In a previous blog (April 2019), while Windows Virtual Desktop (WVD) was still in Beta, I explored its features and debated the importance of this move by Microsoft into the world of virtual desktop infrastructure. Computacenter has been working with Microsoft and tracking the development of WVD through Public Preview and General Release.
In this blog I will explain:
- Why you should be interested in it?
- What it means to other vendors?
- How can you know if WVD is right for you?
Why should you be interested in WVD?
From the initial excitement of virtualising desktops, born from the success in the server world, VDI has remained at 10-20% of the desktop estate of large organisations. From the premise of everyone should have one, we now focus on specific use cases where the benefits stack up. With WVD, Microsoft are focusing on three scenarios:
- Replace/migrate on-premises virtual desktop deployment
At some point you’re going to need to refresh your existing virtual desktop infrastructure, which will be both time-consuming and costly. With many companies boasting a ‘cloud first’ strategy and an ongoing modernisation of application portfolios, migrating those workloads must be considered.
- New Windows virtualisation
The experience of using and managing virtual desktops has become significantly easier in the last few years, whilst the challenge of effectively maintaining physical desktops is arguably becoming harder. Whether it’s a tactical workload like third party access or something more strategic, the ability to pilot and develop on a cloud platform removes a lot of initial investment.
- Windows 7 end of support
There will be organisations out there whose Windows 10 plans are being hampered by problematic Windows 7 applications. Migrating those workloads to Azure will give you the extended support needed, and so time, to allow that final remediation to take place. From a compliance point of view, it’s certainly a better place to be.
Single versus multi-cloud strategies
The main alternative to desktop virtualisation is giving people a laptop but let’s assume you’ve addressed that and your use cases for virtualisation are defined. If there is a limitation of WVD then it is its dependence on Azure. If that is an issue it’s worth remembering though that WVD is in fact two separate constructs; “broker” and “licensing entitlement”.
As a licensing entitlement you can choose to use Citrix, VMware, or a number of System Integrators offering turn-key DaaS solutions as the broker to those Azure desktops. The advantage of those is the ability to run workloads not just in Azure but on-premises and on other public clouds from a single management plane. This could expand the number of users that could be included within scope. It also means that, perhaps, public cloud becomes your disaster recovery site of choice, offering constantly refreshed hardware at a fraction of the cost while not powered on.
You also need to consider where your desktops reside based on the applications they need to access. With so many legacy applications hamstrung by latency sensitivity the proximity of the application and the desktop could be paramount to the user experience and, so, success of the project.
Assessing if WVD is right for your organisation
Whether you are new to desktop virtualisation or looking to transform an existing deployment, Computacenter would recommend the following approach:
- Understand your business requirements and the needs of your users
Ensure you are clear on what WVD can deliver that physical machines can’t and match that to the needs of the business now and in the foreseeable future. Define your user workstyles at a conceptual level and use end user analytics to collect the empirical data that will help you understand which users are a good fit for WVD.
- Use proof of concepts and early user pilots to gain confidence and understanding
One of the most powerful aspects of public cloud is how fast you can be up and running. Test the scenarios you’ve identified and the applications that are in scope to confirm the user experience. Target users to pilot the environment and gain real-world feedback. Positive experiences will help gain momentum in the next phase.
- Build the business case and plan the deployment
Align identified business metrics to the capabilities of WVD. Baseline those metrics and be clear on how you can measure and so show improvement on them. Consider how ongoing application strategies may impact when people can be deployed and where their desktops should be placed.
Microsoft embracing desktop virtualisation is fascinating, and the long-term benefits for everyone must be a positive. Citrix and VMware have been talking about the benefits of public cloud for VDI for a long time, but few large-scale deployments have moved fully to it. Many on premises VDI deployments were not deployed optimally, I think it’s fair to say, and if you were to do it again you’d probably do it differently. Public cloud forces you to re-visit those decisions both from an operational and a cost point of view. Re-visiting desktop virtualisation also forces you to look at the use cases you are supporting and re-evaluate them. Are you supporting how your users and the business want to work or making them work in a certain way due to the technologies you’ve implemented?
Desktop virtualisation offers capabilities that physical desktops cannot. Public cloud offers benefits that are hard to achieve on premises. Neither will bring success though if the right users and workloads aren’t identified.
