now offers the ability to apply permissions to group policies—meaning that you can control who modifies group policy within your organization (see Figure 2). It also has enhanced change tracking in order to monitor when a policy was changed, how, and by whom (and who approved or rejected it), as shown in Figure 3. The user interface of AGPM 3 has also been significantly enhanced, and like APP-V, is available in additional languages (11 in total).
Figure 2 AGPM integrated into the Group Policy Management Console
Figure 3 Policy revision control viewed through AGPM
Asset Inventory Service
The Microsoft Asset Inventory Service (AIS) 1.5 component is the sole "Software as a Service" piece of the MDOP. It is available from an easily used online site, and retrieves information from managed systems using a lightweight client installer. Originally designed to provide software management details (quickly and easily retrieving details on installed applications from client systems), AIS now also provides license tracking. So in addition to telling you what software is installed in your infrastructure, AIS will correlate that inventory with your Microsoft License Statement information. That's crucial in this day and age to make sure that you are not only compliant from a legal perspective, but also that you aren't wasting money on unused licenses. AIS incorporates data normalization based on a catalog of many application titles. The resulting reports provide information that is complete, easy to understand, and not cluttered by repetitive entries.
Diagnostics and Recovery Toolset
As with AGPM, there are two versions of the Microsoft Diagnostics and Recovery Toolset (DaRT) included in MDOP now—5.0 and 6.0. The 5.0 version that previously shipped with the release of MDOP I discussed in 2007 is still available and is unchanged. That's the version you need if you are trying to recover a Windows XP system.
For organizations using Windows Vista, however, MDOP now includes all of the functionality of the 5.0 release, and then some. The 6.0 release supports Windows Vista, both 32-bit and 64-bit. In fact, the process of creating your ERD Commander ISO uses a Windows Vista DVD to complete its work. As I've mentioned before, you shouldn't ever use a Windows PE 1.x CD (which DaRT 5 is) to boot a Windows Vista system as it will cause your Restore Point data to be lost, thus the move to Windows PE 2 for DaRT 6.
Unlike DaRT 5, which had its own unique user interface, DaRT 6 integrates into the Microsoft Windows Recovery Environment (WinRE) interface and provides a quick-launch menu upon startup to launch the appropriate tool.
New to this release is the Standalone System Sweeper (Figure 4), which provides anti-malware functionality in an offline scan. It uses a signature that is up to date when the ISO image is initially created; updates can also be provided via a USB Flash Drive (UFD) when using ERD Commander. If Internet connectivity is available, updates can be downloaded in real-time for offline scanning.
Figure 4 Standalone System Sweeper retrieving signature updates
Also new is System Boot File Repair, part of WinRE, which provides the ability to repair critical system boot files to get a system bootable again.
While DaRT 6 no longer has the ability to share out the local system drive for recovery, you can still connect to remote shares and copy data as needed using ERD's Explorer-like interface.
DaRT has also been enhanced to support BitLocker-encrypted volumes. Previously, you would have had to manually hack in support for disk/volume encryption tools, and BitLocker was not supported at all. That's changed now with the rest of the Windows Vista support.
System Center Desktop Error Monitoring
Microsoft System Center Desktop Error Monitoring (DEM) 3.0 SP1 lets organizations centralize and diagnose Windows crashes and application hangs. It has been enhanced to improve performance and reliability plus better reporting functionality (the ability to see the top demographics, for example). DEM 3.0 SP1 also can be easily upgraded to a full System Center Operations Manager implementation.
DEM is useful for organizations because it provides insight into the lifecycle of systems in the organization—events that would previously have gone undetected or resulted in strange system failures can now be seen ahead of time. Thus, DEM allows more proactive handling of troublesome applications or drivers to deliver a more reliable desktop experience for an organization's end users. It also helps to close the loop with application and driver developers who may not be aware of how and why their software is failing.
But Wait—There's More
So now we have covered all of the key components of the MDOP that were in the product when I discussed it in 2007. While these components have all improved significantly, what I think you will find most interesting about the MDOP is what's new. As with most of the other MDOP components, Microsoft Enterprise Desktop Virtualization (or MED-V for short), is comprised of technology that Microsoft acquired and is turning into technology that can really enhance the enterprise Windows world.
In 2008, Microsoft acquired Kidaro, a small virtualization company. What made Kidaro products interesting is that they were not strictly virtualization products like Virtual PC, VMware, Citrix XEN, and so forth. Instead, Kidaro's technology worked to make existing virtual machines much more dynamic and manageable—and that's exactly the direction Microsoft has continued to take with it.
