10 IT Pro Pain Points Simplified with MDOP
Everyone enjoys a good list. There are lists of influential people, best and worst dressed celebrities, happiest places to live, and so on. Our list is a bit more humble—if not a bit geeky. We are Microsoft, after all! Our list focuses on Windows 7. In particular, it describes 10 pains that IT pros endure and how the Microsoft Desktop Optimization Pack (MDOP) can help reduce them.
If you are not already familiar with MDOP, depicted in Figure 1, this list provides a good introduction. However, you can also learn more about it on the MDOP Web site at http://www.microsoft.com/mdop/. In a nutshell, MDOP is a collection of six products that can help streamline desktop deployment, management, and support. Like a Swiss Army knife, it solves many problems and can simplify your life as an IT pro.
Figure 1. Products in the Microsoft Desktop Optimization Pack
1. Testing and Remediating Application Conflicts
Arguably one of the most painful steps of deployment is testing and remediating applications. Regression testing consumes an inordinate amount of time. Fixing any discovered compatibility issues requires an uncommon skillset that is difficult to learn and sometimes requires outside help.
Microsoft Application Virtualization (App-V) can help address this challenge. It isolates applications so that each one sees its own virtual environment. An application changes files and registry settings only within that virtual environment, rather than on the host PC, so it does not affect the operating system or other applications. For that matter, you never actually install virtual applications on the host PC; you stream them from the network and cache them locally, so the operating system remains pristine, updating them is simple, and removing them does not interrupt users. Think of App-V as the equivalent of running each application in its own sandbox. The application can do whatever it wants within its own sandbox, but it cannot play with sand in other sandboxes unless given explicit permission, and it cannot throw sand out of the sandbox, either. One caveat the analogy invites: this isolation is a compatibility and deployment mechanism, not a security boundary. A virtual application runs with the logged-on user's privileges and can still read and write the user's documents, network shares, and anything else that user can reach, so App-V is no substitute for least privilege or for antimalware controls.
To be clear, App-V does not address application incompatibility with the operating system. For that, you must still rely on tools like the Application Compatibility Toolkit (ACT). You can learn more about the ACT on the Springboard Series at http://technet.microsoft.com/en-us/windows/aa905066.aspx. Also, see this article's third pain point, "Deploying Operating-System-Incompatible Applications," to learn about mitigating operating-system compatibility issues by using Microsoft Enterprise Desktop Virtualization (MED-V).
Note that because App-V isolates applications in their own virtual environments, it can greatly reduce the need for regression testing to identify conflicts between applications, and with it the need to remediate those conflicts. In fact, many companies report that they skip these steps altogether and go directly to packaging (or sequencing) applications, which captures an installation into a package that the administrator can stream over the network. Sequencing is a far simpler process than remediation.
How about a practical example? Some organizations moving to Microsoft Office 2010 have line-of-business (LOB) applications based on Microsoft Office 2003 that are not compatible with Office 2010. Such incompatibilities might block deployment for mere mortals. But with App-V, they can easily run both versions of Office side-by-side, maintaining access to legacy LOB applications while continuing to move forward with Office 2010. The proof is in the screenshot, and Figure 2 shows both versions of Office running on the same PC.
Figure 2. Office 2003 and Office 2010 Side by Side
2. Getting the Right Applications to the Right Users
A pain point related to testing and remediating applications is packaging and distributing them. Packaging applications for automated deployment and configuration is often the most time-consuming, difficult, and expensive part of any deployment project. And how do you get the right applications to the right users in all the right places?
Two common choices are to include applications in monolithic Windows images or to distribute them using electronic software distribution (ESD) systems. Including applications in Windows images usually leads to a high image count and a maintenance nightmare.
Through the years, these processes have served us well. But what if you could save time by more easily targeting applications to end users and enabling those applications to follow users to each device they use? Would your job be easier, and less repetitive, by keeping applications out of your Windows images? If you want to make application distribution less frustrating and make more time available for other tasks, then you owe it to yourself to take a closer look at App-V.
With App-V, you can strike a balance between the control you need and the flexibility users need. App-V untangles applications from the operating system. That is, each application is packaged separately, provided as a network service, and isolated from the operating system and other applications. Applications can still communicate with one another and take advantage of system resources.
Once you sequence an application, assign the appropriate rights, and place it on the server, the application is immediately available for users. They can launch the application without waiting for it to install, because App-V streams the application on demand.
Imagine the impact on not just application delivery but on the deployment process as a whole. Suddenly, getting down to the mythical single image becomes a real possibility. You deploy a single Windows image, and when users log on to their PCs, App-V delivers the applications they need. Because App-V does not actually install applications on the host PC, it can reduce the support time associated with applications: troubleshooting rarely goes beyond clearing the locally cached package so that it streams fresh from the server, and there is nothing to reinstall.
3. Deploying Operating-System-Incompatible Applications
Whereas our first two pain points dealt with application conflicts and distribution, our third pain point addresses a big issue that most IT pros face: application compatibility issues with the operating system. Most popular applications are compatible with Windows 7. Compatibility problems most often come from internally developed LOB applications or intranet sites. Occasionally, you simply do not have time to test some applications and have to assume they are not compatible.
Windows XP Mode, which Windows 7 introduced, can help address this challenge. Windows XP Mode can run applications that do not work on Windows 7 in a virtual Windows XP environment. Even though they are running in a virtual Windows XP environment, they look and feel as if they are running natively on the host PC because they launch from the Windows 7 Start menu and run seamlessly on the Windows 7 desktop. This is a good solution for a small business with a handful of PCs, but it quickly turns into a management headache for organizations that have more PCs.
MED-V provides all of the power of Windows XP Mode plus the control and management features that IT pros need. MED-V helps IT deploy managed virtual Windows XP environments to end users.
MED-V also enables customization of each environment. For example, it will automate the first-time setup of the virtual machine (VM), set its network connection according to the host PC’s settings, assign a unique name to the VM, and join it to the Active Directory Domain Services (AD DS) domain.
MED-V 2.0, the latest version, requires no dedicated infrastructure or management servers. You can deploy MED-V through existing ESD systems just like any other application.
Application compatibility is not the only pain that MED-V addresses. It also addresses the scenario in which some internal Web applications work only with Internet Explorer 6. MED-V can redirect individual Web sites to the virtual Windows XP environment, opening them in Internet Explorer 6. Because that is an old browser running in a second operating system instance, confine the redirection to the specific intranet URLs that need it, and treat the virtual Windows XP environment as a managed endpoint in its own right: it needs its own updates and antimalware protection, and it should never be the browser users reach the Internet with.
4. Managing and Controlling Group Policy
Managing and controlling Group Policy is our fourth pain point. Simply put, the problem is that any change a Group Policy administrator makes affects the production environment immediately. There is no review process. No approval process. Additionally, Group Policy does not maintain any sort of history for each Group Policy Object (GPO), making it difficult to know who changed what and when they changed it. You can more precisely express this pain as “cleaning up someone else’s mess.”
Advanced Group Policy Management (AGPM) can reduce this pain by providing accountability and an auditable history. As Figure 3 shows, AGPM adds change management, or version control, to Group Policy. To edit a GPO, you check it out of the archive (offline storage for GPOs), change it, and check it back in to the archive. This process works like any other version-control system, such as document libraries in Microsoft SharePoint Server 2010. Change control also keeps a history of changes for each GPO, so you can compare different versions to show added, changed, or deleted settings. You can even see who made each change and when they made it.
Figure 3. Advanced Group Policy Management
Building on its change-control features, AGPM provides a robust delegation model for Group Policy. It enables you to define a workflow that works well for your organization by assigning GPO administrators to one of three roles: Reviewer, Editor, and Approver (a fourth role, Full Control, is reserved for the AGPM administrator who manages the archive itself). Reviewers can view and compare GPOs but cannot edit or deploy them. Editors can edit GPOs in the archive but cannot deploy them to production. Approvers can approve GPO creation and deployment to production. After an Editor changes a GPO and requests deployment, an Approver reviews the GPO and approves deployment.
You can assign the Approver role to an individual or panel of administrators, with the remaining administrators assigned to the Editor role. An alternative is to assign the Editor and Approver roles for each individual GPO. For example, you can assign the Approver role for each GPO to the department heads within its scope. The point is that role-based delegation in AGPM is extremely flexible, allowing you to create a workflow that works for you.
AGPM is one of those tools that is hard to get excited about until you actually use it. Then you cannot imagine Group Policy without it. It can help you get things done more quickly and with less frustration. And it can help dissipate the fog that surrounds GPOs in fast-changing environments.
5. Reducing Downtime that Errant GPOs Cause
Our fifth pain point also deals with Group Policy, and the obvious relief is AGPM. We call out this pain separately from the previous one because we frequently hear IT pros lamenting the time they changed a GPO, and the Help Desk made them wish they had not come to work that day.
AGPM features that the previous section described can help prevent errant changes from occurring in the first place. First, any changes that Editors make to a GPO happen in the archive and not in production. They can edit to their heart’s content, but they will not touch production. Only after an Approver permits deployment does a GPO affect production, and hopefully the Approver is paying attention.
Second, change control in AGPM makes it simple to recover from errant changes that do creep into production—maybe the Approver was not paying attention after all. In that case, change control can help you quickly identify specific changes that might be causing the problem. After identifying the GPO containing the offending changes, you can quickly roll back to a previous version of the GPO. By the end of the next Group Policy refresh, the problem should be resolved. Domain members refresh every 90 minutes plus a random offset of up to 30 minutes by default (domain controllers every 5 minutes), so a rollback can take up to two hours to reach every PC; running gpupdate /force on an affected PC applies it immediately.
AGPM has a particular feature that is useful if you run a tight ship and want to be very sure about a GPO before deploying it: cross-forest management. You can copy a GPO from a domain in one forest to a domain in a different forest, and then deploy it. Using cross-forest management, you can edit and thoroughly test GPOs in an isolated lab environment. Once you are satisfied with the results, you can easily copy the GPOs to production and deploy them.
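To make the history and rollback that the previous two sections describe concrete, here is the native-tooling baseline an administrator has without AGPM. This is an added example, not code from the original article or from AGPM, and it uses only the GroupPolicy module that ships with RSAT on Windows 7 and Windows Server 2008 R2. The backup folder and the GPO name in the usage lines are assumptions; substitute your own.

```powershell
# Added example (not from the original article): snapshot, compare, and roll back GPOs
# with the GroupPolicy module. Folder path and GPO name below are assumptions.
Import-Module GroupPolicy

# Snapshot every GPO in the domain into a dated folder, and save an XML settings report
# next to each backup so that versions can be compared later.
function Backup-AllGpoVersions {
    param([string]$BackupRoot, [string]$Comment = "pre-change snapshot")
    $stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
    $target = Join-Path $BackupRoot $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    foreach ($gpo in Get-GPO -All) {
        Backup-GPO -Guid $gpo.Id -Path $target -Comment $Comment | Out-Null
        Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path (Join-Path $target "$($gpo.Id).xml")
    }
    return $target
}

# Compare the saved settings report of one GPO with its current state. Lines that appear
# on only one side are the added, changed, or deleted settings. <ReadTime> changes on
# every report and is filtered out as noise.
function Compare-GpoWithSnapshot {
    param([string]$GpoName, [string]$SnapshotFolder)
    $gpo = Get-GPO -Name $GpoName
    $old = Get-Content (Join-Path $SnapshotFolder "$($gpo.Id).xml")
    $new = (Get-GPOReport -Guid $gpo.Id -ReportType Xml) -split "`r?`n"
    Compare-Object -ReferenceObject $old -DifferenceObject $new |
        Where-Object { $_.InputObject -notmatch '<ReadTime>' } |
        ForEach-Object {
            $tag = if ($_.SideIndicator -eq '=>') { 'NOW ' } else { 'WAS ' }
            "$tag$($_.InputObject.Trim())"
        }
}

# Roll a GPO back to the version captured in a snapshot folder. Restore-GPO rewrites the
# live GPO, so the change reaches clients at their next refresh; run gpupdate /force on
# a test client to confirm before telling the Help Desk the storm is over.
function Restore-GpoFromSnapshot {
    param([string]$GpoName, [string]$SnapshotFolder)
    Restore-GPO -Name $GpoName -Path $SnapshotFolder | Out-Null
    (Get-GPO -Name $GpoName).ModificationTime
}

# Usage (assumed path and GPO name):
# $snap = Backup-AllGpoVersions -BackupRoot 'C:\GPOBackups'
# ... someone edits "Workstation Security" directly in production ...
# Compare-GpoWithSnapshot -GpoName 'Workstation Security' -SnapshotFolder $snap
# Restore-GpoFromSnapshot -GpoName 'Workstation Security' -SnapshotFolder $snap
```

What this baseline cannot give you is the part of the pain point that matters most: it tells you what changed only if you remembered to take a snapshot first, and it never tells you who made the change or whether anyone approved it. That is the gap AGPM's archive, roles, and approval workflow close.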
6. Provisioning BitLocker on PCs and Supporting End Users
Sixth on our list of IT pro pain points is BitLocker Drive Encryption management. BitLocker provides full-volume encryption to help protect corporate data when the operating system is offline, which is exactly the situation an attacker creates by booting a lost or stolen PC from other media or by moving its drive to another computer. There is nothing particularly painful about BitLocker itself, other than the fact that it takes a while to encrypt a large drive.
What is missing is an easier way for IT pros to make the right configuration choices for their organizations and provision BitLocker automatically for users who do not have administrator privileges on their PCs. Additionally, supporting end users who lose access to their BitLocker-encrypted drives is challenging for organizations that do not want to store recovery passwords in AD DS.
In a future version of MDOP, we will release Microsoft BitLocker Administration and Monitoring (MBAM), which can significantly reduce these pains. It makes centrally configuring BitLocker policies, deploying BitLocker across the organization, and enforcing those policies easier. It can manage fixed drives with BitLocker and removable devices with BitLocker To Go.
You define BitLocker encryption policies centrally by using Group Policy (MBAM supplies its own administrative template for the settings the agent enforces), and then deploy the MBAM agent to each PC you want to manage. Since MBAM relies on Group Policy to configure the agent, you have a lot of flexibility to target specific hardware or groups of users' PCs with your BitLocker policies.
When policy requires encryption on a PC, MBAM prompts the user to begin encryption immediately, as Figure 4 shows. The process does not require elevation, and users can continue working because the process runs in the background. However, they can briefly postpone encryption if necessary.
Figure 4. Microsoft BitLocker Administration and Monitoring
Supporting BitLocker is also easier when using MBAM. First, it allows end users to perform basic tasks without calling the Help Desk. For example, they can reset their BitLocker PINs without requiring administrator privileges. Second, MBAM provides a Web page that authorized Help Desk staff can use to look up an end user's BitLocker recovery password. MBAM stores recovery passwords in a Microsoft SQL Server database rather than in AD DS, encrypts them there, limits who can retrieve them through role-based access, and records each retrieval so you can audit who recovered which PC. Because a recovery password that has been read out over the phone is no longer a secret, MBAM treats it as single-use: after the PC recovers, the agent generates and escrows a new one.
7. Monitoring BitLocker Compliance and Identifying Risk
Monitoring BitLocker compliance is another pain point that MBAM can help reduce. BitLocker does not provide a way to know which PCs are compliant with an organization’s BitLocker policies. It is like flying in bad weather without instrumentation. You just do not know which PCs are compliant and which are not. To drive this point home, imagine a scenario in which a mobile PC is lost or stolen. Can you quickly determine your organization’s risk by looking up whether the PC was compliant?
MBAM addresses this pain point by providing BitLocker compliance reports in the box. You can view the compliance status of the entire organization or an individual PC. These reports tell you how many PCs are compliant, how many are not compliant, and the details for individual PCs. Figure 5 shows an example report. In the event that a mobile PC is lost or stolen, you can look it up to determine whether it was compliant with BitLocker policy. You are not left in fear of the worst, because you know the risk almost immediately.
Figure 5. Compliance Report in Microsoft BitLocker Administration and Monitoring
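The sixth and seventh pain points both come down to instrumentation: knowing, per PC, whether protection is on, whether encryption finished, which cipher was used, and whether a recovery password exists to escrow. The following is an added example, not code from the original article or from MBAM, showing what you can collect yourself from the Win32_EncryptableVolume WMI class that BitLocker exposes on Windows 7. Remote WMI queries require local administrator rights on the target PCs; the function names, the compliance rules, and the computer names in the usage line are assumptions.

```powershell
# Added example (not from the original article): a do-it-yourself BitLocker compliance
# check over WMI, the kind of report MBAM produces for you. Rules and names are assumptions.
$BitLockerNamespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Read the state of every BitLocker-capable volume on one PC.
function Get-BitLockerVolumeState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $volumes = Get-WmiObject -Namespace $BitLockerNamespace -Class Win32_EncryptableVolume `
        -ComputerName $ComputerName -ErrorAction Stop
    foreach ($v in $volumes) {
        $prot = $v.GetProtectionStatus().ProtectionStatus   # 0 off, 1 on, 2 unknown
        $conv = $v.GetConversionStatus()                     # ConversionStatus, EncryptionPercentage
        $meth = $v.GetEncryptionMethod().EncryptionMethod    # 0 none, 1/2 AES+diffuser, 3 AES 128, 4 AES 256
        # Key protector type 3 is the numerical (recovery) password. A volume without one
        # is the volume nobody can help the user recover, no matter where keys are escrowed.
        $recovery = $v.GetKeyProtectors(3).VolumeKeyProtectorID
        New-Object PSObject -Property @{
            Computer            = $ComputerName
            Drive               = $v.DriveLetter
            ProtectionOn        = ($prot -eq 1)
            ConversionStatus    = $conv.ConversionStatus     # 0 decrypted, 1 encrypted, 2 encrypting, 3 decrypting, 4/5 paused
            PercentEncrypted    = $conv.EncryptionPercentage
            EncryptionMethod    = $meth
            HasRecoveryPassword = (@($recovery | Where-Object { $_ }).Count -gt 0)
        }
    }
}

# Evaluate one volume against a written policy: protection on, fully encrypted, an
# allowed cipher (AES 256 by default), and a recovery password protector present.
function Test-BitLockerCompliance {
    param($VolumeState, [int[]]$AllowedMethods = @(2, 4))
    $reasons = @()
    if (-not $VolumeState.ProtectionOn)       { $reasons += 'protection off' }
    if ($VolumeState.ConversionStatus -ne 1)  { $reasons += "not fully encrypted ($($VolumeState.PercentEncrypted)%)" }
    if ($AllowedMethods -notcontains $VolumeState.EncryptionMethod) { $reasons += "method $($VolumeState.EncryptionMethod) not allowed" }
    if (-not $VolumeState.HasRecoveryPassword) { $reasons += 'no recovery password protector' }
    New-Object PSObject -Property @{
        Computer  = $VolumeState.Computer
        Drive     = $VolumeState.Drive
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Report on the operating system volume of each PC. Unreachable PCs land in an
# "unknown" bucket rather than disappearing; a stolen laptop usually sits there.
function Get-BitLockerComplianceReport {
    param([string[]]$ComputerName)
    foreach ($pc in $ComputerName) {
        try {
            Get-BitLockerVolumeState -ComputerName $pc |
                Where-Object { $_.Drive -eq $env:SystemDrive } |   # assumes the same OS drive letter everywhere
                ForEach-Object { Test-BitLockerCompliance $_ }
        } catch {
            New-Object PSObject -Property @{
                Computer = $pc; Drive = $null; Compliant = $false
                Reasons  = "unreachable: $($_.Exception.Message)"
            }
        }
    }
}

# Usage (assumed computer names):
# Get-BitLockerComplianceReport -ComputerName 'LAPTOP-01','LAPTOP-02' | Format-Table -AutoSize
```

Run against a fleet, this answers the lost-laptop question the text poses, but only for PCs that happen to be online when you ask, and it produces no history, no trend, and no escrow of the recovery passwords it finds (on Windows 7 that is a separate step with manage-bde -protectors -adbackup, and only to AD DS). Those limitations are the reason MBAM stores its agent's reports and recovery data centrally instead.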
8. Troubleshooting PCs that Won't Start
Troubleshooting unresponsive or unbootable machines is our eighth IT pro pain point. Troubleshooting can be time consuming and often does not lead to a solution, partly because IT pros usually have to visit users' desks to troubleshoot their PCs, and partly because they use their troubleshooting tools so infrequently that they have limited experience with them.
Many IT pros simply reimage troubled PCs. So, in organizations that are not using roaming user profiles or Folder Redirection, the user loses settings and any data stored on the local drive.
The Diagnostics and Recovery Toolset (DaRT) can relieve this pain. As Figure 6 shows, DaRT is a collection of 14 tools for troubleshooting typical PC problems. For example, you can use the Crash Analyzer to read the PC's crash dump and identify the driver that caused the failure, and then disable that device driver or service. You can also recover deleted files; explore the PC's event log, file system, or registry; remove hotfixes; and so on. DaRT is one of those tools that you hope to never use, but it's good to have in your arsenal when you need it. Keep in mind that the same boot media gives whoever holds it offline access to the disk, and one of its tools (Locksmith) resets local account passwords, so treat DaRT media as a privileged tool: control who can obtain it, and rely on BitLocker to keep the data on the volume unreadable until an administrator unlocks it with the recovery password.
Figure 6. Diagnostics and Recovery Toolset
9. Removing Rootkits and Other Malware
Spyware, viruses, and other malware are becoming more advanced and are using techniques like rootkits to load themselves into memory and remain hidden from most forms of detection. Removing these rootkits and other types of malware is our ninth pain point. Although real-time malware scanners are an effective and critical part of your infrastructure, malware can still slip through the cracks. Additionally, many malware engines have a hard time effectively removing rootkits, which often leaves you with few options short of rebuilding the PC. As a result, it's important to have a defense-in-depth strategy. DaRT provides a better option for removing rootkits: Standalone System Sweeper, which Figure 7 shows. It is one of the 14 tools that DaRT provides. Booting the PC from the DaRT media leaves the installed operating system offline, so a rootkit that hides by hooking the running system never gets to run. With the installed operating system offline, Standalone System Sweeper can scan all of the PC's files and folders without the rootkit or malware code hiding, and it can then remove what it finds. Two caveats: its definitions are only as current as the DaRT recovery image you boot from (it can update them over the network at boot time), so rebuild the image regularly; and a cleaned PC is not automatically a trusted PC, so treat a rootkit infection as a reason to find out how it got in and to change any credentials used on that machine. Without Standalone System Sweeper, many people would have no other option than to reimage the PC.
Figure 7. Standalone System Sweeper
10. Figuring Out What Users Have and What You Need
Do you ever wonder exactly what software is on all of your organization’s PCs? You know what was in the Windows image you deployed, and you know what software you installed later, but how about any software your users added? Ever wonder if you really need that 5,000-seat license for the accounting software you purchased? As you might guess, MDOP has a solution for our 10th and final IT pro pain point. Asset Inventory Service (AIS) is an online service that helps provide a comprehensive view of an organization’s desktop software environment. With AIS, you can find out how many copies of an application are installed, where they are installed, and whether you need to increase or decrease your number of licensed seats with the software publisher. As you plan a Windows 7 migration, AIS can also help by providing a map of which applications are running in your current environment—even remote locations that you don’t visit often, or ever. Using this data, you can prioritize your testing and deployment schedules and plans.
That's it. MDOP is like a Swiss Army knife for tackling IT pro pain points. If you are considering Software Assurance or a platform Enterprise Agreement for your organization, make sure you add MDOP to the package. It will cost you approximately $10 per desktop per year or less for all those great tools. If you have Software Assurance in your organization already, but you don’t know whether you own MDOP, you should check with your purchasing department to find out if you are already licensed to deploy it. For more information about MDOP, see the MDOP Web site at