
How to Fix Windows 8 for Corporate Environments

March 2012 Note:  With the release of last month’s consumer preview, this blog entry has spiked in views.  I want to stress that I wrote this over a year ago.  I wrote this before the Developer Preview and before Metro UI was leaked.  So keep in mind that a lot of new information has been released from Microsoft and some of this may not be applicable now that we know what Win8 is and what it looks like. This is not a note for or against Metro, but these are corporate facing features that should be addressed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

After the CES2011 demo last week of Windows running on an ARM CPU, there has been all kinds of speculation about what this means.  There’s even talk about a new touch interface for Windows codenamed MoSh (Modern Shell) which resembles the Windows Phone Metro UI. While it’s fun to speculate, most of the discussion has been around consumer based computing.  Very little of the discussion has been around the boring corporate features. I work as a desktop architect in a corporate environment and I have some ideas how to improve Windows 8 for my world. As boring as corporate computing can be, it is still a relevant driver forming the future of computing for all environments. Here are some of the main ways Microsoft could drastically improve Windows.NEXT.

Overhaul The Microsoft EA

The biggest improvement Microsoft can make is to fix the Enterprise Agreement licensing model.  The world is changing and virtualization is here. More and more companies are finding ways to implement Windows without signing an EA. (IBM even has a program to help users called Liberate.)  My company opted to not renew our EA and saved a load of cash.  The downside is that we cannot use the Enterprise edition of Win 7 and as a result we are implementing Win 7 Pro.  While Pro is ok for most users in my org, we have some users who need encryption – not just isolated encryption, but the centrally managed BitLocker that only comes with an EA.  I could deploy some isolated BitLocker islands, but this is not a good practice since keys are not managed.  We have a 3rd-party solution, but if we could implement a mix of Pro/Enterprise and still use the centrally managed tools in AD then life would be much easier and the MS sales people would have a better story to tell.  Other great features that I cannot use are AppLocker and Med-V.  When looking at the cost of the EA, AppLocker and the other included items did not justify the cost.  That’s too bad since these are some great tools that are just collecting dust and could benefit organizations. I bet most people reading this don’t even know what AppLocker is! (See a few paragraphs down; perhaps MS should combine BitLocker with Security Essentials.)

Make Hyper-V More Complete for VDI

While Microsoft is doing well with server virtualization, the desktop Hyper-V product needs to mature.  The fundamentals of Hyper-V seem very solid. In fact, we stood up a Hyper-V VDI environment quicker and with better performance than we had with our VMware VDI solution. The problem with Microsoft’s solution is the lack of tools.  Like most other products, MS builds the base components with an open architecture, but waits for partners like Quest and Citrix to make the solution manageable in large organizations. So, to stand up a nice VDI solution I need to work with multiple products from multiple vendors. How is that EASY?  They also need to keep maturing RemoteFX as a full featured VDI client. To enable true VDI, the old roaming profile feature needs to be dusted off and updated.  While this was a good idea, implementation often wasn’t practical because of the amounts of data that needed to be streamed.  This feature now seems relevant again, but needs to be integrated with cloud and VDI offerings.

Three-Tiered Virtualization Model

Speaking of virtualizing user profiles, why not take a radical shift and create three distinct virtual layers:

  1. The OS
  2. Applications
  3. User profiles (or user state)

The latter two would be applicable for physical (non-virtualized) operating systems as well.  Imagine how much simpler administration would be if applications were virtualized with App-V and user profiles were virtualized with User-V (I just made that name up).  Not only could I easily log in to any computer (or slate device) on the network, but app delivery gets easy, licensing gets easy, etc… There are a couple of problems with the scenario.  One is the amount of data transferred for large profiles; the other is how to take virtual apps on the road without connectivity.  Regardless, this is a huge fundamental shift in the way apps and users are managed today on the desktop, but this fits into Microsoft’s cloud vision.

Allow Windows Phone Apps to Run as Gadgets

It’s no secret that I have become a fan of Windows Phone 7.  The phone is a fresh take on mobile interfaces with the live tiles and integrated services.  The app catalog is relatively small as of this writing (January 2011) but the apps that are there are high quality.  I expect the number of apps to grow quickly.  Who knows what plans Microsoft has for the gadget platform in Win8, but can you imagine having the ability to run a WP7 app on your desktop?  This would be huge for two reasons:

  1. The user would have instant access to thousands of cool apps
  2. This would also drive more app development

Enhance MDT

The Microsoft Deployment Toolkit (MDT 2010) deployment method is LIGHT YEARS ahead of Ghosting type technologies. Instead of maintaining a gold reference machine and making sector based images from this, MDT configurations can be managed from any desktop.  You simply point MDT to your Windows media, applications, and drivers.  From here you build logic around these items (for example, ‘If IsLaptop then install VPN’), then generate your bootable image with all the logic.  This is easy, but the learning curve is STEEP and not for the non-technical.  MDT needs refinement in initial setup (too many separate parts), driver management, wireless config (can’t import wireless profiles), IE config (most settings must be controlled via GPO), and the user experience (no way to set a theme for default user).

Clean Up AD

Speaking of Active Directory, it needs to be cleaned up. AD has grown over the years and the number of individual policy objects is nearly incomprehensible.  As you walk through the objects, the functionality of certain items has changed and the descriptions don’t always agree and many times actually conflict with the setting.  Furthermore, there is no check/balance system, so setting A may undo setting B, or the combination of settings X, Y, and Z could have detrimental effects on the end user.   At the very least, AD needs version control with the ability to un-tattoo managed computers.
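To make the "setting A may undo setting B" problem concrete, here is an added PowerShell example (not from the original post, and not a Microsoft tool) that models the standard Group Policy precedence rules (Site, Domain, OU; lower link order wins within a container; Enforced links applied last, with parent containers beating child containers) and reports every setting that one GPO overrides in another. The GPO names, link data and setting names are constructed for illustration; the script does not read a real domain, and it does not model Block Inheritance, security filtering, WMI filters or loopback processing.

```powershell
# Added example, not the post's own code: resolve which GPO wins for each setting
# and list the overrides. All GPO names, links and settings below are constructed.

# Constructed link inventory. Level: 1 = Site, 2 = Domain, 3 = OU (deeper = higher number).
$links = @(
    [pscustomobject]@{ Gpo = 'Domain Baseline'; Level = 2; LinkOrder = 1; Enforced = $false
                       Settings = @{ MinimumPasswordLength = 12; EnableLUA = 1; AllowRDP = 0 } }
    [pscustomobject]@{ Gpo = 'Legacy App Compatibility'; Level = 3; LinkOrder = 2; Enforced = $false
                       Settings = @{ EnableLUA = 0 } }
    [pscustomobject]@{ Gpo = 'Helpdesk Remote Access'; Level = 3; LinkOrder = 1; Enforced = $false
                       Settings = @{ AllowRDP = 1 } }
    [pscustomobject]@{ Gpo = 'Domain Security'; Level = 2; LinkOrder = 2; Enforced = $true
                       Settings = @{ AllowRDP = 0; EnableLUA = 1 } }
)

function Get-GpoApplicationOrder {
    # Returns the links in the order Group Policy would apply them; the last applied wins.
    param([object[]]$Links)

    # Non-enforced: site, then domain, then OUs. Within one container, link order 1
    # is applied last, so it takes precedence.
    $normal = $Links | Where-Object { -not $_.Enforced } |
        Sort-Object -Property @{ Expression = 'Level'; Descending = $false },
                              @{ Expression = 'LinkOrder'; Descending = $true }

    # Enforced links are applied after every non-enforced link, and parent containers
    # are applied after children, so an enforced domain link beats an enforced OU link.
    $enforced = $Links | Where-Object { $_.Enforced } |
        Sort-Object -Property @{ Expression = 'Level'; Descending = $true },
                              @{ Expression = 'LinkOrder'; Descending = $true }

    @($normal) + @($enforced)
}

function Resolve-GpoConflicts {
    # Walks the links in application order, tracks the effective value of each setting
    # and records every case where a later GPO changes a value an earlier GPO set.
    param([object[]]$Links)

    $effective = @{}
    $conflicts = New-Object System.Collections.Generic.List[object]

    foreach ($link in Get-GpoApplicationOrder -Links $Links) {
        foreach ($name in $link.Settings.Keys) {
            $value = $link.Settings[$name]
            if ($effective.ContainsKey($name) -and $effective[$name].Value -ne $value) {
                $conflicts.Add([pscustomobject]@{
                    Setting      = $name
                    WinningGpo   = $link.Gpo
                    WinningValue = $value
                    LosingGpo    = $effective[$name].Gpo
                    LosingValue  = $effective[$name].Value
                    Enforced     = $link.Enforced
                })
            }
            $effective[$name] = [pscustomobject]@{ Gpo = $link.Gpo; Value = $value }
        }
    }

    [pscustomobject]@{ Effective = $effective; Conflicts = $conflicts }
}

$result = Resolve-GpoConflicts -Links $links

"Overrides found: $($result.Conflicts.Count)"
$result.Conflicts | Format-Table -AutoSize

"Effective settings:"
$result.Effective.GetEnumerator() | Sort-Object Key | ForEach-Object {
    "{0,-22} {1,-4} (from '{2}')" -f $_.Key, $_.Value.Value, $_.Value.Gpo
}
```

With the constructed data, the application order is Domain Baseline, Legacy App Compatibility, Helpdesk Remote Access, then the enforced Domain Security, so four overrides are reported and the final effective values are MinimumPasswordLength 12, EnableLUA 1 and AllowRDP 0. Run against an inventory built from your own GPO links, the same logic gives you the check/balance view the post asks for: every setting that a lower-precedence GPO sets but never takes effect.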

Touch, Pen, & Voice Input

Touch is the big consumer focus for 2011. However, it has relevant uses in businesses as well. Yes, Windows 7 has multi-touch and handwriting recognition, but that’s as far as it goes.  Again, MS wants partners to extend this functionality to make it useful.  MS needs to build in a touch UI that controls 100% of the operating system without sacrificing usability with a keyboard and mouse.  (Is this what MoSh is all about?)  Keep in mind that all of my 6,800 desktop clients use mice and keyboards as their interface to the computer.

The pen input method is overlooked these days due to touch devices.  However, pen is very useful for taking notes in an app like OneNote or drawing diagrams. The ability for Win 7 to convert handwriting to text is unparalleled.  It does a good job even when you try to write sloppily. It even learns as you use it.  When writing in traditional apps such as Office, Windows presents you with a pop-up containing a single line to write text on.  When you pause writing or click “insert” it places the text in your document. Writing on this single line can be awkward and unnatural. This is a huge area for improvement, especially when your palm rests on the touch screen.

Most people don’t know that you can control Windows with speech.  It’s been there for years. It’s good for functions like “select word” or “select paragraph” but it’s not intuitive to say “search for mexican restaurants in tulsa” like you can in Windows Phone.  Microsoft owns a product called TellMe that is built into Windows Phone 7 devices.  TellMe is fantastic.  This product needs to be integrated into the core of Windows 8.

Windows Security

Keep improving the security story. Windows 7 made huge strides in security – at least in what most people think of as security (viruses, spyware, etc).  It is now considered the most secure desktop, beating previous versions of Windows, Linux, and OSX. On top of that, while not part of Windows itself, the free Security Essentials is one of the best malware engines I have used.  However, it doesn’t rank in Gartner’s “completeness of vision” chart since it doesn’t offer a Mac OSX version, and there are no firewall, encryption, or other data loss prevention (DLP) features.  Figure out a way to combine malware protection, encryption, and DLP with audit, and then the security story for Microsoft gets even better.  Of course, this all needs to be deployable through MDT and managed through AD.

IE9, IE10, and Beyond

Microsoft is doing a surprisingly good job with Internet Explorer 9.  They need to keep up the good work and continue with standards compliance.  Most people don’t really care about 100% compliance, but it is still a good story to tell.

Dump WMP for Zune

Currently, Microsoft offers two media experiences: Windows Media Player and Zune. While media is often viewed as consumer focused, it still plays an important role in corporate worlds.  Microsoft needs to dump WMP and focus on the superior Zune desktop software. Zune is more modern with ties into other devices like Windows Phone and Xbox.  It also has hooks into streaming and cloud storage. Of course, MDT and AD integration are required. (Windows Media CENTER is actually a third built-in media experience, but it doesn’t have much use in the corporate space. Actually, Media Center is one of my favorite home apps, but it could use some updating from Microsoft.  I have lots of ideas for that, but that’s another topic.)

The one really cool feature of WMP that Zune does not have is the “play to” feature.  When set up properly, you can select any media file and stream it to any device on your network.  This could be an Xbox, a handheld device, or even another computer.  It’s a really cool feature but setup is less than ideal.

Photo Gallery Needs to Grow Up

Speaking of media, Live Photo Gallery (part of Live Essentials) is a great tool for managing and viewing images/videos. It has a built-in compact version of SQL Server which makes handling, tagging, organizing, moving, etc thousands of photos easy. In fact, my wife uses it for her photo business in Tulsa, Oklahoma.  The problem (once again) is that it is consumer focused.  There is no way to deploy parts of it with MDT. Furthermore, once the install is completed there is no method in AD to block the Live ID sign-in screen.  I don’t want all my users going out and creating Live IDs just to view photos.  I am NOT suggesting MS include WLPG as part of Windows 8.  I like the idea of keeping it separate so it remains on its own development path.

Remote Support

The built-in remote support options work but are limited. While Dameware and Bomgar have built solid businesses for desktop support, MS could improve the built-in offering to work more reliably over multiple LAN/WAN/firewall segments.

Desktop Sharing

Building on remote support, I would like to see a user feature for easily and securely sharing desktop screens. Our graphics people would love the ability to share their screen as they are working on projects. We are currently implementing Microsoft Lync for web conferencing, but this is overkill for simple desktop sharing.

Corporate App Store/Marketplace

An internal App Store that allows end-users to install software would be a great idea! Early in 2010, a leaked MS document showed plans for a Windows 8 Marketplace/App store.  This is a great consumer feature (in fact, Apple took notice and created their own for OSX), but I do not want my 7,000 users buying Angry Birds or Fruit Ninja for their work computers.  The Marketplace needs the ability (through AD) to be redirected to an internal version. This could potentially reduce calls to the helpdesk for software installs.

What Else?

My time is running out, but I will revisit this list again soon.  What other items would you like to see in Windows 8 that would benefit the corporate user?