The PressPass Q&A we posted today addressed a number of questions around Windows XP Mode. I wanted to clarify in more detail the differences between Windows XP Mode and MED-V and how specifically MED-V v2, a component of the Microsoft Desktop Optimization Pack (MDOP), adds management to Windows XP Mode.

The main facts:

Windows XP Mode is specifically designed to help small-business users to run their Windows XP applications on their Windows 7 desktop.

• Windows XP Mode is available for Windows 7 Professional, Windows 7 Ultimate and Windows 7 Enterprise customers.
• Windows XP Mode combines Windows Virtual PC and a pre-installed virtual Windows XP environment to allow users run many older applications.
• Windows Virtual PC will enable users to launch virtual applications seamlessly from the Windows 7 Start menu.
• Windows Virtual PC includes support for USB devices and is based on a new core that includes multi-threading support.

Microsoft Enterprise Desktop Virtualization (MED-V) is designed for IT Professionals.

• MED-V enables Virtual PC deployment in larger organizations.
• MED-V provides centralized management, policy-based provisioning and virtual image delivery to reduce the cost of Virtual PC deployment.
• MED-V v1 builds on Microsoft Virtual PC 2007 to help enterprises with their upgrade to Windows Vista when applications are not yet compatible.
• MED-V v2 will add support for Windows 7 (both 32 bit and 64bit) and Windows Virtual PC.
• MED-V v2 beta will be available within 90 days of Windows 7 GA.

How MED-V adds management to Windows XP Mode and Windows Virtual PC?

To provide a managed, scalable solution for running virtual Windows XP applications, MED-V addresses many of the IT challenges around deployment and management including:

Deployment – deliver virtual Windows images and customize per user and device settings

• Automate first-time virtual PC setup based on an IT customized script – including assignment of a unique computer name, joining to AD domain
  (for instance: assign the virtual PC a name that is derived from the physical device name or the username to simplify identification and management)
• Adjust virtual PC memory allocation based on available RAM on host, so that the virtual PC does not take significant resources from the user

Provisioning – define which applications and websites are available to different users

• Assign virtual PC images according to users and groups
• Define which Windows XP applications will be available to the user through the start menu
• Define which websites (e.g. internal sites that requires a previous version of Internet Explorer) are redirected automatically to Windows XP

Control – assign and expire usage permissions and Virtual PC settings

• Control the network settings of the Virtual PC (e.g. whether it connects through NAT or DHCP, whether its DNS is synchronized with host)
• Authenticate user before granting access to the Virtual PC
• Set expiration date, after which the Virtual PC is not accessible to the end user

Maintenance and Support - update images, monitor users and remotely troubleshoot

• Update images using TrimTransfer network image delivery – update a master Virtual PC image, and MED-V will automatically distribute and apply the changes to all endpoints
• Centralized database aggregates events from all users, and provides troubleshooting information on malfunctioning virtual PCs
• Administrator diagnostics mode allows faster resolution of Virtual PC issues

Run on multiple platforms – MED-V will work on both Windows 7 and Windows Vista.

Which customers should use Windows XP Mode standalone?

Windows XP Mode standalone is suitable for small and medium business users, who are able to set their XP applications themselves and may or may not have IT Professional staff. Each PC has its own virtual Windows XP environment that is controlled and managed by the end user. Windows XP Mode standalone is not designed for large, centrally managed deployments that have widely deployed business applications that require Windows XP.

So in summary MED-V builds on top of Windows Virtual PC and adds important management capabilities.

Windows XP Mode is specifically designed to help small businesses move to Windows 7. Windows XP Mode provides you with the flexibility to run many older productivity applications on a Windows 7 based PC.

All you need to do is to install suitable applications directly in Windows XP Mode which is a virtual Windows XP environment running under Windows Virtual PC. The applications will be published to the Windows 7 desktop and then you can run them directly from Windows 7.

Windows XP Mode and Windows Virtual PC are best experienced on your new Windows 7 PC. We will be soon releasing the beta of Windows XP Mode and Windows Virtual PC for Windows 7 Professional and Windows 7 Ultimate.

RSA is here again, and presents a great opportunity to discuss the security in Windows 7: specifically how certain features in the OS address key security-related enterprise scenarios. In today’s economic times, businesses and their shareholders need to know that when they make an investment in a product, they are doing so responsibly and securely, and the investment is sound. Windows 7 is this sound investment: it includes features that allow workers to work anywhere, while leaving IT Pros confident that business-related data and content are secure.

The world has changed a great deal in the last decade. Information workers interact with their computers in new ways and have incorporated technology into everything they do, as a result the security landscape has greatly evolved. For example, in 2001, mobile and wireless workers weren’t impacting IT decision making; today, they make up more than a quarter of the workforce. In 2008, laptops made up more than half of all devices purchased in the enterprise. With Windows Vista, we made significant investments to address many of these security concerns and developed the most secure OS to date. With Windows 7, we are carrying forward that investment.

