10324A
Implementing and Managing Microsoft
Desktop Virtualization
Information in this document, including URL and other Internet Web site references, is subject to change without notice.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain
name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright
laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no
representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the
products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of
Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of
Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any
changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from
any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply
endorsement of Microsoft of the site or the products contained therein.
Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. Academic Materials means the printed or electronic documentation such as manuals, workbooks, white papers,
press releases, datasheets, and FAQs which may be included in the Licensed Content.
b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions location, an IT
Academy location, or such other entity as Microsoft may designate from time to time.
c. Authorized Training Session(s) means those training sessions authorized by Microsoft and conducted at or
through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning
Products (formerly known as Microsoft Official Curriculum or MOC) and Microsoft Dynamics Learning Products
(formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on
the subject matter of one (1) Course.
d. Course means one of the courses using Licensed Content offered by an Authorized Learning Center during an
Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.
e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or analog device.
f. Licensed Content means the materials accompanying these license terms. The Licensed Content may include, but
is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv)
Software. There are different and separate components of the Licensed Content for each Course.
g. Software means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included
with the Licensed Content.
h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.
i. Student Content means the learning materials accompanying these license terms that are for use by Students and
Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files
for a Course.
j. Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other
individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or
instruct an Authorized Training Session to Students on its behalf.
k. Trainer Content means the materials accompanying these license terms that are for use by Trainers and Students,
as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard
Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.
l. Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard
disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to
allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard
Disks will be considered Trainer Content.
m. Virtual Machine means a virtualized computing experience, created and accessed using Microsoft Virtual PC or
Microsoft Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks,
and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes
of these license terms, Virtual Hard Disks will be considered Trainer Content.
n. you means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content,
Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer
basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students
enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use
does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and
only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the
number of Devices accessing the Licensed Content on such server does not exceed the number of Students
enrolled in and the Trainer delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed
Content that you install in accordance with (ii) or (ii) above during such Authorized Training Session in accordance
with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not
separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to
the use of those third party programs, unless other terms accompany those programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a
classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install
and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and
for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own personal training Use
and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions in this agreement,
these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same
information and/or work the way a final version of the Licensed Content will. We may change it for the final,
commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any
Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no
obligation to provide them with any further content, including but not limited to the final released version of the
Licensed Content for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without
charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to
third parties, without charge, any patent rights needed for their products, technologies and services to use or interface
with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not
give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation
that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you
may not disclose confidential information to third parties. You may disclose confidential information only to
your employees and consultants who need to know the information. You must have written agreements with
them that protect the confidential information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You
must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the
information. Confidential information does not include information that
becomes publicly known through no wrongful act;
you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers;
or
you developed independently.
d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date
for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever
is first (beta term).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will
destroy all copies of same in the possession or under your control and/or in the possession or under the control of any
Trainers who have received copies of the pre-released version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print
and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you
will follow any additional terms that Microsoft provides to you for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista,
Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products
which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher,
then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the
install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before
it stops running. You may not be able to access data used or information saved with the Virtual Machines
when it stops running and may be forced to reset these Virtual Machines to their original state. You must
remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch
it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any
Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from
Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such
Software with Microsoft using such product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and
conditions of this agreement and the following security requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are
accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each
Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions
locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from
Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use, activation and
deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training
Session will be done in accordance with the classroom set-up guide for the Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations,
sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized
Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their
personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as Evaluation
Software may be used by Students solely for their personal training outside of the Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks.
Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session.
If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide
decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is
created; and (b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may
customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are
logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing
rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be
used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic
Materials. You may not make any modifications to the Academic Materials and you may not print any book (either
electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:
The use of the Academic Materials will be only for your personal reference or training use
You will not republish or post the Academic Materials on any network computer or broadcast in any media;
You will include the Academic Materials original copyright notice, or a copyright notice to Microsoft's benefit in
the format provided below:
Form of Notice:
2010 Reprinted for personal reference use only with permission by Microsoft Corporation. All
rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of
Microsoft Corporation in the US and/or other countries. Other product and company names
mentioned herein may be the trademarks of their respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change
or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else's use
of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any
means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the
Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation,
you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any
technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not
install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the
Authorized Training Session;
allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering
the Authorized Training Session if the Licensed Content is installed on a network server;
copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;
disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft's prior written
approval;
work around any technical limitations in the Licensed Content;
reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law
expressly permits, despite this limitation;
make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this
limitation;
publish the Licensed Content for others to copy;
transfer the Licensed Content, in whole or in part, to a third party;
access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized
by Microsoft to access and use;
rent, lease or lend the Licensed Content; or
use the Licensed Content for commercial hosting services or general business purposes.
Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks
does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or
devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must
comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws
include restrictions on destinations, end users and end use. For additional information, see
www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as NFR
or Not for Resale.
10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as Academic Edition
or AE. If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact
the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with
the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a)
expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically
terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its
component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and
support services that you use, are the entire agreement for the Licensed Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the
interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws
of the state where you live govern all other claims, including claims under state consumer protection laws, unfair
competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country
apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country.
You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does
not change your rights under the laws of your country if the laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of using it.
Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights
under your local laws which this agreement cannot change. To the extent permitted under your local laws,
Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-
infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND
ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES,
INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or
third party programs; and
claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or
exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential
or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement
are provided below in French.
Note: As this licensed content is distributed in Quebec, Canada, some of the clauses in this contract
are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered "as is". Any use of this
licensed content is at your sole risk. Microsoft grants no other express warranty. You may
have additional rights under local consumer protection law, which this contract cannot change.
Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose
and non-infringement are excluded.
LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You
can obtain compensation from Microsoft and its suppliers for direct damages only, up to
U.S. $5.00. You cannot claim any compensation for other damages, including special,
indirect or incidental damages and lost profits.
This limitation applies to:
anything related to the licensed content, to services or to content (including code) on third party
Internet sites or in third party programs; and
claims for breach of contract or warranty, or for strict liability, negligence or
other fault, to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country
does not allow the exclusion or limitation of liability for indirect, incidental or any other kind of
damages, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This contract describes certain legal rights. You may have other rights under the laws
of your country. This contract does not change the rights given to you by the laws of your country if those laws do not
permit it to do so.
Acknowledgements
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Contents
Module 1: Overview of Desktop and Application Virtualization
Lesson 1: Overview of Virtualization
Lesson 2: Overview of Virtualization Management
Lesson 3: Planning an Application and Desktop Virtualization Deployment
Lab: Planning Desktop Virtualization Scenarios
Course Description
This five-day, instructor-led course provides you with the knowledge and skills to implement and manage
desktop virtualization solutions. This course provides an overview of virtualization and the various
Microsoft products that you can use to implement and deploy a virtualization solution. The course
explains how to configure and manage a MED-V deployment. Then, it describes the procedures for
deploying an App-V solution by implementing App-V servers and clients and by sequencing applications.
The course then covers the configuration of Remote Desktop Services and RemoteApp programs. Finally,
the course describes the concept of user state virtualization and procedures for configuring the Virtual
Desktop Infrastructure (VDI).
Audience
This course is intended for Microsoft Windows Server 2008 system and desktop administrators who
will manage and implement desktop and application virtualization technologies within their networks.
The students for this course typically are responsible for implementing their organization's desktop and
application virtualization, or their information technology (IT) management has directed them to research
and/or implement desktop and application virtualization in the existing environment. Students should
have a minimum of 1.5 years of experience working with Windows Server 2008 as a server or desktop
administrator. This course does not require prior experience with virtualization. However, we highly
recommend familiarity with virtualization concepts and management tools.
Student Prerequisites
This course requires that you meet the following prerequisites:
Basic skills with Windows Command line
Monitoring and Management Tools
Networking
AD DS, including Group Policy deployments
Performance Monitoring
Troubleshooting
Course Objectives
After completing this course, students will be able to:
Plan desktop virtualization scenarios.
Implement and configure Windows Virtual PC and the Windows XP mode.
Implement Microsoft Enterprise Desktop Virtualization.
Configure and deploy MED-V images.
Manage a MED-V deployment.
Implement App-V servers.
Plan and deploy Application Virtualization clients.
Course Outline
This section provides an outline of the course:
Many organizations are exploring the use of virtualization to optimize their information technology
environment and to streamline their IT management practices. Microsoft provides several products and
technologies that enable organizations to implement virtualization solutions in many different ways. This
module provides an overview of the Microsoft virtualization technologies and provides information on
planning and managing virtualized environments.
Windows 7 introduces a new version of the Microsoft Virtual PC software, which supports creating virtual
machines with various operating systems within the same virtual environment. Windows 7 also brings
Windows XP Mode, a pre-created virtual machine with Windows XP Professional SP3 installed, to
support older applications and to make migration to Windows 7 more convenient. In this module, you
will learn how to configure and use Windows Virtual PC and virtual machines, as well as how to use Windows
XP Mode.
Microsoft Enterprise Desktop Virtualization (MED-V) is an enterprise solution that enables incompatible or
unsupported applications to be available in a virtual environment, and then used by the end users as if
they were installed locally on their computers. However, the applications' availability from the virtual
environment is seamless, or invisible, to the user. It provides a virtual environment for legacy applications,
and it enables central administration of applications.
MED-V is built on Windows Virtual PC 2007 Service Pack 1 (SP1), and it is available for Windows clients
such as the Windows XP, Windows Vista, and Windows 7 operating systems.
MED-V uses virtualization to provide an isolated environment, in which you can run legacy applications
and publish applications to the host. A virtual image contains the virtual machine and MED-V enables
central management of the images. There are certain prerequisites that you must meet when you create a
MED-V image. This module describes the purpose and functionality of MED-V images, and the procedures
for configuring and testing of the images. The module also explains how to pack and upload MED-V
images to the image repository on a MED-V server.
Managing the MED-V environment typically is one of the most time-consuming activities for MED-V
administrators. After you deploy the MED-V infrastructure, you must define MED-V Workspaces by
configuring MED-V policies. You then need to enable the workspaces for the users and set options to
configure the workspaces that will be available to the users.
MED-V users work in two separate environments, the host operating system and the MED-V Workspace. If
you seamlessly integrate published applications with the host, users typically cannot differentiate them
from the locally installed applications.
Besides a configurable virtual environment and a seamless integration with the host, MED-V also provides
reporting and diagnostics capability. The reporting feature requires Microsoft SQL Server, and it logs
MED-V events and provides three basic report types. The MED-V client provides a diagnostics mode,
policy updates, and diagnostic log gathering that you can use to troubleshoot MED-V issues.
The Microsoft Application Virtualization 4.5 Service Pack 1 (App-V 4.5 SP1) and the App-V 4.6 client and
sequencer software provide the latest updates to application virtualization technology. This release
includes new capabilities that make it easy for enterprise Information Technology (IT) organizations to
support large-scale, global application virtualization implementations. This module provides an overview
of application virtualization and App-V components. The module also covers the App-V infrastructure, the
deployment scenarios, and the procedures for installing and configuring App-V servers and App-V clients.
The App-V Client software is the one component that you always require to implement Microsoft App-V
solutions. Therefore, deploying the App-V client requires careful consideration of various factors. You
should consider the best client to deploy, the method of deployment, and the configurations required for
the deployment. You should also be aware of the prerequisites for installing the client.
This module provides an overview of the desktop and remote desktop clients, including several
installation methods. The module also describes the recommendations for deploying and managing the
App-V client.
To use applications in an App-V solution, you must first package them into a form that can run in a
virtualized environment. You can use the Microsoft Application Virtualization (App-V) Sequencer to create
these application packages.
You can sequence applications that you plan to deploy by using the App-V infrastructure or standalone
installation. By using App-V sequencing, you create a set of files that contain all the information about
the application that is required for the application to run in a virtual environment. The App-V Sequencer
provides several packaging options that you can choose based on your specific requirements.
This module describes how to install and configure the App-V Sequencer to create application
packages. The module also describes how to upgrade existing packages and create standalone packages.
Remote Desktop Services (RDS) provide a form of virtualization known as presentation virtualization.
Although you connect to a remote desktop or to individual remote applications, your experience is similar
to running local applications on your computer. With features such as device redirection, single sign-on,
and RD Easy Print, it is not easy to distinguish between remote and local applications.
This module provides an overview of Remote Desktop Services and their role services, and the procedures
for connecting to an RD Session host. The module also describes RemoteApp programs and the methods for
accessing them. The module also explains how to use RD Gateway to access RDS infrastructure securely
from an external network.
User state virtualization is a concept that allows administrators to provide more flexible client
environments, and to give users the ability to have documents and settings follow them from
computer to computer. This concept also makes it easier to back up and centralize user data, as
well as to prevent data loss.
This module discusses technologies that provide user state virtualization and various ways to provide
virtualization. This module also discusses how to configure roaming profiles and user folder redirection
as part of user state.
Using virtualization technologies for desktop virtualization can be very convenient. Microsoft provides
virtual desktop infrastructure (VDI) as a technology that relies on Hyper-V and Remote Desktop Services
(RDS) to enable administrators to configure virtual desktops as working environments instead of real
physical desktop computers. In order to use VDI, you should be familiar with Hyper-V and RDS, as well as with
features and configuration procedures for VDI.
This module summarizes the various desktop virtualization technologies that are covered in this course.
The module compares the features of these technologies, and it also provides examples of real-world
scenarios in which you would implement these virtualization technologies.
Course Materials
The following materials are included with your kit:
Course Handbook. A succinct classroom learning guide that provides all the critical technical
information in a crisp, tightly-focused format, which is just right for an effective in-class learning
experience.
Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
Module Reviews and Takeaways: Provide improved on-the-job reference material to boost
knowledge and skills retention.
Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's
needed.
Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and answers
and Module Reviews and Takeaways sections, which contain the review questions and answers, best
practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
with answers.
Resources: Include well-categorized additional resources that give you immediate access to the most
up-to-date premium content on TechNet, MSDN, Microsoft Press.
Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the
Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and
demonstrations.
Course evaluation. At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
The following table shows the role of each virtual machine used in this course:
Virtual machine     Role
10324A-NYC-SVR1     Windows Server 2008 R2 member server in the Contoso.com domain
10324A-NYC-SVR2     Windows Server 2008 R2 member server in the Contoso.com domain
10324A-NYC-SVR3     Windows Server 2008 R2 member server in the Contoso.com domain
Software Configuration
The following software is installed on each VM:
Windows Server 2008 R2 Enterprise
Windows 7
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
All of the virtual machines are deployed on each student computer.
Hardware Level 6
Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
Dual 120 gigabyte (GB) hard disks 7200 RPM SATA or better*
6 GB RAM expandable to 8GB or higher
DVD drive
Network adapter
Super VGA (SVGA) 17-inch monitor
*Striped
Additionally, the instructor computer must be connected to a projection display device that supports
SVGA 1024 x 768 pixels, 16-bit colors.
Overview of Desktop and Application Virtualization 1-1
Module 1
Overview of Desktop and Application Virtualization
Contents:
Lesson 1: Overview of Virtualization
Lesson 2: Overview of Virtualization Management
Lesson 3: Planning an Application and Desktop Virtualization Deployment
Lab: Planning Desktop Virtualization Scenarios
Module Overview
Many organizations are exploring the use of virtualization to optimize their information technology (IT)
environment and to streamline their IT management practices. Microsoft provides several products and
technologies that enable organizations to implement virtualization solutions in many different ways. This
module provides an overview of the available Microsoft virtualization technologies, and provides
information on planning and managing virtualized environments.
Lesson 1
Overview of Virtualization
During the last few years, virtualization has become a key component to enable organizations to deal with
the cost and complexity of managing an IT environment. You can use virtualization to significantly decrease
the cost of providing IT services by enabling organizations to decrease the number of physical
servers they need to provide network services and applications. You also can use virtualization to provide
new options for deploying or managing applications for users.
This lesson provides an overview of the various options available for enabling virtualization within the IT
infrastructure.
Key Points
Most organizations consider using virtualization because of the challenges that they are facing and the
associated benefits that it provides. The following sections describe some of the challenges that
organizations are facing.
Data centers also require large amounts of power for cooling and running servers. As the cost of
electricity increases, this can add significant cost to running the IT infrastructure and waste resources.
Virtualization Modes
Key Points
Virtualization separates the components of the applications and operating system that users work with
from the actual physical components that provide the application or operating system services. For
example, virtual machines provide all of the functionality of physical servers. However, the operating
system is not tied to any particular piece of hardware, and can be made available where it is most
convenient. Applications traditionally run on an operating system that is running on a particular piece of
hardware. With application and presentation virtualization, those applications might run on a centralized
server or in a virtual environment that is completely portable to other operating systems or hardware
devices.
Virtualization Solutions
Microsoft provides virtualization solutions that address the virtualization requirements for most
organizations:
Server virtualization. Windows Server 2008 Hyper-V and Microsoft Virtual Server 2005 release 2
(R2) enable server virtualization, so that you can run multiple virtual machines on a single physical
server. This allows you to utilize server hardware resources more fully while allowing you to maintain
operational isolation and security.
Application virtualization. Application virtualization enables you to run applications in a virtualized
environment on a user's desktop. Application virtualization separates the application configuration
layer from the desktop operating system, which reduces the potential for application conflicts. With
application virtualization, you isolate the application from the underlying operating system because
you encapsulate it in a virtual environment. With application virtualization, you also can configure
centralized servers to distribute the applications and simplify the distribution of updated virtual
applications. Microsoft Application Virtualization (App-V) is an example of an application
virtualization platform.
Desktop virtualization. You can provide desktop virtualization by running Microsoft Virtual PC on the
Windows Vista operating system, or Windows Virtual PC and Windows XP Mode on the Windows
7 operating system. Desktop virtualization enables you to run multiple operating systems on a single
workstation, and to run an incompatible legacy or line-of-business (LOB) application in a virtual
machine that you host on a more-current desktop operating system.
Microsoft provides a way to manage a complex desktop virtualization environment through Microsoft
Enterprise Desktop Virtualization (MED-V). With MED-V, you can create and manage a centralized
collection of Virtual PC images, and then deliver those images to client computers as necessary.
Presentation virtualization. Remote Desktop Services (RDS) in the Windows Server 2008 R2 operating
system provides presentation virtualization. RDS is an upgrade of Terminal Services, which was in
previous Windows versions. Presentation virtualization enables you to run applications and maintain
application storage on centralized servers, while providing users with a familiar application interface
on their workstations.
Microsoft also provides Virtual Desktop Infrastructure (VDI), which integrates the functionality of
presentation and desktop virtualization. With VDI, you configure desktop operating systems as virtual
machines that are hosted on a Hyper-V infrastructure. These virtual machines are made available to users
through an RDS infrastructure, so that users can connect to the virtual machines through a Remote
Desktop Protocol (RDP) connection.
User state virtualization. User state virtualization enables users to take advantage of separating their
files and profile information from a specific computer, which makes it easy for users to begin working
when you issue them a new computer. User state virtualization also makes it easy for users to move
between computers, or to experience the same desktop environment when using one of the other
virtualization technologies.
Virtualization management. One of the critical components in deploying virtualization is your ability
to manage the solution, including both the physical and virtual components. The Microsoft System
Center suite of tools provides virtualization management. Tools such as Microsoft System Center
Configuration Manager, System Center Operations Manager, and System Center Virtual Machine
Manager (VMM) provide a familiar set of tools for managing both the virtual environment and the
physical layer that hosts the virtual environment.
Cloud computing. Cloud computing enables organizations to purchase IT services from external
organizations. These IT services can include e-mail service hosting, Web site hosting, or online
applications. With cloud computing, organizations can purchase only the services that they require
without significantly increasing the cost and complexity of managing their IT infrastructure.
Key Points
Server virtualization enables you to configure one or more virtual machines that emulate a physical
computer. Multiple virtual machines can run on one physical server, with all of the virtual machines
sharing the resources available on the physical server.
Microsoft provides three products for server virtualization:
Microsoft Virtual Server 2005 R2
Windows Server 2008 Hyper-V
Windows Server 2008 R2 Hyper-V
Note: Windows Server 2008 R2 Hyper-V uses the same underlying technology to enable server
virtualization as Windows Server 2008, but it also provides improved performance and significant new
features, including Live Migration and Cluster Shared Volumes.
