Applies to: Windows 8.1, Windows 8
Big changes are afoot for IT departments managing desktop environments. New ways to deliver desktop experiences are on the table now. Bring Your Own Device (BYOD) programs, virtual desktop infrastructure (VDI), and Windows To Go in the Windows 8.1 operating system are enabling new workstyles for users. Windows 8.1 can help companies adopt these new scenarios in a responsible way.
Companies must plan to deliver, operate, and support the new operating system. They want to deliver applications and experiences to users on all of their devices. They also need to secure those devices, and after deployment, they must troubleshoot any issues and manage the new configurations.
The Microsoft Desktop Optimization Pack (MDOP) for Software Assurance (SA) can help organizations reduce the cost of delivering, operating, and supporting desktops. Together, the MDOP applications can give SA customers a cost-effective and flexible solution for deploying and managing desktop computers running Windows 8.1 and enabling new workstyles for users.
For companies in the process of deploying Windows 8.1, now is a great time to put the tools in MDOP to good use, if they aren’t doing so already. They can take advantage of the people, processes, and technologies already engaged in the operating system rollout; in turn, MDOP can help to ease the overall time, cost, and effort of the deployment.
This article helps you better understand the value that MDOP brings to the table in a Windows 8.1 deployment. It describes the challenges that customers often face when delivering, operating, and supporting desktop environments and how MDOP can help overcome many of these challenges.
Companies that are deploying Windows 8.1 will at some point evaluate how they package and deliver applications to users. Historically, this process took a lot of effort and could be painful. The pain extended beyond packaging applications to keeping them updated and delivering them to users.
Application virtualization technologies have improved significantly and enabled delivery options that might not have been available previously. The effort required to package and deploy virtual applications has decreased significantly, as has the effort of testing and readying the environment. The savings more than offset the typical cost of implementing application virtualization while providing a more flexible and easier-to-manage application environment going forward.
Virtualizing the application portfolio provides several benefits for manageability and flexibility, but one key advantage is minimizing application-to-application conflicts. These conflicts arise when you need to run two versions of the same application simultaneously—for example, some organizations moving to Microsoft Office 2013 have line-of-business (LOB) applications based on Microsoft Office 2003 that are not compatible with Office 2013.
Microsoft Application Virtualization (App-V) is a key part of MDOP, and including it in a Windows 8.1 deployment strategy can help make Windows 8.1 adoption even easier. App‑V provides applications as a network service, essentially streaming applications on demand without the need for local installation. One key deployment benefit is the reduction of image sizes, making deployments faster and more reliable. Updating and managing applications are also easier and less disruptive to users, and you need not uninstall an application to retire it.
When a company is adopting new deployment scenarios like BYOD or VDI, App-V can be even more beneficial. App-V makes it easy to deliver the right applications to the right users on all of their devices. In essence, their applications follow them from device to device, without requiring installation. For example, users can log on to any corporate computer but still access all their key applications.
In App‑V, virtual applications leverage Windows standards for a consistent user experience and work more like traditionally installed applications. This means that people don’t have to change the way they use an application just because it’s virtual. Virtual applications are also easier to deploy, because they use the registry and file system like native applications, and you do not have to manage a shared drive letter across the enterprise.
You can also connect individually packaged App-V applications and configure them to communicate with each other. Virtual Application Connection gives businesses the best of both worlds, providing isolation to reduce application conflicts and time spent regression testing, yet allowing applications to interact and communicate when needed. In contrast to earlier App-V versions, which used Dynamic Suite Composition to connect applications, Virtual Application Connection makes it easy to connect applications by using the new App-V management console. Also, if a single component requires an update, you can now update that one component without updating the others (a big win for IT pros).
App-V has a new web-based management console that is super easy to use. Alternatively, you can deploy virtual applications by using Microsoft System Center 2012 Configuration Manager with Service Pack 1. By doing so, you can use the same tools to manage virtual applications that you already use to manage your desktop environment.
See the Microsoft Application Virtualization zone on TechNet for more information.
As organizations plan their desktop deployment strategies, one item that will come up is how to roam users’ experiences. This question will be more important to organizations that are adopting scenarios that enable new workstyles for users, such as VDI, BYOD, and Windows To Go. To keep users productive, IT needs to deliver users’ experiences to each device they use.