When we began developing for Windows 7, we decided to approach our security feature enhancements in terms of user type and scenarios. We looked at a few types of workers - the mobile worker on the go, the remote worker in a branch office, the IT Pro and the security expert. All have unique needs, pain points, and styles of work - and we’re addressing each in Windows 7.

Consider being a mobile worker. The challenge for you is connectivity and access. Meanwhile, your IT Pro at the office is worried about balancing those with data protection and network security. With Windows 7, we focused on a few key features to address this scenario, and to build confidence in enterprises trying to get the most out of a mobile workforce.

• DirectAccess lets mobile workers connect quickly and securely to a corporate network over any Internet connection, without having to manually access their virtual private network. IT can leverage DirectAccess to manage the Group Policy settings and deliver updates to mobile computers, even if the user is not logged on.
• BitLocker, introduced in Windows Vista, now allows end users to right-click on a drive to quickly enable it, making it more intuitive and easier to use.
• BitLocker To Go now extends support of BitLocker drive encryption to USB removable storage devices – like our mobile worker’s flash drive (see this Springboard Series Video). Theft and loss of proprietary data from mobile devices is a great expense for businesses. However, the loss of integrity is even harder to recover.

The remote worker scenario has similar challenges to the mobile worker, but requires ease of access on a more regular basis. According to a recent study, 91% of employees work away from the corporate headquarters, with the bulk of these working in branch offices. These workers often face difficulties and long wait times accessing information off the corporate drive. With this pain point in mind, we introduced BranchCache, which lets users access information more quickly. For IT Pros, this means the assurance that branch machines maintain the same security protocols as the home office.

For home-use scenarios, employees expect the same level of connectivity and access they would have in the office. In Windows Vista, the firewall policy was based on the type of network connection established – such as Home or Work. This created an obstacle when workers logged on at home, using a Home connection and virtual private networking (VPN), because firewall settings were not set up appropriately for this scenario. So we made changes. With Windows 7, enterprises will be able to simplify their connectivity and security policies by maintaining a single set of rules for both remote clients and clients physically connected to the corporate network.

And businesses will have confidence that all remote users – whether branch office or mobile - will benefit from key improvements in IE8, including protection against XSS threats, identity theft, and new types of phishing attacks like Clickjacking. I think the work we did in IE 8 really helps put people in control of their online safety and privacy.

Finally, let’s take a look at issues people face when trying to manage these environments. Not surprisingly, IT Pros and security experts have daunting missions: they enable secure access to data for mobile, remote and local users; keep systems up to date; and track accessed data– all while attempting to drive new value for the business - it’s enough to cause IT Pro insomnia. As such, we continue to develop a range of security solutions to address evolving IT needs.

Some key examples of user scenarios empowering technology:

• AppLocker: We received feedback that workers today put software from home on their PCS, download applications from the Internet, and access programs through email. As a result, there’s a higher difficulty ensuring PCs in the enterprise environment are running only approved, licensed software. AppLocker solves this issue; it’s an administered mechanism that allows a business’ security expert to specify what is allowed to run on each user’s PC.
• Network Access Protection: This allows IT Pros to create solutions to validate computers that connect to their network and limit the access or communication of noncompliant computers.
• Microsoft Asset Inventory Service: Part of Microsoft Desktop Optimization, complements the OS security and compliance technologies by allowing our IT Pro a comprehensive view of the enterprise desktop software environment.
• User Account Control: We heard loud and clear that end-users wanted fewer UAC prompts and more control over what items they are prompted for, but we know IT Pros still need control over what’s installed or run on a machine. As a result, in Windows 7, we made specific changes to enhance the user experience, while still ensuring the same level of security.

The enterprise security features we’re discussing today are the product of hard engineering work coupled with an understanding of our customers and the security landscape. It’s important to keep in mind that some of these features only work when partnered with Windows Server; for an optimal experience, we recommend businesses use Windows 7 and Windows Server 2008 R2 together upon their availability.

We recognize the enterprise customer for Windows has evolved dramatically over the years and we’ve created solutions to address the needs of varying enterprise scenarios. It’s important to note our work is never finished! We are constantly hearing from our customers about ways to make their machines more secure and productive in their environments. We continue to listen to this feedback and apply it to our technologies. It’s our goal to build technology that lets businesses prosper in a consistently changing security landscape.

Today we are announcing the availability of Microsoft’s updated Microsoft Desktop Optimization Pack – MDOP 2009. MDOP 2009 includes updates to Microsoft Application Virtualization and Asset Inventory Services, as well as the first included release of Microsoft Enterprise Desktop Virtualization.  Additionally, MDOP 2009 still includes Microsoft Diagnostics and Recovery Toolset, Microsoft Advanced Group Policy Management, and Microsoft System Center Desktop Error Monitoring.

For more information on MDOP 2009, check out this blog post on the MDOP blog.