Top 7 IT Pro Pain Points Simplified with MDOP
Everyone is familiar with top 10 lists. There’s the top 10 best dressed, worst dressed, dog names, places to vacation, etc. Since this, however, is Microsoft, and it’s all about Windows 7, I figured we should do a top 7 list, and focus on the top 7 pain points that the Microsoft Desktop Optimization Pack, or MDOP for short, can simplify for IT Pros.
Before we get into our list, however, you might not be familiar with MDOP. Think of MDOP as the Swiss army knife that all IT Pros should have with them. MDOP is a collection of six technologies designed to increase desktop manageability. Like the Swiss army knife, it solves many different problems and generally makes your life much easier, as we will see.
1. Application Conflicts, Provisioning to Users, and Windows Rollouts
We all know the challenges of delivering the right applications to users’ machines. You have to create the installation, test it in your base image and with other applications to make sure it doesn’t break anything, figure out who needs it and which PCs they use as their primary machines, set up the targeting for delivery, schedule the delivery to take place overnight so users aren’t impacted during working hours, reboot if needed, and then check to make sure the application successfully installed after the fact and retarget failed or missed machines. All of this requires a lot if hands-on work throughout the entire process to make sure everything works just right.
Don’t get me wrong; this is a methodology that has been working for years. But what if you could apply the same principles and consolidate the steps to save time and money for your organization? How about to the tune of reducing costs by $150+ per PC? What if you could drastically cut the time it takes from the point of request to when a user is up and running, all while enabling the user to “pull” the application when needed? Interested? Then keep reading.
With Microsoft Application Virtualization (App-V), you can strike a balance between giving IT the control it needs and meeting user requirements to be flexible and get applications anywhere, by decoupling your applications from the operating system. In other words, every application is packaged separately, and isolated from the operating system and from other applications, but can still interact with each other and take advantage of system resources. Technically, each application “sees” its own view of the system files and registry, so changes it makes are contained within the application’s virtual environment and do not affect the system or other applications. More than that, since applications do not need to makes changes to the system, when using App-V, you never install the application. This is both cool and beneficial. Because there is no change to the base operating system, it remains in a pristine state, the impact between applications is minimal, and conflicts are greatly reduced.
The time and cost of software and Windows rollouts are also reduced. Your testing time is less because each application is isolated from each other. Once you sequence the application, assign the appropriate rights, and place its package on the server, the icons immediately show up for the users. They can launch the application without having to wait for the application to install because it is streamed down on-demand. Setting up a new Windows 7 PC is just as easy as loading the base image and having the user log in: App-V will do the rest.
Because the application never installs, help desk time associated with application troubleshooting is reduced. You don’t have to troubleshoot, or uninstall/reinstall the application. Instead, just perform a refresh or a repair, and you are back up and running.
Another good example of the power of App-V is running two versions of Microsoft Office on a single desktop. If you have ever tried to get two different versions of Office on the same PC you know this is near impossible for most mere mortals. With numerous shared and common files, the two versions step all over each other. Your organization might have users or line of business applications that still require a previous version of Excel, Access, or another Office component, but your users want to be able to use the latest version of Office for most of their work because the newer versions of Office offer improved capabilities to increase user productivity.
As you can see in figure 1, this is very simple and easy to accomplish with App-V. Because the two versions, Office 2007 and Office 2010, are virtualized and isolated from each other, you can run them side by side.
Figure 1 – Office 2007 and Office 2010 running side by side, thanks to App-V
If you want to check out App-V or any MDOP products, you can get access to the bits through your MSDN or TechNet subscription. If you are preparing to rollout 64-bit Windows 7 or Windows Server 2008 R2, you can download App-V 4.6 Beta from Microsoft Connect.
2. Applications that are Incompatible with the Operating System
One of the biggest pains an IT Pro faces is dealing with application compatibility issues. It could be an internally written application that only runs on an older version of an operating system, or a purchased software package that you just don’t have time to complete testing on a new operating system.
As you might have heard, Windows 7 introduced Windows XP Mode, which allows applications that do not work on Windows 7 to run in a virtual Windows XP environment, and still look and feel like they installed normally on the PC. While this is a good solution for a small business with a couple of PCs, it quickly turns into a management headache for larger organizations and enterprises.
