Microsoft provided an excellent, manageable operating system with Windows 7 Enterprise. However, to get the most benefit from Windows 7 Enterprise, Microsoft has provided the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance customers. Here are the six tools included with MDOP:
Microsoft’s Asset Inventory Service (AIS) is a cloud-based hardware and software asset management tool. Because of its simplicity, it will probably be the first tool to set up. While many asset management tools exist (one of the most notable free tools being Spiceworks), few are cloud-based and even fewer are Microsoft licensing aware.
By having a hosted inventory service, clients regularly update hardware and software statistics on private/domain and public networks. This ensures accurate application and hardware counts. AIS even includes a variety of alerting and reporting features that cover basic hardware issues (such as low disk space) and licensing issues (such as exceeding installation counts on licensed software). In short, AIS allows you to confidently provide accurate reports on computer count, software count, and licensing information.
The System Overview tab in AIS provides system notices and a quick glance at hardware and software.
The Diagnostics and Recovery Toolset (DaRT) is a tool quite a few Windows administrators are familiar with, as it is an improved version of Winternals ERD Commander. Microsoft didn’t simply purchase a product and repackage it. DaRT greatly improves on ERD Commander by providing the ability to boot into it from the network and even to include it in your Windows PE boot environment.
With this type of integration, all of the tools you could possibly need to troubleshoot an imaging problem are available as the machine images! Microsoft updated DaRT this year to include remote control support in a Windows PE environment. This allows helpdesk support to remotely assist users when their machine will not boot from the hard drive.
The screenshot above shows the Remote Connection Viewer in DaRT. Helpdesk personnel can now troubleshoot machines in a System Recovery/Windows PE environment remotely.
Microsoft provided over 300 new configuration settings, PowerShell integration, and two revised Group Policy Preferences with Windows 7 along with a host of other improvements. The Group Policy Management that ships in Windows 7 is great, really it is. But what happens when someone in your department changes one of those settings or deletes a GPO that hasn’t been backed up recently?
The next tool available in MDOP is Microsoft’s Advanced Group Policy Management (AGPM), and it solves those problems. With native Group Policy Management, you can see when an administrator creates a policy or the last time that the policy was changed, but that is about it. AGPM provides complete change control for Group Policy Objects (GPOs).
AGPM tracks when a policy is created, changed, or deleted. It even goes as far as to track what was changed. Because it keeps snapshots of what changed, you can instantly jump back to previous versions of GPOs in order to rectify issues caused by a Group Policy change. Built-in reporting allows for quick Settings and GPO difference reports, and the "changed by" mechanism shows who changed what and when.
AGPM provides a detailed history pane for each GPO. Right-clicking on a unique version provides the ability to compare it to the current live GPO as well as the ability to restore a previously configured GPO.
Microsoft first introduced BitLocker in Windows Vista and has made strides in managing BitLocker since. Any environment that has tried to implement BitLocker on more than a handful of machines has found that certain settings can be configured centrally, others can’t, and virtually no central reporting mechanism exists.
Microsoft addressed all of these shortcomings with the Microsoft BitLocker Administration and Monitoring (MBAM) toolkit. MBAM supports multiple ways of deploying BitLocker, from user-less post-imaging encryption to opt-in scenarios where end users can choose to have their hard drives encrypted.
MBAM supports BitLocker delegation, where first-level support can have secure access to BitLocker recovery keys without Active Directory attribute delegation. The reporting features in MBAM allow a real-time view of the status of BitLocker in your environment, whether the device is unencrypted, currently encrypted, or even in suspended mode.
The MBAM drive recovery tab allows helpdesk personnel to retrieve drive recovery keys and to document why a drive needs to be unlocked.
Microsoft Application Virtualization (App-V) provides dedicated managed application services for an enterprise environment. Problems consistently seen with software are conflicts with other software, the need to reboot for installations, and managing updates.
With App-V, Windows administrators can quickly sequence applications into a virtual package, deploy to clients, and track usage. App-V tracks when applications are used and by whom. This allows for better management of licenses and distribution of existing software. App-V provides the ability to update software without any user intervention. Without rebooting or logging off, software can be deployed and updated. App-V even integrates into AIS and SCCM!
Application Virtualization (App-V)
The final tool in the MDOP suite is Microsoft’s Enterprise Desktop Virtualization (MED-V). In a nutshell, MED-V is XP Mode on steroids. For those familiar with XP Mode, the hassle of setting up an XP virtual machine and then configuring an application for each user made the use of this tool very limited.
However, MED-V provides the ability to centrally configure XP virtual machines and applications and to deploy the VM configuration to users and computers needing to run the virtual applications. With MED-V, you can set VMs to auto-start on logon, which in turn speeds up application run time. Shortcuts can even be pinned to the taskbar, thus providing a seamless application experience for the end user!
While MED-V may not be the most used tool of the MDOP suite, it is certainly extremely useful when a mission-critical application simply won’t work on a Windows 7 machine.
Microsoft’s Enterprise Desktop Virtualization (MED-V) Workspace Package Wizard
In the next post in this series, I will describe the Asset Inventory Service (AIS) in more detail.