10 IT pro pain points simplified with MDOP
Applies to: Windows 8.1, Windows 8, Windows 7
Everyone enjoys a good list. Lists are everywhere—lists for popular songs, best- and worst-dressed celebrities, top vacation destinations, and so on. Our list is a bit more humble (if not a bit geeky). We are Microsoft, after all.
Our list focuses on the Windows 8.1 operating system and the Microsoft Desktop Optimization Pack (MDOP). It specifically describes 10 pains that IT pros endure and how MDOP can help reduce them. If you’re not already familiar with MDOP, this list provides a good introduction. However, you can also learn more about it on Microsoft TechNet.
Essentially, MDOP is a collection of the six products that Figure 1 describes that can help virtualize the user experience, applications, and desktop; manage features within Windows; and restore user productivity after a system issue. Like a Swiss Army knife, it solves many problems and can simplify your life as an IT pro.
Figure 1. Products in the Microsoft Desktop Optimization Pack
In this article:
- Roaming user settings in mixed environments
- Remediating application compatibility conflicts
- Getting the right applications to the right users
- Managing and controlling Group Policy
- Reducing downtime that errant GPOs cause
- Supporting BitLocker Drive Encryption
- Monitoring BitLocker compliance and identifying risk
- Troubleshooting desktops that won't start
- Removing rootkits and other malware
- Using too many management tools
1. Roaming user settings in mixed environments
Our first pain is here, because it’s fresh: Roaming user profiles between the Windows 7 operating system and Windows 8.1 are not supported. (See Incompatibility between Windows 7 and Windows 8.1 roaming user profiles.) In addition, roaming user profiles don’t work between session-based and full desktops.
So, what can you do? Use Microsoft User Experience Virtualization (UE-V), the latest addition to MDOP, to solve these problems by providing a consistent user experience across platforms and delivery methods. It synchronizes Windows settings when users log on to or off of their desktop, when they lock or unlock their desktop, and when they start or stop a Remote Desktop connection. UE-V synchronizes application settings when they open or close the application. UE-V can keep users’ experiences in sync even when they’re using multiple desktops at the same time, without them having to log off of their desktops to do it.
Combining UE-V with the Folder Redirection and Offline Files features in Windows 8.1 provides a complete roaming experience. Folder Redirection stores users’ files and documents on the network to make them available on any device users have. To help ensure that their files and settings are available even when users disconnect from the network, Offline Files caches redirected folders and the UE-V settings store locally, synchronizing them when users reconnect.
Aside from everything UE-V offers, IT pros need to know two things about UE-V. First, deploying UE-V is simple:
- Install the UE-V agent on each device. You can use Microsoft System Center Configuration Manager, the Microsoft Deployment Toolkit, or any electronic software distribution (ESD) tool.
- Create the settings store location. This location is where UE-V will put users’ personalizations. You can use people’s home folders, as defined in Active Directory Domain Services, or create a new location.
- Configure the UE-V agent by using Group Policy. In this way, you define where to store settings on the network, whether Offline Files is required, and so on.
The second key thing is that UE-V is customizable. You can create custom settings location templates, which define where UE-V will find the settings and files that it should synchronize, by using the UE-V Generator. You can also create a network share in which to store the custom settings location templates and update your policy to point the UE-V agent to it.
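The three deployment steps and the custom-template step above can also be scripted. The following is an added example, not code from the article or from the UE-V product documentation; it assumes the UE-V agent is already installed, that `\\fs01\UEV\Settings` and `\\fs01\UEV\Templates` are placeholder shares you have already created with appropriate permissions, that `ContosoApp.xml` is a placeholder name for a template exported from the UE-V Generator, and that the session is elevated. The cmdlets set the same values that the UE-V Group Policy settings control, which is useful for a lab device or for verifying what policy has applied.

```powershell
# Added example (not from the article): configure the UE-V agent with its PowerShell module.
# Assumes the agent is installed, the two shares below exist (placeholders), and the
# session is elevated.
Import-Module UEV

# Settings store: where UE-V writes each user's personalizations. The %username%
# token is expanded per user by the agent, so each user gets a private folder.
$settingsStore   = '\\fs01\UEV\Settings\%username%'   # placeholder share
# Template catalog: where the agent looks for custom settings location templates.
$templateCatalog = '\\fs01\UEV\Templates'              # placeholder share

# Computer-wide configuration (the equivalent of the Computer Configuration
# UE-V policy settings). Per-user overrides would use -CurrentComputerUser instead.
Set-UevConfiguration -Computer -SettingsStoragePath $settingsStore
Set-UevConfiguration -Computer -SettingsTemplateCatalogPath $templateCatalog
Set-UevConfiguration -Computer -EnableSync

# Register a custom template that the UE-V Generator produced (placeholder file name).
# Templates placed in the catalog share are picked up by the agent's scheduled task;
# registering explicitly makes the template active immediately on this device.
Register-UevTemplate -Path "$templateCatalog\ContosoApp.xml"

# Verify what the agent will actually use. Compare this output with the Group Policy
# settings you deployed: a mismatch usually means the policy has not applied yet.
Get-UevConfiguration
Get-UevTemplate
```

Because settings are written to a network share, the share's NTFS and share permissions are the control that keeps one user from reading another user's settings packages; check them before pointing the agent at the store.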
That’s it! See Microsoft User Experience Virtualization for more information about using UE-V.
2. Remediating application compatibility conflicts
Arguably, one of the most painful steps of deployment is testing and remediating applications. Regression testing consumes an inordinate amount of time. Fixing any discovered compatibility issues requires an uncommon skillset that is difficult to learn and sometimes requires outside help.
Microsoft Application Virtualization (App-V) can help address this challenge. It isolates applications so that they see only their own virtual environments. Users change files and settings only in those virtual environments rather than changing the host desktop’s files or settings. As a result, applications do not affect the operating system or other applications. For that matter, you never actually install virtual applications on the desktop: Rather, you stream them from the network and cache them, so the operating system remains pristine. Updating these applications is simple, and removing them does not interrupt users. Think of App-V as the equivalent of running each application in its own sandbox. The application can do whatever it wants within its own sandbox, but it cannot play with sand in other sandboxes—unless given explicit permission. It cannot throw sand out of the sandbox, either.
To be clear, App-V does not address application incompatibility with the operating system. For that, you must still rely on tools such as the Microsoft Application Compatibility Toolkit. You can learn more about the toolkit in the Application Compatibility Toolkit Technical Reference on TechNet.
Because App-V isolates applications in their own virtual environments, it can significantly reduce the need for regression testing to identify conflicts between applications. As a result, App-V reduces the need to remediate application conflicts. In fact, many companies report that they skip these steps altogether and go directly to packaging (or sequencing) applications, which is like recording the installation to a file that the administrator can stream over the network. It’s easy.
How about a practical example? Contoso Ltd. has an accounting application that it is upgrading. Both versions cannot coexist on the same desktop, but accounting needs access to the previous version until it can close the previous year’s books. Such problems might block deployment for mere mortals. But with App-V, the accounting staff can easily run both versions of the application side by side, maintaining access to the legacy version until the department closes the previous year’s books.
See Application Virtualization on TechNet for more information.
3. Getting the right applications to the right users
Packaging applications for automated deployment and configuration is often one of the most time-consuming, difficult, and expensive parts of any deployment. And how do you get the right applications to the right users on all of the right devices?
Two common choices are to include applications in monolithic Windows images or distribute them by using ESD systems. Including applications in Windows images usually leads to a high image count and a maintenance nightmare. The story for ESD systems like System Center Configuration Manager is much better these days, particularly because System Center Configuration Manager can target applications to users. But still, ESD systems are installing these applications locally, so the applications don’t follow users from device to device easily.
Through the years, these processes have served us well. But what if you could save time by more easily targeting applications to users and enabling those applications to follow users to each device they use? Would your job be easier and less repetitive if you could keep applications out of your Windows images? If you want to make application distribution less frustrating and make more time available for other tasks, then take a closer look at App-V.
With App-V, you can strike a balance between the control you need and the flexibility users need. App-V untangles applications from the operating system—that is, you package each application separately, and App-V provides it as a network service, isolating it from the operating system and other applications. However, you can also connect individually packaged App-V applications and configure them to communicate with each other. This flexibility gives businesses the best of both worlds, providing isolation to reduce application conflicts and time spent regression testing, yet allowing applications to interact and communicate when needed.
After you sequence an application, publish it on the server, and assign the appropriate rights, the application is immediately available for users. They can launch the application without waiting for it to be installed, because App-V streams the application on demand to each device they use. In other words, App-V enables applications to follow users from device to device, similar to how UE-V enables users’ experiences to follow them. In fact, App-V plus UE-V (and Folder Redirection with Offline Files) is destined to be a classic better-together story.
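The client side of the sequence-publish-run flow described above, and the connection groups mentioned in the previous paragraph, can be exercised directly with the App-V client PowerShell module. This is an added example, not code from the article or from the App-V documentation; it assumes an App-V 5.0 client, that `\\fs01\AppV` is a placeholder content share, that the `.appv` package and the connection-group descriptor XML already exist there, and that the session is elevated. In production the App-V publishing server or System Center Configuration Manager performs these steps according to user and device targeting; doing them by hand is how you validate a package before you target it broadly.

```powershell
# Added example (not from the article): add, publish, cache and group App-V 5.0
# packages on a client. Share, package and XML names are placeholders.
Import-Module AppvClient

$share = '\\fs01\AppV'   # placeholder content share

# Step 1: Add registers the package with the client (nothing is installed into the
# OS), and Publish -Global makes it visible to every user of this device. Without
# -Global the package is published only for the current user.
$pkg = Add-AppvClientPackage -Path "$share\ContosoAccounting_v2.appv" |
       Publish-AppvClientPackage -Global

# Step 2 (optional): fully load the package into the local cache now, so users who
# go offline are not left waiting on a stream they cannot reach.
$pkg | Mount-AppvClientPackage

# Step 3: connection groups let separately packaged applications share one virtual
# environment, which is the "explicit permission" for packages to see each other.
Add-AppvClientConnectionGroup -Path "$share\ContosoAccounting_CG.xml" |
    Enable-AppvClientConnectionGroup -Global

# Step 4: confirm what is published and how much of it is cached. PercentLoaded
# below 100 means the application will still stream parts of itself on first use.
Get-AppvClientPackage -All |
    Select-Object Name, Version, IsPublishedGlobally, PercentLoaded
```

The two-versions scenario from the accounting example earlier needs no connection group at all: each version is its own package and its own virtual environment, so both can be published and run side by side without conflict.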
Imagine the impact on not just application delivery but on the deployment process as a whole. Suddenly, getting down to the mythical single image becomes a real possibility. You deploy a single Windows image, and when users log on to their desktops, App-V delivers the applications they need. Because App-V does not actually install applications on the desktop, it can reduce the support time associated with applications. You simply do not have to troubleshoot or reinstall applications. Not only that, but App-V enables entirely new deployment scenarios in which applications follow users.
See Microsoft Application Virtualization on TechNet for more information.
4. Managing and controlling Group Policy
Managing and controlling Group Policy is our fourth pain point. Simply put, the problem is that any change a Group Policy administrator makes affects the production environment immediately. There is no review process, no approval process. In addition, Group Policy does not maintain any sort of history for each Group Policy object (GPO), making it difficult to know who changed what and when. You can more precisely express this pain as “cleaning up someone else’s mess.”
Microsoft Advanced Group Policy Management (AGPM) can reduce this pain by providing accountability and an auditable history. AGPM adds change management, or version control, to Group Policy. You use AGPM in the Group Policy Management Console (GPMC), as shown in Figure 2. To edit a GPO, you check it out of the archive (offline storage for GPOs), change it, and check it back in to the archive. This process works like any other version-control system, such as document libraries in Microsoft Office SharePoint Server. Change control also keeps a history of changes for each GPO, so you can compare different versions to show added, changed, or deleted settings. You can even see who made each change and when they made it.
Figure 2. Advanced Group Policy Management in the Group Policy Management Console
Building on its change-control features, AGPM provides a robust delegation model to Group Policy. It enables you to define a workflow that works well for your organization by assigning GPO administrators to one of three roles: Reviewer, Editor, or Approver. Reviewers can view and compare GPOs but cannot edit or deploy them. Editors can edit GPOs in the archive but cannot deploy them to production. Approvers can approve GPO creation and deployment to production. After an Editor changes a GPO and requests deployment, an Approver reviews the GPO and approves deployment.
You can assign the Approver role to an individual or panel of administrators, with the remaining administrators assigned to the Editor role. An alternative is to assign the Editor and Approver roles for each individual GPO. For example, you can assign the Approver role for each GPO to the department heads within its scope. The point is that role-based delegation in AGPM is extremely flexible, allowing you to create a workflow that works for you.
AGPM is one of those tools that is difficult to get excited about until you actually use it. Then, you cannot imagine Group Policy without it. It can help you get things done more quickly and with less frustration. And it can help dissipate the fog that surrounds GPOs in fast-changing environments.
To learn more about AGPM, see Advanced Group Policy Management on TechNet.
5. Reducing downtime that errant GPOs cause
Our fifth pain point also deals with Group Policy, and the obvious relief is AGPM. We call out this pain separately from the previous one, because we frequently hear IT pros lamenting the time they changed a GPO and the help desk made them wish they had not come to work that day.
AGPM features that the previous section described can help prevent errant changes from occurring in the first place. First, any changes that Editors make to a GPO happen in the archive, not in production. They can edit to their heart’s content, but they will not touch production. Only after an Approver permits deployment does a GPO affect production, and hopefully the Approver is paying attention.
Second, change control in AGPM makes it simple to recover from errant changes that do creep into production—maybe the Approver was not paying attention after all. In that case, change control can help you quickly identify specific changes that might be causing the problem. After identifying the GPO containing the offending changes, you can quickly roll back to a previous version of the GPO. By the end of the next Group Policy refresh interval (by default, 90 minutes), the problem should be resolved.
AGPM has a particular feature that is useful if you run a tight ship and want to be sure about a GPO before deploying it: cross-forest management. You can copy a GPO from a domain in one forest to a domain in a different forest, and then deploy it. Using cross-forest management, you can edit and thoroughly test GPOs in an isolated lab environment. When you are satisfied with the results, you can easily copy the GPOs to production and deploy them.
To learn more about AGPM, see Advanced Group Policy Management on TechNet.
6. Supporting BitLocker Drive Encryption
Sixth on our list of IT pro pain points is supporting BitLocker Drive Encryption in large enterprises, where provisioning and managing compliance can sometimes be challenging. BitLocker provides full-volume encryption to help protect corporate data while Windows is offline. There is nothing particularly painful about BitLocker itself, especially in Windows 8.1, which enhances BitLocker in significant ways. (See the article “BitLocker Overview” on TechNet for more information.)
What can be painful is supporting BitLocker after deployment. First, users cannot manage their own PINs if they aren’t administrators on their devices. Second, BitLocker Recovery Mode invariably leads to a help desk call to recover users’ devices.
Microsoft BitLocker Administration and Monitoring (MBAM) can eliminate this pain. By using MBAM, which Figure 3 shows, you can centrally provision and configure BitLocker, gain insight into users’ compliance with your company’s encryption policies, and—most important to this pain—enable users to support themselves. First, MBAM allows users to perform basic tasks without calling the help desk. For example, they can reset their PINs without requiring administrator privileges. Second, MBAM provides a self-service portal that mere users can use to look up their own recovery passwords, avoiding the help desk call.
7. Monitoring BitLocker compliance and identifying risk
Monitoring BitLocker compliance is another pain point that MBAM can help reduce. BitLocker does not provide a way to know which desktops are compliant with an organization’s BitLocker policies. It is like flying in bad weather without instrumentation. You just don’t know which desktops are compliant and which are not. To drive this point home, imagine a scenario in which a mobile PC is lost or stolen. Can you quickly determine your organization’s risk by looking up whether the desktop was compliant?
MBAM addresses this pain point by providing BitLocker compliance reports in the box. You can view the compliance status of the entire organization or an individual desktop. These reports tell you how many desktops are compliant, how many are not compliant, and the details for individual desktops. In the event that a mobile PC is lost or stolen, you can look it up to determine whether it was compliant with BitLocker policy. You are not left in fear of the worst, because you know the risk almost immediately.
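To make concrete what a compliance report is built from, here is an added example, not code from the article or from MBAM, that evaluates a single device's BitLocker state with the built-in BitLocker module (Windows 8 and later). It is not a substitute for MBAM's central reporting; it shows the per-volume facts MBAM collects and applies an assumed example policy (operating system drive fully encrypted, protection on, TPM+PIN protector, and a recovery password escrowed) that is not something the article states. The report share path is a placeholder.

```powershell
# Added example (not from the article): local BitLocker compliance check.
# The policy encoded here is an assumption chosen for illustration, not the article's.
Import-Module BitLocker

function Test-BitLockerCompliance {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, RecoveryPassword, ExternalKey, Password.
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $isOs = ($vol.VolumeType -eq 'OperatingSystem')

        # A volume is compliant only if it is fully encrypted AND protection is on:
        # an encrypted volume with protection suspended (e.g. after a firmware update)
        # is readable without a protector and must not count as compliant.
        $compliant = ($vol.ProtectionStatus -eq 'On') -and
                     ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                     ($protectorTypes -contains 'RecoveryPassword') -and
                     ((-not $isOs) -or ($protectorTypes -contains 'TpmPin'))

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Volume     = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Status     = $vol.VolumeStatus
            Protection = $vol.ProtectionStatus
            Protectors = ($protectorTypes -join ',')
            Compliant  = $compliant
        }
    }
}

$report = Test-BitLockerCompliance
$report | Format-Table -AutoSize

# Writing one row per volume to a central share gives you the "was this lost laptop
# compliant?" lookup the paragraph above describes. Placeholder path.
$report | Export-Csv -Path "\\fs01\Reports\BitLocker\$env:COMPUTERNAME.csv" -NoTypeInformation
```

Note that a device can only be looked up after it has reported, so the gap between a device's last report and the moment it is lost is itself part of the risk; a central agent such as MBAM's reports on a fixed schedule precisely to keep that gap small.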
You can now integrate MBAM with System Center Configuration Manager. Doing so moves the compliance pieces of MBAM to System Center Configuration Manager, which means you can use a single pane of glass for compliance reporting and don’t need to jump among applications to get an enterprise-wide understanding of users’ compliance with your organization’s BitLocker policies.
See Microsoft BitLocker Administration and Monitoring on TechNet for more information.
8. Troubleshooting desktops that won't start
Troubleshooting unresponsive or unbootable desktops is our eighth IT pro pain point. Troubleshooting can be time-consuming and often does not lead to a solution. Adding to the cost, IT pros usually have to visit users’ desks to troubleshoot their desktops, and they have limited experience with their tools, because they use those tools so infrequently.
Many IT pros simply reimage troubled desktops. So, in organizations that are not using UE-V and Folder Redirection, the user loses settings and any data stored on the local drive.
The Microsoft Diagnostics and Recovery Toolset (DaRT) can relieve this pain. DaRT is a collection of 14 tools for troubleshooting typical problems (see Figure 4). For example, you can use the Crash Analyzer to figure out why a computer fails to start. Then, you can disable the device driver or service that’s causing the problem. You can also recover deleted files; explore the desktop’s event log, file system, or registry; remove hotfixes; and so on. DaRT is one of those tools you hope never to use, but it’s good to have in your toolbox when you need it.
9. Removing rootkits and other malware
Spyware, viruses, and malware are more advanced than they were in the old days, and they’re using technologies like bootkits and rootkits to load themselves into memory and remain hidden from most forms of detection. Removing these kits and other types of malware is our ninth pain point.
But first, let’s acknowledge that the nastiest of malware—bootkits and rootkits—are extremely difficult to contract on Windows 8.1–certified devices. Windows 8.1 introduces a completely new boot architecture that starts with the Unified Extensible Firmware Interface (UEFI). UEFI and its Secure Boot feature protect the system from bootkits that might attempt to tamper with the device’s firmware or even the operating-system bootloader. After Windows 8.1 starts, the Trusted Boot feature protects the remainder of the system’s boot process and any antimalware solutions that are designed to meet the Windows 8.1 Early Launch Anti-Malware (ELAM) requirements. (Meeting these requirements enables the antimalware driver to start before any non-Microsoft drivers and applications.) Collectively, these features give Windows 8.1 the protection that it needs to help eliminate bootkits and rootkits from the landscape.
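The protections above are only effective if they are actually enabled on the device, which is something a defender can verify. The following is an added example, not code from the article; it uses the built-in SecureBoot module and reads the registry value behind the Boot-Start Driver Initialization Policy setting. The mapping of that value to driver classes (0 = good only, 1 = good and unknown, 3 = good, unknown and bad-but-critical, 7 = all) is stated here as my reading of that policy setting, and the check treats a missing value as the Windows default of 3.

```powershell
# Added example (not from the article): report the boot-protection state of this device.
Import-Module SecureBoot -ErrorAction SilentlyContinue

function Get-BootProtectionState {
    # Confirm-SecureBootUEFI returns $true or $false on UEFI firmware and throws on
    # legacy BIOS, so an exception is reported as "not UEFI" rather than as a crash.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = 'NotUEFI' }

    # ELAM policy: which boot-start driver classifications the kernel will load.
    # Assumed value meanings: 0 good only, 1 good+unknown, 3 good+unknown+bad-but-critical
    # (Windows default), 7 all drivers (ELAM classification is effectively ignored).
    $elamKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
    $elamPolicy = (Get-ItemProperty -Path $elamKey -Name DriverLoadPolicy `
                       -ErrorAction SilentlyContinue).DriverLoadPolicy
    if ($null -eq $elamPolicy) { $elamPolicy = 3 }   # value absent: Windows default

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        SecureBoot          = $secureBoot
        ElamDriverPolicy    = $elamPolicy
        # A policy of 7 means drivers ELAM flagged as bad are still loaded at boot,
        # which removes most of the benefit the paragraph above describes.
        ElamLoadsBadDrivers = ($elamPolicy -eq 7)
        # Secure Boot off (or unavailable) means the bootloader is not verified by firmware.
        BootloaderVerified  = ($secureBoot -eq $true)
    }
}

Get-BootProtectionState
```

A device that reports `SecureBoot = NotUEFI` is booting in legacy BIOS mode even if its firmware supports UEFI, and gets none of the bootkit protection described above; that is worth flagging in inventory alongside the BitLocker compliance data.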
But let’s just say that a desktop does get infected with a nasty bit of malware. Although real-time malware scanners are an effective and critical part of your infrastructure, malware can still slip through the cracks. Also, many malware engines have a hard time effectively removing rootkits, which often leaves you with few options short of rebuilding the computer. As a result, it’s important to have a defense-in-depth strategy.
Windows Defender Offline, one of the tools that DaRT provides, should be a part of that strategy. Starting the computer by using the DaRT recovery image leaves the infected operating system offline. With the installed operating system offline, Windows Defender Offline can scan all of the machine’s files and folders without the rootkit or malware code hiding. With the malware thus clearly visible, Windows Defender Offline can remove it. Without Windows Defender Offline, many people would have no other option than to reimage the computer.
To learn more about DaRT, see Microsoft Diagnostics and Recovery Toolset.
10. Using too many management tools
Number 10 on our list of pains for IT pros will hit home with many of you: management tool overload. We have tools for everything these days, and each tool includes at least one console that we must use. Sometimes, just getting a single task done can mean opening several consoles or user interfaces. Although we can’t consolidate all of your tools, we can help integrate some of the MDOP tools we discussed in this article with your existing management infrastructure.
For example, both App-V and MBAM integrate with System Center Configuration Manager so you can use the same tools to manage virtual applications and BitLocker compliance that you use to manage other aspects of the machine. You can deploy DaRT recovery images to local hard drives by using System Center Configuration Manager. Of course, you can deploy any of the agents that MDOP uses by using System Center Configuration Manager. You also use AGPM to manage Group Policy by using the one tool. Instead of a separate console, AGPM simply extends the GPMC.
That’s it. MDOP is like a Swiss Army knife for tackling IT pro pain. If you’re considering Microsoft Software Assurance or a platform Enterprise Agreement for your organization, make sure you add MDOP to the package. If you have Software Assurance in your organization already but don’t know whether you own MDOP, check with your purchasing department to find out if you are already licensed to deploy it.
For more information about the benefits of MDOP, click here. For more technical information about MDOP, visit Microsoft Desktop Optimization Pack on TechNet.