Simplified server deployment. By creating standard virtual machine builds, you can deploy new server
builds more easily. Because you are deploying virtual machines rather than physical servers, you also
do not need to acquire new hardware, and locate data center space and power, for each new server.
Note: You may need to invest in new server and storage hardware when you first implement server
virtualization, but an important result of server virtualization is the decrease in the number of physical
servers that your organization has.
Increased service and application availability. Because the service or application no longer connects
directly to a specific piece of hardware, it is much easier to ensure high availability and recoverability.
With Live Migration in Windows Server 2008 R2, you can move a virtual machine to another physical
server with users experiencing little or no service outage.
Multiple operating systems can run on one consistent platform. With server virtualization, you can
deploy multiple operating system technologies on a single hardware platform. For example, you can
deploy Windows Server 2003, Windows Server 2008, and Linux on one Windows Server 2008 R2
Hyper-V host. Server virtualization also makes it much easier to replace hardware when it becomes
obsolete or fails.
Key Points
Desktop virtualization provides new options for deploying client desktops by enabling several ways to
virtualize the desktop. Traditionally, users work on a specific piece of hardware that is running a single
operating system and all applications.
VDI enables you to centralize a user's desktop for easier management. The users have an individualized
desktop experience with full administrative control over desktop and applications. Therefore, VDI can be a
very effective solution for users who need to access their work environment from anywhere, including
from a PC that their company does not own. By centralizing the management of the client virtual
machines, you do not need to be as concerned about the location or the device from which the user is
connecting.
Key Points
You can use application virtualization to create virtual applications that you then can distribute to user
desktops. Each virtual application includes its own registry entries, specific dynamic-link libraries (DLLs),
and other resources. When you deploy a virtual application, it uses its own copy of these shared resources.
Because the virtual application runs in an isolated environment, incompatible applications can share the
same workstation.
Microsoft App-V is an application virtualization solution.
must update an application, administrators can update the server's version of the application, and the
updated files then download the next time the client computer needs to run the application.
Key Points
Presentation virtualization runs applications on a central server, with only the application interface, mouse
movements, and keystrokes sent across the network between the central server and the client computer.
Presentation virtualization creates virtual sessions in which the executing applications project their user
interfaces remotely. Each session might run only a single application, or it might present users with a
complete desktop that offers multiple applications.
Presentation virtualization was available for several Windows Server versions as Terminal Services. In
Windows Server 2008 R2, the name for the presentation virtualization feature is Remote Desktop Services,
or RDS.
the application on an RDS host that is located close to the data, rather than pull the data across a
slow network connection to the client.
Key Points
MDOP provides a package of desktop management and virtualization solutions that is available for
Microsoft Software Assurance customers. Many of the application and desktop virtualization products are
available as part of MDOP. MDOP includes the following components:
Microsoft App-V. This application virtualization and streaming solution transforms applications into
centrally managed services that are available when and where you need them.
Microsoft MED-V. This provides deployment and management of virtual PC images. You can deploy
these virtual PC images to user desktops to address application compatibility issues.
Microsoft Asset Inventory Service. This hosted service runs a complete scan of the software installed
on every computer in your environment, and then provides you with intelligent reports and analysis
to understand and better manage your software assets.
Microsoft Diagnostic and Recovery Toolset (DaRT). This provides powerful tools to accelerate desktop
repair for unbootable desktop computers.
Microsoft Advanced Group Policy Management. This enables Group Policy object (GPO) versioning,
change management, and delegation.
Microsoft Desktop Error Monitoring. This makes desktops more stable by causing the client to send
error messages, as they occur, to a central database.
Note: You can download all of the tools, with the exception of App-V, only as part of the MDOP.
App-V is available as a separate download.
Key Points
Cloud computing is a new virtualization option that enables organizations to purchase IT services from
Internet-based service providers or to provide IT services through the Internet. These services can include
servers, storage, or networking resources. The services may be running on virtual environments based on
Hyper-V or one of the other virtualization options. The actual server and storage deployment is largely
transparent to the users who consume the services. They typically are concerned only with being able to
access their required applications easily.
Flexible deployment options. The organization may host the data center that provides cloud services
or an external hosting provider, such as Microsoft or a third party, may host it.
Scalability. In a cloud-computing scenario, all service components are virtual, which makes it very easy
to scale up or down, as necessary. For example, if an organization requires more resources, it can
deploy additional virtual machines in the data center. If the organization requires fewer resources, it
can save money by removing virtual machines or by reusing the physical resources for another
purpose.
Potential for decreased cost. By purchasing online services from a hosting provider, organizations
often can implement services for a cost that is significantly less than hosting the services locally.
More reliable and effective services. Some services require constant monitoring and specialized skills.
By purchasing these services from an online service provider, organizations can take advantage of the
infrastructure and skills that are available at the hosting provider, but which may be prohibitively
expensive for a small organization.
Question: Has your organization moved any services to an environment that is hosted online? If so, which
services?
Key Points
Contoso, Ltd is a large enterprise with multiple locations, and data centers in London, New York City, and
Sydney, Australia. Contoso, Ltd also has several smaller branch offices and many users who work outside
of the office.
Contoso, Ltd has collected the following information about the current computing environment:
Server utilization for most of the data center servers is less than 10%.
Contoso, Ltd has deployed multiple servers in many of the branch offices. These servers are difficult to
deploy and manage because the wide area network (WAN) links to some of the branch offices
have very little available bandwidth.
Many of the users working outside of the office require a standard set of business applications. Some
of the users who run these applications are mobile users who are using company-issued laptops,
while other users work from home on their personal computers.
Contoso, Ltd has developed a large number of business applications, using different development
platforms, and many of the applications do not use current technologies or may not run on the latest
operating systems.
Question: How will virtualization help Contoso, Ltd address the issues in its current computing
environment?
Lesson 2
Overview of Virtualization Management
The design of many of the Microsoft System Center tools helps you manage the virtualized data center.
This lesson introduces some of the issues that relate to managing a virtualized environment, and
introduces the System Center products that you can use to manage and maintain the virtual
environments.
Key Points
Virtualization technologies provide a range of benefits. Yet as an organization's computing environment
becomes more virtualized, it also may become more complex. A virtualized environment that you do not
manage well can be less reliable, and more expensive, than its unvirtualized counterpart. For example, if
an organization implements a Hyper-V environment without considering high availability, a single server
failure may affect many virtual servers. If an organization implements VDI or MED-V, an outage in the
server infrastructure may prevent users from accessing the virtual desktops that they need to do their
work.
There are several issues that you should consider regarding the deployment and management of
virtualized environments.
One of the primary benefits of a virtualized environment is the option to deploy almost any virtual
component rapidly. If you require an additional server, it is easy to deploy a new virtual machine in
Hyper-V. If you must update an application or deploy a new one, App-V or Windows Server 2008 R2
RemoteApp makes it easy. However, to take advantage of the rapid deployment features, you must
have the required infrastructure in place. This may require additional planning, tools for deploying
components quickly, and monitoring to verify that the additional resources are available on the
current infrastructure.
You realize the many benefits of virtualization when you centralize the virtual components on a small
number of physical servers. This means that it is critical to ensure that the physical servers are highly
available, or that you configure the service or application deployment to be highly available. This
requires advanced monitoring and management tools.
You often perform the management of physical and virtual machines by using separate management
solutions. This may mean that administrators must learn how to use multiple tools, which may not
provide consistent information. Using a single set of administrative tools to manage both
environments simplifies the management processes.
Managing multiple desktops, applications, and servers is complex. With virtualization, the complexity
level may increase because each physical computer now has additional components that you must
manage. For example, a desktop computer running Windows 7 also may be running a Windows XP
mode virtual machine. To ensure your network's security, you must install and manage updates and
antivirus products on both the Windows 7 computer and Windows XP mode virtual machine. A
management system that can handle all assets, regardless of whether they are virtual or physical,
saves time and reduces the number of required resources.
Effective physical and virtual machine management can optimize the benefits of using virtualization
technologies. This includes monitoring and managing hardware and software in a distributed
environment. Monitoring both the software running on physical machines, and the physical machines
themselves, enables administrators to know what is happening in their environment. It also lets them
respond appropriately by running tasks and taking other actions to fix problems that occur.
Key Points
Microsoft developed the Microsoft System Center products and solutions, which assist enterprises with the
planning, delivery, and operation lifecycle of their entire infrastructure. These solutions capture and
aggregate knowledge about an infrastructure, policies, processes, and best practices. They can help
optimize the IT structure, reduce costs, improve application availability, and enhance service delivery.
You can use many of the System Center products to manage your virtualized IT environment and your
physical components, as well.
You can use System Center to manage the virtual environment in the following ways:
A fundamental challenge in systems management is monitoring and managing the hardware and
software in a distributed environment. Operations Manager 2007 R2 enables operations staff to
monitor both the software running on physical machines and the virtual machines themselves, given
the strong similarities between physical and virtual environments. Additionally, you also can use
Operations Manager 2007 to monitor and manage virtual machines and other aspects of a virtualized
world.
Another concern for people who manage a computing environment is installing software and
managing its configuration. While it is possible to perform these tasks manually, automated solutions
provide a better approach in all but the smallest environments. To allow this, Microsoft provides
System Center Configuration Manager 2007. Similar to Operations Manager, Configuration Manager
handles virtual environments in much the same way as physical environments.
As organizations move towards virtualization for their current servers, the process of converting the
physical machines to virtual machines, and then managing the virtual machines, can be complex. To
address this situation, Microsoft provides VMM 2008 R2, which you can use to manage virtual
machines on hosts running Microsoft Virtual Server 2005, Hyper-V, or VMware. Among other things,
this tool helps you choose the virtualization workloads, creates the virtual machines that will run
those workloads, and converts physical computers to virtual machines. You also can integrate
VMM 2008 R2 with Operations Manager 2007 R2 to provide enhanced reporting and management
capabilities.
To ensure that you can recover a virtualized environment, you must ensure that you deploy a
disaster-recovery system that can back up and restore both the physical servers and virtual machines.
You can use System Center Data Protection Manager 2007 Service Pack 1 (SP1) and Data Protection
Manager 2010 to back up and restore servers running the virtual and virtualized components.
Key Points
VMM is the primary tool that you use to manage virtual machines that are running on Hyper-V. VMM
provides a management tool that lets you manage multiple physical host computers and the virtual
machines that are running on the host computers.
VMM provides the following features:
Enables management of virtual environments that are running on different host platforms. You can
use VMM 2008 to manage host computers and virtual machines that are running Windows Server
2008 or Windows Server 2008 R2 Hyper-V, Virtual Server 2005 R2, and VMware ESX Server. With
VMM, you can use a single interface to manage the host server configuration, and deploy and
manage virtual machines on the host servers.
Physical and virtual machine conversion. You can use VMM to convert a physical computer to a
virtual machine while the physical machine is online. You also can use VMM to convert Virtual Server
2005 and VMware-based virtual machines to Hyper-V.
Intelligent virtual machine placement. When you create a new virtual machine or use VMM to move a
virtual machine from one host to another, VMM 2008 analyzes the available physical hosts and
provides a recommendation as to the best location for the virtual machine. You can integrate this
process with Operations Manager 2007, which enables the intelligent placement process to factor in
past performance characteristics to ensure the best possible match between the virtual machine and
its host hardware.
Self-Service Portal. VMM provides the Service Manager Self-Service Portal that enables users to create
and manage their own virtual machines. The VMM administrators retain complete control of the
environment, because they can set permissions that restrict which users can create virtual machines,
what templates users can use to create virtual machines, and where users can create the virtual
machines.
VMM Library. VMM 2008 provides a centralized library to store various virtual machine components,
such as offline machines, templates, virtual hard disks, and other virtualization components.
Administrators can use the components in the library to deploy virtual machines rapidly using
standardized templates.
Windows PowerShell integration. VMM 2008 is built on the command line and scripting
environment that Windows PowerShell provides. VMM provides Windows PowerShell cmdlets that
allow administrators to automate VMM management tasks.
Operations Manager 2007 integration. VMM 2008 includes the Performance and Resource
Optimization (PRO) feature, which enables dynamic management of virtual resources through
management packs for Operations Manager 2007. The PRO feature enables administrators to set
rules for moving or configuring virtual machines based on the host server performance.
Note: For detailed information on deploying and managing System Center Virtual Machine Manager
2008 R2, see Course 10215A, Implementing and Managing Microsoft Server Virtualization.
Key Points
Data Protection Manager (DPM) is a solution for disk-based and tape backups that enables you to back
up physical servers and virtual machines. After an initial full backup, the express backups that DPM
performs are significantly faster than typical full backups, because DPM backs up only disk block changes.
You can use DPM to back up both the host server and the guest virtual machines.
Host Backups
Host backups require that you install a DPM protection agent only on the host server, not in each virtual
machine. This can result in significant cost savings when compared to guest backup, which requires that
you install the DPM protection agent in each virtual machine.
You can perform a host backup of a single virtual machine. When you perform a host backup, this backs
up the entire virtual machine as a single unit. However, the backup is not application aware. Therefore,
you can recover only the entire virtual machine, not just specific data.
You can use guest backups to back up both virtual machines that support Volume Shadow Copy Service
(VSS) backups and virtual machines that do not. You cannot use a VSS backup to back up the virtual
machine if the guest operating system does not support VSS or if an application in the guest does not
support VSS.
When backing up a guest virtual machine that does not support VSS, DPM has to hibernate the guest, and
then perform a host-based backup of the virtual machine. DPM takes a snapshot of the virtual machine,
and then the virtual machine is restored. The outage experienced with this method is very short, but
noticeable. After the guest resumes, the backup occurs from the snapshot, and DPM backs up only disk
blocks that have changes. This results in a backup process that is much faster than a typical full backup of
virtual machine files.
If the operating system and applications in the guest support VSS backups, the DPM protection agent
uses VSS writers to make data within the guest consistent. Applications running on the guest must have
an appropriate VSS writer. The hypervisor then provides the DPM protection agent with access to the
consistent version of the data for backup. There is no interruption in service at any point during the
backup process. The backup is completely transparent to users.
Key Points
You can use Operations Manager 2007 R2 to monitor servers and their applications from a central
location. To do this, you install an agent on remote systems. The agent gathers events and performance
information about the remote systems, and then forwards it to Operations Manager 2007. The data that
the agent gathers is based on rules that Operations Manager 2007 stores and distributes to the agent
monitoring each server. Operations Manager 2007 also generates alerts based on the rules.
You create the rules in Operations Manager 2007 by importing management packs. The rules in
management packs are appropriate for most environments, and are based on best practices. However,
you can modify the rules to meet the needs of your specific environment. You also can create your own
rules.
Centralized monitoring and alerting is important for any environment, but it is particularly important for
virtualized environments where you can add many additional resources quickly and easily.
Windows Server Hyper-V Management Pack monitors the health and performance on Hyper-V host
computers.
Remote Desktop Services Management Pack monitors each of the Remote Desktop server roles.
Virtualization Reports
Operations Manager 2007 also provides several reports that you can use to plan and monitor the
virtualized environment, including:
The Virtualization Candidates report helps to identify physical computers that are good candidates
for virtualization. This report displays performance and hardware information for physical computers,
which you can sort and filter to select the appropriate candidates.
The Virtual Machine Allocation report enables you to calculate chargeback to cost centers, such as
departments. To use this report, you must assign a cost center to the appropriate virtual machines.
The Virtual Machine Utilization report contains information about the utilization of virtual processors,
memory, and disk space in virtual machines. You can use this report to identify virtual machines that
need additional resources or that have been allocated too many resources.
The Host Utilization report contains information about the utilization of processors, memory, and disk
space on hosts. You can use this report to identify hosts that need virtual machines removed or that
have sufficient resources free for hosting additional virtual machines.
The Host Utilization Growth report shows the percentage of change in resource usage and number of
virtual machines. You can use this for trend analysis, to predict when you will require additional hosts.
Key Points
You can use Configuration Manager 2007 R2 to manage and maintain both physical and virtual
environments, and it treats a virtual machine just like any standard physical machine. Depending upon
deployment settings, you can manage a virtual environment by:
Automatically deploying the Configuration Manager client through standard discovery and
deployment methods. You can discover both physical and virtual machines, and automatically deploy
the Configuration Manager client to both.
Maintaining inventory of all virtual clients that are deployed throughout the environment.
Deploying applications through standard software deployment mechanisms. You can deploy
applications to both virtual and physical machines.
Managing software updates for both physical and virtual machines through standard update
processes.
Deploying virtualized applications to desktop clients. You can integrate Configuration Manager with
App-V 4.5 or newer to distribute the virtual applications prepared in App-V to desktop computers.
Integrating with Virtual Machine Manager 2008 and the Offline Virtual Machine Servicing Tool to
maintain updates on virtual machines stored within a VMM library. One of the biggest challenges in a
virtual environment is managing virtual machines that are not always running on the network, or
maintaining virtual machines that are stored within virtual machine libraries. You can accomplish this
by integrating features provided by Virtual Machine Manager 2008 and the Offline Virtual Machine
Servicing Tool version 2.0.1.
Key Points
Desktop virtualization enables you to run multiple desktop operating systems, either on a user's client
computer or on a server running Hyper-V. Implementing desktop virtualization can increase the
complexity of managing your network in several ways:
Individual users may use multiple desktops, both physical and virtual. In a traditional network, you
only have to ensure that you update and configure one client computer per user to meet the
corporate standards. With desktop virtualization, each user may have several client computers that
you must maintain.
As users move from one desktop computer to another, they might have very different user
environments on each computer. For example, they might configure their desktop on their main
computer with shortcuts, mapped drives, and other settings. When they launch a virtual desktop, the
customized settings may not be available, which leads to user inefficiency.
Deploying virtual desktops can be difficult. If only a few users in your organization need virtual
desktops, you might be able to manually enable and configure the virtual desktops. However, if you
have a large number of users that need to use virtual desktops, it becomes very difficult to manually
configure each virtual desktop. In this scenario, you need some means to automate the deployment
of standardized virtual desktops.
Microsoft provides several tools for managing desktop virtualization:
You can use tools such as Configuration Manager to manage both physical and virtual desktops. With
Configuration Manager, you can monitor and maintain updates on all computers.
You can use the user state virtualization technologies to provide users with a consistent experience on
all desktops. You can use tools such as Group Policy and roaming user profiles to configure the user
desktop, map network drives, and redirect folders so that these settings are available across multiple
desktop computers.
You can use MED-V to configure, manage, and deploy virtual desktops based on Virtual PC 2007.
With MED-V, you can create standard virtual desktop computers and then deploy them to users.
You can use VDI to manage a centralized virtual desktop deployment. With VDI, you can configure
standard virtual desktops that will run on a Windows Server 2008 R2 Hyper-V server, and provide RDP
access to those virtual machines. You can configure virtual machines with the same configuration for
all users, or you can provide a virtual desktop that the user can customize.
Key Points
You can use application virtualization to enable users to run virtual applications on their user desktops.
Implementing application virtualization increases the complexity of managing the user environment in
several ways.
Users may need to be able to run the applications in several different desktop scenarios. They may
need to run the applications from desktop computers in the office, on mobile computers that may be
connected to the corporate network, connected from the Internet, or disconnected from all networks.
Users in different locations in the organization may require access to the same applications.
Distributing applications to users in locations such as branch offices can be complicated.
Virtual applications may require security updates or users might require new versions of the virtual
applications. Applying updates to virtual applications is more difficult than updating client operating
systems or applications that are installed on the client operating systems.
You must prepare applications to run in a virtual environment before you can deploy them to users.
Some applications may require fairly complex virtual environments.
Microsoft provides several tools for managing the application virtualization environment.
You can use the App-V Management server to manage the deployment of virtual applications to
client computers. The App-V Management console provides a single location for configuring and
deploying virtual applications.
App-V provides a variety of options for deploying virtual applications to users. App-V can use
multiple protocols, and also provides options for deploying multiple servers in different locations to
deploy the same applications. You can also create virtual applications as .msi files, which you can then
deploy by using Group Policy or Configuration Manager, or install them on client computers that are
disconnected from the network.
You can update App-V applications with new versions on the App-V Management server and the
applications will automatically be distributed to clients.
