Microsoft Virtualization: part 3 (desktop virtualisation)

Before the weekend, I started a series of posts on the various technologies that are collectively known as Microsoft Virtualization. So far, I’ve looked at host/server virtualisation and in this post, I’ll look at the various forms of desktop virtualisation that Microsoft offers.

Whilst VMware have a virtual desktop infrastructure (VDI) solution built around Virtual Infrastructure (VI), Microsoft’s options for virtualising the desktop are more varied – although it should be noted that they do not yet have a desktop broker and recommend partner products such as Citrix Xen Desktop or Quest vWorkspace (formerly Provision Networks Virtual Access Suite). With Hyper-V providing the virtualisation platform, System Center Virtual Machine Manager, Configuration Manager and Operations Manager for management of virtualised Vista clients, this is what some people at Microsoft have referred to as Microsoft VDI (although that’s not yet an official marketing concept).

Licensed by access device (PC or thin client) with the ability to run up to four virtual operating system instances per license, the Vista Enterprise Centralized Desktop (VECD) is actually platform agnostic (i.e. VECD can be used with VMware, Xen or other third-party virtualisation solutions). VECD is part of the Microsoft Desktop Optimization Pack (MDOP) and so requires a Software Assurance (SA) subscription.

With a broker to provide granular authentication and support for the Citrix Independent Computing Architecture (ICA) protocol (for better multimedia support than the Remote Desktop Protocol), users can connect to a Windows Vista desktop from any suitable access device.

To access this virtualised infrastructure there are a number of options – from thin-client terminal devices to Windows Fundamentals for Legacy PCs (WinFLP) – an operating system based on Windows XP Embedded and intended for use on older hardware. WinFLP is not a full general purpose operating system, but provides suitable capabilities for security, management, dcument-viewing and the Microsoft .NET framework, together with RDP client support and the ability to install other clients (e.g. Citrix ICA). Running on old, or low-specification hardware, WinFLP is an ideal endpoint for a VDI but it is a software assurance benefit – without SA then the closest alternative is to strip down/lock down Windows XP.

VDI is just one part of the desktop virtualisation solution though – since Microsoft’s purchase of Connectix in 2003, Virtual PC has been available for running virtualised operating system instances on the desktop. With the purchase of Kidaro in March 2008, Microsoft gained an enterprise desktop virtualisation solution, which has now become known as Microsoft Enterprise Desktop Virtualisation (MED-V) and is expected to become part of MDOP in the first half of 2009.

Effectively, MED-V provides a managed workspace, with automatic installation, image delivery and update; centralised management and reporting; usage policies and data transfer controls; and complete end use transparency (i.e. users do not need to know that part of their desktop is virtualised).

The best way I can describe MED-V is something like VMware ACE (for a locked-down virtual desktop) combined with the Unity feature from VMware Fusion/Coherence from Parallels Desktop for Mac, whereby the guest application instances appear to be running natively on the host operating system desktop.

MED-V runs within Virtual PC but integration with the host operating system is seamless (although MED-V applications can optionally be distinguished with a coloured border) – even down to the system tray level and providing simulated task manager entries.

A centralised repository is provided for virtual machine images with a variety of distribution methods possible – even a USB flash drive – and a management console is provided in order to control the user experience. Authentication is via Active Directory permissions, with MED-V icons published to the host desktop.

MED-V can be used to run applications with compatibility issues on a virtual Windows XP desktop running on Windows Vista until application compatibility fixes can be provided (e.g. using Application Compatibility Toolkit shims, or third party solutions such as those from ChangeBASE). Furthermore, whereas using application virtualisation to run two versions of Internet Explorer side-by-side involves breaching the end user licensing agreement (EULA), the MED-V solution (or any operating system-level virtualisation solution) provides a workaround, even allowing the use of lists to spawn an alternative browser for those applications that require it (e.g. Internet Explorer 7 on the desktop, with Internet Explorer 6 launched for certain legacy web applications).

Using technologies such as MED-V for desktop virtualisation allows a corporate desktop to be run on a “dirty” host (although network administrators will almost certainly have kittens). From a security standpoint, MED-V uses a key exchange mechanism to ensure security of client-server communications and the virtual hard disk (.VHD) image itself is encrypted, with the ability to set an expiry date after which the virtual machine is inoperable. Restrictions over access to clipboard controls (copy, paste, print screen, etc.) may be applied to limit interaction between guest and host machines – even to the point that it may be possible to copy data in one direction but not the other.

At this time, MED-V is 32-bit only, although future releases will have support for 64-bit host operating system releases (and I expect to see hypervisor-based virtualisation in a future Windows client release – although I’ve not seen anything from Microsoft to substantiate this, it is a logical progression to replace Virtual PC in the way that Hyper-V has replaced Virtual Server)

Desktop virtualisation has a lot of potential to aid organisations in the move to Windows Vista but, unlike VMware, who see VDI as a replacement for the desktop, Microsoft’s desktop virtualisation solutions are far more holistic, integrating with application and presentation virtualisation to provide a variety of options for application delivery.

In the next post in this series, I’ll take a closer look at application virtualisation.

Leave a Reply