Windows 8 Brings New Virtualization Benefits

Hot off the tailwinds of MMS 2012, a new Windows Blog announcement caught our eyes (and ears) today.  I actually have to thank my colleague, Kenny Chan at CDW for bringing this to my attention, because I wasn’t paying attention to MMS at all this week.  I’ll keep it short, since you can read the details on the site, but basically, there are a couple of enhancements being made to Windows Software Assurance:

  1. Windows To Go, which is basically running Windows 8 on a USB drive, is now available to both personal devices as well as work devices as long as the user’s primary device has SA on it.  And the key point here is that even if you bring in your personal device to work, it still counts (yeah!).
  2. Windows RT VDA Rights, which is Windows 8 running on ARM tablets, can now access VDI sessions assuming the user’s primary device is covered user SA.  In other words, if Bob, your end-user has a desktop/laptop covered under SA at work, he can now use his Windows RT Tablet to access those VDI sessions.  It is a huge bummer that it only covers ‘Windows’ tablets; I’m guessing that will change to include iOS and Android at some point in the future.
  3. Companion Device License – this is a new ‘add-on’ (AKA additional cost) to allow the user, who has SA on their primary endpoint, to connect into their VDI sessions from up to 4 personal devices.  The assumption here is that ‘where’ the connection is made – work or home doesn’t matter anymore.

So the best way to explain this, is to whiteboard this out.  You may see a pattern here, but maybe not.  Bob is the employee who has a Windows 8 Desktop licensed with SA.  As you can see in the diagram below, because he has SA on his primary device, he can use his Windows RT tablet to access his VDI sessions in the data center.  This is a benefit of SA, no big surprise.

Just like before, because of SA, Bob can go home and use his iMac and other devices to access his VDI sessions, as long as those devices don’t make its way back onto company premises.  However, let’s assume Bob also has CDL now added to SA on his primary device; this now allows him to bring in up to 4 of his personal devices while at work, and use them to access his VDI sessions.  So now Bob has more flexibility in bringing his own devices in and allowing his company to stay compliant.

Are these big changes for Microsoft?  Well, it’s definitely a step in the right direction, with BYOD gaining steam worldwide.  Like everything else, some will question whether these changes are ‘enough’ but like everything else, we have to wait to see how this evolves.  This is definitely a good thing.

Nathan

Microsoft releases a new VDI/VDA FAQ document

One of my coworkers just told me that a new FAQ dated April 2012 just came out, and it’s available here.  For this most part, there are no new surprises, but it does do a great job of clarifying things in detail.  There is a whole section on FPP, and you already know my thoughts on that – just stay away from FPP when trying to do hosted virtual desktops.

This document also clarifies using Windows Server licenses as desktops (many have tried to do this) as well as Service Provider options and issues around Client Hypervisors.  Definitely a good read.

Microsoft Windows Software Assurance isn’t the same as VDA

On the cusp of my last blog post, one of my colleagues pointed out another Microsoft document that shed some more light on the virtual desktop subject.  According to the  Licensing Windows 7 for Use with Virtual Machines licensing brief, which actually spells out how Windows can or can’t be licensed for use in a virtual desktop, it also highlights a couple things that you can and can’t do with VDA.

One thing in particular that caught my attention, was that if you plan on using a Client Hypervisor, like Citrix XenClient or the one built into Windows 8, you cannot use VDA.  You pretty much have to buy a device with OEM Windows and then upgrade to SA to run a VM (or 4).  You also can’t dual boot with Windows, or run Windows locally with up to 4 virtual Windows VMs, but I don’t see too many folks looking to do this with VDA anyways.

So for right now, it looks like licensing your endpoint with OEM Windows and upgrading to SA may yield the most amount of benefits if your use case calls for it.

Nathan

Please Read This before you deploy Virtual Desktops

Ok, i’ll keep this one simple and straightforward. There is only one licensing model to access a virtualized/hosted Windows 7 desktop, and that’s called Microsoft Virtual Desktop Access (VDA).  VDA has been around for a few years now (previously VECD), and here’s how it works.

  1. VDA is only available as a subscription model, and is about $100/device/year depending on your licensing tier.
  2. VDA is also available at no additional cost if your device has active Software Assurance.
  3. VDA also has Extended Roaming Rights (ERR) for the operating system, which allows the primary end point’s user to use a personally-owned device, such as a home computer or an iPad etc. to access that virtual desktop, as long as that device isn’t running on the organization’s or an affiliate’s network.   Just so you didn’t miss that one, which is critical for compliance reasons; ERR does not allow you to bring in a personal device and use your virtual desktop in the office, its only allowed when you are not on company property.

The clarification of how this works is done best by using an example.  Bob works in the Finance department at a large company.  He has a company-issued Windows 7 desktop computer with Office 2010, as well as an older notebook which runs Windows XP and Office 2003.  He has also been given a new iPad which was customized by the IT department.  IT has recently deployed a VMware View desktop solution, which enables Bob to get to a new virtual desktop and all his applications, from any device. The goal of this VMware View system is to unify Bob’s technology experience across his desktop, notebook and iPad, so he always has a common Windows 7 virtual desktop with all his data and apps.

The IT department has active Software Assurance (SA) on all its devices, including Office.  Since Bob’s desktop and notebook both have active SA, they are licensed properly to access his new virtual desktop, including all his Office Applications.  However, since the iPad doesn’t have an OEM Windows operating system or SA, the IT department will need to purchase additional VDA licensing for that device.  In fact, they will also need to purchase an additional Office 2010 license for that iPad if Bob plans to open and edit Excel spreadsheets while connecting with VMware View.  The key point here is that the device is actually a corporate asset, so it needs to be licensed like any other device that needs to access Windows 7 and Office.  Now, since Bob’s desktop is his primary device that has SA on it, he is also entitled to go home and use his personal iPad or PC to access his virtual desktop, provided that he is not bringing these devices physically onto the corporate network or an affiliate’s office.

Believe it or not, the above example is actually pretty simple.  But what if Bob’s IT department didn’t have SA on anything?  If that were the case, in order for Bob to access his new virtual desktop using his desktop, notebook or iPad, IT would need to purchase three VDA licenses as well as three Office licenses.  And if he needed to access his virtual desktop from a personal computer or tablet while at home, SA would be needed on one of those Office licenses.

Are we having fun yet? And you wonder why Client Virtualization adoption is stalling?  There’s one of the reason’s why.  In the interest of being simple and realistic, here is some advice:

  1. Don’t try and beat the system.  Avoid buying OEM licenses in bulk or doing Data Center Edition desktops with a Windows 7 skin.  If you need full Windows 7, VDA is the only way to go.
  2. Talk to your reseller’s Microsoft Licensing team.  These rules change all the time and they are always current on the latest and greatest compliance rules.
  3. If you find yourself struggling with the TCO and ROI aspect of deploying a Virtual Desktop solution, there is nothing wrong with deploying a regular desktop/notebook solution.  Windows 7/8 on a pc/notebook isn’t going away anytime soon and if designed and managed correctly, can be a rock solid solution for your organization.
  4. After you figure it all out, run your licensing scenario by another licensing specialist.  It never hurts to double-check your work.

Diving into Mobility & BYOD

Mobility seems to be the talk of the town these days; and it should be.  Smartphones are now the norm, and with millions of tablets floating around, the lines are starting to blur between the traditional ways we once viewed mobility.

In the past, when someone said mobility, I would assume they were talking about a BlackBerry, Palm Treo or Windows Mobile device.  However today, not only do we have new contenders like Apple’s iPhone and Google’s Android (who dominate the smart phone market), but we have a new class of devices – tablets, slates, ultrabooks and more to come.

Another term we can’t seem to stay away from these days is BYOD (Bring Your Own Device), and this is definitely a force that’s driving mobility solutions.  We first started seeing people carrying around their own netbooks (remember those?) and it seems that after the iPad and the MacBook Air, this started becoming increasingly prevalent.  Sure, there are many companies that provide these devices to their employees, but you would be surprised how many of these devices are actually owned by each individual employee.

So getting back to defining Mobility; what exactly is it?  Let’s take a look at all the possible options:

  1. Devices – Clearly, smartphones and tablets are in this category.  But what about the staple computing device – the notebook?  Isn’t the notebook the real catalyst that started mobility?  Of course it is, and notebooks and now ultrabooks are definitely in the mix when you talk about mobility.  In a nutshell, we’re talking about any device that can connect back into your data center applications, or even cloud-hosted ones.
  2. Carrier-enabled Broadband –  Every device has WiFi today, and almost everything in this category has a carrier broadband option.  For smart phones, it’s a given, they can all consume data plans, and in some cases, you can’t activate service without a data plan.  For tablets, this is a model-based option, like the new iPad with various LTE and 3G carrier options.  Another quite popular option is buying a mobile hotspot, like the Sprint Overdrive Pro, that can allow up to 5 WiFi users to access its 3G/4G network thereby consolidating data plans and sharing connectivity between devices.  From a mobility perspective, being able to activate these devices, managing them and watching data overages is key for organizations that provide these carrier services to their workforce.
  3. Security – This is on top of everyone’s list.  With initial smartphones that were limited in functionality, we could tie down these devices, encrypt their email/calendar data and remotely wipe it if necessary.  With today’s smartphones and tablets, you can pretty much extend their functionality to that of a computer, and controlling how your data is stored, either locally or in the cloud is a nightmare.  Thankfully there is a slew of  Mobile Device Management (MDM) players that can enforce security policies on each device, so that data leakage can be prevented (even though it’s not full-proof at the time of this writing).  Something else to consider here, is a more advanced Network Access Control (NAC) technology such as Cisco’s Identity Service Engine (ISE) technology.  This will enable your end users to only access systems they are authorized to access, even if they are on the local network.  Essentially, rather than relying on each application’s software to control who can ‘get’ to what system on your network, this controls and reports access attempts from the network layer, thereby isolating users and devices before they even become a threat.
  4. Policy – Having a strong, governed IT Acceptable Use Policy is key, but even more important is setting the right enforcement and ramifications if employees fail to adhere to such policies.  This is a huge issue today, with many organizations that don’t even have any policies in place, or have policies that aren’t being followed/governed.  The bottom line is that every organization should have a current, well-defined policy, and every coworker should be held accountable for adhering to that policy.  While policy inspection isn’t completely automated today, it will be in the future as more granular controls and reporting tools emerge in the marketplace.  Think about a mix of Cisco ISE, Splunk , Mobile Iron and Microsoft System Center; it’s all coming together eventually.
  5. Apps – It’s all about the apps these days.  And while we may all agree that a local app running on your device gives you the best mobile experience, there are still a lot of apps that are only available in a browser.  For everything else that can’t be ‘applified’, we resort to using Client Virtualization technologies, such as those made by Citrix, Microsoft and VMware.   However, embarking on a Client Virtualization journey is not for the faint hearted; this takes a lot of time, planning, testing, training etc. before it can be rolled out to the masses.  Thus mobility includes the management, monitoring and updating of not just local apps, but also client virtualization technologies, which include both virtualized apps and desktops.

This may all seem very overwhelming.  However, in many cases, it may be a necessity to move your organization forward.  In some cases, you could just stay the current course and wait for the next big wave of technologies.  The bottom line is; start with a well justified business plan.  Many go down the Client Virtualization or BYOD path because the assumption is that ‘everyone needs iPad or remote access.’  While that may be true, you have to look at mobility as an end-to-end solution, and understanding all the intricacies, including a phased adoption approach that will be key in making it a successful addition to your organization’s technology strategy.

Notice that I didn’t mention TCO or ROI in this blog entry.  There is a reason for that, because unless you look at mobility collectively, you can’t get an accurate reading on this.  Start with TCO today versus TCO post implementation, and many times, you will be surprised by the results.