You can use the App-V Sequencer to package applications to prepare them for deploying them to
client computers. The App-V sequencer provides a wizard-driven approach for creating virtual
applications, and also provides complete customization of the virtual environment that the
application will run in.
Key Points
Presentation virtualization enables users to run applications installed on centralized servers. Implementing
presentation virtualization introduces some complexities to managing an organization's network.
Users who are not familiar with desktop virtualization may not understand how to launch remote
applications and how the remote application interacts with their usual desktop environment.
Users may need to connect to the remote applications from a variety of locations. These locations
could include computers on the internal network as well as from computers in branch offices or
computers outside the network.
In a desktop virtualization deployment, multiple applications may be installed on the same host
server. Some of these applications may not be compatible with other applications running on the
same server.
Windows Server 2008 R2 provides several features that optimize the deployment of presentation
virtualization:
Remote Desktop RemoteApp. With RemoteApp, you can publish the shortcuts for applications
running on the RD Session Host computer on the user desktop. Users can launch the application
using the normal procedures, and the application's user interface appears on the desktop as if that
application were running locally.
Remote Desktop Web Access. RD Web Access provides another means for users to launch
RemoteApps or connect to remote desktops. RD Web Access provides a Web site that lists all of the
applications and desktops that the user has permission to access.
Remote Desktop Gateway. RD Gateway provides a secure way for users outside of the organization to
connect to applications running on the RD Session Host computers. With RD Gateway, all RDP
connections are tunneled through HTTPS.
RemoteApp and Desktop Connections. This client application allows users running Windows 7 to
easily connect to RemoteApp programs and Remote Desktops. When you configure RemoteApp and
Desktop Connections, all of the applications and remote desktops that the user can access are listed
on the user's Start menu. This list is dynamically updated as new applications or remote desktops
become available.
You can combine application virtualization with presentation virtualization by deploying virtual
applications on a Remote Desktop Session Host server. This enables organizations to run applications
that are not compatible with other applications on the same server, and make both applications
available to users through RDS.
Lesson 3
Planning an Application and Desktop Virtualization
Deployment
Application and desktop virtualization provide organizations with options for managing application
compatibility issues, and you can use them to address some of the issues with deploying new desktop
operating systems. These tools also provide options for deploying applications to users outside an
organization or who run thin or mobile clients.
This lesson describes some of the scenarios for deploying application and desktop virtualization, and
provides guidance for planning these virtualization solutions.
Key Points
Desktop and application virtualization are designed to address issues that many large organizations
need to deal with. These issues relate to the applications that users need to be able to run, and to the locations
or physical systems that users are using to run the applications.
Mobile Users
Many organizations have a mobile workforce that may work both inside and outside the office. In most
cases, these users carry laptop computers, but the users may need to be able to do their work regardless
of whether they are connected to the internal network, connected to the Internet, or completely
disconnected from any network.
Standard Users
In many organizations, large groups of users require the same user desktop with access to the same set of
applications. In some cases, users may require access to just one or two applications. In other cases, they
may require access to a complete set of business applications. Traditionally, the organization assigns these
users to a standard business desktop computer.
If the standard user environment is quite static, and the organization assigns all users to an individual
desktop computer, there may not be any reason to implement virtualization for these users. If the users
need to run incompatible applications, the users may require solutions for addressing application
compatibility. In some cases, you may be able to deploy thin clients to all standard users, and then use
VDI to provide the users with the required work environment.
External Users
Some organizations have users who work from outside the corporate network and who do not use
computers that the internal IT department manages. These users may be contract workers, consultants, or
people who work from home. Frequently, these users require access to a very specific set of applications
or servers, and do not require a full desktop or set of applications.
Question: What types of workers do you have in your organization? What options will you explore to
virtualize their environment?
Key Points
Microsoft provides several different options for implementing desktop and application virtualization. You
can use some of the solutions to address more than one business scenario.
Desktop Virtualization
You can use desktop virtualization to address the following scenarios:
Application and operating system compatibility issues. If applications require an older operating
system, consider deploying Windows Virtual PC or Windows XP Mode. These options mean that users
can run the older operating system in a virtual machine that is running on the user desktop.
External users. If external users need access to a full desktop computer rather than just an application,
consider enabling this by using VDI. With VDI, you can provide users with a preconfigured desktop
that includes all of the applications required for their tasks.
Mobile users. If a large number of mobile users require virtual desktops, consider managing the
virtual desktop deployment by using MED-V. By doing this, you can manage and distribute the
appropriate virtual machines to all users while the users are connected to the network. Users can then
take these virtual desktops with them when they leave the office.
Application Virtualization
You can use application virtualization to address the following scenarios:
Compatibility issues with running multiple applications on a single host. If two applications cannot
both run on the same operating system, consider using App-V to create an isolated environment in
which one or both of the applications can run.
Application compatibility issues in presentation virtualization scenarios. You can deploy the App-V
client on Remote Desktop Session Host servers, which enables potentially incompatible applications
to run on the same remote server.
Presentation Virtualization
You can use presentation virtualization to address the following scenarios:
Mobile or external users. Implement Remote Desktop Gateway and provide access to only the specific
applications or computers that are required. With Remote Desktop Gateway, you can restrict what
users can connect to and what they can access. For additional security, you can integrate RD Gateway
with Network Access Protection to ensure that clients are compliant with your corporate security
requirements.
Application compatibility issues. For scenarios where applications require separate environments,
consider deploying one of the applications in an RDS deployment. By using features such as
RemoteApp, you can make the user experience with both applications virtually identical.
Key Points
To assist organizations in developing and delivering a virtualization strategy, Microsoft has developed free
solution accelerators. These automated tools help accelerate assessment, planning, and deployment of
Microsoft technologies, such as Windows Server 2008 or virtualization.
Some of the Microsoft Virtualization Solution Accelerators include:
Microsoft Assessment and Planning Toolkit (MAP). You can use MAP to conduct network-wide
deployment-readiness assessments that focus on whether you can migrate Microsoft technologies
from servers to desktops and applications. Using MAP, you now can determine which servers you can
upgrade to Windows Server 2008 R2, which servers you can migrate to virtual machines on Windows
Server 2008 R2 Hyper-V, which applications you may want to virtualize by using App-V, and which
client computers you can upgrade to Windows 7.
Infrastructure Planning and Design Guides. The Infrastructure Planning and Design (IPD) Guides are
free guides that describe the architectural considerations, and also streamline the design processes,
for planning of Microsoft infrastructure technologies. Each guide addresses a unique infrastructure
technology or scenario including server virtualization, application virtualization, terminal services
implementation, and more. Microsoft has released the following IPD guides that relate to
virtualization:
Selecting the Right Virtualization Technology
Windows Server Virtualization
Windows Server 2008 R2 Remote Desktop Services
Microsoft Application Virtualization 4.6
Windows Optimized Desktop Scenarios
Microsoft Enterprise Desktop Virtualization
Hyper-V Security Guide. Implementing virtualization can increase the number of security issues that
you must consider because you need to secure both the host computer and the virtual machines. The
Hyper-V Security Guide provides guidance and recommendations to address key security concerns
about server virtualization.
Security Compliance Management Toolkit Series. This includes several different security toolkits that
you can use to help your organization plan, deploy, and monitor security baselines for Windows
operating systems, including Windows 7, Windows Vista, and Windows Server 2008, and for
applications such as the Microsoft Office 2007 system and Internet Explorer 8.
Microsoft Deployment Toolkit. This provides guidance and tools to accelerate the deployment of
client and server operating systems. The Microsoft Deployment Toolkit supports the deployment of
Windows Server 2003, Windows Server 2008, the virtualization role on Windows Server 2008, and
other applications. Most organizations use the Microsoft Deployment Toolkit primarily to deploy
client desktops.
A typical IT project lifecycle includes three core phases: planning, delivery, and operation. Solution
accelerators provide guidance and tools for each of these three key elements of the Microsoft Operations
Framework (MOF).
Key Points
The Windows Optimized Desktop Scenarios IPD provides detailed guidance for mapping user and
business requirements that relate to end users to the Microsoft desktop and application virtualization
solutions. The guide includes two components:
Windows Optimized Desktop Scenario Assessment. This document provides detailed information on
how to use the desktop scenarios and selection tool to identify virtualized solutions for your work
place.
Windows Optimized Desktop Scenario Selection Tool. The Microsoft Excel spreadsheet enables you
to select the user and business requirements that apply to your user populations, and then it
identifies which desktop scenarios and virtualization solutions apply to your user population.
1. Understand the Windows Optimized Desktop scenarios. The guide groups users into one of the
following scenarios:
Office Worker.
Mobile Worker.
Task Worker.
Contract Worker.
Access from Home.
2. Identify the target user populations for which you want to optimize desktops. In most organizations,
you will not be able to implement virtualization for all users at once, so it is important that you
identify the specific group of users that are included in the current project.
3. Match user groups with scenarios. You can use the Windows Optimized Desktop Scenario Selection
Tool to map the user population to the desktop scenarios. This tool asks a series of questions related
to user and business requirements, and then indicates the desktop scenario that applies to the user.
4. Preview the scenario solutions. For each desktop scenario, the guide provides a mapping of potential
virtualization products and technologies that can be used to address the requirements.
5. Evaluate relevant Windows Optimized Desktop scenarios. As a final step, you will evaluate the
potential solutions to determine which solutions best suit your organization's requirements or
capacity. The tool provides multiple solutions for each scenario, so you will need to identify which of
the solutions you will implement.
Key Points
In this demonstration, you will see how to use the Windows Optimized Desktop Scenario Selection Tool v1.1
to identify desktop virtualization scenarios and solutions.
Demonstration steps:
1. On the NYC-CL3 computer, start the Windows Optimized Desktop Scenario SelectionTool
v1.1.xls from the Documents folder.
2. Review the options available on the Instructions and Scenario Selection tabs.
Question: What do you think of the Windows Optimized Desktop Scenarios Selection Tool? Are there
selection criteria missing? How will you use the results that this tool produces?
Key Points
Microsoft provides many different licensing options depending on the customer's requirements. At the
highest level, Microsoft provides the following licensing options:
OEM: You can purchase this type of license only when you purchase a new computer.
