
Microsoft technologies for consumerization

Applies to: Windows 7, Windows Server 2008 R2

The workplace is changing. The boundaries between people’s professional and personal lives are blurring. Work is no longer confined to the office. Employees check work email at home during the night and update their social media at the office during the day. In addition to their desktop computers, they're using portable computers, slates, and smartphones.

Contributing to this trend is the increasing computing power that’s available on a wide range of devices. Consumer devices, including smartphones and media tablets, are becoming powerful enough to run applications that were previously restricted to desktop and portable computers. For many workers, these devices represent the future of computing and help them do their job more efficiently.

In a world in which highly managed information technology (IT) infrastructures can seem inflexible, workers prefer to use the many consumer devices available to them. For IT, the challenge is to embrace consumerization as appropriate while minimizing risks to the enterprise and its data. Many consumer devices were not initially designed for business use, so IT must plan carefully to enable the level of management and control they require.

As a leader in business and consumer technologies, Microsoft is in a unique position to understand and provide guidance on how to responsibly embrace consumerization within enterprises. In a previous white paper, Strategies for Embracing Consumerization (no longer available), you'll find specific strategies for embracing the latest consumerization trends. This article explores specific technologies that the aforementioned white paper recommends in its various scenarios.


Windows Optimized Desktop

The Windows Optimized Desktop offers client computing choices to enhance user productivity while meeting specific business and IT needs. Built on the Windows 7 Enterprise operating system, managed by Microsoft System Center, and secured by Microsoft Forefront Endpoint Protection, the Windows Optimized Desktop includes virtualization technologies with integrated management across physical and virtual machines (VMs), including virtual desktop infrastructures. Add Microsoft Office 2010, Windows Internet Explorer 9, and the Microsoft Desktop Optimization Pack (MDOP) to enable a workforce that is more productive, manageable, and secure.

This section focuses on specific technologies in the Windows Optimized Desktop that can help IT embrace consumerization on rich devices running Windows 7. These technologies can address challenges such as managing applications and user data, safeguarding data, defending the network, and protecting intellectual property in consumerization scenarios.

Application management

In consumerization scenarios, application management is about provisioning applications and controlling which applications users can run on their computers. System Center Configuration Manager 2007 and Microsoft Application Virtualization (App-V) are key deployment technologies. Additionally, AppLocker is a Windows 7 Enterprise feature that you can use to control access to applications.

Configuration Manager provides a rich set of tools and resources that you can use to manage the complex task of creating, modifying, and distributing application packages to computers in your enterprise. Deploying applications by using an existing Configuration Manager infrastructure is remarkably straightforward. Administrator Workflows for Software Distribution on TechNet describes this process in detail:

  1. Create a software distribution package containing the application installation files.
  2. Create a program to include in the package. Among other options, the program defines the command necessary to install the application package.
  3. Distribute the package to distribution points.
  4. Advertise the package to computers in your organization.

Organizations using System Center Essentials can also use it to distribute applications. For more information about Essentials, see System Center Essentials. Technical guidance for deploying applications is available in the System Center Essentials 2010 Operations Guide.

To control access to physical or virtual applications, Windows 7 Enterprise offers AppLocker. AppLocker is a new feature that replaces the Software Restriction Policies feature in earlier Windows versions. It adds capabilities that reduce administrative overhead and help you control users’ access to program files, scripts, and Windows Installer files. By using AppLocker to control access to physical applications, you can prevent unlicensed, malicious, and unauthorized applications from running.

To use AppLocker, you create a Group Policy Object (GPO) and then define AppLocker rules inside it. Within a rule, you can allow or deny access to a program file, script, or Windows Installer file for a specific user or group. You identify the file based on file attributes—including the publisher, product name, file name, and file version—from the digital signature. For example, you can create rules based on product-name and file-version attributes that persist through updates, or you can create rules that target a specific version of a file. In addition to allowing or denying access to a file, you can define exceptions. For example, you can create a rule that allows all programs which ship as part of Windows 7 to run except for the Registry Editor (regedit.exe).

AppLocker is surprisingly easy to configure and deploy. It provides wizards that make defining rules for program files, scripts, and Windows Installer files straightforward. However, because AppLocker prevents users from opening or running files that are not defined explicitly in a rule, you should plan your AppLocker deployment after examining an inventory of applications used in your environment. More information about AppLocker is available in AppLocker on TechNet.
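As an added example (not code from the article or from Microsoft), the following PowerShell expresses the rule described above, allow everything in the Windows folder except the Registry Editor, as AppLocker policy XML, evaluates it offline against two system binaries, deploys it locally in audit-only mode, and then reads back what audit mode would have blocked, which is the inventory step the text recommends. It assumes Windows 7 Enterprise, an elevated session and the built-in AppLocker module; the rule name, description and temporary file path are this example's own choices.

```powershell
# Added example, not part of the TechNet article. Assumes Windows 7 Enterprise,
# an elevated PowerShell session, and the built-in AppLocker module.
Import-Module AppLocker

$ruleId = [guid]::NewGuid().ToString()

# Path rule for the Exe collection: allow everything under %WINDIR% for Everyone
# (SID S-1-1-0) but carve out the Registry Editor as an exception. Because
# AppLocker denies anything no rule allows, regedit.exe falls through to a deny.
# EnforcementMode="AuditOnly" logs would-be-blocked launches instead of blocking
# them, which is how an application inventory is gathered before enforcing.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$ruleId" Name="Windows folder except Registry Editor"
                  Description="Example rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\regedit.exe" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-example.xml'
$policyXml | Out-File -FilePath $policyPath -Encoding UTF8

# Evaluate the XML against real binaries before it touches the machine: notepad.exe
# matches the path rule, regedit.exe hits the exception and is denied by default.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:WINDIR\notepad.exe", "$env:WINDIR\regedit.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Rules are only evaluated while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Apply to the local computer. For the domain deployment the text describes, import
# the same XML into a GPO under Computer Configuration > Windows Settings >
# Security Settings > Application Control Policies > AppLocker instead.
Set-AppLockerPolicy -XmlPolicy $policyPath

# After a pilot period, list the executables that audit mode would have blocked.
# Anything legitimate here needs its own allow rule before switching to Enabled.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
    Format-Table Path, Publisher -AutoSize
```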

User state virtualization

A specific challenge to embracing consumerization is people working on more than one computer. This scenario can be painful for both end users and IT pros. Users’ files and settings do not follow them when they roam from computer to computer. If a user creates a document on his or her work computer, for example, that document isn’t immediately available when he or she logs on to a slate or through a VM accessed by a non-Windows PC. For IT, decentralized storage of files and settings leads to even more challenges. Files are difficult to back up. They’re difficult to secure. And because they’re scattered across many PCs, availability of important files is difficult to manage.

User state virtualization addresses these challenges. It centralizes storage of users’ files and settings to make backing up and securing them easier. Managing the availability of important files is possible. Also, user-state virtualization enables users’ files and settings to follow them from PC to PC and even to VMs. In Windows 7, three technologies support user state virtualization:

  • Roaming user profiles give you the ability to store user profiles (in other words, files stored in C:\Users\Username, including the registry hive file) in a network share. Windows 7 synchronizes the local and remote user profiles when users log on to and off of the computer. For more information, see What's New in Folder Redirection and User Profiles.
  • Folder Redirection redirects folders such as Documents, Pictures, and Videos from a user profile to a network share. Redirecting folders reduces the size of roaming user profiles and can improve logon and logoff performance. You configure Folder Redirection by using Group Policy. The important distinction between roaming user profiles and Folder Redirection is that you use roaming user profiles primarily for settings and Folder Redirection for documents. For more information, see What's New in Folder Redirection and User Profiles.
  • Offline Files, a feature enabled by default in Windows 7, provides the ability to work with redirected folders and other shared network content when disconnected from the network by caching copies locally. Offline Files synchronizes changes the next time a connection is available. For more information, see What's New in Offline Files.

The Infrastructure Planning and Design: Windows User State Virtualization guide can help you implement user state virtualization.

Local data security

BitLocker Drive Encryption is an integral security feature in Windows 7 Enterprise that helps protect data stored on fixed drives and the operating system drive. BitLocker helps protect against offline attacks, which are attacks made by disabling or circumventing the installed operating system or by physically removing the hard drive to attack the data separately. BitLocker helps ensure that users can read data on the drive and write data to it only when they have the required password or smart card credentials, or are using the data drive on a BitLocker-protected computer that has the proper keys.

BitLocker protection on operating system drives supports two-factor authentication by using a Trusted Platform Module (TPM) along with a personal identification number (PIN) or startup key as well as single-factor authentication by storing a key on a USB flash drive or just using the TPM. Using BitLocker with a TPM provides enhanced data protection and helps assure early boot component integrity. This option requires that the computer have a compatible TPM microchip and BIOS:

  • A compatible TPM is defined as a version 1.2 TPM.
  • A compatible BIOS must support the TPM and the Static Root of Trust Measurement as defined by the Trusted Computing Group. For more information about TPM specifications, visit the TPM Specifications section of the Trusted Computing Group Web site.

The TPM interacts with BitLocker operating system drive protection to help provide protection at system startup. This is not visible to the user, and the user logon experience is unchanged. However, if the startup information has changed, BitLocker will enter recovery mode, and the user will need a recovery password or recovery key to regain access to the data.

The BitLocker Drive Encryption Deployment Guide for Windows 7 provides detailed guidance for deploying BitLocker. Additionally, numerous Group Policy settings are available for managing BitLocker. You can learn about these in the BitLocker Group Policy Reference. You can provision BitLocker during deployment by using the Microsoft Deployment Toolkit (MDT) 2010 or Configuration Manager. For more information, see the MDT 2010 documentation.

Windows 7 Home Premium and Windows 7 Professional do not include BitLocker. If you allow employees to use devices that are running these operating systems, you can use the Encrypting File System (EFS) to help protect corporate data on these computers. However, EFS does not provide full-volume encryption, as BitLocker does. Instead, users choose the folders and files they want to encrypt. For more information about EFS in Windows 7, see The Encrypting File System.

Note: Users who are running Windows 7 Home Premium or Windows 7 Professional can use Windows Anytime Upgrade to upgrade to Windows 7 Ultimate for a charge. Doing so would provide BitLocker. For more information about Windows Anytime Upgrade, see Windows Anytime Upgrade.

Removable storage

In Windows 7 Enterprise, BitLocker To Go extends BitLocker to portable drives, such as USB flash drives. Users can encrypt portable drives by using a password or smart card. Authorized users can view the information on any PC that runs Windows 7, Windows Vista, or Windows XP by using the BitLocker To Go Reader. Also, by using Group Policy, you can require data protection for writing to any removable storage device but can enable unprotected storage devices to be used in read-only mode.

The BitLocker Drive Encryption Deployment Guide for Windows 7 provides detailed guidance for using BitLocker To Go. Additionally, numerous Group Policy settings are available for managing BitLocker To Go, which the BitLocker Group Policy Reference describes.
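As an added example (not code from the article or its deployment guides), this PowerShell reports the posture the two sections above describe: whether a version 1.2 TPM is present and ready, whether the operating system drive is protected with TPM plus PIN and other drives are protected at all, and whether the Group Policy that denies writes to removable drives not protected by BitLocker To Go is in effect. It uses the Win32_Tpm and Win32_EncryptableVolume WMI providers that ship with Windows 7 Enterprise and assumes PowerShell 3.0 or later in an elevated session; the function names and the "meets baseline" judgement are this example's own.

```powershell
# Added example, not part of the TechNet article. Assumes Windows 7 Enterprise,
# PowerShell 3.0 or later, and an elevated session (the WMI namespaces used
# here require administrator rights and are absent on editions without BitLocker).

# Key protector type codes documented for Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'
    4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey'
    7 = 'PublicKey'; 8 = 'Passphrase'
}

function Get-TpmSummary {
    # Win32_Tpm is absent when the firmware exposes no TPM at all.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; SpecVersion = $null; Ready = $false }
    }
    # SpecVersion reads like "1.2, 2, 3"; the first field is the TCG spec version
    # the text requires (1.2). Ready means enabled, activated and owned.
    $spec  = ($tpm.SpecVersion -split ',')[0].Trim()
    $ready = $tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated -and $tpm.IsOwned().IsOwned
    [pscustomobject]@{ Present = $true; SpecVersion = $spec; Ready = [bool]$ready }
}

function Get-BitLockerPosture {
    $tpm = Get-TpmSummary
    $volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                             -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    foreach ($vol in $volumes) {
        # GetProtectionStatus: 0 = protection off, 1 = on, 2 = unknown (e.g. locked)
        $status = $vol.GetProtectionStatus().ProtectionStatus
        # GetKeyProtectors(0) returns the IDs of all protectors regardless of type.
        $types = foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
            $protectorNames[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
        }
        $isOsDrive = $vol.DriveLetter -eq $env:SystemDrive
        if ($isOsDrive) {
            # The text's recommended OS-drive configuration: a ready TPM 1.2 plus PIN.
            $meets = ($status -eq 1) -and ($types -contains 'TPMAndPIN') -and
                     $tpm.Ready -and ($tpm.SpecVersion -eq '1.2')
        } else {
            $meets = ($status -eq 1)
        }
        if ($status -eq 1) { $protection = 'On' }
        elseif ($status -eq 0) { $protection = 'Off' }
        else { $protection = 'Unknown' }
        [pscustomobject]@{
            Drive         = $vol.DriveLetter
            Role          = if ($isOsDrive) { 'OS' } else { 'Data' }
            Protection    = $protection
            Protectors    = ($types -join ', ')
            MeetsBaseline = [bool]$meets
        }
    }
}

function Get-RemovableWritePolicy {
    # Registry value behind the Group Policy setting "Deny write access to removable
    # drives not protected by BitLocker". A missing value means "Not Configured".
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $value = (Get-ItemProperty -Path $key -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    [pscustomobject]@{
        Configured                      = ($value -ne $null)
        DenyWriteToUnprotectedRemovable = ($value -eq 1)
    }
}

Get-TpmSummary
Get-BitLockerPosture | Format-Table -AutoSize
Get-RemovableWritePolicy
```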


The Windows 7 Backup and Restore feature creates safety copies of users’ most important personal files. They can let Windows choose what to back up or pick individual folders, libraries, and drives to back up—on whatever schedule works best for them. Windows supports backing up to another drive or a DVD. Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise also support backing up files to a network location.

Whereas Windows 7 provides a built-in backup feature that users can use on their own devices, System Center Data Protection Manager (DPM) 2010 enables an organization to create a two-tiered backup solution that combines the convenience and reliability of disk for short-term backup—where most recovery requests are concentrated—with the security of tape or other removable medium for long-term archiving. This two-tiered system helps to alleviate the problems associated with tape backup solutions while still allowing for the maintenance of long-term off-site archives.

Important to consumerization scenarios, DPM 2010 adds support for protecting client computers, such as laptop computers and slates, which are not always connected to the network. Additionally, users can recover their own data without waiting for the backup administrator. You can learn more about DPM 2010 at System Center Data Protection Manager 2010.

Network access

Forefront Unified Access Gateway (UAG) provides remote client endpoints with access to corporate applications, networks, and internal resources via a Web site. Client endpoints include not only computers running Windows but also other non-Windows devices. It supports the following scenarios:

  • Forefront UAG as a publishing server. You can configure Forefront UAG to publish corporate applications and resources, and enable remote users to access those applications in a controlled manner from a diverse range of endpoints and locations.
  • Forefront UAG as a DirectAccess server. You can configure Forefront UAG as a DirectAccess server, extending the benefits of DirectAccess across your infrastructure to enhance scalability and simplify deployment and ongoing management. Forefront UAG DirectAccess provides a seamless connection experience to your internal network for users who have Internet access. Requests for internal resources are securely directed to the internal network without requiring a VPN connection.
  • Single and multiple server deployment. You can configure a single server as a publishing server and as a Forefront UAG DirectAccess server, or deploy an array of multiple servers for scalability and high availability.

Infrastructure Planning and Design: Forefront Unified Access Gateway on TechNet provides guidance for designing a Forefront UAG deployment. Additional detailed technical guidance is available in Forefront Unified Access Gateway (UAG) on TechNet.

Network security

Network Access Protection (NAP) includes client and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are noncompliant, and remediating noncompliant client computers for unlimited network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP can also provide ongoing health compliance enforcement while a compliant client computer is connected to a network.

NAP enforcement occurs at the moment client computers attempt to access the network through network access servers, such as a virtual private network (VPN) server running Routing and Remote Access (RRAS), or when clients attempt to communicate with other network resources. The way in which NAP is enforced depends on the enforcement method you choose. NAP enforces health requirements for the following:

  • Internet Protocol security (IPsec)-protected communications
  • Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
  • VPN connections
  • Dynamic Host Configuration Protocol (DHCP) configuration
  • Terminal Services Gateway (TS Gateway) connections

The Network Access Protection Design Guide can help you design a NAP deployment. The Network Access Protection Deployment Guide provides detailed technical guidance for the above scenarios.

In Configuration Manager, NAP lets you include software updates in your system health requirements. Configuration Manager NAP policies define which software updates to include, and a Configuration Manager System Health Validator point passes the client's compliant or non-compliant health state to the Network Policy Server (NPS). The NPS then determines whether the client has full or restricted network access, and whether non-compliant clients will be brought into compliance through remediation. For more information about NAP in Configuration Manager, see Network Access Protection in Configuration Manager.

Information protection

In addition to securing local data and network access, protecting access to business information—such as intellectual property—is an important consideration if you're embracing consumerization. Two technologies are available for protecting this information:

  • Rights Management Services. By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment your organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands. Microsoft Exchange Server 2010 and Microsoft Office SharePoint Server 2010 are examples of applications that integrate with AD RMS. You can learn more about AD RMS at Active Directory Rights Management Services.
  • File Classification Infrastructure. To reduce the cost and risk associated with this type of data management, the File Classification Infrastructure in Windows Server 2008 R2 offers a platform that allows you to classify files and apply policies based on that classification. The storage layout is unaffected by data-management requirements, and you can adapt more easily to a changing business and regulatory environment. Files can be classified in a variety of ways. Additionally, you can specify file-management policies, based on a file’s classification, and automatically apply corporate requirements for managing data, based on business value. You can easily modify the policies and use tools that support classification to manage their files. For example, you can automatically manage the rights to files that contain the word confidential. To learn more about the File Classification Infrastructure, see Working with File Classification.


Windows cloud services

For organizations that do not have the resources or infrastructure to support the Windows Optimized Desktop, Windows Intune can help deliver the management and security essentials. Organizations that have deployed the Windows Optimized Desktop can manage pockets of unmanaged computers (home-office computers and consumer devices running Windows that users bring to work) by using Windows Intune (Figure 1).

Windows Intune interface

Figure 1. Windows Intune

Windows Intune helps you manage and secure computers in your environment through a combination of Windows cloud services and upgrade licensing. Windows Intune delivers cloud-based management and security capabilities through a single web-based administrative console. With Windows Intune, you can manage computers from almost anywhere—all you need is an Internet connection and the Windows Intune client installed on each managed computer. Additionally, with an active Windows Intune subscription, you have the rights to upgrade to future versions of Windows, with the same benefits of the Microsoft Software Assurance program for Windows.

The Windows Intune administrator console organizes management tasks into the following workspaces, which you can manage from almost any browser that supports Microsoft Silverlight:

  • System Overview. The System Overview workspace provides a starting point for assessing the overall health of computers across your organization, identifying issues, and performing basic management tasks such as creating computer groups and viewing reports.
  • Computers. You use the Computers workspace to create and manage computer groups for ease and flexibility of management. You can organize groups in the way that best suits your organizational needs (e.g., by geographic location, department, or hardware characteristics) and move computers among groups.
  • Updates. You use the Updates workspace to administer the software-update process efficiently for all the managed computers in your organization. The Windows Intune administrator console supports and encourages best practices for update management and lets you focus on your environment and the tasks that you have to perform.
  • Endpoint Protection. Windows Intune Endpoint Protection helps enhance the security of managed computers in your organization by providing real-time protection against potential threats, keeping malicious software definitions up to date, and automatically running scans. The Windows Intune administrator console provides Endpoint Protection status summaries so that if malicious software is detected on a managed computer, or if a computer is not protected, you can quickly identify the affected computer and take appropriate action.
  • Alerts. You use the Alerts workspace to quickly assess the overall health of managed computers in your organization. Alerts let you identify potential or current problems and take action accordingly to prevent or minimize negative effects on business operations. For example, you can view all recent alerts to obtain a broad picture of computer health. Or you might want to investigate specific issues that are occurring on members of specific computer groups or for specific workspaces, such as Endpoint Protection. By using filters, you can view all alerts of a specific severity level, and you can display alerts that are active or closed.
  • Software. The Software workspace lists programs that are installed on all client computers that you are using Windows Intune to manage and lets you sort the inventory by software publisher, name, installation count, or category. Each unique software title has its own entry in the list. You can also search for specific software.
  • Licenses. The Licenses workspace lets you upload Microsoft Software License Terms information to Microsoft Volume Licensing Services (MVLS) and lets you determine the license entitlement that corresponds to a set of Microsoft Volume Licensing agreements.
  • Policy. You use the Policy workspace to configure Windows Intune policies that manage settings for updates, Endpoint Protection, Windows Firewall, and Windows Intune Center on computers. You can create policies based on templates, configure policy settings, and then deploy policies to groups of computers. The policy templates include setting descriptions and recommended values. Additionally, you can search for policies by name or description.
  • Reports. Although other workspaces in the Windows Intune administrator console also provide search and filtering functionality, you can use the Reports workspace to obtain more detailed reports and print or export the information. The Reports workspace provides reports for updates, software, and licensing. For example, the License Reconciliation report provides a detailed list of software compared with your licenses.
  • Administration. The Administration workspace lets you download the most current version of the client software, view details about your Windows Intune account (such as account name, status, and active seat count), and add administrators to your account. You can also use tools in the Administration workspace to configure the kind of updates that you want to deploy to managed computers in your organization, and to send email notifications to other people in your organization when specific alerts are generated. Additionally, you can enable or disable alerts of a specific type so that you can focus on the most important alerts in your environment.

Remote assistance alerts provide a key tool for troubleshooting problems that occur on managed computers. A user on a managed computer can initiate a remote assistance request, which generates an alert. When you view the alert in the Windows Intune administrator console, you can accept the request. Accepting the request opens a Microsoft Easy Assist session so that you can perform remote troubleshooting on the user’s computer.

Windows Intune also provides Windows 7 Enterprise upgrade rights with Software Assurance. With the upgrade rights provided by Windows Intune, you can upgrade any computer that is managed by Windows Intune and that meets the minimum Windows 7 system requirements to Windows 7 Enterprise. Windows Intune also provides all the benefits of the Microsoft Software Assurance Program for Windows, including:

  • New version rights
  • TechNet Benefits through Software Assurance
  • Extended hotfix support
  • 24x7 problem-resolution support
  • Employee Purchase Program
  • E-learning
  • Training vouchers

You can learn more about Windows Intune at the Windows Intune website.


Application Virtualization

Virtual applications are streamed to computers as network services. They do not leave footprints on systems and are easy to update. They’re also self-contained, helping prevent conflicts between personal and business applications that may cause downtime and require intervention from the support team.

App-V, part of MDOP, supports packaging, deployment, and management of virtual applications. App-V can make applications available to end-user computers without requiring you to install the applications directly on those computers. This is possible through a process known as sequencing the application, which enables each application to run in its own self-contained virtual environment on the client computer. Sequenced applications are isolated from one another. This scenario eliminates application conflicts, but the applications can still interact with the client computer.

The App-V client is the feature that lets end users interact with applications after they have been published to the computer. The client manages the virtual environment in which the virtualized applications run on each computer. After the client has been installed on a computer, the applications must be made available to the computer through a process known as publishing, which enables the end user to run the virtual applications. The publishing process copies the virtual application icons and shortcuts to the computer—typically on the Windows desktop or on the Start menu—and also copies the package-definition and file-type-association information to the computer. Publishing also makes the application package content available to end users’ computers.

Virtual application package contents can be replicated to one or more App-V servers so that they can be streamed to the clients on demand and cached locally. File servers and Web servers can also be used as streaming servers, or the content can be copied directly to end users’ computers. In a multi-server implementation, maintaining the package content and keeping it up to date on all the streaming servers requires a comprehensive package-management solution. Depending on the size of your organization, you might need to have many virtual applications available to end users located all over the world. Managing the packages to ensure that the appropriate applications are available to all users where and when they need access to them is therefore an important requirement.


As shown in Figure 2, the primary components of App-V are:

  • Client. The client provides and manages the virtual environment on client PCs. It manages the cache, publishing refresh, transport, and all interaction with the App-V servers.
  • Data store. The data store is a Microsoft SQL Server database responsible for storing all information related to the App-V infrastructure. This information includes all application records, application assignments, and the groups responsible for managing the App-V environment.
  • Management Console. The Management Console is a Microsoft Management Console (MMC) 3.0 snap-in that you use to administer the App-V infrastructure. You can install this tool on the App-V server or on a separate PC.
  • Management Server. The Management Server is responsible for streaming the package content and publishing the shortcuts and file-type associations to the client. It supports active upgrade, license management, and a database that can be used for reporting.
  • Management Web Service. The Management Web Service communicates read and write requests to the data store. You can install the Management Web Service on the Management Server or on a separate PC that has Microsoft Internet Information Services (IIS) installed.
  • Sequencer. You use the sequencer to monitor and capture the installation of applications to create virtual application packages. The output contains the application’s icons, an .osd file that contains package-definition information, a package-manifest file, and the .sft file that contains the application program’s content files.
  • Streaming Server. The Streaming Server is responsible for hosting the App-V packages for streaming to clients in branch offices, where the link back to the Management Server is slow. This server contains streaming functionality only and provides neither the Management Console nor the Management Web Service.
  • Content folder. The content folder is the location of the App-V packages available for streaming. You can locate this folder on a share on or off the Management Server.

Application Virtualization diagram

Figure 2. Application Virtualization

App-V 4.6 is the latest version of the product. With App-V 4.6, you can sequence and run 32-bit and 64-bit applications on the 64-bit version of Windows 7. It supports new Windows 7 features such as the taskbar, Jump Lists, AppLocker, BranchCache, and BitLocker To Go. App-V 4.6 adds support for 12 additional languages. To support Microsoft Virtual Desktop Infrastructure (VDI), App-V 4.6 provides the capability for a read-only shared cache to help optimize server disk storage. Last, App-V 4.6 improves the sequencing experience and provides support for sequencing 32-bit and 64-bit applications. You can learn more about App-V at the Microsoft Desktop Optimization Pack Web site. More detailed technical information is available on TechNet at Application Virtualization.

Note: Citrix XenApp is a Microsoft Partner solution that extends support for traditional and App-V virtual applications to a wide range of devices, including smartphones and other non-Windows-based devices. It provides on-demand application delivery that can virtualize, centralize, and manage almost any application in the datacenter. By using XenApp, you can centralize applications in the data center, control and encrypt access to data and applications, and deliver applications instantly to users almost anywhere. To learn more about Citrix XenApp, see the Citrix XenApp website. Additionally, the article How to publish an App-V-enabled application in Citrix XenApp describes how to use XenApp to publish App-V applications.

System Center Configuration Manager 2007

Configuration Manager gives IT pros the ability to deploy, upgrade, and track usage of both physical and virtual applications in a single management experience. By seamlessly integrating virtual application formats into the Configuration Manager software-distribution capability, IT pros can follow known processes and workflow for delivering virtual applications to end users. This enables IT to deliver applications more quickly while also isolating potentially conflicting applications from interfering with one another. Configuration Manager’s integration with App-V provides added scalability while also allowing IT to enable existing distribution points to stream virtual applications, eliminating the need for a separate App-V infrastructure. With Configuration Manager, virtual applications can be delivered to either computers or users. Administrators can inventory virtual applications and deliver virtual applications as part of Operating System Deployment task sequences.

Configuration Manager takes the place of the publishing and streaming components in a typical App-V full infrastructure by integrating with an existing Configuration Manager infrastructure that is already delivering traditional applications, updates, and more. Figure 3 illustrates the minimal Configuration Manager and App-V processes and components required to manage virtual applications with Configuration Manager. The App-V Sequencer produces packages that can be distributed via a Configuration Manager infrastructure to the Configuration Manager clients. This eliminates the need for two separate infrastructures to support application deployment, allowing both traditional and virtual applications to be deployed from the same console.

Diagram of Configuration Manager and App-V infrastructure

Figure 3. Configuration Manager and App-V Infrastructure

Using Configuration Manager to publish virtual applications requires that you follow a simple process. At a high level, managing virtual applications with Configuration Manager requires applications to be sequenced, published by using Configuration Manager advertisements, and delivered to the end clients. The following minimum process is required to support App-V in a Configuration Manager infrastructure:

  1. Sequencing. Similar to traditional App-V, virtual application management in Configuration Manager begins with moving an application into the sequenced format. Configuration Manager requires sequencing applications with an App-V 4.5 or newer sequencer to create the necessary files (Manifest.xml file) for publishing and delivering.
  2. Publishing. Publishing is the process of provisioning virtual applications to users or computers in Configuration Manager. Configuration Manager uses distribution points for delivering applications in either streaming or download-and-execute format.
  3. Delivery. Delivery is the process of moving the virtual application assets to the client computers. This process is normally referred to as streaming in an App-V full infrastructure. Configuration Manager provides two options for delivering virtual applications (streaming and download and execute). The default delivery format is download and execute to avoid connectivity dependencies.

Managing virtual applications with Configuration Manager requires an App-V sequencer for creating packages, a Configuration Manager site server, Configuration Manager distribution points for delivery of the packages, and Configuration Manager client computers with the App-V client installed. The following minimum components are required to support App-V in a Configuration Manager infrastructure:

  • Microsoft App-V Sequencer. Similar to an App-V infrastructure, the App-V sequencer is used to package virtual applications for deployment with Configuration Manager.
  • Configuration Manager Site Server. A part of the Configuration Manager site hierarchy, the Configuration Manager site server manages virtual application distribution through Configuration Manager distribution points to target systems, either as a streaming service or as a locally delivered package.
  • Configuration Manager Distribution Point. Configuration Manager Distribution Point site roles provide management services such as hardware and software inventory, operating system deployment, and software updates, as well as software distribution of both physical and virtual applications, to Configuration Manager target systems.
  • Configuration Manager/App-V Clients. Client devices include desktop and laptop computers as well as terminal servers and VDI clients. Configuration Manager clients that receive delivery of virtual applications from a Configuration Manager infrastructure require both the Configuration Manager client and App-V client software to be installed and configured. The Configuration Manager and App-V client software work together to deliver, interpret, and launch virtual application packages. The Configuration Manager client manages the delivery of virtual application packages to the App-V client. The App-V client executes the virtual application on the client computer.

System Center Configuration Manager 2012

Configuration Manager 2012, now in beta 2 release, helps IT empower their users with the devices and applications they need to be productive, while maintaining the control necessary to protect corporate assets. It provides a unified infrastructure for managing mobile, physical, and virtual environments that allows IT to deliver and control user experiences based on user identity, connectivity, and device specifics. Along with all of the world-class inventory, operating system deployment, update management, assessment, and settings enforcement you’ve come to expect from Configuration Manager, the new release will deliver:

  • Integrated Mobile, Physical, and Virtual Management. Provides a single, unified tool with which to manage all your client desktops, thin clients, mobile devices, and virtual desktops.
  • Personalized Application Experience. Evaluates corporate identity, device type, and network capabilities to deliver applications in the most optimal way for the user, whether that is through local installation, streaming through App-V, or through a presentation server. It integrates with Citrix XenApp to give users access to any business application from a wide array of mobile platforms.
  • Application Self-Service. Allows users to securely self-provision applications from anywhere with an easy-to-use web catalog.
  • Integrated Security and Compliance. Integrates with Forefront Endpoint Protection to provide a single solution for protecting against malware, identifying and remediating vulnerabilities, and gaining visibility into non-compliant systems.
  • Continuous Settings Enforcement. Automatically identifies and remediates non-compliant physical or virtual personal desktops.

You can find more information about the new updated capabilities involving the deployment of virtual applications in System Center Configuration Manager 2012 beta 2 release at Introduction to Application Management in Configuration Manager 2012.

Virtual Desktop Infrastructure

Due to consumerization, users are bringing to work more than just PCs running Windows. Non-Windows-based slates and tablets run a range of operating systems, such as Apple iOS, Google Android, Linux, and so on. These devices provide different user interfaces, different levels of security, and different management capabilities. There are multiple operating systems across consumer devices, so adopting a systematic approach to management and security is essential.

Microsoft offers technologies with which to enable management and security across these kinds of disparate consumer devices. For devices that cannot provide the full Windows 7 experience and security, you can use a VDI-based strategy to enable secure access to a server-hosted, Windows-based desktop. This approach is the most effective one for non-Windows-based portable computers and slates. However, a VDI-based strategy can also be useful when employees bring their own Windows-based portable computers into the workplace. In this case, VDI is used to deliver a secure enterprise desktop while keeping all personal data and software out of the corporate network.

VDI is a centralized desktop-delivery solution. Illustrated in Figure 4, the concept of VDI is to store and run desktop workloads—including a Windows client operating system, applications, and data—in a server-based VM in a data center and enable a user to interact with the desktop presented onto a user device via Remote Desktop Protocol (RDP) and RemoteFX. VDI is part of an enterprise’s cohesive, holistic virtualization strategy across the IT infrastructure to support Microsoft’s vision of Dynamic IT. VDI is not an isolated architecture but rather one of the many technologies available to optimize enterprise desktops.

For devices that cannot provide a full Windows 7 environment, VDI can enable secure access to a server-hosted Windows 7 desktop. For computers and slates that do not run Windows (i.e., Apple Mac, Apple iPad, and netbooks based on Linux), VDI can be the most effective solution. However, VDI can also be useful when employees bring their own portable computers running Windows into the workplace. It can deliver a secure enterprise desktop, keeping all personal data and software off the corporate network.

Virtual Desktop Infrastructure diagram

Figure 4. Virtual Desktop Infrastructure

For more information about VDI, see Virtualization Products and Technologies.


Part of Windows Server 2008 R2, Remote Desktop Services (RDS) provides the Remote Desktop Connection Broker (RD Connection Broker). RD Connection Broker is a native VDI connection broker that provides a unified experience for accessing VDI as well as traditional session-based remote desktops. RD Connection Broker delivers virtual desktops similarly to RemoteApp. For example, a user will access http://rds-all.contoso.corp/rdweb to see a Web page listing both authorized applications and desktops, once authenticated.

Figure 5 shows three Office 2007 applications published by using RemoteApp. In Windows Server 2008 R2, RemoteApp programs shown at a URL can be composed from multiple sources. They do not need to be installed on the same Remote Desktop Session Host (RD Session Host) or Terminal Services server. They can be from multiple RD Session Hosts and Terminal Services servers, yet composed and presented with the same URL. Further, the presence of a RemoteApp program is based on the access control list (ACL) of a published application in RD Session Host. By default, all authenticated users will have access to published RemoteApp programs.

Screenshot of Remote Desktop Connection

Figure 5. Remote Desktop Connection Broker

The My Desktop icon appears only to those users who are assigned with a personal virtual desktop. The assignment can be done in RD Connection Broker or the user object in AD DS. When a user clicks the My Desktop icon, a virtual desktop will be delivered to the user’s device, after the user is authenticated.

The Contoso Desktop icon is for accessing a virtual desktop running on a VM dynamically picked from a VM pool defined in RD Connection Broker. Once a VM pool is defined, the icon to access a VM in the pool will show up on the RDS webpage for all authenticated users, regardless of whether a user has access to the pool. Both the display name of the page and the display name of the icon to access a VM pool can be easily customized in RD Connection Broker; in this example, “Contoso Wonder LAN” and “Contoso Desktop” are customized display names. Further information about the RDS architecture and how RD Connection Broker plays a central role in a VDI solution is available in Remote Desktop Services (RDS) Architecture Explained.

A new feature in Windows Server 2008 R2 is RemoteApp and Desktop Connection, which provides the ability to access RemoteApp programs, remote desktops, and virtual desktops from the Start menu of a computer running Windows 7. You can configure RemoteApp and Desktop Connection as follows:

  • Manually in the Control Panel. The URL of an RDS webpage and user credentials are required to complete the process. When RemoteApp and Desktop Connection access an RDS webpage on users’ behalf, it will prompt them for credentials.
  • Manually by using a client configuration (.wcx) file. You can create and distribute to users a client configuration (.wcx) file that configures RemoteApp and Desktop Connection.
  • Automatically by using a script. You can distribute a script to run the client configuration file silently, so that RemoteApp and Desktop Connection is set up automatically when users log on to their computers running Windows 7. The automation is easy, minimizes operator intervention, and provides a great user experience.

With RemoteApp and Desktop Connection, users can access RemoteApp programs and virtual desktops directly from the Start menu without specifying the RDS URL. This capability minimizes user training and offers a consistent user experience on Windows applications.
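An added example of the script-based option above, not code from the article: a PowerShell logon script that writes the client configuration (.wcx) file and applies it silently on a Windows 7 client. The host name is the article's rds-all.contoso.corp; the RD Web Access feed path, the workspace name, the file location and the HTTPS check are assumptions.

```powershell
# Added example (not from the article): write a RemoteApp and Desktop Connection client
# configuration (.wcx) file and apply it silently, so a logon script can configure Windows 7
# clients without the Control Panel wizard. The host is the article's rds-all.contoso.corp
# example; the feed path, workspace name and file location are assumptions.

$workspaceName = 'Contoso Wonder LAN'                                   # display name used in the article
$feedUrl       = 'https://rds-all.contoso.corp/RDWeb/Feed/webfeed.aspx' # assumed RD Web Access feed path
$wcxPath       = Join-Path $env:TEMP 'contoso-rdc.wcx'

# The connection authenticates with the user's domain credentials, so refuse a plain-HTTP feed.
if (-not $feedUrl.StartsWith('https://', [StringComparison]::OrdinalIgnoreCase)) {
    throw "Feed URL must use HTTPS: $feedUrl"
}

# A .wcx file is a small XML document: one named workspace with a default feed URL.
$wcxXml = @"
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<workspace name="$workspaceName" xmlns="http://schemas.microsoft.com/ts/2008/09/tswcx" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <defaultFeed url="$feedUrl" />
</workspace>
"@
Set-Content -Path $wcxPath -Value $wcxXml -Encoding UTF8

# WorkspaceSilentSetup in tsworkspace.dll is the silent entry point behind the Control Panel
# wizard. It runs in the logged-on user's context, which is why it suits a logon script; the
# "tsworkspace,WorkspaceSilentSetup" argument must be quoted so PowerShell does not split it on the comma.
& "$env:SystemRoot\System32\rundll32.exe" 'tsworkspace,WorkspaceSilentSetup' $wcxPath

# Verify afterwards under Control Panel > RemoteApp and Desktop Connections; rundll32 itself does
# not report a reliable exit code. Remove the file so stale feeds are not left lying around.
Remove-Item -Path $wcxPath -ErrorAction SilentlyContinue
```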


With VDI, a virtual desktop is isolated from the client’s device and runs in a VM maintained in a data center. The device can be a desktop, laptop, slate, or thin-client computer—running Windows or another operating system. Users interact with their virtual desktops through RDP and RemoteFX, which provides a rich desktop experience. Similar to session-based remote desktops (i.e., Terminal Services), VDI provides a server session with a full-fidelity desktop environment that is virtualized within a server-based hypervisor. The premise of VDI is that all users are running virtual desktops on VMs. Key technical components making VDI a reality include:

  • Windows Server 2008 R2 with Hyper-V. This is a virtualization host that runs VMs and is essentially a grid in the virtualization solution infrastructure. It is a repository with virtualization resources such as VMs, Virtual Hard Disk (VHDs), hardware and software profiles, and so on.
  • Microsoft App-V. App-V is a dynamic application-deployment vehicle based on user profiles and transparent to the local operating system. For more information about App-V, see the section titled “Application Virtualization” in this white paper.
  • Microsoft RDS. RDS provides a single and consistent URL for accessing resources published in multiple Remote Desktop Session Hosts (RDSHs) and terminal servers.
  • Microsoft RemoteFX. Part of Windows 7 and Windows Server 2008 R2 with Service Pack 1, RemoteFX enables the delivery of a full Windows user experience to a range of client devices including consumer devices. RemoteFX delivers a rich user experience for VDI by providing a 3D virtual adapter, intelligent codecs, and the ability to redirect USB devices in VMs. It is integrated with RDP, which enables shared encryption, authentication, management, and device support.
  • System Center Management Suite. The suite provides a comprehensive management solution for managing the enterprise IT lifecycle. It can simplify deployment, provisioning, and management of virtualization hosts and VMs. Capabilities include:
    • Virtual desktop and application management. Configuration Manager provides asset, application, usage, and desired configuration management for personal physical and virtual desktops.
    • End-to-end management of the VDI infrastructure. System Center Operations Manager monitors state, health, and performance to ensure uptime and reduce the overall cost of management.
    • Management of third-party VDI. For organizations with Citrix VDI solutions, System Center Virtual Machine Manager manages VMs and server utilization across the datacenter. Virtual Machine Manager integrates with Operations Manager to provide enhanced management for VDI scenarios, allowing performance and resource-based allocation of VMs.
    • Compliance insight. System Center Service Manager and its IT GRC Process Management Pack use information collected from Configuration Manager, Operations Manager, and Active Directory to provide unified reporting and visibility of compliance in VDI environments.


There are two VDI deployment models:

  • A static or persistent virtual desktop. In a static architecture, there is a one-to-one mapping of VMs to users. Each user is assigned a designated VM. Because VMs are commonly stored on a Storage Area Network (SAN) and execute on a server, a large user population will likely lead to significant SAN requirements.
  • A dynamic or non-persistent virtual desktop. In a dynamic architecture, there is only one master image of the desktop stored. All user personalization, profile, applications, and so on are stored separately from the desktop. When a user requests a desktop, a VM cloned from the master image is combined with the user’s personal data and applications dynamically delivered to the user device based on roaming profiles and App-V. This delivers a personalized desktop experience by dynamically provisioning a base image. It simplifies the overall VM management by reducing the number of desktop images maintained.


VDI essentially delivers a desktop on demand to a user device via a network connection. This is different from running a conventional desktop computer, in which an OEM license is bound to hardware and cannot be dynamically assigned, as with VDI. Traditional licensing has become insufficient to correctly reflect the number of licenses consumed in a desktop deployment delivered with VDI.

To accommodate new deployment scenarios, Microsoft has introduced two new offerings for VDI:

  • Microsoft Virtual Desktop Infrastructure Standard Suite (VDI Standard Suite)
  • Microsoft Virtual Desktop Infrastructure Premium Suite (VDI Premium Suite)

Both the VDI Standard Suite and the VDI Premium Suite are licensed per client device that accesses the VDI environment, and thereby allow for flexibility of server infrastructure design and growth. You can learn more about VDI suite licensing at Microsoft's Remote Desktop Services site. Additional information about Remote Desktop Services Licensing is available at Licensing Remote Desktop Services in Windows Server 2008 R2.


Both RDS and VDI are core components of desktop virtualization, and they satisfy specific computing requirements and scenarios with deployment readiness and flexibility. For a remote task worker who needs to access a specific application for carrying out a well-defined task—such as entering data or reporting a status for time reporting, inventory updating, or incident reporting—RemoteApp might be sufficient. However, a knowledge worker—who performs complex or unstructured routines such as analyzing data, architecting a solution, designing a product, writing code, or troubleshooting systems—will likely require full access to a desktop to assure productivity, and deploying a virtual desktop is one solution.

Although VDI is flexible, it does require more server hardware resources than the traditional session-based remote desktop approach. Table 1 compares session-based virtualization with VDI. In general, VDI requires an upfront investment in server and storage hardware to store and execute all needed VMs. To ensure that users are able to access virtual desktops, the network supporting VDI needs to be highly available. Generally speaking, the network-bandwidth requirement is higher to support VDI than to support Terminal Services. VM management software is also essential to manage enterprise virtual desktops.

Table 1. Session-based virtualization versus VDI

Table comparing session-based virtualization to VDI

Additionally, users should not expect a remote desktop or a virtual desktop to perform exactly as well as a locally installed desktop. Audio, video, and USB performance on a remote desktop might not be as rich as those directly running on or attaching to a user’s device. A rich client will always provide a superior user experience to that delivered with VDI. Overall, considerations of a VDI solution should include, but not be limited to:

  • Application provisioning
  • Connection management
  • Data center capacity
  • Image management
  • Infrastructure with hypervisor hosts
  • Licensing
  • VM management

Note: Citrix XenDesktop is a Microsoft Partner solution that can deliver on-demand virtual desktops and applications to users on any device they use, anywhere they use it. To learn more about Citrix XenDesktop, see the Citrix XenDesktop website. Additionally, the blog entry Microsoft Virtual Desktop Infrastructure (VDI) utilising Citrix XenDesktop as the Broker describes in detail how XenDesktop fits into and enhances VDI architectures.

Choosing the right technologies

This article has described four technologies that can help your organization embrace consumerization. These technologies are Windows Optimized Desktop, Windows Intune, Application Virtualization, and VDI. The following list describes how these technologies fit in to specific consumerization scenarios:

  • Managed Windows PCs. The Windows Optimized Desktop can give IT pros the control they need to control PC configurations while giving users the flexibility they need to do their jobs. For more information, see the section titled “Windows Optimized Desktop,” earlier in this article.
  • Unmanaged Windows PCs. Windows Intune is simple to deploy, and you can use it to manage unmanaged Windows PCs that users bring to the workplace. For more information about Windows Intune, see the section titled “Windows Cloud Services,” earlier in this article.
  • Non-Windows devices. For devices that are not running Windows, you can provide users a full Windows environment by using VDI. For more information about VDI, see the section titled “Virtual Desktop Infrastructure,” earlier in this article.

In all cases, application virtualization can provide users access to the applications they need. For more information, see the section titled “Application Virtualization,” earlier in this article.

Smartphones and mobile OS support

Tools are available to manage smartphones in the enterprise. For example, you can use Exchange ActiveSync to manage many Microsoft and non-Microsoft smartphones. Exchange ActiveSync is a Microsoft Exchange Server synchronization protocol that is optimized to work over high-latency and low-bandwidth networks. The protocol, based on HTTP and XML, enables devices to access information such as e-mail, calendars, and contacts on an Exchange Server system.

Exchange ActiveSync also provides management tools through Exchange ActiveSync mailbox policies and related tools. For example, Windows Phone 7 supports management policies like requiring passwords and enforcing password strength. It also provides the ability to remotely wipe the device and restore a mobile phone’s original factory settings after multiple failed attempts to unlock it.

Management based on Exchange ActiveSync is an industry standard for smartphones and other small-form-factor devices. Platforms such as Apple iPhone and iPad, Google Android, Nokia Symbian, and Palm support Exchange ActiveSync and mailbox policies to varying degrees. The blog post Updated - Comparison of Exchange ActiveSync Clients (Windows phone, Windows Mobile, Android, Nokia, Apple, Palm) compares support for Exchange ActiveSync across many different platforms.

This section describes some of the mailbox policies and tools in Exchange ActiveSync that you can use to manage smartphones. For more information about Exchange ActiveSync, see Managing Exchange ActiveSync Devices on TechNet.

Remote device wipe

Mobile phones can store sensitive corporate data and provide access to many corporate resources. If a device is lost or stolen, that data can be compromised. Through Exchange ActiveSync policies, you can add a password requirement to mobile phones, mandating that users enter a password to access their phones. Microsoft recommends that, in addition to requiring a device password, you configure your mobile phones to automatically prompt for a password after a period of inactivity. The combination of a device password and inactivity locking provides more security for your corporate data. For more information, see the “Device Management” section later in this article.

In addition to these features, Microsoft Exchange Server 2010 provides a remote device wipe feature. You can issue a remote device wipe command from the Exchange Management Console (EMC). Users can issue their own remote device wipe commands from the Microsoft Office Outlook Web App user interface. The remote device wipe feature also includes a confirmation function that writes a time stamp in the sync state data of the user's mailbox. This time stamp is displayed in Outlook Web App and in the user's mobile phone properties dialog box in the EMC. In addition to resetting the mobile phone to factory-default condition, a remote device wipe also deletes any data on any storage card that's inserted in the mobile phone.

Important: After a remote device wipe has occurred, data recovery is very difficult. However, no data-removal process leaves a device as free from residual data as when it's new. Recovery of data from a device might still be possible by using sophisticated tools.

You can remotely wipe a device by using one of three methods:

  • Use the EMC to perform a remote wipe on a mobile phone.
  • Use Outlook Web App to perform a remote wipe on a mobile phone.
  • Use the Exchange Management Shell to perform a remote wipe on a mobile phone.

For more information about remote device wipe in Exchange Server 2010, see Perform a Remote Wipe on a Mobile Phone on TechNet.
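The following is an added example, not code from the article: an Exchange Management Shell script that builds one mailbox policy combining the device password, inactivity lock and failed-attempt wipe controls described above (its individual settings are the ones listed under "Device management" below), assigns it to a mailbox, and carries out the remote wipe workflow for a phone reported lost. It assumes the Exchange Server 2010 Management Shell; the policy name, mailbox, device ID and notification address are constructed values.

```powershell
# Added example (not from the article): build one Exchange ActiveSync mailbox policy that combines
# the controls the article recommends (device password, inactivity lock, wipe after repeated
# failures, encryption), assign it to a mailbox, then run the remote wipe workflow for a lost phone.
# Assumes the Exchange Server 2010 Management Shell. The policy name, mailbox, device ID and
# notification address are constructed values.

$policyName   = 'Contoso-Smartphone-Baseline'
$mailbox      = 'alice@contoso.com'
$secOpsMail   = 'secops@contoso.com'
$lostDeviceId = 'ABC123DEF456'   # constructed; in practice taken from the device listing below

# Policy settings keyed by the New-ActiveSyncMailboxPolicy parameter names. Each maps to one of
# the check boxes listed under "Device management" in the article.
$settings = @{
    Name                               = $policyName
    # General
    AllowNonProvisionableDevices       = $false          # phones that cannot enforce the policy may not sync
    DevicePolicyRefreshInterval        = '24:00:00'      # resend the policy to clients daily
    # Password requirements
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordComplexCharacters = 2               # at least two character sets
    AllowSimpleDevicePassword          = $false          # blocks 1111, 1234 and similar
    MinDevicePasswordLength            = 6
    MaxInactivityTimeDeviceLock        = '00:15:00'      # re-prompt after 15 idle minutes
    MaxDevicePasswordFailedAttempts    = 10              # factory reset after the 10th failure
    DevicePasswordExpiration           = '90.00:00:00'   # 90 days
    DevicePasswordHistory              = 5
    PasswordRecoveryEnabled            = $true           # recovery password visible in Outlook Web App / EMC
    RequireDeviceEncryption            = $true
    RequireStorageCardEncryption       = $true
    # Sync settings
    MaxCalendarAgeFilter               = 'OneMonth'
    MaxEmailAgeFilter                  = 'TwoWeeks'
    AllowHTMLEmail                     = $true
    AttachmentsEnabled                 = $true
    MaxAttachmentSize                  = 2MB
    # Device and device-application settings
    AllowStorageCard                   = $false
    AllowBluetooth                     = 'HandsfreeOnly'
    AllowConsumerEmail                 = $false          # no POP3/IMAP4 accounts beside the Exchange account
    AllowUnsignedApplications          = $false
    AllowUnsignedInstallationPackages  = $false
}

New-ActiveSyncMailboxPolicy @settings

# Attach the policy to the mailbox and confirm the assignment.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName
Get-CASMailbox -Identity $mailbox | Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# Remote wipe workflow: list the mailbox's partnered devices first so the wipe goes to the right
# one (@() forces an array even when only a single device is returned).
$devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $mailbox)
$devices | Format-Table DeviceType, DeviceModel, DeviceID, LastSuccessSync, LastSyncAttemptTime -AutoSize

$lost = $devices | Where-Object { $_.DeviceID -eq $lostDeviceId }
if (-not $lost) { throw "No ActiveSync partnership with DeviceID $lostDeviceId for $mailbox" }

# Send the wipe. -Confirm forces an interactive prompt; the phone's acknowledgement is mailed to
# the notification address once the device has processed the command.
Clear-ActiveSyncDevice -Identity $lost.Identity -NotificationEmailAddresses $secOpsMail -Confirm

# The sent/acknowledged time stamps the article describes are exposed on the statistics object.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceID -eq $lostDeviceId } |
    Select-Object DeviceID, DeviceWipeSentTime, DeviceWipeAckTime
```

Until DeviceWipeAckTime is populated the phone has not yet received the command, so keep the partnership in place rather than removing the device record.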

Device management

You can create an Exchange ActiveSync mailbox policy to configure a variety of security options for users and their devices. In addition to password requirements and settings, you can use the General tab on the policy to specify the types of mobile phones that can connect to the Exchange Server system and whether attachments can be synchronized. The following summarizes the available policies:

  • General policies specify the types of mobile phones that can connect to the Exchange Server system and whether attachments can be synchronized:
    • Allow non-provisionable devices. Allow mobile phones that can't be provisioned automatically. These mobile phones might be unable to enforce all the Exchange ActiveSync policy settings. By enabling this policy, you're allowing these mobile phones to synchronize even though some policy settings might not be applied.
    • Refresh interval. Force the server to resend the policy to clients at a fixed interval defined in the number of hours between policy refresh events.
  • Password requirements for Exchange ActiveSync clients:
    • Require password. Require a password for the mobile phone. If passwords are required, the following policies become available.
    • Require alphanumeric password. Specify that the mobile phone password must include non-numeric characters. Requiring non-numeric characters in passwords increases the strength of password security.
    • Minimum number of character sets. Specify the complexity of the alphanumeric password and force users to use a number of different sets of characters from among the following: lowercase letters, uppercase letters, symbols, and numbers.
    • Enable password recovery. Enable password recovery for the mobile phone. Users can use Outlook Web App to look up their recovery password and unlock their mobile phone. Administrators can use the EMC to look up a user's recovery password.
    • Require encryption on device. Require encryption on the mobile phone. This increases security by encrypting all information on the mobile phone.
    • Require encryption on storage cards. Require encryption on the mobile phone’s removable storage card. This increases security by encrypting all information on the storage cards for the mobile phone.
    • Allow simple password. Allow users to lock their mobile phones with simple passwords such as 1111 or 1234. If you clear this check box, users will be required to use more secure password sequences.
    • Number of failed attempts allowed. Limit the number of failed password attempts a mobile phone accepts before all information on the mobile phone is deleted and the mobile phone is automatically returned to its original factory settings. This reduces the chance of an unauthorized user accessing information on a lost or stolen mobile phone that requires a password.
    • Minimum password length. Specify a minimum password length for the mobile phone password. Long passwords can provide increased security. However, long passwords can decrease mobile phone usability. A moderate password length of four to six characters is recommended.
    • Time without user input before password must be re-entered (in minutes). When a mobile phone password is required, prompt the user for the password after the mobile phone has been inactive for a specified period of time. For example, if this setting is set to 15 minutes, the user must enter the mobile phone password if the mobile phone has been idle for 15 minutes. If the mobile phone is idle for 10 minutes, the user won't have to re-enter the password.
    • Password expiration (days). Force users to reset their mobile phone’s password at a given interval. The interval is set in a number of days.
    • Enforce password history. Force the mobile phone to prevent the user from reusing previous passwords. The number you set determines how many past passwords the user won't be allowed to reuse.
  • Sync Settings policies specify a variety of synchronization-specific settings:
    • Include past calendar items. Select the date range of calendar items to synchronize to the mobile phone. The available options include the following: All, Two Weeks, One Month, Three Months, and Six Months. If you have to specify other options, use the Shell to configure this setting.
    • Include past e-mail items. Select the date range of e-mail items to synchronize to the mobile phone. The available options include the following: All, One Day, Three Days, One Week, Two Weeks, and One Month. If you have to specify other options, use the Shell to configure this setting.
    • Limit e-mail size to (KB). Limit the message size that can be downloaded to the mobile phone. After you've enabled this policy, specify a maximum message size in kilobytes (KB).
    • Allow Direct Push when roaming. Enable the mobile phone to synchronize as new items arrive when you're roaming with your phone. You're roaming when you're outside your normal service area. Check with your mobile service provider to determine your normal service area. Disabling this policy forces you to manually launch synchronization when you're roaming with the phone, and data rates are traditionally higher.
    • Allow HTML-formatted e-mail. Enable e-mail messages that are formatted in HTML to be synchronized to the mobile phone. If this policy is not enabled, all e-mail messages will be converted to plain text before synchronization. This policy does not affect whether messages are received on the mobile phone.
    • Allow attachments to be downloaded to device. Enable attachments to be downloaded to the mobile phone. If this policy is disabled, the name of the attachment is visible within the e-mail message but can't be downloaded to the mobile phone.
    • Maximum attachment size (KB). Specify a maximum size for attachments that are downloaded to the mobile phone. After you enable this policy, enter a maximum attachment size in KB. If this policy is enabled, attachments larger than the specified size can't be downloaded to the device.
  • Device policies specify a variety of device-specific settings:
    • Allow removable storage. Allow storage cards to be accessed from a mobile phone. If this policy isn’t enabled, storage cards can't be accessed from a mobile phone.
    • Allow camera. Allow the mobile phone camera to be used.
    • Allow Wi-Fi. Allow the mobile phone to use a Wi-Fi connection for Internet access. Direct Push isn't supported over Wi-Fi.
    • Allow infrared. Allow the mobile phone to establish an infrared connection with other devices or computers.
    • Allow Internet sharing from device. Allow another device to share the Internet connection of the mobile phone. Internet sharing is frequently used when the device functions as a modem for a laptop or desktop computer.
    • Allow remote desktop from device. Allow the mobile phone to establish a remote desktop connection to another computer.
    • Allow desktop synchronization. Allow the mobile phone to synchronize with a desktop computer through desktop ActiveSync or the Windows Mobile Device Center.
    • Allow Bluetooth. Control the Bluetooth functionality of the mobile phone. You can choose to Allow, Disable, or enable Bluetooth Hands-Free only.
  • Device Applications policies enable or disable specific features on a mobile phone:
    • Allow browser. Allow mobile phones to use Pocket Internet Explorer. This policy does not control access to third-party mobile phone browsers.
    • Allow consumer mail. Allow the mobile phone to access e-mail accounts other than Exchange Server accounts. Consumer e-mail accounts include accounts that are accessed through POP3 and IMAP4. This policy does not control access to third-party mobile phone e-mail applications.
    • Allow unsigned applications. Allow unsigned applications to be installed on the mobile phone.
    • Allow unsigned installation packages. Allow unsigned installation packages to run on the mobile phone.
  • Other policies specify allowed and blocked applications:
    • Allowed Applications. Add applications to or remove them from the Allowed Applications list. Allowed applications can be installed and run on the mobile phone. Click Add to add an application, and click Delete to remove an application.
    • Blocked Applications. Add applications to or remove them from the Blocked Applications list. Blocked applications are prohibited from running on the mobile phone. Click Add to add an application, and click Delete to remove an application.

On TechNet, Managing Exchange ActiveSync with Policies provides a full list of mailbox policies and describes how to configure them by using the EMC and the Shell. The ability to manage devices through Exchange ActiveSync will also be a core feature of the upcoming System Center Configuration Manager 2012, which is now in beta 2 release.
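As an added example (not code from the article or from Microsoft's documentation), the following Shell commands create one mailbox policy that sets the synchronization, device, and device application settings listed above, assign it to a mailbox, and read it back. The policy name, the chosen values, and the mailbox alias are constructed for illustration; the parameter names are the Exchange Server 2010 cmdlet equivalents of the EMC settings.

```powershell
# Added example: build an Exchange ActiveSync mailbox policy from the EMC settings above.
# Splatting (a hashtable passed with @policy) lets each setting carry its own comment.
$policy = @{
    Name                              = "Contoso-BYOD"   # constructed policy name

    # Sync settings: bound how much mailbox data lands on a personal device
    MaxCalendarAgeFilter              = "OneMonth"       # Include past calendar items
    MaxEmailAgeFilter                 = "OneWeek"        # Include past e-mail items
    MaxEmailBodyTruncationSize        = 64               # Limit e-mail size to (KB)
    RequireManualSyncWhenRoaming      = $true            # Allow Direct Push when roaming: off
    AllowHTMLEmail                    = $true            # Allow HTML-formatted e-mail
    AttachmentsEnabled                = $true            # Allow attachments to be downloaded
    MaxAttachmentSize                 = 1MB              # Maximum attachment size

    # Device settings: reduce the ways mailbox data can leave the phone
    AllowStorageCard                  = $false           # Allow removable storage
    AllowCamera                       = $true            # Allow camera
    AllowWiFi                         = $true            # Allow Wi-Fi
    AllowIrDA                         = $false           # Allow infrared
    AllowInternetSharing              = $false           # Allow Internet sharing from device
    AllowRemoteDesktop                = $false           # Allow remote desktop from device
    AllowDesktopSync                  = $true            # Allow desktop synchronization
    AllowBluetooth                    = "HandsfreeOnly"  # Allow, Disable, or HandsfreeOnly

    # Device application settings
    AllowBrowser                      = $true            # Allow browser (Pocket Internet Explorer)
    AllowConsumerEmail                = $false           # Allow consumer mail (POP3/IMAP4)
    AllowUnsignedApplications         = $false           # Allow unsigned applications
    AllowUnsignedInstallationPackages = $false           # Allow unsigned installation packages
}

# Create the policy; the EMC check boxes map to these boolean and enumerated parameters.
New-ActiveSyncMailboxPolicy @policy

# Assign the policy to a mailbox (alias is a constructed placeholder).
Set-CASMailbox -Identity "alice" -ActiveSyncMailboxPolicy "Contoso-BYOD"

# Verify what the server will enforce on the next device provisioning cycle.
Get-ActiveSyncMailboxPolicy -Identity "Contoso-BYOD" | Format-List Name, Allow*, Max*, RequireManualSyncWhenRoaming
```

The Allowed Applications and Blocked Applications lists are set through separate parameters of the same cmdlet; see the TechNet topic above for their list format.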

Idle timeout value

Direct Push Technology uses Exchange ActiveSync to keep data on a smartphone synchronized with data on Exchange Server. On firewalls, a network idle connection time-out indicates how long a connection is permitted to live without traffic after a Transmission Control Protocol (TCP) connection is fully established. You must correctly set this time-out value to allow the Exchange ActiveSync heartbeat interval and the enterprise session interval to communicate effectively. If the firewall closes the session, mail would remain undelivered until the client reconnects, and the user could be unsynchronized for long periods of time. Microsoft recommends that organizations set time-outs on their incoming firewalls to 30 minutes. For more information, see Understanding Direct Push and Exchange Server 2010.

Autodiscover settings

Exchange Server includes the Autodiscover service, which simplifies the provisioning of mobile phones by returning the required system settings after a user enters his or her e-mail address and password. The Autodiscover service is enabled by default in Exchange Server 2010 (Figure 6).

Diagram of the Exchange ActiveSync Autodiscover service

Figure 6. Autodiscover with Exchange ActiveSync

The process that Figure 6 describes is as follows:

  1. The user enters his or her e-mail address and password on the mobile phone.
  2. The mobile phone connects to a root DNS server to retrieve the URL for the Autodiscover service and the IP address for the user's domain.
  3. The mobile phone uses a Secure Sockets Layer (SSL) connection to connect through the firewall to the Autodiscover service virtual directory. The Autodiscover service assembles the XML response based on the server synchronization settings.
  4. The Autodiscover service sends the XML response through the firewall over SSL. This XML response is interpreted by the mobile phone, and synchronization settings are configured automatically on the mobile phone.
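The exchange in steps 3 and 4, as an added example that is not part of the article: a PowerShell script sends the same Autodiscover request a mobile phone would send, over SSL with the user's credential, and checks the returned MobileSync URL. The host name, e-mail address, and credential are constructed placeholders; the request and response element names follow the Exchange ActiveSync Autodiscover schema.

```powershell
# Added example: reproduce a phone's Exchange ActiveSync Autodiscover request (steps 3-4).
$emailAddress    = "alice@contoso.com"                                      # constructed
$autodiscoverUrl = "https://autodiscover.contoso.com/autodiscover/autodiscover.xml"  # constructed
$cred = Get-Credential $emailAddress   # prompts for the mailbox password; never hard-code it

# Step 3: the request body a mobile phone posts to the Autodiscover virtual directory.
$request = @"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/requestschema/2006">
  <Request>
    <EMailAddress>$emailAddress</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@

$client = New-Object System.Net.WebClient
$client.Credentials = $cred.GetNetworkCredential()   # answers the server's 401 challenge
$client.Headers.Add("Content-Type", "text/xml")

# WebClient only completes the POST if the https:// URL presents a trusted certificate,
# which is the same guarantee the firewall-traversing SSL connection in step 3 relies on.
[xml]$response = $client.UploadString($autodiscoverUrl, "POST", $request)

# Step 4: interpret the XML response the way the phone does.
$body = $response.Autodiscover.Response
if ($body.Error) {
    Write-Warning ("Autodiscover error {0}: {1}" -f $body.Error.Status, $body.Error.Message)
    return
}
if ($body.Action.Redirect) {
    # The service can answer with another address to retry instead of settings.
    Write-Warning ("Autodiscover redirected to {0}; repeat the request with that address" -f $body.Action.Redirect)
    return
}

$server = $body.Action.Settings.Server | Where-Object { $_.Type -eq "MobileSync" }
if (-not $server) { Write-Warning "No MobileSync server entry in the response"; return }

# The phone will synchronize against this URL; confirm it is the SSL endpoint you expect.
if ($server.Url -notlike "https://*") {
    Write-Warning ("MobileSync URL is not SSL-protected: {0}" -f $server.Url)
}
"Display name : {0}" -f $body.User.DisplayName
"Sync endpoint: {0}" -f $server.Url
```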

The ability to use Autodiscover depends on the operating system of the mobile phone you're using. Not all mobile phone operating systems that support synchronization with Exchange Server support Autodiscover. For more information about operating systems that support Autodiscover, see the blog post Updated - Comparison of Exchange ActiveSync Clients (Windows phone, Windows Mobile, Android, Nokia, Apple, Palm).

For instructions on configuring Autodiscover in Exchange Server, see Configure Exchange ActiveSync Autodiscover Settings.



IT must be able to embrace consumerization where it is appropriate, while at the same time minimizing risks to the enterprise and its data. By assessing and understanding your users, in addition to the devices that they want to use, you can help ensure that consumerization benefits your business, and that these benefits can be measured and evaluated.

Embracing consumerization enables businesses to deliver productivity gains and competitive advantage. Consumerization becomes a major opportunity when the strategies that are described in this paper are followed, ensuring that corporate assets are secure and establishing new roles for empowered employees and IT as partners. Microsoft has a range of enterprise-ready solutions that can help you address your users’ needs surrounding consumerization, from deployments of Windows Optimized Desktop, through cloud-based management using Windows Intune, to Windows-based and non-Windows-based smartphones.

Additional resources