Reaching for our Swiss Army knife, we can pop out the Microsoft Enterprise Desktop Virtualization, or MED-V, tool.
MED-V provides you with all of the power of XP Mode—you can run applications in a native XP virtual machine that are hidden from the user—plus, with MED-V you have the control and management features that you need as an IT Pro to deploy virtual Windows XP environments.
MED-V helps deploy IT-managed virtual XP environments to end users. It enables customization of each environment. For example, it will automate the first-time setup of the virtual machine, set its network connection according to the computer settings, assign a unique name to the virtual machine, and join it to the Active Directory domain. It will then adjust the virtual PC memory allocation according to the available RAM on the host. In addition, MED-V helps you provision the virtual images to users and groups. You can also choose specific applications that will become available. Those applications launch from the Windows 7 start menu, and run seamlessly on the user Windows 7 desktop.
A good usage scenario for MED-V is when some internal Web applications do not work well with the new Internet Explorer, and still require Internet Explorer 6. With MED-V, you can define individual Web sites so that, when a user tries to access them (by typing the URL in his default browser), the request is automatically redirected by the MED-V client to the virtual XP environment, and runs in Internet Explorer 6.
Finally, MED-V adds monitoring and troubleshooting capabilities to ensure the overall health of the virtual environments they deployed to hundreds or thousands of PCs.
3. Recovering Unbootable PCs
Troubleshooting unresponsive or unbootable machines can be time-consuming and, often, does not lead to a solution. As a result, many IT Pros simply reimage the machine. In organizations that are not using roaming profiles this can result in a loss of settings and, potentially, critical data that was only stored on the local drive.
You can solve this with the Diagnostics and Recovery Toolset, or DaRT, which is part of MDOP. DaRT is a collection of 14 tools for dealing with typical PC problems. Those of you familiar with what was known before as Winternals tools will recognize the ERD Commander at the center of DaRT. But DaRT also includes new tools and enhancements.
Using the Crash Analyzer, you can easily figure out what issue the unbootable PC is suffering from. Things like a bad hotfix install can be rolled back from inside DaRT, a bad driver can be unloaded and removed before rebooting. You can also edit the registry, use tools like Computer Management, or copy files to a USB drive or network location.
If you are using BitLocker in your organization, you can recover lost and deleted files from BitLocker-encrypted drives with DaRT.
DaRT is one of those tools you wish you’ll never have to use, but it’s good to have it in your arsenal for when you need it.
Figure 2 – DaRT has many of the tools you need to keep your desktops running efficiently
4. Removing Rootkits and Other Malware
Spyware, viruses, and malware are becoming more and more advanced and are utilizing technologies like rootkits to load themselves into memory and remain hidden to most forms of detection.
While real-time anti-malware scanners are very effective, and a critical part of your infrastructure, some things slip through so it’s important to have an in-depth defense strategy. Many anti-malware engines on the market today have a hard time effectively removing rootkits, which often leaves you with few options short of wiping the machine and rebuilding it.
But, when you use DaRT, you have a much better option: Standalone System Sweeper, one of the 14 DaRT tools. Because you are able to boot the PC from the DaRT disk, the infected operating system (OS) is left inactive, in an offline state. With the hard drive-based OS offline, Standalone System Sweeper can scan all of your files and folders, without the rootkit and the malicious code being able to hide. Since they are now visible, System Sweeper can remove them. Without Standalone System Sweeper, many people would have no other option than to reformat the problem computer and reinstall everything.
Figure 3 – Standalone System Sweeper, one of the DaRT tools, is great for removing malware and rootkits from infected machines
5. Monitoring Error Trends
How often do you visit a user’s machine and discover an application that frequently crashes? When you ask the user about it the most common response is, “It does that all of the time,” yet you have never heard about this problem. On average, about 90 percent of all application and system crashes go unreported by users. Users simply sigh, reboot their machines or restart the applications and go back to work. Most of the time that this happens, the user can choose to automatically report information about the application crash with Windows Error Reporting (WER), but that information goes directly to Microsoft.
In MDOP you will find System Center Desktop Error Monitoring, or DEM. DEM provides a subset of System Center Operations Manager capabilities for monitoring desktops – and, despite its name, it does not require a System Center server or license. Using DEM you can setup a SQL Server database and SQL Reporting Services reports to provide you with information about all of the application crashes and blue screen errors that happen in your enterprise. While you can set up alerts for more immediate action, it is best used to run regular reports to view the combined error information.
Many IT Pros are too busy dealing with the day-to-day volume of requests to proactively monitor the error reports. But don’t worry. DEM helps you here in two ways. It has the ability to send the error reports to Microsoft and will notify you of any knowledgebase articles or patches to solve the problem. By reviewing the report and pushing the patch or updated drivers out to your users, you can solve multiple end users’ problems with limited effort on your part.
DEM also allows you to better triage issues because you have actual statistics about the severity of the problem, such as number of users affected and how often the problem happens to them. With this data, you can focus on solving the problems that impact the greatest number of users.
DEM uses Windows Error Reporting, called WER, the latest generation of Watson. Because WER is a feature of the operating system, developers of applications don’t have to write special code for it. Any crashes of your in-house applications will still report to the DEM server.
Deploying DEM to your desktops enterprise-wide is straight forward since it is set as a Group Policy Object (GPO) – no client component needs to be installed. Just set up the GPO in Active Directory and the next time users log in their computer will start reporting all errors directly to you. It’s really that simple.
Figure 4 – DEM provides invaluable data in its built-in reports to help you understand what applications and systems are having the most issues and prioritize resolving them.
6. Figuring Out What Users are Using and What You Need
Do you ever wonder exactly what software is on all of your organization’s PCs? You know what was in the base image you deployed, and you know what software you installed, but how about any software your users added? Ever wonder if you really need that 5,000-seat license of that accounting software you purchased?
Yep, you guessed it, MDOP has a solution for you and its called Asset Inventory Service, or AIS. AIS is an online service that helps provide a comprehensive view of your enterprise's desktop software environment.
With AIS you can find out how many copies of a piece of software are deployed, who they are deployed to, and if you need to increase or decrease your number of licensed seats with the software publisher.
As you plan your migration to Windows 7, AIS can help you by providing a map of which applications are running in your current environment, even remote locations that you don’t visit often, or ever. Using this data you can prioritize your testing and deployment schedules and plans.
7. Managing Group Policies
Group Policy Objects play a powerful role in how your network is managed by enabling you to quickly manage multiple user and desktop settings on many computers at once. With one change to a GPO you can affect every user and computer on the network.
In the words of the old saying, “With great power comes great responsibility.” As soon as you update a GPO the changes can start affecting hundreds of computers. Before you have had a chance to fully test the update, it can cause disruption around the company and, with no change control system, there is no easy way to roll back the change. This challenge is even greater if you change multiple polices and you are not sure which change caused the disruption.
With Advance Group Policy Management, or AGPM, in MDOP, you have a change management solution that plugs directly into the current Group Policy Management Console interface you are used to working in.
Additionally, although Group Policy provides a delegation model, the editor role has full permissions to deploy changes to the live environment. With the possibility of multiple editors per GPO, there is no way to detect who has made what changes, or to accept or reject changes before they are put into effect.
With AGPM you can set up a delegation and workflow model that works well for your organization. With its reporting capabilities you can find out the change history for any GPO you have to manage, and roll it back in the event of an issue. You can even generate a report comparing any two prior versions of a GPO, with the differences color coded to highlight them for you.
With AGPM 4.0, which supports Windows 7, you also get search/filtering and multi-forest/domain support.
With search and filtering you can filter all of the GPOs in your organization by any of the GPO properties. Instead of spending time scrolling up and down through large amounts of Group Policies that you have deployed trying to find a specific policy to update, AGPM can help get you to the GPO faster so you can spend your time on more meaningful things.
The new multi-forest support allows you to move GPOs from one network to another, even if there is no physical network connection. You can deploy and test GPOs in a test environment and then bring them into your production forest when you are ready. AGPM will preserve the original metadata and support migration tables.
Figure 5 –AGPM allows you to implement change control, workflow, and reporting for all of your Group Policy Objects
There you have it. MDOP—the Swiss army knife for tackling IT Pro pain points. If you are considering Software Assurance or a platform Enterprise Agreement for your organization, make sure you add MDOP to the package. It will cost you approximately $10 per desktop per year or less, for all those great tools. If you have Software Assurance in your organization already, but you don’t know if you own MDOP, you should check with your purchasing department to find out if you are already licensed to deploy it.