Let Computacenter help you decide if WVD can benefit your organisation.
Let’s face it, nobody likes passwords, but now that everything we access exists online, they are hard to escape. As organisations look to consume more SaaS applications and cloud-based services, they will be faced with not only new security risks but also increased costs: 20% of support calls are about forgotten passwords. At a time when digital identity has never been more important, could we be contemplating the possibility of passwords being a thing of the past?
As we’ve seen in the news, people will often create the simplest password they can get away with to make it easier to remember. The drive to keep us secure is now in itself a security risk. Here’s some advice from one security website I found: ‘a phrase like “security breeds success” can become a password of “S3curityBr33d$Succ3$$”’. Brilliant, thanks for that. I’ve typed my password in 15 times today and it’s only 2pm. A BBC article, in 2004, revealed that more than 70% of people would tell someone their password in exchange for a chocolate bar. Now that is a long time ago and most people are more aware now, but phishing remains the easiest way to gain access to account information, largely in more sophisticated ways than bribery through a Lion bar, but the outcome is the same.
The proliferation of systems we authenticate to every day means multiple usernames and passwords, which has led to Identity Access Management (IAM) being a major focus for our customers. IAM solves the problem through single sign-on but the importance of that single password then becomes even greater. You can, of course, add another layer of security by implementing multi-factor authentication (MFA) but let’s be honest no-one likes that either. By that I mean no-one likes traditional MFA, where you end up having to remember a password, a PIN and carry a hardware token around with you. Multi-factor is the key to this problem, we must just implement and view it differently.
Consumerisation influences all areas of IT. Our expectation has become that how we use technology at home should be reflected in how we use it at work. Vendors appreciate this and have benefited by trialling products in the consumer world to gain experience before bringing it into organisations.
We love the fact that we can use our fingerprints, or face, to authenticate to applications on our smartphones and it’s that user experience that we have started to expect at work. Websites, however, can be accessed from any device and so need a different solution. Those solutions are now being trialled by companies like Microsoft and Google. Both of whom allow you to access services using only your phone as a source of authentication. I can’t remember the last time I used my password to access my Outlook account from a device that I trust. In fact, I’m not even sure what my Outlook password is.
In business-to-employee security, organisations are starting to adopt Windows Hello for Business to alleviate the password problem but a barrier to adoption will be a reliance on the hardware required to support it. It also requires everyone to be running a Windows Operating System which goes against the trend of increasing device choice. Solutions that make use of smartphone technology are agnostic of primary device; they also benefit from often being more up to date than many people’s laptops and something you’re unlikely to ever be very far from. This should make us consider the additional use cases and possibility of allowing business-to-business and business-to-consumer transactions to have a similar simple and secure mechanism to enable people to prove who they are. This would truly digitise many traditional businesses and services, from mortgage applications, to insurance services, money transfers, and more.
The traditional view of authentication is based upon three common factors: something you know (your password), something you have and something you are. Biometrics, along with industry standard authentication specifications (like WebAuthn and FIDO2), can remove the inconvenience of that first factor thus delivering an enhanced user experience, while reducing cost and simultaneously improving security.
Just imagine for a moment that you’ve just changed your Windows password for the last time. Picture never having to click a ‘reset my password’ link ever again. It’s a lovely thought and the reality is not that far away. Until then try taking a phrase from your favourite film, replacing various letters with numbers, adding some random capitals and try to squeeze an ampersand in somewhere just to be on the safe side. Don’t forget to repeat that across all your accounts and be prepared to make changes every 60 days.
World waits to see what it means.
Microsoft have almost always done virtual desktops, well, published desktops at any rate. So, why, since its announcement at last year’s Microsoft Ignite Conference, has Microsoft Windows Virtual Desktop (WVD) generated such interest? Last week, it was finally released as a public beta, so now we can validate whether WVD is aimed at small and medium businesses or can really compete in the Enterprise space.
Cloud desktop adoption is growing as organisations move more applications out of their datacentres and increase their consumption of SaaS, thus reducing the need to site resources locally. The attraction of the ability to deliver a disaster recovery platform without investing in ageing hardware is a compelling one. Similarly, the ability to deliver any virtualised desktop platform without paying for compute upfront removes a barrier to adoption. So far, VMware and Citrix’s Cloud desktop offerings have tried to remain platform agnostic, so can Microsoft make a success of an offering that limits you to only Azure? Here are four features that may convince you.
If you’re a Microsoft 365 E3/E5, Windows E3/E5 or M365 Business/F1 you are already licensed for it. You will, of course, still need to pay for your Azure VMs and any supporting solutions, but it removes the need for the additional cost of desktop virtualisation licensing.
- Windows 7 support
It should come as no surprise to any of you that Windows 7 goes EOL in January 2020. If you haven’t migrated all your desktops to Windows 10 and wish to remain supported, you are going to have to pay for that extended support unless you migrate those Windows 7 desktops to Azure. With WVD you will continue to receive security patches for the full three-year term, if needed, at no cost.
- Windows 10 multi-user support
Windows 10 multi-user is a feature of Azure, rather than WVD specifically, and will come with native Office 365 support. The expectation is that providing a session-based desktop on a client OS will give greater application compatibility, better GPU integration, and an improved user experience than you get on a server OS. It also gives you an alternative solution for when support for Office 365 is dropped from Windows Server 2019.
- Office 365 support optimisation
Through Microsoft’s acquisition of FSLogix, WVD offers support for Office 365 in non-persistent desktops through their layering technology. This means you can deliver your desktops in the most cost-effective way while maintaining user experience and performance.
So, this is great, WVD will replace the need for additional licensing from Citrix and VMware? Well, don’t forget Microsoft has always delivered basic services in this area and other vendors have enhanced that functionality for people that needed it. So, is WVD any different? At present, Citrix can sell WVD (there’s a whole other discussion here…) and intend to offer Citrix DaaS as an enhancement but what that means isn’t clear. VMware have yet to make any announcement but continue to develop their own Azure offering to rival Horizon Cloud on AWS.
The Microsoft of today is all about agility. WVD is only at the public beta stage; over the coming weeks and months, we’ll see the product rapidly mature I’m sure. But, and it’s a big but, do you want to put everything into Azure? Every customer I talk to has a multi-cloud strategy. Even those that have gone heavily into Azure are transforming their applications to microservices and containers to simplify their portability. Perhaps Microsoft will look to use Azure Stack to extend their functionality to on-prem. They are unlikely, however, to ever allow you to run workloads in other Clouds. In the past Microsoft had little incentive to make massive investments in RDS because every Citrix or VMware license pulled through a Windows one. Now though, those investments are going to drive Azure consumption. Citrix and VMware both have mature virtualisation solutions that offer flexibility as well as wider desktop portfolios, but will it be enough to fight off this new competition?
If you are looking at a tactical desktop virtualisation project and/or you have decided that Azure is the platform for you, WVD needs to be considered. Let’s not forget that this solution hasn’t even been released yet, but Computacenter are certainly investing time to understand what it means for us and what it will mean for our customers.
I am fresh back from the biggest ever VMworld Europe, buoyed by the numerous announcements and developments in their end-user capabilities. On the back of our strengthening strategic partnership I thought it was time to address that age-old question; which is best Citrix or VMware?
It’s not easy being a consultant. It’s even harder when you don’t work for a vendor and so aren’t invested in a specific technology stack. Yes, I get it, there are worse things in life, but all things are relative. For me, nothing represents that better than organisations asking whether they should choose VMware or Citrix? The response ‘it depends’ is often met with exasperation, but it’s key to everything we do, by focusing on the value to a business and the requirements they are trying to meet.
Back in 2014, VMware bought AirWatch for $1.54 billion; a staggering fifteen times its reputed worth. We had already seen the explosion of mobile devices into organisations and the realisation of how much more productive they could make people, but it was also evident that managing mobile devices was a different proposition to managing static PCs.
Pretty soon that was looking like a smart move. However, roll forward to 2018 and the benefits of Mobile Device Management are being exploited across the wider estate, making the purchase look like a fabulous move. The development of Unified Endpoint Management (UEM) has allowed VMware to talk not just about virtual desktops, not just about mobile devices but the whole end-user estate. With this the focus has shifted from just competing with Citrix to competing directly with Microsoft. With virtual desktops constant at around 10% for most customers, the bigger opportunity remains the physical world, hence the development of Workspace ONE. The prize now is looking beyond the Microsoft ecosystem at how the workplace is becoming more disparate, driven by consumer/colleague choice. This strategic, holistic vision is now more often what drives solution choice.
