Microsoft has long espoused a "good, better, best" philosophy for its corporate customers. Sure, just upgrading a single part of your infrastructure—Windows 7 on the client, perhaps, or Windows Server 2008 R2—will give you good results. But for a better experience, the software giant recommends upgrading two infrastructure parts—the client and the server, where possible—because of the integration pieces that come into play only in such a scenario.

For the vaunted "best" part of the equation, however, you'll need to consider one of Microsoft's best-kept secrets. This is the Microsoft Desktop Optimization Pack (MDOP), a diverse and useful set of utilities that should quickly become the favorites of any admin or IT pro.

The latest version, the unfortunately named MDOP 2009 R2, adds Windows 7 compatibility along with a host of new features and capabilities. Here's what you need to know about MDOP 2009 R2.

What MDOP Is and How to Get It

MDOP is a set of PC management capabilities provided on a subscription basis to Microsoft customers in the Software Assurance (SA) volume licensing program. It currently consists of six core products that provide critical enterprise services such as virtual and streaming application deployment, asset inventory, advanced Group Policy change management, desktop troubleshooting and repair, and more.

These diverse capabilities all have one thing in common: Each of the MDOP products helps to reduce the overall total cost of ownership (TCO) of Windows 7 desktops in an enterprise environment.

Microsoft makes broad claims about the TCO benefits of MDOP 2009 R2 and says rolling out MDOP in your environment will save from $5 to $125 per PC per year, depending on the tools and technologies you use. Pricing is approximately $10 per desktop per year, depending on the type of SA subscription.

Microsoft aims MDOP at those admins and IT pros who spend time putting out fires rather than proactively improving their infrastructure. By providing desktop optimization tools that help them manage common IT tasks more efficiently, the company hopes these admins and IT pros can turn their attention and skills to tasks that will improve their businesses.

Microsoft tells me that MDOP is, by far, the most popular SA product it has ever offered. In fact, some of the tools are so good that I've pressed the company on numerous occasions to consider providing them outside of the SA program.

For now, however, MDOP remains an SA perk. Here's what's available in MDOP 2009 R2.

Application Virtualization (App-V)

One of two desktop virtualization solutions in MDOP, Application Virtualization (App-V) provides a way to stream virtualized application packages to user desktops as managed services. The primary goal is simplicity: Because the applications being streamed are never installed directly on end-user PCs, they can be more easily managed. (Compare this to what is perhaps a more typical application virtualization scenario, one that’s based on backwards compatibility.)

The key here is that applications based on App-V aren’t installed on user PCs. This cuts down on testing, upgrading, and compatibility issues, because the applications are isolated from native applications running locally on the PC.

It can also lower software acquisition and management costs, since applications can be streamed to desktops only when they are needed and can be more easily updated on the server.

Customers who have rolled out System Center Configuration Manager (SCCM) 2007 R2 or System Center Operations Manager (SCOM) 2007 can integrate these management tools with App-V via the App-V Group Policy Administrative template and App-V Management Pack. So there's no need for separate tools to deploy, manage, and track App-V-based application licenses.

Microsoft Enterprise Desktop Virtualization

The second of MDOP's two desktop virtualization solutions, Microsoft Enterprise Desktop Virtualization (MED-V) is essentially a managed version of the Windows Virtual PC and Windows XP Mode technologies that debuted in Windows 7.

It provides a way to deploy virtual machines (VMs) and bundled applications to user desktops, letting users run legacy virtualized applications seamlessly and side-by-side with native Windows 7 applications.

MED-V is all about backwards compatibility: Some legacy applications, especially custom apps and line-of-business (LOB) apps, simply don’t run properly in newer OSs such as Windows 7, even with its improved application compatibility and troubleshooting infrastructure.

In these cases, it's possible to run legacy applications in a virtualized version of Windows XP, which typically offers much better compatibility than Windows Vista or Windows 7. What MED-V adds to this capability is application provisioning based on Active Directory Users and Groups, website redirection for sites that require Internet Explorer (IE) 6.0, and of course the ability to run legacy Windows applications side-by-side with natively compatible Windows 7 apps.

If you're looking at a Windows 7 migration but have some legacy applications that simply won't run properly, MED-V is the way to go.