MED-V, available in a public beta form as I write this, is designed to allow an organization to keep legacy applications around, as needed, but offer them in a managed, virtual environment. Instead of providing a full "desktop in a window," which can be confusing to end users and hard for administrators to maintain, MED-V contains needed legacy applications on a standardized image that is centrally maintained. And it does this in a way that—for all but administrators and power users— looks convincingly like they are native applications running on the actual host OS. Instead, of course, they are actually running on a guest under Microsoft Virtual PC.
MED-V begins with the packaging process, where it provides a console to help administrators create and test images and store them on an IIS Web server, and then create an MSI that is capable of pulling the images down from a the repository.
The images can be deployed via removable storage (UFD, DVD, and so on), via a MED-V internal delivery mechanism called TrimTransfer that provides a bandwidth-optimized delivery mechanism for deployment and updates to images. You can, of course, also distribute the images via SCCM if you have the infrastructure.
The central management server of MED-V supports up to 5,000 endpoints and allows you to use Active Directory to assign images and require authentication based on Active Direct Users or Groups.
During deployment, MED-V provides the means to automatically configure the network of the guest OS and join it to the domain, as well as to apportion RAM to the guest based upon the host's RAM. Once deployed, MED-V enables monitoring and centralized remote administration of the guest OS.
Authentication of the image can be governed via Active Directory, and you can restrict images to only allow access for a certain timeframe, with a set expiration point, or for a certain window of hours, say, during business hours.
Instead of the traditional "floating desktop" displayed by traditional virtualization systems—which can throw nontechnical users—MED-V places a small icon in the Windows notification area. The virtual machine is essentially invisible to the end user, and any applications that are installed on the guest display shortcuts in the end user's host Start Menu. When these applications run, unless they are configured to display the full desktop, they will run as freestanding applications (as if they were running on the host). Optionally, MED-V can frame these apps with a colored border to help users discern "where" the application is. This is useful for users, and it also lets a help desk see that a user is running MED-V. This option is available to administrators via the MED-V management console.
Just as with Virtual PC, printer redirection to a host printer, file transfers, and copy and paste all typically work as configured. Effectively, the user can print from and copy or past to or from MED-V-hosted applications as if they were applications on the host itself. MED-V can also specify URLs that should always be opened from within the MED-V guest, while others will use the host OS's Web browser instead. Finally, the images can be configured to either retain state, or to be reversible (revert to a snapshot in time) if no user state needs to be retained.
Thus, MED-V can best be thought of as a means to provide a managed, secured, and easily updated environment to end-users. Whether the goal is to provide a managed environment to access legacy applications, to provide controlled access to information for security or compliance reasons, or simply to provide an enterprise application in a managed environment, MED-V provides a new and exciting way to offer the necessary applications to your end-users. It does this in a low-impact, high-performance, secure, and manageable way.
MED-V is an eagerly anticipated update to the MDOP platform, and will undoubtedly help Microsoft customers optimize their Windows investment.
The licensing requirements for MDOP have not changed. To license MDOP, customers must have an existing Microsoft Software Assurance (SA) agreement covering the desktops that MDOP is to be used on. Once Software Assurance is in place, the licensing costs begin at approximately $10 per desktop per year. Volume discounts and educational pricing are available.
As before, the MDOP is not generally available for use on servers. However, you can license Application Virtualization 4.5 for Terminal Services. More information is available at Microsoft Application Virtualization for Terminal Services site.
With the MDOP 2008 R2 release, and the impending release that supports MED-V, Microsoft continues to add valuable new tools to the product to help Microsoft SA customers make the most of their Windows investment, and do so in a way that optimizes the investments customers have made in other Microsoft management technologies, including operations that require support for other languages.
More information about MDOP is available on the Windows Desktop Management and Deployment site, which is updated with each MDOP release to include new components and updates.
If you currently have Software Assurance and are considering licensing MDOP, you may want to visit the free MDOP Return on Investment (ROI) tool MDOP ROI tool, which can help you visualize the estimated cost savings of deploying MDOP on your desktop systems.
Wes Miller is the Director of Product Management at CoreTrace (CoreTrace.com) in Austin, Texas. Previously, he worked at Winternals Software and as a Program Manager at Microsoft. Wes can be reached at firstname.lastname@example.org