Roaming users’ experiences can be challenging, though. In a mixed environment, user profiles can’t roam between computers running Windows 7 and computers running Windows 8.1. (See Incompatibility between Windows 7 and Windows 8 roaming user profiles.) Not only that, but user profiles can’t roam between session-based and full desktops.
Microsoft User Experience Virtualization (UE-V) solves these problems by delivering a consistent user experience between Windows 7 and Windows 8.1 as well as between VDI and physical desktops. UE‑V is the latest addition to MDOP and provides a consistent user experience across multiple platforms and devices, giving users the ability to maintain a unique user experience on almost any device they use.
UE-V roams users’ experiences, but combining it with the Folder Redirection and Offline Files features in Windows 8.1 provides a more complete roaming experience. Folder Redirection makes users’ files and documents available on any device they use by storing them on the network instead of in their local user profile. To help ensure that their files and settings are available even when users disconnect from the network, Offline Files caches redirected folders and the UE-V settings store locally, synchronizing them to the network when users reconnect.
Configuration is simple: Create a file share for storing user settings, and then deploy the lightweight UE-V agent to their devices. You can deploy the UE-V agent and templates by using System Center 2012 Configuration Manager or any other software-distribution tool. After you configure UE-V by using Group Policy, UE-V will begin synchronizing users’ settings with the UE-V settings store.
UE-V uses the default settings location templates, which define the settings to synchronize with the settings store. These templates include Windows desktop, Microsoft Office, and Internet Explorer settings. Of course, you can customize UE-V by building custom settings location templates. By doing so, you can roam user settings for applications that UE-V doesn’t define in the box. For example, you can create a custom settings location template for your internal expense reporting application, and UE-V will then begin synchronizing the application’s settings to different computers.
As you’ve read, UE-V with Folder Redirection and Offline Files is a great solution for providing users a consistent experience. By combining App-V with UE-V, you can unleash even more power and flexibility on your environment, especially if your users will log on to many different devices throughout their workday. Their applications, their settings, and their files will follow them from device to device, from location to location. This functionality separates the operating system, application, and experience stacks from each other to make managing the environment much easier.
See the Microsoft User Experience Virtualization zone for more information about using UE-V.
After delivering all these new experiences to users, especially on devices that they will take with them on the go, device encryption will be a priority. Of course, Windows 8.1 supports BitLocker Drive Encryption with a host of new features that make it easier than ever to deploy and support.
To streamline large-scale BitLocker deployments, MDOP offers Microsoft BitLocker Administration and Monitoring (MBAM). It can simplify BitLocker provisioning, help companies understand and enforce compliance, and minimize support costs.
In MBAM, the self-service portal is a big new feature. When users can help themselves, it means fewer support calls, leaving more time for IT to add value to the business. To that end, MBAM includes a customizable self-service portal that people can use to recover their own devices if they inadvertently end up in BitLocker Recovery Mode. Not only that, but MBAM enables users to reset their PINs even if they aren’t administrators on their PCs.
MBAM stores BitLocker recovery keys in an encrypted database, with granular access controls and an audit trail of who has accessed recovery key information, protecting this information from unauthorized access. Also, MBAM includes several reports that help give companies insight into compliance.
Choose the deployment scenario that makes the most sense for your business. You can provision BitLocker as part of your Windows 8.1 upgrade or configure BitLocker deployment to take place after the operating system is installed. MBAM enables the automation of BitLocker provisioning, and companies can target specific encryption policies for specific devices, users, or groups.
Companies can also integrate MBAM with System Center 2012 Configuration Manager. Doing so moves the compliance pieces of MBAM to System Center 2012 Configuration Manager, which means that IT staff can use a single environment for compliance reporting through System Center 2012 Configuration Manager and don’t need to jump among applications to get an enterprise-level picture of compliance.
See the Microsoft BitLocker Administration and Monitoring zone on TechNet for more information.
Beginning with the early planning stages and continuing through deployment, companies are usually thinking about how to manage Windows 8.1 after they roll it out to production.
Deploying Windows 8.1 is only the beginning. Of course, Group Policy is an essential way in which businesses manage their desktops. Windows 8.1 provides many Group Policy settings to give businesses fine control of security and compliance on the desktops in their environments. For example, settings like AppLocker make controlling application access easier. Earlier, this article mentioned that you use UE-V combined with the Folder Redirection and Offline Files features in Windows 8.1, and you configure both of these features by using Group Policy.
While Group Policy does provide the Group Policy Management Console (GPMC) for managing Group Policy objects (GPOs), it doesn’t provide any sort of role-based workflow. Large environments can be complex, with hundreds of GPOs. Often, different people edit different GPOs, with no formal edit, review, approval, and deployment processes. Administrators cannot edit GPOs without affecting the production environment and cannot easily roll back GPOs when they fail. Group Policy, by itself, does not provide role-based control of authoring and deployment.
A Windows 8.1 deployment is the perfect time to think about how you manage Group Policy. In mixed environments with Windows 7 and Windows 8.1, companies will likely create separate GPOs for each operating system, because some policies are not compatible across Windows versions.
Another part of MDOP, Microsoft Advanced Group Policy Management (AGPM), adds this missing role-based delegation model to Group Policy. By using AGPM, companies can delegate reviewer, editor, and approver roles per domain or per GPO. AGPM provides a Group Policy workflow. Administrators can create and test GPOs offline, in a test lab, and easily move approved GPOs into production. AGPM provides version control for GPOs and allows for quick rollback of failed GPOs. It also makes managing GPOs in a complex environment easier by providing features such as filtering and searching.
To learn more about AGPM, see the Advanced Group Policy Management zone on TechNet.
Even after all the effort of delivering the perfect Windows 8.1 rollout, things do occasionally go wrong. Every company that rolls out Windows 8.1 will troubleshoot the individual and isolated issues that inevitably occur with any deployment. A computer that does not start, a system failure caused by a device driver, or a user who accidentally deletes files are examples of common issues. Windows 8.1 does provide troubleshooting tools, but there is a set of tools that make diagnosing issues even easier.
Microsoft Diagnostics and Recovery Toolset (DaRT) is another MDOP application that can help companies troubleshoot desktops. With DaRT, organizations can recover PCs that will not start, and administrators can remove bad device drivers and services that prevent systems from starting. DaRT includes tools that help troubleshoot a variety of other problems, too. The result can be quicker recovery and reduced downtime and data loss.
In DaRT, you use the new Recovery Image Wizard to generate a recovery image, which extends the Windows Recovery Environment with a host of new troubleshooting and recovery tools. You can generate 32-bit or 64-bit recovery images for both BIOS and Unified Extensible Firmware Interface systems. Options include locking tools to prevent user access to them and configuring Remote Connections to enable support to use the DaRT tools remotely. (Support can access all of the tools even if users cannot.)
A big improvement for DaRT 8 is the support for new deployment scenarios. By using the DaRT Recovery Image Wizard, you can generate WIM and ISO files. Although you can still burn the ISO file to a CD, you can easily deploy the WIM file that the wizard generates by using Windows Deployment Services or install it locally by using System Center 2012 Configuration Manager or by using the Microsoft Deployment Toolkit. The wizard even provides native support for writing the DaRT recovery image to a USB drive.
To learn more about DaRT, see the Microsoft Diagnostics and Recovery Toolset zone.
Windows 8.1 deployment is the perfect time to deploy the MDOP toolset, as well. MDOP can not only decrease the time and effort required to perform the deployment but also reduce its cost.
Adding MDOP to a Windows 8.1 deployment can enable companies to more easily adopt new deployment strategies, like BYOD, VDI, and Windows To Go. It offers the key pieces—App-V and UE-V—to make users’ applications, files, and experiences available on each device they use.
After delivery, MDOP can help organizations secure users’ devices by using MBAM and enable IT to better manage those devices by using AGPM. DaRT can help them more easily troubleshoot systems.
For companies that are planning to deploy Windows 8.1, now is the time to consider MDOP. These organizations are already geared up for a major rollout and are in the mindset for change. They can incorporate the tools that this article describes to help optimize that process.
For more information about optimizing your Windows 8.1 deployment by using MDOP, see the Microsoft Desktop Optimization Pack zone on TechNet.