In August 2017, VMware bought Apteligent, nine months later they bought E8 Security and delivered Workspace ONE Intelligence to improve user experience, optimise resources and strengthen security and compliance. In May of this year, they announced their strategic partnership with Okta which increased their capabilities to deliver a compelling identity story. I said above that the focus has shifted from Citrix to Microsoft, with these acquisitions and the capabilities they bring, in truth VMware is battling against their partnership.
The decision to remain on a certain virtual platform should be considered alongside how devices will be managed, how identity will be handled, what cloud investment strategy has been decided, which endpoint security requirements you have. Most organisations have existing investments in technology that come up for renewal at different times so changes need to be modular and fit an end vision. They must interact and exist alongside other products until the time is right to retire them. So where do you start? In Workspace ONE I see four opportunities.
Device diversity – organisations are increasingly looking beyond Microsoft Windows to support greater user choice. The drive from Apple and Google into Enterprise organisations is, so far, better supported and has more focus from VMware.
Consumerisation of IT – as the consumer world now leads the Enterprise world there is an expectation of a certain user experience and ease of use. Workspace ONE delivers a consistent consumer-like experience across multiple OS platforms and form-factors.
Existing AirWatch investment – where mobile devices are already being managed via AirWatch the ability to extend that management to the primary device estate through a ‘single pane of glass’ can make a strong case for retaining and strategically developing investment in VMware.
Existing virtual desktop and app investment – where VMware Horizon has been deployed the built-in integration into Workspace ONE and potential licence benefits could make the case for deploying the wider portfolio of products. Publishing applications through the Workspace ONE app can be a key driver to greater end-point diversity.
VMware can co-exist with traditional management systems to manage a wide range of devices and form factors. Using analytics, they now have insight into the user experience, with their open security platform they can take advantage of best of breed vendors and with their partnership with Okta they have an identity solution to integrate any application strategy safely and securely. That gives them the capability to offer a direct comparison to Microsoft’s Enterprise Mobility and Security suite.
Competition provides benefits for the user and drives vendors to be innovative. If you believe that your future desktop strategy extends beyond the Microsoft world, then Workspace ONE is something you need to consider. Let’s have the conversation, just don’t expect a simple answer.
Hands up who has departments that depend on Zoho Invoice, Eclipse Manager or Diagram Painte? Okay I’ve picked some of the more random business applications available in the Microsoft Store for Business, but I’ve not had to leave the home page to do so. Other than the Microsoft applications and a couple of offerings from Citrix there isn’t much there you’d recognise. Because of this the Windows App Store has not so far been a focus for enterprise organisations, but could that be changing?
Microsoft’s attempt to modernise how we install and deliver Windows applications has failed to impress. Continuum was meant to deliver universal applications to run across the entire Microsoft ecosystem, but as good an idea as it was, the developers never came and, so, neither did the apps. That led to the end of Windows phone, while doing nothing to improve the dearth of business content in the Microsoft Store. Terry Myerson, Vice President of Operating Systems at Microsoft in 2015 said “tool kits will allow developers to bring their code for iOS, Android, the Web, .NET, and Win32 to the Windows Store with minimal code modifications. Our goal is to make Windows 10 the most attractive development platform ever”. Apple and Google have their own app stores though and the benefits of moving away from ‘how we’d always done it’ weren’t compelling enough. Windows Desktop Bridge was the last initiative to invigorate the Universal Windows Platform (UWP) and so the Microsoft App Store. This time the focus was on migrating 32-bit MSI (so just Windows) packages to APPX (Universal) ones. However, to gain all the benefits of UWP additional development is required and that is a barrier to organisations adopting it. In 2017 Microsoft released the MSIX package format to replace MSI, APPV and APPX extensions and get around this problem. MSIX has all the features of UWP with more container security options and extra application customisations. To further aid the adoption of the new standard, Microsoft open sourced the entire project on GitHub. MSIX is still in its infancy and has only just gained support in Windows 10 1809. The current format does not support driver installation, Windows service installation or modification, kernel or Explorer modification. Having said that the promise is very much in line with the messaging around Modern Management and the continued consumerisation of the Windows desktop. 
