The UE-V and App-V teams both have ways for you to get a chance to win some cool prizes like an unlocked Nokia phone or a Microsoft Xbox 360, by sharing your UE-V or App-V templates. Check out both pieces below to learn how to participate in these contests.
Creating and Sharing Your Own Microsoft User Experience Virtualization Settings Location Templates
We recently shared this via the Springboard Newsletter, but wanted to make sure that if you were not yet a subscriber you saw this article about creating and sharing settings location templates with Microsoft User Experience Virtualization written by Senior Product Marketing Manager A.J. Smith.
With the recent beta announcement of Microsoft User Experience Virtualization (UE-V) on the Windows for your Business and Springboard Series blogs, many of you are already seeing how it can easily roam the experience for Windows 7, Windows 8 Consumer Preview, and the Microsoft Office 2010 suite regardless of how they are deployed. Now you want to move on to the next step of creating a settings location template for your line of business or 3rd party applications. For those of you not familiar with settings location templates, they are XML files that tell the UE-V agent:
Creating these templates is easy using the UE-V Generator. This wizard-based tool, which you can get from the Connect site, helps automate the creation of your templates. To make it even easier I am going to walk you through using the tool step by step using Microsoft Expression Design 4.
1. After launching the UE-V Generator from the start menu and choosing the option to create a settings location template, you provide the tool with the path to the executable that you want to create the template for.
2. The application will launch and the Generator will look and see where in the file system and the registry the application stores its settings.
3. Close out of the application and review the locations the Generator discovered.
Note: The Generator will show you the locations split up into two groups, standard and nonstandard locations. Standard locations are areas on the machine where you would typically find settings written to, like C:\users\AJ\appdata\roaming or HKey_Current_User\Software\Microsoft. Nonstandard locations are places where an application might write if it assumes the user has administrative rights, like C:\Windows or the HKey_Local_Machine location in the registry. By default, the UE-V Generator will assume that you want to roam all the standard locations but none of the nonstandard locations. You should review both sets of locations and decide which ones you do or don’t want to roam.
4. Review the properties of the template to complete the creation of the template.
Now that you have created a template, why not share it with the community? To make this easy we have created a Settings Location Template Gallery so you can share and find templates.
Some of you might be thinking, “What’s in it for me to upload settings location templates to the gallery?” Well beside the thanks and adoration from your fellow IT pros, we thought we would make it even more worth your while to share. From now until May 3, 2012 we will be running a contest and invite you to create your best settings location templates, share them with the community, and possibly win an unlocked Nokia Windows Phone or an Xbox 360! We’ll pick the best two contributions and announce the winners in May*.
*No Purchase Necessary. Open only to IT Professionals 18+. Game ends 5/3/12. For details, see Official Rules.
Create and Share Your App-V Package Accelerators
This was also shared via the Springboard Series Insider Newsletter, but I wanted to make sure that you saw this information about the App-V Package Accelerators contest as well. - Senior Product Marketing Manager David Trupkin
Where do you start when you need to create a package for a new application in Microsoft Application Virtualization (App-V)? If you’re an App-V expert, maybe you dive right in and create the package yourself. If you’re just getting started, or trying to save time, maybe you’ll search the Internet to see if one of your peers has already packaged the same application. If they have, they may have shared the step-by-step process, the recipe, for creating the package. In App-V, this is a process known as Sequencing.
Where can you find App-V recipes? A good place to start is the App-V Sequencing Recipe Forum. We’ve even provided a link to the Recipe Forum right inside the Sequencer! Here you’ll find recipes for applications like Microsoft Visual Studio 2010 and AutoCAD 2010 LT. Other popular packaging-oriented websites and our own App-V MVP community also frequently post App-V recipes.
Starting with App-V 4.6 Service Pack 1, we’ve made it even easier for the App-V community to share packaging knowledge with the introduction of App-V Package Accelerators. Package Accelerators help make App-V packaging easier, faster and more predictable, taking most of the manual steps out of Sequencing. One of the best explanations I’ve heard of Package Accelerators came from the App-V development team. They think of Package Accelerators as “dehydrated” App-V packages. When you use the App-V Sequencer to combine them with the application’s original installation files, you’re “rehydrating” the App-V package.
Where can you find App-V Package Accelerators? You’ll find them in the App-V Package Accelerator Gallery. And, just like the Sequencing Recipe Forum, we’ve included a link to the Package Accelerator Gallery right inside the App-V Sequencer.
One of the best things about the App-V Package Accelerator Gallery is that it’s easy for you to share Package Accelerators that you create by uploading them to the Gallery!
Between April 5, 2012 and May 3, 2012, we invite you to create your best Package Accelerators, share them with the community, and possibly win an unlocked Nokia Windows Phone or an Xbox 360! We’ll pick the best two contributions and announce the winners in May*.
To help you get started, check out these videos on how to create an App-V package from an App-V Package Accelerator, and how to create your own App-V Package Accelerator. You can also find more information in the App-V 4.6 SP1 Sequencing Guide and the Online Technical Library for App-V. You can get App-V 4.6 SP1 by downloading the Microsoft Desktop Optimization Pack 2011 R2 Language Update on MSDN or TechNet, or check out the App-V 4.6 SP2 Beta on Microsoft Connect. Happy Sequencing!
If we look at the data from the most recent Microsoft Security Intelligence Report, we see that more than 93 percent of malware required user interaction, the ability to abuse AutoRun, or leveraged known, but patched vulnerabilities. These are items that can be mitigated solely by configuring your systems correctly. Additionally, the Australian Government’s Defence Signals Directorate released its top 35 mitigation strategies, the top 4 of which are configuration items that would have prevented more than 85 percent of the intrusions they observed, and the Center for Internet Security has shared its top 10 tips to help secure your information.
There is a ton of great information in these three resources, but it can seem overwhelming. To help, we’ve boiled the information down and combined it with our own experience, as well as what we’ve heard from many of you. To address these and other security concerns, we have come up with four controls that you can use to significantly reduce your risk. It’s important to note that configuring these controls is a great first step, but on-going assurance is critical to keeping the computers in your organization protected. The great news is that now you can deploy these controls and monitor them for on-going compliance using System Center 2012 Configuration Manager and our free Security Compliance Manager Solution Accelerator.
Patch your OS
The computers in your organization are only as secure as your least-patched system. I am sure that you are tired of hearing how important patching is. I remember how painful it was when I managed thousands of desktops and servers. That doesn’t eliminate the fact that it’s one of the most significant things that you can do to successfully reduce attacks on your clients and servers.
Luckily, Configuration Manager makes this easier than ever before, taking advantage of features like Automatic Deployment Rules to automate the monthly process as well as the new Software Center interface that lets users better control their update experience. For a detailed walkthrough of these features, check out Jason Githens’ blog on managing updates with Configuration Manager 2012.
Update your applications & 3rd party add-ons
Secunia reports that in 2011, 79 percent of all vulnerabilities reported were identified in non-Microsoft products. Amazingly, patches were available for 72 percent of these vulnerabilities at the time they were disclosed. The 50 most common applications deployed are from 12 different vendors. To effectively patch them, you need to learn a variety of additional technologies.
System Center 2012 Configuration Manager provides several mechanisms to help here. The free System Center Updates Publisher tool provides a streamlined way to inject patch catalogs from other vendors (such as Adobe) into Configuration Manager, and it also allows you to create your own. There are also a variety of other add-on tools which provide even deeper application patching for other applications. One example is System Center Alliance partner Eminentware, which delivers a terrific set of capabilities on top of Configuration Manager.
When we talk about patching and updating, don’t forget to update your anti-malware signatures. System Center 2012 Endpoint Protection is now deeply integrated into Configuration Manager as part of our evolving management and security strategy. Endpoint Protection in Configuration Manager provides deep protection through signature-based scans, behavior monitoring, vulnerability shielding, Windows Firewall management, and event-driven malware analysis and signature delivery through the Microsoft Active Protection Service.
Restrict the use of administrator accounts
According to BeyondTrust, running without admin rights would have eliminated 81 percent of critical vulnerabilities in 2010. I don’t want to oversimplify this challenge, but we’ve worked hard to eliminate some of the more common issues blocking the use of least privileged user accounts. There are still some edge cases that require administrative rights like installing some local devices or installing new software. However, Windows 7 and Windows Server 2008 R2 provide many new features that make this a much more appetizing option.
Installation challenges can be mitigated by deploying your applications using Configuration Manager, but there are some legacy applications that may have run-time issues. In those cases, the use of Microsoft Application Virtualization (App-V) is a great solution that is designed to help. Check out Aaron Margosis’ blog for some great tips on running applications without admin privileges, and a fantastic tool called LUA Buglight that you can use to help identify admin-permissions issues in desktop applications.
Remember the following key issues. The best security solution is to run as a standard user. The next best scenario is to run as a standard user but with access to a local administrator account on the computer when you need to escalate privilege. It is significantly less secure to perform routine tasks with administrator privileges, and you should always avoid using a domain administrator account for any day-to-day operational tasks.
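The "standard user by default" rule only holds if nobody quietly lands in the local Administrators group. The script below is an added example, not code from the original post or from SCM: it lists the members of each computer’s local Administrators group through the ADSI WinNT provider (available on Windows 7 and Server 2008 R2 without extra modules), compares them against an approved list you maintain, and also pulls the Security log events that record group additions. The approved entries and the computer list are constructed placeholders.

```powershell
# Added example (not from the original post): report local Administrators
# group members that are not on an approved list, and show recent additions.
# The approved list and computer names are constructed samples; replace them.

param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$ApprovedMembers = @(
        '.\Administrator',            # constructed sample: built-in local admin
        'CONTOSO\Domain Admins',      # constructed sample domain groups
        'CONTOSO\Workstation Admins'
    )
)

function Get-LocalAdminMembers {
    param([string]$Computer)
    # WinNT provider works on Windows 7 / Server 2008 R2 with PowerShell 2.0.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://CONTOSO/jsmith -> CONTOSO\jsmith
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $name = $adsPath -replace '^WinNT://', '' -replace '/', '\'
        # Normalise "<computer>\account" to ".\account" so one approved list fits every machine.
        $name -replace ("^" + [regex]::Escape($Computer) + "\\"), '.\'
    }
}

function Test-LocalAdminDrift {
    param([string]$Computer, [string[]]$Approved)
    foreach ($m in (Get-LocalAdminMembers -Computer $Computer)) {
        New-Object PSObject -Property @{
            Computer = $Computer
            Member   = $m
            Approved = ($Approved -contains $m)   # case-insensitive comparison
        }
    }
}

function Get-LocalGroupAdditions {
    param([string]$Computer, [int]$Days = 30)
    # Security event 4732: "A member was added to a security-enabled local group".
    # Requires the "Audit Security Group Management" subcategory to be enabled.
    $filter = @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Group Name:\s+Administrators' } |
        Select-Object TimeCreated, MachineName, Message
}

foreach ($c in $ComputerName) {
    # Point-in-time view: who is an admin right now that should not be?
    Test-LocalAdminDrift -Computer $c -Approved $ApprovedMembers |
        Where-Object { -not $_.Approved } |
        Format-Table Computer, Member -AutoSize

    # Historical view: how did they get there?
    Get-LocalGroupAdditions -Computer $c | Format-List
}
```

Run it from an account that can read the remote Security log; the DCM checks mentioned under the call to action below give the same "who changed the administrators group" answer continuously rather than on demand.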
Harden your OS
Microsoft leads the industry in working with government agencies, customers, and partners to produce security hardening standards and security guides for many of our products. These can be found in our Security Compliance Manager (SCM) tool. You can use SCM to create Group Policy Objects (GPOs) to quickly configure your systems or Configuration Manager DCM configuration packs to monitor your clients for compliance with these standards.
The configuration baselines available in SCM include pre-configured recommendations for both workstations and servers. They address hundreds of the most significant controls such as passwords, firewall and network configuration, encryption, and logging. The configuration baselines are designed to meet the requirements of hundreds of regulations and standards worldwide.
In addition, system hardening includes the use of whitelists and exclusion lists. AppLocker is an evolution of the Software Restriction Policies functionality in Windows Server 2008 R2 and Windows 7 that uses the concept of signed applications to greatly simplify this process. Microsoft and many other vendors sign our applications so that they can be allowed to run based on a simple ruleset. We encourage all organizations to self-sign their own internally developed applications to take advantage of this functionality.
We do recognize that organizations can have thousands of applications so AppLocker includes an audit-only mode that you can deploy on a cross-section of your systems to monitor how the rules might have impacted production systems. It’s no small challenge, but AppLocker can provide an important piece of your overall security management solution.
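The audit-only rollout described above, as an added example rather than code from the original post: it inventories the executables on a reference machine, lets the AppLocker cmdlets generate publisher rules for signed files and hash rules for the rest, rewrites the policy so every rule collection is in AuditOnly mode, applies it, and then reads the audit events that show what enforcement would have blocked. The directory list, policy path and test binary are constructed placeholders.

```powershell
# Added example (not from the original post): AppLocker audit-only pilot.
# Paths below are constructed placeholders; adjust them for your environment.

Import-Module AppLocker

$referenceDirs = @("$env:ProgramFiles", "$env:SystemRoot\System32")
$policyPath    = 'C:\Policies\AppLocker-AuditOnly.xml'    # constructed path

# 1. Inventory executables. New-AppLockerPolicy creates one publisher rule per
#    signed vendor/product and falls back to a hash rule for unsigned files.
$fileInfo = foreach ($dir in $referenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
                                 -User Everyone -Optimize -Xml

# 2. Force every rule collection into AuditOnly before the policy leaves the lab,
#    so a missing rule is logged instead of blocking a production user.
$xml = [xml]$policyXml
foreach ($collection in @($xml.AppLockerPolicy.RuleCollection)) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyPath)

# 3. AppLocker only evaluates rules while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 4. Apply locally on the pilot machine. For the cross-section of systems, use
#    -Ldap with the GPO's LDAP path instead of applying the XML on each host.
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5. Check a specific binary before anyone calls the help desk about it.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Tools\internal-app.exe' -User Everyone

# 6. Harvest the audit results. Event 8003 = ran, but would have been blocked
#    under Enforce. Group by file to see which rules are still missing.
function Get-AppLockerWouldBlock {
    $filter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $e = [xml]$_.ToXml()
        New-Object PSObject -Property @{
            Time = $_.TimeCreated
            User = $e.Event.UserData.RuleAndFileData.TargetUser   # SID of the user
            File = $e.Event.UserData.RuleAndFileData.FilePath
        }
    }
}

Get-AppLockerWouldBlock |
    Group-Object File |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Internally built executables that show up in the 8003 list are the ones to sign, as the text above recommends, so they can be covered by a publisher rule rather than a hash rule that breaks on every rebuild.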
Call to action:
The Microsoft Solution Accelerator team has released a set of additional baselines for our free Security Compliance Manager (SCM) tool that adds new checks to quickly monitor patch status, identify changes to the administrators group, and report on the use of whitelists using the desired configuration management feature in Configuration Manager. Here’s a quick screenshot of these checks in SCM:
Using these capabilities in conjunction with the traditional baselines provides a robust solution to monitor these key security controls. Here’s what we recommend for next steps:
A well-managed environment pays dividends, and not only in increased security. Even mitigating one attack can save your organization hundreds of thousands of dollars and keep you out of next year’s Data Breach report!
This morning on the Windows for your Business blog, we announced a new Desktop Virtualization product called Microsoft User Experience Virtualization (UE-V), which will be available via the Microsoft Desktop Optimization Pack (MDOP) once it’s complete. The central idea of UE-V is to enable users to keep their Windows and application experience regardless of what device they use to access Windows and their apps. We have heard from many of you that your users have multiple devices to access their corporate applications and content. To support this, we are seeing organizations adopting desktop virtualization technologies, including Microsoft Application Virtualization (App-V), RDS session-based desktops, and Virtual Desktop Infrastructure (VDI).
So what do we mean by “experience”? Think about how you use Windows and productivity applications. If you’re like most users, you have configured specific options just the way you like them – from toolbars that are turned on or off, to font size preferences, or how often autosave kicks in. This is your personalized experience. In the many conversations I’ve had with organizations addressing consumerization, IT Professionals have expressed the challenge of delivering a consistent look and feel to desktops and applications when their users access their experience from more than one delivery method or device.
Let’s consider a scenario to illustrate this problem. You have a user named Jill in the finance department of your organization. She does not travel much and works from the same desk every day using a desktop computer where all of her applications are installed locally. Like most users she rarely logs off her machine and locks it every night when she leaves. She has spent some time configuring Windows 7 and her applications just the way she likes them to help her be productive.
Every few months, Jill travels to another office to participate in budget planning meetings. For these trips, IT temporarily grants her access to an RDS session-based desktop. In this delivery model, IT takes advantage of App-V to get better scale per RDS server. Jill doesn’t realize this because her applications just work. Each time Jill uses the RDS desktop, she has to reconfigure her applications and desktop experience. This is because the experience does not roam between Windows 7 and Windows Server 2008 R2, and the different application delivery methods used.
With UE-V deployed in the company, Jill would not have to do this. She would no longer need to reconfigure the OS and applications when she went to the other office. UE-V can automatically keep her Windows 7 experience from her desktop – even the background picture of her family – and roam them to her virtual RDS desktop. UE-V also does this for her applications by including items she has configured in Word 2010, like the quick access toolbar, or the database server her line of business application needs to connect to in order to work properly. The other great benefit is that although IT chose to use virtual apps in the RDS session, it doesn’t impact Jill’s experience. UE-V seamlessly moves the personalized settings between traditional and virtual applications.
Another great feature of UE-V is when we capture and load the experience information. Compared to traditional roaming solutions that only capture the experience at login and logoff, UE-V uses additional triggers to capture and load the experience, reducing delays. For applications, we use the trigger of opening the application to apply the experience and then closing the same program to gather it. This way, if you make any changes to the look and feel of the app, we quickly roam this to another instance of the application. This also means that we can decrease the Windows login time compared to other roaming settings solutions since all we need to load at login is just the Windows experience. For the operating system triggers, we use login and logoff, screen lock and unlock, and RDS session connect and disconnect.
Jill gets her great experience, but what does IT have to do to roam the experience for the application and OS? At a high level, IT needs to deploy the UE-V agent to all the machines (physical or virtual) that they want to enable roaming on. UE-V also needs a settings location template for each roaming application. These XML-based templates are used to tell the agent what applications should have their experience roamed, and where in the file system and registry the settings are stored. In the beta release of UE-V, we provide settings location templates for Windows 7, Windows 8 Consumer Preview, and the Microsoft Office 2010 suite. If IT needs to support more applications, they can create their own templates using the UE-V Generator. The UE-V Generator is a wizard-based tool that automates the creation of the settings location template. All the IT Pro has to do is point the tool to the executable for the application, watch the application open (so that it can read and write settings to file system and registry), close out of the application, and choose the locations they want to add to the template.
This last step where the UE-V Generator shows you where an application writes and reads from in the file system and registry is crucial. These locations are split up into two groups: standard and nonstandard locations. Standard locations are areas on the machine where you would typically find settings written to, like C:\users\jill\appdata\roaming or HKCU\Software\Microsoft. Nonstandard locations are places where an application might write if it assumes you have administrative rights, like C:\Windows or HKLM location in the registry. By default, the UE-V Generator will assume that you want to roam all the standard locations but none of the nonstandard locations. You should review both sets of locations and decide which locations you do or don’t want to roam.
Here is a quick screenshot of what the review process looks like in the UE-V Generator:
Another important task is helping users roll back settings to a known “good” point, an issue we hear about often from IT Pros. Sometimes users change settings that they don’t mean to. For example, they accidentally drag and drop a toolbar to a new location and don’t know how they did it. The user typically calls the help desk to get it fixed. Sometimes the help desk does not know the application well enough to fix this and the only solution is to delete the user’s profile and have them reconfigure every application, instead of just the one they need help with. With UE-V, the help desk does not need to do this. Now they can roll back the application’s experience to when UE-V first saw that application launch and get the user back up and running. All other application and OS experience information is not touched.
Beyond the agent, the settings location template, and the UE-V Generator, there is one other piece needed to roam Jill’s experience: a remote location to sync the experience information. This information is stored in a settings package that is synced from the machine to a file share on the corporate network. The file share can be the users’ home drive mapped in Active Directory or another location that is configured on agent install or through group policy. If disconnected from the corporate network, the settings packages are cached on the local machine and any changes will be synced when connectivity to the share is restored.
The last thing I want to discuss is how UE-V integrates and scales, leveraging your investments in existing tools. A software distribution system like System Center Configuration Manager or group policy can be used to deploy the UE-V agent and settings location templates. If you plan on using System Center Configuration Manager 2012, we will release a desired configuration management (DCM) pack to help you keep the agent configuration consistent across the organization. UE-V also heavily leverages Windows PowerShell, so all the knowledge you have in creating PowerShell scripts to automate tasks can be utilized. As I mentioned earlier, UE-V also works with the Microsoft Desktop Virtualization products like RDS, VDI and App-V, so that there is nothing to configure in these products to make them work seamlessly with UE-V. All the logic happens inside the UE-V agent.
UE-V will be available in a future version of MDOP, but the beta is available for you to download and evaluate how it can help you deliver a consistent experience for your users. The UE-V Beta can be downloaded here (Windows Live ID required). You can also watch a short overview video about UE-V on the MDOP Video Zone on the Springboard Series on TechNet.
Ready to automate the compliance management of your desktop, virtualized, and private cloud environments? Then check out Security Compliance Manager 2.5 (SCM 2.5) which is now available for download. SCM 2.5 is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage both desktops and servers using Group Policy and Microsoft System Center Configuration Manager.
Key Features Include:
Next steps:
This week I had a chance to sit down with Craig Ashley, product manager for Microsoft’s Diagnostics and Recovery Toolset (DaRT), to discuss the next release of the toolset and the public beta that is now available.
DaRT has been a favorite tool for many IT pros, dating back to its days as part of the Winternals Admin Pack. As a quick review, the toolset can help IT professionals reduce the challenges associated with troubleshooting and repairing system failures on Windows-based desktops, saving time for both them and users. Administrators can easily recover PCs that have become unusable, rapidly diagnose probable causes of issues, and quickly repair unbootable or locked-out systems, all without leaving the office, making it much faster than the average time it takes to reimage a machine. When necessary, it can also quickly restore critical lost files. This helps make PCs safer to use, makes them easier and less expensive to manage, and keeps employees productive.
For additional details on DaRT or other products within the Microsoft Desktop Optimization Pack, visit the MDOP Resource Zone on TechNet.
Stephen: Craig, thanks for taking time to chat with me. Let’s jump right in. Many IT Pros have been using DaRT for many years now. What’s new in DaRT 8 for them?
Craig: Absolutely Stephen. I am very excited to start talking about DaRT 8 and get users involved in our beta that is now available.
With regard to what will be new in DaRT 8, we chose to focus on two key investment areas: support for new software and hardware platforms, and improving the image creation process.
First, let’s start with the new software and hardware platforms supported by DaRT 8. If you have not heard the buzz around the technology world, there is a new version of Windows and Windows Server that will be available later this year. One key focus with DaRT 8 is compatibility with these two new versions, Windows 8 and Windows Server 8.
Additionally, we needed to look at supporting some new hardware requirements arriving in the upcoming months as well. The first is support for GUID Partition Tables, which allows tools like Disk Wipe, Disk Commander, File Restore, and Computer Management to work with GPT disks. The second is supporting the UEFI boot process, allowing users with UEFI machines to boot into DaRT.
Stephen: It is certainly important to be sure that we continue to make DaRT compatible with upcoming Windows platforms. The other investment area you mentioned was the image creation process. What is new there?
Craig: Right on Stephen. This may be one of the most exciting updates for DaRT 8 and incorporates a few new areas of functionality. The first is that the image creation wizard is now built on top of Windows PowerShell cmdlets. We have heard many times that the ability to use scripting for each of the image creation steps would provide additional extensibility and support for deployments of DaRT. While the previous versions of DaRT leveraged Deployment Image Servicing and Management (DISM) cmdlets for much of the image creation process, not all steps were covered. Therefore, to complete the process we rounded out the image creation process by creating four new DaRT cmdlets, providing end-to-end image creation via scripting. For beginning or novice scripters, the end result of utilizing the wizard the first time is the output of a script which can be repurposed for later use.
Cmdlet                  Description
----------------------  -----------------------------------------
Mount-WindowsImage      Mount image from Windows 8 media
New-DartConfiguration   Create DaRT configuration object
Set-DartImage           Apply DaRT configuration to mounted image
Add-WindowsDriver       Add additional drivers to image
Copy-Item               Add additional files to image
Dismount-WindowsImage   Dismount image and save changes
Export-DartImage        Creates ISO file from WIM image file
Copy-DartImage          Burns ISO to CD/DVD or USB
Stephen: In addition to the use of PowerShell, what else is new with the Image Wizard?
Craig: Good question. While PowerShell provided the base for the new wizard, there is a bit of additional functionality we included on top of scripting. We have heard from users that at times DaRT requires additional steps or multiple machines for creating images or media types. DaRT 8 focuses on simplifying some of the areas.
For example, in DaRT 7, we supported the creation of DaRT images for USB media, but it required an additional tool that was not included in the box with DaRT. With the next version, we are including native support for USB media deployments.
Additionally, it will now be possible to create both 32- and 64-bit images from a single machine. In previous versions, users would be required to create 32-bit images from 32-bit machines, and the same was required for 64-bit images. With DaRT 8, users can select which one should be created during deployment, from a single machine.
Finally, through the DaRT image creation process, users will now be able to create both WIM and ISO output formats, depending on which is required for their image deployment plan.
Stephen: I believe a beta for the next version of DaRT is available. Two questions: Is this a public beta? And how can users get the beta bits?
Craig: You are absolutely correct, there is a beta version of DaRT currently available. It is a public beta available to everyone that completes the short beta questionnaire. We are very excited about this release and encourage everyone to download it and try it out by signing up and downloading the beta installer files from the DaRT 8 Connect site.
We are looking forward to hearing about beta experiences using the software in various environments. Please note, we are collecting feedback using surveys and the feedback form on these sites: