Advanced Group Policy Management (AGPM)

What is it?

AGPM is a core component of MDOP and “helps customers overcome challenges that affect Group Policy management in any organization, particularly those with complex information technology (IT) environments”.

It’s three key features are:

Change Control: These concepts will be familiar to most, if not all, server administrators-particularly those who use Sharepoint.

The steps necessary to change and deploy a GPO are as follows:

1. Check out the GPO from the archive.

2. Edit the GPO as necessary.

3. Check in the GPO to the archive.

4. Deploy the GPO to production.

Change Control keeps a version history of the GPO’s, allowing you to quickly roll back to a previous version if needed. Another neat feature is it’s ability to compare different GPO versions, quickly showing what changes were made.

Change Control

Offline Editing: This allows you to test new/altered GPO’s without the worry of messing up your production environment!


Role Based Delegation:  This feature differs from standard Group Policy in that it can prevent Admins from approving their own changes. To do this it provides 3 new roles:

· Reviewer. Administrators assigned to the Reviewer role can view and compare GPOs. They cannot edit or deploy them.

· Editor. Administrators assigned to the Editor role can view and compare GPOs. They can check out GPOs from the archive, edit them, and check them in to the archive. They can also request deployment of a GPO.

· Approver. Administrators assigned to the Approver role can approve the creation and deployment of GPOs. (When administrators assigned to the Approver role create or deploy a GPO, approval is automatic.)


The whitepaper can be found here.

Updates in MDOP 2009:

The new version of MDOP will be released late October 2009 and makes the following enhancements to AGPM:

Manage Group Policies across different domain forests: ability to copy Group Policy Objects (GPOs) from one domain forest to another, even if the two domains are not physically connected, easily creating a new controlled GPO or replacing an existing one.

Easier GPO tracking with search & filter: ability to filter GPOs according to various attributes, such as name, state, or comment. You can also search for GPOs that were last changed by a particular administrator or on a particular date.

The MDOP Blog post is here.

System Center Desktop Error Monitoring (SCDEM)

SCDEM is the newest addition to the MDOP family and it’s a corker!

What does it do?

SCDEM captures all application & OS failures across your enterprise and stores them in one central location, to enable your technicians to track, monitor and pro-actively respond to issues.

This is like a local version of the “Send error report to Microsoft” box you sometimes get when apps crash and hang. While it’s good for MS to have this information, in a larger enterprise it’s more immediately useful for the in-house IT team to have it. This way they can identify error trends and match them up to recent changes they’ve made to the network, desktops, 3rd party software etc-thus quickly identifying, and (hopefully) fixing, the problem.

It also enables you to create a company specific knowledge base of fixes for errors.

Advantages of SCDEM

Increase productivity of users: Once SCDEM has been running for a while, IT will have had a chance to identify and correct the vast majority of common issues. That means that there will be less errors on the desktops and thus less downtime for users. The internal knowledge base will also make it easier for end users to be pro-active and solve their own issues without having to log a ticket with the help desk.

Easy Deployment: Due to it using the standard Windows error reporting system, all it takes to get SCDEM deployed to however many 1000’s of PC’s you have with a single Group Policy in Active Directory-nice huh? 🙂

Advanced Reporting: SCDEM provides many different reports to show which applications crash most, when they crash etc so that IT can make well informed decisions when it comes to patching and fixing.

For anyone who is using SCDEM and having problems, I’ve just found a great whitepaper on Troubleshooting this program. Download here. The Technet blog post is here.

If you head over to this Technet blog, you can see a great video of SCDEM in action-here.


MED-V or Microsoft Enterprise Desktop Virtualization is like SUPER XP mode 🙂

As great as XP Mode is, it has caused a few problems where people are now wondering if MED-V has been replaced-it hasn’t.

First up-MED-V is used for virtualizing legacy applications so they can be run on new OS’s like Vista and Windows 7. Yes that sounds a lot like XP Mode but MED-V introduces a whole extra management layer for use in the corporate world-specifically:

“MED-V provides important centralized management, policy-based provisioning and virtual image delivery to reduce the cost of Virtual PC deployment”

Stephen L Rose has got a great post over on the Windows Team Blog about the differences between these 2 technologies so, rather than re-invent the wheel I’m going to respectfully copy & paste 😉

How does MED-V adds management to Windows Virtual PC?

To provide a managed, scalable solution for running virtual Windows XP applications, MED-V addresses many of the IT challenges around deployment and management including:

  • Deployment – deliver virtual Windows images and customize per user and device settings
    • Automate first-time virtual PC setup based on an IT customized script – including assignment of a unique computer name, joining to AD domain
      (for instance: assign the virtual PC a name that is derived from the physical device name or the username to simplify identification and management)
    • Adjust virtual PC memory allocation based on available RAM on host, so that the virtual PC does not take significant resources from the user
  • Provisioning – define which applications and websites are available to different users
    • Assign virtual PC images according to users and groups
    • Define which Windows XP applications will be available to the user through the start menu
    • Define which websites (e.g. internal sites that requires a previous version of Internet Explorer) are redirected automatically to Windows XP
  • Control – assign and expire usage permissions and Virtual PC settings
    • Control the network settings of the Virtual PC (e.g. whether it connects through NAT or DHCP, whether its DNS is synchronized with host)
    • Authenticate user before granting access to the Virtual PC
    • Set expiration date, after which the Virtual PC is not accessible to the end user
  • Maintenance and Support – update images, monitor users and remotely troubleshoot
    • Update images using TrimTransfer network image delivery – update a master Virtual PC image, and MED-V will automatically distribute and apply the changes to all endpoints
    • Centralized database aggregates events from all users, and provides troubleshooting information on malfunctioning virtual PCs
    • Administrator diagnostics mode allows faster resolution of Virtual PC issues
    • Run on multiple platforms – MED-V will work on both Windows 7 and Windows Vista, and will not require processor-based virtualization support

MED-V is available only as part of MDOP and thus is only available to certain volume licence customers with active Software Assurance.

This technology builds on Microsoft Virtual PC and the new version has got some great new features including:

USB Support: Access USB devices connected to your Windows 7 machine directly from the Virtual Machine.

Clip Board Sharing: Copy and paste between your Windows 7 desktop and your Virtual desktop.

Printer Redirection: Print directly from your Virtual PC.

More can be found over at The Windows Team Blog.

Application Virtualization (App-V)

Microsoft App-V is what was formerly known as SoftGrid and it’s some pretty clever stuff 🙂

It’s main feature is to virtualize applications, this isolates them on the users workstation and reduces application conflicts-thus reducing end user downtime. However the apps can still fully interact with each other such as copy & paste etc so still giving the users the experience they’re used to.

The latest version is 4.5 and major highlights include:

  • HTTP streaming. Support for streaming virtual applications from an IIS server (v6 or v7) providing dramatic performance and scalability improvements for large App-V deployments.
  • Re-designed Sequencer. Simplifies the process and reduces the complexity of creating virtual application packages.
  • Dynamic Suite Composition (DSC) for MSI packages. Consolidate virtual environments, control virtual application interaction, enable faster, easier administration.
  • Seamless integration with System Center Configuration Manager 2007 R2. Allows customers to easily deploy virtual applications through the System Center Configuration Manager 2007 R2 infrastructure and scale their deployments.
  • Client cache improvements. The maximum size of the client cache has been increased to 1 TB.
  • Improved Manageability. Integration and support for VSS writer, Operations Manager management pack, ADM template.
  • Accessibility. The product is now Section 508 compliant, bringing App-V in line with Microsoft shipping requirements.
  • Most conversations I have with schools include App-V as they often have odd bits of software like “Science for GCSE 1997” and “Maths is brilliant V 2.3” that don’t play nice with each other-and App-V is a great way to solve that.

    See the Technet MDOP page here.

    Advantages of using App-V:

  • Streams applications on demand over the Internet or via the corporate network to desktops, terminal servers, and laptops.
  • Automates and simplifies the application management lifecycle by significantly reducing regression and application interoperability testing.
  • Accelerates Windows and application deployments by reducing the image footprint.
  • Reduces the end-user impacts associated with application upgrades, patching, and terminations. No reboots required, no waiting for applications to install, and no need to uninstall when retiring applications.
  • Enables controlled application use when users are completely disconnected.
  • Integrates with System Center Configuration Manager to enable physical and virtual deployments through the same people, process and technologies.
  • Licensing:

    It needs to be noted that there are 2 version of App-V available to buy.

    App-V as part of MDOP: For use in standard environments.

    App-V for Terminal Services: For use in Terminal Service environments only. App-V’s application virtualization allows any application to run alongside any other—even applications that normally conflict, multiple versions of the same application, and many applications that previously could not run under Terminal Services.

    Terminal Services

    %d bloggers like this: