MDOP and EMET for Windows 10

It’s been a while since I’ve posted anything here now which is in part down to me being busy at home and in part due to work being full-on at the moment trying to juggle a handful of internal systems projects as well as dropping in customer engagements but you won’t hear me complaining as it’s all great work.

In the time between I last wrote anything and now, Windows 10 is full swing and we are already looking at the Threshold 2 (or November 2015 Update) for Windows 10 shipping which will see the Skype Messaging experience rolled out to the public as well as the Cortana text messaging and missed call notifications on the desktop, both of which have been available to people running the Windows 10 Insider Preview builds for a few weeks’ now.

With people looking more closely at Windows 10, there’s good news for people who rely on the slew of Microsoft tools in the enterprise as many of them are either now already updated to support Windows 10 or are working their way to support. MDOP 2015 was released back in August 2015 and this included updated service packs for Application Virtualization (App-V) 5.0 SP3, User Experience Virtualization (UE-V) 2.1 SP1 and Microsoft BitLocker Administration and Management (MBAM) 2.5 SP1 to add support for Windows 10. App-V and MBAM are simply service packs to add support whilst UE-V not only gains support for Windows 10 but also gets native support for Office 2013 via the ADMX files which means you no longer need to manually import the Office 2013 .xml templates into your Template Store.

Sadly, UE-V 2.1 SP1 shipped before the release of Office 2016 which means there is no native support for this which seems to be a common theme for UE-V; the product ships ready for a new Windows version but misses the matching Office version so. If you want to use UE-V for Office 2016, you can head over to the TechNet Gallery and download the official Microsoft .xml templates for it from https://gallery.technet.microsoft.com/Authored-Office-2016-32-0dc05cd8.

Aside from MDOP, Microsoft EMET is being updated to version 5.5 which includes support for Windows 10 along with claiming to include much improved Group Policy based management of the clients. I haven’t tried this for myself yet as the product is still in beta but I will be giving it a try soon and I will be sure to post anything I find that can help improve the management position of it.

As a throw-in note, If you are using System Center Endpoint Protection for anti-virus then you might want to have a read of this post by System Center Dudes at http://www.systemcenterdudes.com/sccm-2012-windows-10-endpoint-protection/, which explains the behaviour of Endpoint Protection in Windows 10.

Microsoft User Experience Virtualization (UE-V) 2.0 Review

In this post I’m going to show you Microsoft User Experience Virtualization (UE-V) 2.0 which is a really nice product from Microsoft for customers with access to Microsoft Desktop Optimization Pack (MDOP). MDOP is available as a free entitlement to customers with Software Assurance on their Windows Enterprise Desktop licenses. UE-V is designed as a 21st century replacement to Roaming Profiles.

Roaming Profiles Backstory

I’ve been a long time fan of Roaming Profiles whether you use them as a means to deliver virtual desktop infrastructure (VDI), a means to allow users to logon to multiple conventional desktops throughout a business or as a crude method to centrally backup user data so that if their laptop or other computing device fails, simply logon to a new machine and you get back the same experience.

Lots of people have hated on Roaming Profiles for their misgivings which they do indeed have: slower logon times, issues with the synchronisation of the profile between multiple machines and the occasional profile corruption issues. Some of the stigma with Roaming Profiles is alleviated when you combine it with folder redirection, another technology which I am a fan of however it’s still not perfect.

Roaming Profiles and Windows 8.1

Roaming Profiles have defiantly taken a back seat in Windows 8 and Windows 8.1. Log in to a Windows 8 or Windows 8.1 machine using a domain account that is setup with a Roaming Profile and you will quickly see that even when you connect a Microsoft Account (MSA) that some things just don’t work properly. Despite all my attempts to correct it, the OneDrive immersive UI app just never worked properly and Sync Settings between multiple PCs is completely disabled with all of the options greyed out to prevent their use.