The abstraction of applications from the OS increases the ease at which feature updates can be deployed and offers the self-service experience users now expect.
The previous lack of a cohesive application strategy has held back the promise of a Windows App Store resulting in the chicken and egg problem: if Microsoft can entice software developers to take up the MSIX format people will use the app store, if people use the app store software developers will develop apps for it. The concept is a seismic shift away from how Windows applications are delivered, but then Windows 10 demands we consider applications in an entirely different way. As we change the way we manage Windows, so ISVs are having to change the way they develop software to keep up with the moving target that Microsoft is presenting. This ability to distribute software across the globe, through a store, with their latest supported versions immediately available to users as soon as they update Windows is hugely appealing for all concerned.
Whatever platforms and initiatives Microsoft invent they are completely beholden to the developer community and the behaviour of users. A consistent message will go a long way to helping them. The hope is obviously to replicate the consumer experience we take for granted with application update notifications. However, other platforms may not have 30 years of legacy applications to contend with. Business-critical, internally developed applications needing extensive user testing before release, will always be treated differently but ‘Evergreen’ is changing application testing. You aren’t going to test 3,000 apps every six months, so which ones do you really care about? Which will you test proactively and which reactively? The drive to modernise applications continues at pace but plenty of legacy remains that could be adapted to be delivered from a Windows App Store. For now though, we’ll have to wait and see what the uptake of MSIX is, both with the software vendors and internal packagers.
Based on the organisations I speak to, we’ve reached roughly a 50/50 split between SaaS and traditional ones. If we assume that the easy ones get transformed first we’re now into the long Microsoft tail of applications we still have to deploy out to colleagues. To do this we need new solutions and MSIX seems to enable this. Does MSIX spell the end of App-V? Probably. Does this mean the reality of a Business App Store is upon us? Possibly. The demand for, and expectation of, a Windows App Store is certainly there, we just need the applications. Of course, you could be one of the 16 people worldwide who use Zoho Invoice in which case you’re already living the dream.
Zero touch deployment is something of a Holy Grail in the desktop configuration management world. Even with complex scripting and numerous third-party products it has continued to evade us. Does that now change with the advent of Microsoft Autopilot? Will you become the Indiana Jones of your organisation?
So what is Windows Autopilot? Autopilot is a process more than a technology, which enables you to take a Windows 10 device out of the box, connect it to a network, type in your credentials and voilà! Moments later (timings dependent on many factors, obviously) you’re up and running complete with applications and data. Truly zero touch (if you exclude the typing); but only for the right users, in the right locations, with the right applications.
At a high-level you upload – or more likely your hardware manufacturer will – your device IDs to your company’s Azure tenancy and you get your policies and applications applied as you login without the need to re-image. The technology behind this is based upon modern management (unified endpoint management) so this will work with any Enterprise Mobility Management (EMM) vendor. Modern management makes use of the APIs enabled in Windows 10 and allows you to manage them in the same way you do the mobile devices in your estate. So SCCM equals traditional, AirWatch, Intune etc. equals modernity. The problem is SCCM has a long history and manages the majority of enterprise organisations’ estates today. That’s a good deal of customisation and knowledge that’s been baked-in over the years as well as the features and functionality that the EMM boys are yet to develop.
There’s also the consideration of whether you join your machines to Active Directory. Autopilot is dependent on Azure AD. This brings your identity strategy into question. Are you ready to switch off AD? APIs give you access to a few thousand settings but group policies run to tens of thousands and if you consider that they’re really just registry settings then they’re virtually infinite. So how quickly could you translate all that configuration onto a new platform?
Microsoft is well aware of this though and since Windows 10 1709 has allowed Autopilot to work in conjunction with SCCM in a hybrid model. This allows you to join machines to Azure AD and your local AD, which goes some of the way to solving the current restrictions. However, deployment is still triggered by your EMM tool and so the granularity that SCCM offers is somewhat negated. So what does that mean in practice? Statistically, seven out of ten people reading this are not going to be on Windows 10 yet and so have a transformation programme ahead of them. Thousands of users will be sitting in your offices ready for their new devices. They’ll get them, unbox them and individually start downloading 20GB of data across your network. How do you see that going?