Retail: You can purchase this type of license separately from a new computer purchase, and you can
use it to upgrade current software or install new software. With this option, each copy of the software
requires a separate license.
Volume license: This type of license provides the most flexibility as it is the only type of license that
you can use to deploy multiple copies of software with a single license.
Note: With the volume license options, organizations also have the option of including client access
licenses (CALs). The CAL options include a core CAL, which enables access to Windows Servers,
Exchange Servers, Microsoft Office SharePoint, and a System Center Configuration Manager client.
Additional CAL options include Office Communication Server CALs, Operations Manager licenses, and
an Enterprise CAL option, which includes enterprise access to Exchange Server, SharePoint Server, and
Office Communications Server.
Key Points
You can use desktop and application virtualization to address significant business requirements within
organizations. However, within large organizations that have diverse user groups, implementing
virtualization can be complicated and likely will not address all business requirements at once. Consider
the following recommendations when planning a desktop and virtualization deployment:
Start small. It is highly unlikely that you will virtualize your entire environment immediately, and we do
not recommend doing so. To gain a better understanding of the process for implementing
virtualization, and to gain experience in managing a virtual environment, start with a small pilot
project. Ensure that you plan this project well and test it thoroughly to ensure that the initial user
experience with virtualization is as positive as possible.
Address a critical business need. To enhance the visibility and viability of virtualization in your
organization, ensure that your initial projects address a critical business need. For example, one of the
easiest virtualization solutions to deploy is RD Gateway. For organizations with a large number of
users who work outside of the corporate network but who require access to internal applications and
data, RD Gateway often can address one of the most critical business needs.
Implement virtualization incrementally. For many of the virtualization solutions, you can implement
the solutions incrementally. For example, if you are considering an App-V deployment for a small
group of users, you can begin by manually distributing the App-V clients and applications. Over time,
you can incorporate automatic streaming of the client and applications. If deploying desktop virtual
machines running in Windows Virtual PC, you can begin by deploying the virtual machines manually,
and then later adding MED-V to manage the virtual machine images. By deploying virtualization
incrementally, you can gain the benefits of the solutions without investing in the entire infrastructure
that may be required to automate the solution fully.
Consider the target user group. When considering a virtualization solution, ensure that you keep the
target user group in mind. For example, if you need to deploy a virtualization solution for only a small
group of users, you likely will use a different virtualization solution than if you need to deploy the
same virtualization solution for a large group of users. You also should consider the users' locations. If
all the users are in the office, and you assign them to the same desktop computer, you can use a
different virtualization solution than if the target audience consists of mobile or external users.
Consider addressing application compatibility options outside of virtualization. The desktop and
application virtualization solutions provide great tools for dealing with application compatibility
issues, but in some cases, it may be better to rewrite the application. For example, if all users in your
organization need to run an application that can run only in old Windows versions, rewriting the
application may enable you to improve the application without deploying and maintaining an entire
virtualization environment for that one application.
Question: What additional considerations will you need to include when planning virtualization projects
in your organization?
Lab Scenario
Contoso, Ltd., is a large corporation with offices in New York, London, and Tokyo, and branch offices in
several other cities. Contoso is planning to implement application and desktop virtualization to address
several critical business requirements. As a member of the project team, you are responsible for analyzing the
user and business requirements and identifying the best virtualization solutions for your organization.
Lab Setup
For this lab, you will plan the virtual environment assigned to you. Before you begin the lab, you must:
1. Start the 10324A-NYC-DC1 virtual machine. This virtual machine should remain running for the rest
of the course.
2. Start the 10324A-NYC-CL3 virtual machine.
3. Connect to 10324A-NYC-CL3, and log on as Contoso\Administrator with the password Pa$$w0rd.
2. Choose two of the user groups that you identified in the first task, and then enter the information
into the tool.
3. For the two user groups, identify the products and technologies that the selection tool suggests.
Results: After this exercise, you will have identified the user groups that may require virtualization at
Contoso, identified virtualization solutions that could be implemented to address the organization's
business requirements, and developed a prioritized list of projects to implement application and
desktop virtualization.
Review Questions
1. Your organization has been monitoring the servers in your data center and has identified several
servers that are running at less than 5 percent utilization. How can you ensure that you utilize the
hardware in your data center appropriately?
2. You are considering deploying an application virtualization solution, but you are concerned about the
amount of effort that it will require to deploy virtual applications to a large number of users. What
tool can you use to simplify this process?
3. The users in your organization are using a variety of user desktops, including both physical and virtual
computers. The users would like to have the same desktop configuration and be able to access the
same mapped drives and data from each desktop. How can you enable this?
2. Your organization has several hundred part-time employees who work outside of the office. The
employees all need to run an application that has to access a database server located in the main
office's data center. How can you make this application available to users?
3. Your organization is planning to upgrade all client workstations to Windows 7 Enterprise Edition. Five
users need to run an application that only runs on Windows XP. How should you address this issue?
When planning or implementing virtualization, it is important to start slowly. You can increase the
level of virtualization as you gain experience with the technology. By starting small, you have a better
chance of ensuring that the first experience with virtualization is positive.
Server virtualization has the potential to significantly decrease the costs of running your
organization's IT infrastructure. As you implement Hyper-V, calculate the cost savings,
and then use that information to convince management to pay for more virtualization.
The cost benefits of implementing desktop and application virtualization may be more difficult to
quantify. If you are implementing a solution to address application compatibility issues, you can
compare the cost of implementing App-V to the cost of rewriting the application. If you are
considering implementing a solution such as Med-V or VDI, you will need to invest quite a bit of
money to develop the infrastructure before you see any benefit.
Consider virtualization as one option when addressing user, security, or business requirements. You
can use virtualization to address many requirements, but you may be able to address the same
requirements without virtualization.
Module 2
Implementing Windows Virtual PC and Windows XP Mode
Contents:
Lesson 1: Installing Windows Virtual PC
Lesson 2: Configuring Windows Virtual PC
Lesson 3: Installing, Configuring, and Managing the Windows XP Mode
Lesson 4: Creating and Deploying Custom Images of Windows XP Mode
Lab: Implementing Windows Virtual PC and Windows XP Mode
Module Overview
Windows 7 has introduced a new version of Microsoft Virtual PC software that supports the creation
of virtual machines with various operating systems within the same virtual environment. Additionally,
Windows 7 includes Windows XP Mode, a precreated virtual machine that is running Windows XP
Professional Service Pack 3 (SP3), and which supports older applications and enables more convenient
migration to Windows 7. In this module, you will learn how to configure and use Windows Virtual PC
virtual machines and how to use Windows XP Mode.
Lesson 1
Installing Windows Virtual PC
Virtual PC software was introduced several years ago as a virtualization platform on workstations and
desktop computers. It enables users to use the same physical host machine to install and run several
virtual machines simultaneously that have the same, or different, operating systems. To provide the same
capability in Windows 7, Microsoft released a new version of Virtual PC, known as Windows Virtual PC.
In this lesson, you will learn about Windows Virtual PC, and its features and requirements.
Key Points
Windows Virtual PC is the latest Microsoft client virtualization technology designed for Windows 7,
and it enables you to run virtual machines on Windows 7 operating systems. This allows for testing,
development, and support of applications made for older operating systems.
Windows Virtual PC is a successor of Virtual PC, which Connectix developed originally for the
Macintosh and released in June 1997. Connectix then released the first version of Virtual PC for
Windows-based systems, version 4.0, in June 2001. In 2003, Microsoft acquired Connectix, and
continued to develop this product. Virtual PC 2004 was the first version of this software that Microsoft
developed, and in 2006, Microsoft released it as a free virtualization product for client platforms.
Microsoft then built and released the next version, Virtual PC 2007, to support the Windows Vista
operating system. After the release of Windows 7, Microsoft developed Windows Virtual PC to
provide virtualization on this new platform.
Unlike other virtualization platforms such as Virtual Server or Hyper-V, Windows Virtual PC is not intended
for server virtualization scenarios. Although you can install some server operating systems in the
Virtual PC environment, we do not support that scenario in a production environment. The primary
purpose of Windows Virtual PC is to provide a platform for learning, testing, development, and
support of older applications. Additionally, unlike Hyper-V, Virtual PC and Virtual Server are not based
on hypervisor technology. This means that communication with physical hardware is through
emulating hardware devices inside the virtual machine. That approach provides somewhat lower
performance than hardware-based virtualization, such as Hyper-V.
Note: In Windows Virtual PC terminology, we use the terms host and guest to
differentiate operating systems that are running directly on the physical hardware (hosts)
from operating systems that are running inside virtual machines (guests). Basically, the physical
machine, or host, has hardware and software capabilities that are sufficient to support the running of
one or more virtual machines (guests). In Hyper-V terminology, hosts and guests are typically called
parent and child partitions.
Question: Do you use any virtualization software for testing, learning, or development?
Question: If so, what operating systems did you run inside the Virtual PC environment?
Question: Do you use any other virtualization products, such as Hyper-V or other non-Microsoft
solutions?
Key Points
Windows Virtual PC provides several new features, such as providing seamless integration of the
virtualized and physical environments, and the ability to leverage the capabilities of the new hardware
(mostly processors).
The following sections describe the most important new features of Windows Virtual PC.
USB support
Windows Virtual PC now supports many USB devices, such as printers, scanners, flash memory sticks and
external hard disks, digital cameras, and smart card readers. After a user connects a USB device to a
physical computer, he can choose if that device will be available exclusively to one virtual machine or if it
is shared with other virtual machines. This enables much easier sharing of resources, and greater flexibility
and functionality for applications that are running in virtual machines. Later topics will provide more detail
on USB support in Windows Virtual PC.
Windows Virtual PC supports the redirection of some hardware devices and their functionalities to virtual
machines. For example, you can redirect printers and smart cards to virtual machines.
Besides this, Windows Virtual PC can share hard drives with the physical computer. From the virtual
machine, you can access all hard drives that connect to the physical computer. Users also can access their
Windows 7 known folders, such as Documents, Pictures, Desktop, Music, and Videos, from within a
virtualized Windows environment such as Windows XP Mode.