I wasn’t too bothered about the lack of Sync Settings previously. This is mainly because of the fact that I work from home on a machine joined to my home domain with my other PC, a Surface Pro tablet connected to the same domain with the same roaming profile so my settings would sync in that manner but in a scenario where I could be using a work computer joined to a work domain means I wouldn’t have any sync activity between home and work. If you use a Surface RT or a Surface 2 running Windows RT you are in the same situation as even on the same network, you cannot domain join Windows RT leaving you with no sync options.

The lack of the OneDrive app did leave me feeling a little bit at a loss but not so much as I could quickly access OneDrive using the website and OneDrive worked just fine on my Windows Phone but the real kicker arrived with Windows Phone 8.1 Preview and tab sync for Internet Explorer. I’m a tab abuser and I commonly am known to have in the region of 20 tabs open all for various work and non-work related things all in various states of read and unread so being able to sync these tabs between my desktop from day job, my Surface for intensive evening browsing or my Windows Phone for casual pickup browsing hurt.

Introducing UE-V

User Experience Virtualization (UE-V) came to my attention a year or so ago when I was working with Application Virtualization (App-V), also from MDOP but I’d never seen the reason to try it out when Roaming Profiles worked for me but with the now lack of Internet Explorer tab sync between my devices, it made me want to have a go and see if it could improve my roaming experience by any amount.

Whereas Roaming Profiles captures the entire Application Data Roaming folder from the user profile and copies the changes back and forth between the clients and the server hosting the profile share and logon and logoff, UE-V works with a client-side agent which reads application data from a UE-V User Settings share at application runtime and writes back changes at application close.

Features of UE-V

The changes are captured per-application and not for the profile as a whole which means the change delta sync is very fast to converge, isn’t dependant on the user logging on or off whilst connected to the corporate network and working in tandem with Offline Files sync provider on the client allows for users to make changes to application settings which get written back to the share as soon as the agent detects a connection to the network making this a technology which could work really well with DirectAccess remote access technologies. This silo approach to sync also means that in the rare event of any corruption occurring whilst synchronising would be limited to only effecting one application and not your whole profile. All of these settings are sent back to the server in small files with the format .pkgx and are structured in an easy to understand hierarchy per application.

UE-V User Settings Packages

Because UE-V works not by operating at a roaming profile but instead as a man in the middle, monitoring your applications, tracking changes to settings and recording them to the central store, it doesn’t interrupt the way Windows handles profile state. For Windows 8 and Windows 8.1 users this means that you can connect an MSA to a domain user account and the options for Sync Settings are available and work and also that native apps like the OneDrive app work and sync properly which was my main driver for taking UE-V for a test drive.

UE-V Agent

This per-application nature of UE-V is perhaps also it’s Achilles heel dependant on the nature of your user base. Because UE-V works with applications and not profiles, it needs to know about your applications. For default Microsoft applications such as Notepad, WordPad, Calculator and Windows 8 immersive UI applications such as Weather, Sports, Finance and the like you can enable and disable the sync of settings for these applications out of the box either via the client manually or with a Group Policy Object using the UE-V ADMX file from the Microsoft Desktop Optimization Pack Group Policy Administrative Templates download. UE-V natively supported Office 2007 and 2010 also however Office 2013 is not natively supported but more on that in a minute.

To support custom applications including Office 2013, you need XML files to provide application definitions. These definition files can either be generated by you as an administrator for your custom line of business (LOB) applications using the Microsoft User Experience Virtualization Generator application or you can download XML files generated by others from the TechNet Gallery and hope that they fit your need. Microsoft thankfully provide an official set of XML files for Office 2013 for UE-V 2.0 which you can get from the TechNet Gallery in the form of either the Microsoft Authored Office 2013 (32-bit) UE-V Template or the Microsoft Authored Office 2013 (64-bit) UE-V Template. Standard community issued XML files can be obtained from the main list on the TechNet Gallery here.

Deploying UE-V

Deploying UE-V is really simple and because the .pkgx files generated for each application are typically very small and are transmitted across the network in a much friendlier approach that a giant squirt of traffic as you would have observed with Roaming Profiles it required little planning or infrastructure on either your SMB file share server or your network capacity.

The UE-V agent is installed using an .msi file which means you can install it via a Group Policy Software Installation policy, using a Computer Configuration startup script from a Group Policy Object, via System Center Configuration Manager or any other deployment toolkit which can accept an .msi file. You could even use System Center Updates Publisher (SCUP) 2011 to generate a custom update for the .msi file and deploy it using Windows Server Update Services (WSUS) if you have that implemented instead of a full product suite like SCCM and the GPO approach doesn’t take your fancy.

Configuration of the agent is done via Group Policy ADMX settings with settings that can be applied on a per computer or a per user basis allowing you to hone your deployment as you see fit for the business needs. If you are using System Center Configuration Manger you could use the System Center 2012 Configuration Pack for Microsoft User Experience Virtualization download from Microsoft to fully integrate the management of UE-V and SCCM into a single pane of glass.

In terms of the SMB file shares, in it’s simplest form, you need two shares. One for user settings packages and one for your XML custom templates. Permissions on the custom templates share simply need to be read for Domain Computers as the client runs in the context of the computer. Permissions on the user settings packages share where user data will be written requires similar permissions to a Roaming Profiles share: Permissions for your users, Domain Users for arguments sake to Create Folders at the root of the share and then Full Control for Creator Owner for sub-folders to allow users to own their own folder.

Creating custom XML files is pretty simple and painless so long as you have a reference computer with the applications you want to capture settings for installed. A simple event of launching the application to allow UE-V to monitor registry and file locations accessed by the application, close the application and then save your XML file is about as hard as it really gets.

UE-V XML Generator

Deployment of the XML files to the agents is a simple case of copying the files into the share you created earlier.

UE-V Template Store

Microsoft had the foresight also to include an option in the UE-V ADMX Group Policy extension which allows you to enable sync for either an administratively controlled list of Windows immersive UI apps or you can enable the setting to include all unlisted Windows immersive UI apps so that any app the user installs from the Windows Store or any app you develop as a business and sideload using your Enterprise rights for sideloading will be tracked too.

UE-V ADMX Settings

With a suitable selection of XML files imported into the Template Store, the client will on it’s next schedule, sync with the store and begin to include any new templates as I previously eluded to as shown below.

Roaming Profiles and UE-V Co-Existence

UE-V and Roaming Profiles can co-exist perfectly which makes migration super simple. In any environment, you can simply roll out the UE-V agent to your clients, setup your Group Policy with the appropriate settings to point users to the correct SMB file shares for both their own personal settings to be stored and a second share for your custom XML definitions. Once deployed, you can let UE-V sync application settings for users whilst the Roaming Profile is still in effect and when you have decided that you’ve let the overlap run it’s course, pull away the Roaming Profile attribute from a users Active Directory User Object. The profile for that user will be converted back from a Roaming Profile to a Local Profile and UE-V will have already captured all their application settings and will now operate as the single version of authority for application settings.

For me personally, I’m not the kind of user with a long list of applications. I found with some monitoring that I had all the applications I needed for UE-V to be successful for me in sync within about a week of normal working practice. One the week was up, I pulled the Roaming Profile attribute from my user object, free of the Roaming Profile logon delay and associated lack of Sync Settings in Windows 8.1 to be left with a Local Profile and all the Sync Settings I could ever want available.

In an environment with a long list of applications you may need a month or more to successfully overlap the deployment of the two but either way, it’s totally achievable and with the right amount of overlap your users probably won’t event notice the change. I’m still using Folder Redirection with Offline Files to keep my Documents are other vital folders protected but I think that feature will be a given for any company, it’s the profile that’s the real issue here.

The Future for UE-V

Microsoft have just recently made the UE-V 2.1 Beta available via Microsoft Connect. I haven’t yet tried this as it was made available only a few days after I deployed UE-V 2.0 here but I will be looking at it soon. The release notes promise better control over some of the settings requested through customer feedback from UE-V 2.0 and includes native support for Office 2013 so you don’t need the custom XML templates for it any longer.

UE-V certainly has a good future and if you are in the market for a Roaming Profiles replacement I would definitely look at it.