Modern management, as a technology, is developing fast so it definitely needs to be part of your strategy but you need to know your use cases and requirements to get the greatest benefits from it. Users who spend the majority of their time away from the office and have a limited application set are a great place to start. Generally, for office users you’ll want to deploy to them using a traditional SCCM imaging solution. Once they’re on Windows 10, then modern management is the way to go as you transition away from local AD security policies and traditional application delivery, but that is a process that will take time to reach maturity.
This is the future of deployment, without a doubt, but for the time being it needs to be part of an overall deployment strategy. As colleagues have become more mobile traditional management methods have failed to keep up. EMM platforms were built with the assumption that all users are mobile. The transformation of your environment will most likely be suited more towards SCCM with some opportunity for Autopilot. Once you get to Windows 10 though, more users are likely to be suitable to be managed in a modern way. As the technology develops more new and refreshed devices will come into scope. The key here is to make Autopilot part of your infrastructure now, but understand which users are able to make use of it. Be aware though that in six months’ time those use cases will have changed and grown so they need to be reviewed regularly. In Autopilot Microsoft has finally caught up with Apple’s Device Enrollment Programme and the expectation that users have for how things should work. So maybe you will find the Holy Grail and won’t need the hat and whip!
Until this year, every year since 2008 has been ‘the year of VDI’. The one where virtual desktop growth would increase exponentially and everything else would be the exception. I did my first virtual desktop project in 2010 (not for Computacenter I hasten to add). I’ll tell you now it was not a great success. Actually, that’s not fair, it did work, there were just some caveats. We explained to the users not to look at web pages with lots of pictures, or view videos (obviously) and to expect some typing delays during busy periods – that sort of thing. I’m sure you can imagine the conversations we had. My efforts to explain how clever it all was were wasted.
That was a while ago. The technology caught up and virtual desktop user experience improved to be at least on a par with their physical counterpart. So why has VDI remained at 10% of the desktop estate for the majority of organisations? Why does no-one talk about the year of VDI anymore and what is the future?
The problem with VDI remains its complexity. Complexity to design, deliver and support. Where mobility and flexibility are important the easiest and most cost-effective solution has been to give users laptops. This left 10% of users for whom virtual desktops made a real difference. These individuals usually worked in areas where focus of return on investment was about enabling ways of working that traditional desktops couldn’t, such as securing access to data from third parties and contractors; where task workers with limited application sets are required (call centres); or to provide the ability to return to a known good state quickly and easily (developers and testers).
Now it’s beginning to feel like VDI numbers are declining or at best have stabilised. The rise of Apple and Google in the enterprise and applications increasingly moving to SaaS (browser-based solutions) means we are no longer so reliant on a Windows operating system. Content management and contextual security has also removed some of the security concerns that previously made the case for VDI.
I’m not suggesting Windows is dead! Yes, device proliferation is a thing, but we will still need to access Windows apps that people lack the desire, or possibly the knowledge, to modernise. What we need is some way of delivering just the application through a client that runs on any OS. We can do that. We’ve been able to do that since 2001 with MetaFrame, earlier if you count WinFrame, so as is often the way, IT solutions previously discounted as ‘old-hat’ have come round again as the solution to all our problems. Things have moved on a bit though.
- Frame gives you the ability to access Windows apps just using a browser
- VMware utilise Windows RDSH through Workspace One to provide a fully integrated solution that can be deployed on premises or public cloud
- Citrix XenApp (the replacement to MetaFrame) can be consumed from the Azure marketplace, any public IaaS platform or on premises
The benefit to the user is the best native experience on the device they have chosen with the ability to access their business applications in a virtually seamless, albeit online-only, manner. The benefit to the organisation is the ability to offer choice while maintaining a simple and secure way of delivering Windows applications. At least it is for the foreseeable future.
I once heard someone say that XenDesktop was a great advertisement for XenApp. When you had a requirement for server-based computing nine times out of ten XenApp was the best answer. The year of VDI never came but server-based computing will be around for a while yet so maybe this year will be the year of the published app. Not that anyone’s going to be stupid enough to prophesy that!