Windows XP Mode
Windows XP Mode is a new benefit of Windows 7 Professional, Ultimate, and Enterprise, and provides
additional application compatibility. It allows you to install and run many of your productivity applications
for Windows XP directly from your Windows 7-based PC. It utilizes Windows Virtual PC and Remote
Desktop Services (RDS) to provide a virtual Windows XP environment for Windows 7. Later lessons will
provide more detail on Windows XP.
Clipboard sharing
With Windows Virtual PC, you can share the Clipboard between the physical machine and the virtual machine.
For example, you can cut and paste between your Windows 7 host and any virtual machine.
Multithread support
In Windows Virtual PC, users can run multiple virtual machines concurrently, each running in its own
thread. This improves stability and performance.
Note: Windows Virtual PC does not include drag-and-drop functionality between the host and the
guest operating system.
Question: For you, what is the most important feature of Windows Virtual PC?
Key Points
To install and use Windows Virtual PC software, you must fulfill several requirements.
From the software perspective, the most important requirement is to run the Windows 7 operating
system. You can install Windows Virtual PC on the following host operating systems:
Windows 7 Home Basic
Windows 7 Home Premium
Windows 7 Enterprise
Windows 7 Professional
Windows 7 Ultimate
As guest operating systems, we support the following operating systems:
Windows XP Service Pack 3 (SP3) Professional
Windows Vista Enterprise Service Pack 1 (SP1) and newer versions
Windows Vista Ultimate Service Pack 1 (SP1) and newer versions
Windows Vista Business Service Pack 1 (SP1) and newer versions
Windows 7 Professional
Windows 7 Enterprise
Windows 7 Ultimate
Note: Although you can install Windows Virtual PC software on both the 32-bit and 64-bit versions of
Windows 7, inside the virtual machine, you can run only the 32-bit version of any supported operating
system.
We support virtual applications only on Windows Vista Enterprise or Ultimate, Windows 7 Enterprise or
Ultimate, and Windows XP Professional SP3. Virtual applications are applications that you install inside
virtual machines but which you run on the desktop of the physical host computer. From the end user's
perspective, a virtual application launches the same way as a local application. The end user clicks the
application's shortcut in the Start menu or on the desktop. Virtual applications are a key feature of
Windows Virtual PC. They enable you to run applications transparently in a guest operating system
when they are not fully compatible with the host operating system.
You also can run other guest operating systems. However, we do not support this, and in this scenario,
you may experience impaired functionality of the virtual machines.
Key Points
Windows Virtual PC requires that you have hardware that can support virtualization. The following
sections detail the requirements that you must meet to be able to install and run this software.
CPU with hardware-assisted virtualization support
Your computer must have a CPU with hardware-assisted virtualization capability. This feature typically is
available in the computer's basic input/output system (BIOS). Although manufacturers have been shipping
hardware virtualization in PCs for three years, hardware virtualization is not available in all PCs. Therefore,
even if your PC is new, it may not have hardware virtualization. Additionally, some manufacturers of new
PCs turn off hardware virtualization, so you will have to turn it on before you can use it. For instructions on how to
enable this feature, consult your computer's documentation.
Note: AMD-V and Intel VT are names of CPU-specific hardware-virtualization features that you must
enable to use Windows Virtual PC. Since most computers come with a CPU from one of these two
manufacturers, you should look into your computer's BIOS for these options. In some BIOS versions,
this feature is called Virtualization Technology or Virtualization support, but does not state the official
manufacturer name.
If you want to check whether your computer supports hardware-assisted virtualization, you should
download and run the Hardware Assisted Virtualization Detection Tool. Download this tool for free
from http://go.microsoft.com/fwlink/?LinkId=163321.
Microsoft has released an update for Windows Virtual PC that is specific to Windows XP virtual
machines, such as Windows XP Mode. This update removes the requirement to have hardware-assisted
virtualization support on a CPU. This means that if you are going to run only Windows XP virtual
machines in Windows Virtual PC, your computer does not need to have hardware-assisted
virtualization at the CPU level. You should install this update after you install Windows Virtual PC, and
you can find it at http://support.microsoft.com/kb/977206. Be aware that if you are running other
operating systems inside your virtual machine, they will require hardware virtualization support.
Memory
We recommend that you have at least 2 gigabytes (GB) of random access memory (RAM) in a host
machine if you want to run one or more virtual machines within Windows Virtual PC. When allocating
memory for virtual machines, you should leave at least 512 megabytes (MB) for the host machine. The
amount of memory that each virtual machine requires depends on the operating system that you install
on it.
Note: If you are using a 32-bit host operating system, you will not be able to allocate more than 4 GB
of RAM on the physical host. If you want to run several virtual machines simultaneously, we
recommend that you use the 64-bit version of Windows 7 as a host operating system because it can
allocate more than 4 GB of RAM.
Hard drive
We recommend that you have at least 15 GB of free space for each virtual machine that you plan to host.
Virtual machines can require significant storage, depending on the number of applications that you install
inside them. They sometimes require more storage than the host operating system. Also, we recommend
that you store virtual machines on a separate volume. For best performance, you should use another hard
drive that you install in the host machine.
Other hardware
If you want to run Windows Virtual PC, the host computer does not require any other hardware
components, such as a graphics card, sound card, CD or DVD drive, network cards, USB, or parallel and serial
ports. However, if you have this hardware in place, you will experience better functionality when using the
virtual machines.
Question: What is the benefit of running the 64-bit version of Windows 7 as the host operating system?
Key Points
Windows Virtual PC architecture differs from other Microsoft virtualization platforms because it combines
technologies that are available in the Virtual Server and Hyper-V architectures to provide the best
experience and usability for the end user.
Windows Virtual PC is not built on hypervisor technology like the Hyper-V server, but instead uses the
Virtual Machine Extensions (VMX) kernel to provide support similar to that which the hypervisor provides.
The VMX kernel is built upon the VMX of Intel Virtualization Technology (Intel VT). It includes the
Virtual Machine Monitor (VMM) runtime layer, which provides support for virtual machine execution,
memory management, intercept and exception handling, and routing of interrupts that virtual machines
raise.
In Virtual PC, Virtual Server, and Windows Virtual PC, device support was primarily done through
hardware emulation. In Windows Virtual PC, the disk, network, and display subsystems present themselves
as physical devices that the guest operating system detects at startup, and are indistinguishable (to the
guest) from real hardware. However, guest operating systems cannot access physical hardware directly,
but rather, only by using device emulators to go through the host operating system.
The guest operating system loads the drivers for these corresponding devices, and they execute
input/output (I/O) commands as they would in a real environment. These I/O commands are intercepted
by the VMM runtime, which is the VMX/SVM kernel that triggers callbacks of device emulators running
within the user mode process VPC.exe. Windows Virtual PC uses VPCBus-based devices coexisting with the
current device framework.
Windows Virtual PC, unlike products such as Virtual Server and Hyper-V Server, has additional
optimization for end users, but not necessarily for experienced IT professionals. It provides some features
that are not available on server virtualization products to enable integration between the host and the
guest operating system, and to provide greater flexibility and ease of use. Although Windows Virtual PC is
built on the Virtual Server engine, it provides much more integration between host and guest operating
systems than Virtual Server. In Virtual Server and Hyper-V server, this type of integration can be a security
issue, while Windows Virtual PC provides integration as an additional convenience for the end user.
You connect to a virtual machine by using RDS technology. When users initiate a connection to a virtual
machine, they initiate a console Remote Desktop Protocol (RDP) session using port 3389. Using the same
technology, Windows Virtual PC can use device sharing and device redirection between the host and the
guest operating system.
Question: What are the most important differences between Windows Virtual PC and Hyper-V?
Key Points
Unlike virtual machines that are running inside the Hyper-V environment or inside Virtual Server, and
therefore are mostly independent from the host operating system, you can integrate virtual machines in
Windows Virtual PC with the host operating system at varying levels of integration.
Integration between the guest and host operating systems in Windows Virtual PC depends mostly on the
integration components, which are software components installed inside the virtual machine that provide
communication and integration between the host and guest operating systems. In previous Virtual PC
versions, these components were known as Virtual Machine Additions.
In Windows Virtual PC, you can achieve this integration at four levels:
No integration
If you do not install integration components in a virtual machine, or the guest operating system does not
support them, there is essentially no integration between the host and the guest operating system. The
only interaction in this scenario is by using an emulated console so that you can interact with the virtual
machine when the boot process begins. However, there is no device redirection, folder integration, or
mouse sharing between the host and the guest operating system.
Basic Mode
The Basic Mode provides basic integration features between the virtual machine and the host, including
mouse and keyboard integration, USB support, time sync, and heartbeat parity. Integration features such
as clipboard sharing, drive sharing, and printer redirection are not available in this mode, which is useful
for power users in software development and test scenarios, where it is important to display the system-
level settings and BIOS messages explicitly as the virtual machine boots up.
Enhanced Mode
The majority of users will prefer this mode, because it is easy to use, and it provides the complete set of
integration features described above. For example, this mode provides the saved credentials feature so
that users do not have to log in each time they launch the virtual machine. You implement Enhanced
Mode by using a connection channel based on the Microsoft RDP protocol.
Virtual Applications Mode
Virtual Applications Mode is a seamless solution to application compatibility. You likely will find that this is
the most preferable way to launch and run your virtual applications, because they will integrate seamlessly
with the Windows 7 desktop and Start menu. When you install an application in the virtual machine, this
mode publishes a shortcut automatically to the Start menu of Windows 7.
Key Points
Integration features improve the experience of using a virtual machine by providing features that improve
interactions between the virtual machine and the physical computer, as well as between the operating
systems of both.
Integration features are available for all supported guest operating systems.
The Integration Components package, which Windows Virtual PC includes, contains the integration
features. For all other supported guest operating systems, you must install the Integration Components
package in the guest operating system to make the integration features available. Please be aware that an
updated version of the package may be released for a specific guest operating system. In that case,
upgrade the Integration Components package in the guest operating system.
After the integration features are available, you can turn most of them on or off by modifying the virtual
machine's Integration Features settings. The two exceptions are mouse integration and time
synchronization, which are turned on when the package is installed. Mouse integration makes it possible
for you to move the mouse seamlessly between the desktops of the host operating system and the guest
operating system. Time synchronization keeps the time in the guest operating system synchronized with
the host operating system.
Printer. You can use the printer that is available on the physical computer inside the virtual machine.