Advanced Group Policy Management

Advanced Group Policy Management (AGPM) adds change management, versioning, and role-based administration control to Group Policy, providing for a more fine-grained and powerful management experience.

For example, it builds on the Group Policy Object (GPO) management delegation model native to Windows by adding the ability to track, control, and review changes made to GPOs by different admins and IT pros, and to search for changes that were made by a particular individual or on a particular site. It also provides the ability to copy and paste GPOs from one Active Directory (AD) domain to another and filter GPOs by attributes such as name or state.

Asset Inventory Service

Deployed as a hosted service and not as an on-premises server, Asset Inventory Service (AIS) examines the software installed on PCs and servers in your environment and helps you accurately determine whether you're in compliance with software licensing and policy.

AIS is useful in many scenarios, but for those considering a Windows 7 migration, this solution is key to determining what software is in your environment so you can ensure that it's Windows 7 compatible ahead of time. (Microsoft also offers on-premises inventory capabilities in its SCCM product if you'd rather not store information about your environment on Microsoft servers.)

Diagnostics and Recovery Toolset

Building on tools that were first made available through Mark Russinovich's Sysinternals toolset, the Diagnostics and Recovery Toolset (DaRT) provides a consistent repair and recovery environment for XP, Vista, and Windows 7 desktops and various Windows Server versions.

If you're familiar with the recovery tools that come with desktop versions of Windows, you'll immediately notice that DaRT is far more powerful. It provides an offline registry editor, admin password recovery, a crash dump analyzer, file restore capabilities, advanced disk tools (including ERD Commander), secure disk erase, a host of computer management functionality (including an event viewer), a hard-drive file browser, a hot-fix uninstaller, a system file repair utility, and more.

I assume the benefits of such a full-featured tool are immediately obvious. This is a serious IT tool that would benefit admins, IT pros, and help desk personnel in any environment.

System Center Desktop Error Monitoring

System Center Desktop Error Monitoring (DEM) helps admins examine OS and application errors as they happen and solve PC issues proactively. Normally, this information is sent directly to Microsoft so that the company can aggregate and evaluate issues, accelerating the response for those that are particularly widespread or dangerous. But with DEM, organizations can choose to intercept this data before it goes to Microsoft and observe issue trends that occur within their own organizations. This helps IT become more proactive about such issues.

The best aspect of DEM, perhaps, is that it doesn’t require an agent installation on user desktops. Instead, this solution uses the error reporting infrastructure that's already built into Windows. All you need to do to enable DEM is toggle a GPO in AD. (Microsoft also offers a more complete and integrated error monitoring solution as part of its SCOM solution; this solution requires you to install an agent on each desktop and server to gather error monitoring information.)

Recommendations

We're at an interesting juncture when it comes to desktop PC management. On the one hand, Microsoft is providing customers with a monster of its own making—a multifunction desktop OS with decades of improvements and backwards-compatibility capabilities that is as powerful as it is hard to manage. On the other hand, larger customers, especially those that take advantage of the software giant's SA program, have an impressive and ever-improving set of technologies they can access to improve and optimize desktop management and rein in some of Windows' less desirable traits.

Simplification is coming: I expect Microsoft to dramatically alter its desktop OS and use virtualization technologies it debuted in MDOP to remove legacy technologies from Windows. In this sense, MDOP tools like App-V and MED-V provide enterprises with capabilities that, no doubt, will become mainstream down the road.

People are confused about the dual desktop virtualization solutions as they now stand, however. The differences between the two are important. MED-V is primarily concerned with backwards compatibility. App-V is for simplifying application deployment. So while MED-V–based apps will generally run within a virtualized legacy Windows version and take on that environment's look and feel, App-V applications can run under Windows 7 and take on the Windows 7 look and feel. These are both important capabilities, but when you factor in other Microsoft virtualization capabilities, like the presentation virtualization offered by Remote Desktop Services (formerly Terminal Services), some confusion is justified.

Although I can't verify Microsoft's TCO claims, I can say that MDOP is an unparalleled collection of tools and technologies. I can quibble over whether some of these should be included in Windows proper already. But if you are taking part in SA, you owe it to your workplace to at least evaluate MDOP. There's some serious enterprise management muscle to be had here, and it comes with a minimum of overhead, learning curve, and cost.