This allows you to print directly from a virtual application that you are using in the virtual machine.
Smart cards. Virtual machines can access smart card readers that you install on the physical computer.
This means that you can use these cards (and certificates) for authentication, authorization, and
encryption inside the virtual machine.
Hard drives. This feature shares the drives that you select on the host with the virtual machine, so that
you can access host data easily from the virtual machine. This feature also makes it possible to access
the host desktop and Documents folder from virtual applications when you select those resources to
share.
Key Points
Along with Windows Virtual PC, which is designed for Windows 7, Virtual PC 2007 SP1 is desktop
virtualization software for earlier versions of Windows, such as Windows Vista. You also can run Virtual PC
2007 SP1 on Windows 7, but not in parallel with Windows Virtual PC.
Unlike Windows Virtual PC, Virtual PC 2007 SP1 does not require that hardware virtualization support is
present in the host computer's hardware, although it can utilize it. Therefore, you can install Virtual PC
2007 SP1 on older hardware to provide a virtualization platform, even if there is no hardware virtualization
support available.
Virtual PC 2007 SP1 does not provide some of the features that Windows Virtual PC provides. One of
these features is USB support, which means that you cannot provide access to USB devices to virtual
machines that you create with Virtual PC 2007 SP1. Also, Virtual PC 2007 SP1 does not provide virtual
application integration with host operating systems, and you cannot use drive sharing the way that you
can in Windows Virtual PC. The creation of new virtual machines in Windows Virtual PC integrates in an
interface that is like Windows Explorer, while Virtual PC 2007 SP1 uses a separate console for that.
Conversely, Windows Virtual PC does not support drag and drop between the host and guest
operating systems, which Virtual PC 2007 SP1 does.
When you deploy virtual machines, and you plan to switch from Virtual PC 2007 SP1 to Windows Virtual
PC, you should consider the following:
The Virtual Machine Additions components, also known as Integration Components, of Virtual PC 2007
SP1 are not compatible with Windows Virtual PC. This means that you must uninstall them before
migrating virtual machines from Virtual PC 2007 SP1 to Windows Virtual PC.
Save state files that you create in Virtual PC 2007 SP1 are not compatible with Windows Virtual PC.
You must delete save state files prior to migration.
You must recreate the virtual machine's configuration when you migrate virtual machines from
Virtual PC 2007 SP1 to Windows Virtual PC.
Question: What is a main reason to use Virtual PC 2007 SP1 instead of Windows Virtual PC?
Lesson 2
Configuring Windows Virtual PC
Before starting to use virtual machines, you must configure the software options for Windows Virtual PC
and create some components that the virtual machines need, such as virtual hard disks (VHDs). You also
must configure virtual hardware settings for each virtual machine, such as networking and USB devices.
If you want to use virtual machines efficiently, it is very important to understand VHDs, including what
types of VHDs exist and how to use them.
This lesson discusses the configuration of virtual machine settings, and the creation and usage of
components that virtual machines need.
Key Points
If you want to create and use a virtual machine in the Windows Virtual PC environment, you have to create
the virtual machine's configuration and configure the settings inside the configuration.
The virtual machine configuration is an XML-formatted file that describes the hardware configuration of a
virtual machine in essentially the same way that you describe a physical machine's hardware components.
Since virtual machines in Windows Virtual PC do not directly access hardware, the configuration file is
used to configure the virtual machine's hardware options and components, and defines resources, such as
RAM, that will be taken from the host machine when you start the virtual machine.
You can configure the following settings for virtual machines in Windows Virtual PC:
Name. The name setting defines the virtual machine's name. This is not the name of the virtual
computer, or operating system, that the virtual machine represents, but rather just the name of the
configuration file.
Memory. This setting is where you enter the amount of RAM memory that the virtual machine will
allocate from the physical host when you start it. Note that the specified amount of RAM is used only
when the virtual machine is running. When calculating the amount of RAM memory that will be
available to one machine, take into account the number of virtual machines that will be running
simultaneously and the amount of RAM that should remain available for a host operating system.
Note: For example, if you are going to run three virtual machines simultaneously, and you
have 4 GB of RAM, then you should not allocate more than 1 GB of RAM per virtual machine.
Windows Virtual PC does not support memory overcommitment.
Hard disk (1, 2, 3). These options allow you to attach VHD files to the virtual machine. You can add
three VHDs to one virtual machine, and you must define at least one. From the hard disk settings, you also can
start the wizard to create new VHDs and modify existing ones.
DVD drive. The DVD Drive setting option allows you to use a physical DVD drive from the host
computer or to map the ISO image file as a DVD to the virtual machine.
COM1, COM2. These settings enable you to configure the use of physical communication (COM) ports
inside the virtual machine or map virtual COM ports to a named pipe or text file.
Networking. The Networking option enables you to add four network adapters to a virtual machine,
and change the connection state of each network adapter. Each network adapter in the virtual machine
can be mapped directly to any physical network adapter in the host machine, use network address
translation (NAT) through a physical network adapter, use Internal Network for communication
between virtual machines, or be in a disconnected state. This will be discussed later in more detail.
Integration features. These features and their corresponding settings allow you to configure the level
of integration between the virtual machine and the physical host. You can allow audio, printer,
clipboard, and smart-card sharing, and also allow access to physical drives in the host computer. If
you want to use integration features, you must install integration components in the virtual machine.
Keyboard. The Keyboard setting determines how your computer or virtual machine will respond to
keyboard shortcuts such as ALT+TAB. The default behavior is to pass these shortcuts to the virtual
machine only when you are running in full screen mode. Otherwise, keyboard shortcuts execute on
the host operating system.
Logon Credentials. The Logon Credentials setting enables you to delete all saved credentials if you
previously chose to save credentials that users are entering when they log on to virtual machines.
Auto Publish. The Auto Publish setting enables you to configure whether the virtual machine will
publish virtual applications automatically to the Windows 7 host machine. If you are going to use
Windows Virtual PC to support older applications, we recommend that you enable this option.
Close. The Close setting enables you to define the virtual machine's behavior when the user clicks a
button to close the virtual machine window. You can choose to be prompted for action each time
you try to close the virtual machine window or choose a preconfigured action, such as Hibernate.
If you want to make changes to the virtual machine configuration, you can do it by opening the Settings
dialog box after right-clicking the virtual machine icon in the Virtual Machines folder window. For most
changes to occur, you must turn off the virtual machine. However, you can make some changes, such as
mapping a virtual DVD drive to an .ISO file or physical drive, or changing settings for the virtual network
adapter's connection, even while the virtual machine is running. Conversely, you must perform other
changes, such as changing the amount of allocated RAM memory or adding VHDs to the virtual machine,
when the machine is turned off.
Features of VHDs
Key Points
VHDs are files on the physical machine that store the hard-disk contents of a virtual machine. Windows
Virtual PC treats each VHD file as a separate hard disk, and each virtual machine can have three VHD files
attached. You must have at least one VHD attached to the virtual machine if you want to run it.
The VHD file format is an open standard and does not depend on the virtualization technology in use or on
the host and guest operating systems. Because of that, Windows Virtual PC, Virtual Server, and Hyper-V all
use the same format of VHD files.
Note: You cannot directly use VHD files from one virtualization platform in another platform, since
Integration Components are not compatible between platforms. For example, if you want to use a VHD
from a Virtual Server-based virtual machine in Windows Virtual PC, you first must uninstall Virtual
Machine Additions before attaching a VHD to the machine in Windows Virtual PC.
Types of VHDs
There are three types of VHDs: fixed-size disks, dynamically expanding disks, and differencing disks.
Fixed-size disks take up all of the space that the VHD is allowed to have. For instance, if you create a fixed
disk that is 64 GB, the VHD file will occupy 64 GB of hard-disk space from the time of creation, and its size
will never vary. However, this type of disk provides the best performance for virtual machines, and we
recommend that you use it if you have a disk-intensive application in the virtual machine.
Dynamically expanding disks increase in size to take up space as required. The size that you specify when
you create a dynamically expanding disk indicates the maximum size to which the disk can grow. For
instance, if you create a dynamically expanding disk of size 64 GB, the VHD file might initially occupy only
a few hundred kilobytes (KB). It then will grow upon usage to occupy the maximum size that you specify
(64 GB). Note, however, that the guest operating system believes it has the full 64 GB from the start.
Additionally, these disks do not shrink automatically when you delete some files inside the virtual
machine. You must use the Compact option for this. Dynamically expanding disks perform slightly slower
than fixed-size disks, to which you can convert them, if necessary.
A differencing disk is a VHD that you use to isolate changes to a VHD or the guest operating system by
storing them in a separate file. A differencing disk is associated with another VHD that you select when
you create the differencing disk. This means that the disk to which you want to associate the differencing
disk must exist first. Later topics will provide more detail on these types of disks.
Native VHD Support in Windows 7
In addition to the ability to use VHD files as storage, Windows 7 provides native support for booting from
a VHD file rather than from the system boot files on the system's hard disk. Booting from VHD enables
you to mount a VHD as a bootable drive and, as the name implies, boot from it. This can be very useful
for creating multiple operating-system installations without having to create multiple operating-system
partitions on your hard drive. However, when you boot a physical machine from a VHD, you do not start a
virtual machine. Instead, you use a VHD instead of the physical drive. The operating system that is booted
from the VHD has the same level of access to hardware as an OS installed in the traditional way.
Key Points
One specific type of disk that you can use inside a virtual machine is a differencing disk. A differencing
disk is a VHD that you use to isolate changes to a VHD or the guest operating system by storing them in a
separate file.
A differencing disk is always associated with another VHD that you select when you create the
differencing disk. This means that the disk to which you want to associate the differencing disk must exist
first. This VHD is the parent disk, and the differencing disk is typically called the child disk. The parent disk
is sometimes called the base disk.
The parent disk can be any type of VHD, even another differencing disk. The differencing disk stores all
changes that would otherwise be made to the parent disk if the differencing disk were not in use. The
differencing disk provides an ongoing way to save changes without altering the parent disk. You can use
the differencing disk to store changes indefinitely, as long as there is enough space on the physical disk
where you store the differencing disk. The differencing disk expands dynamically as data is written to it,
and it can grow as large as the maximum size that you allocated for the parent disk when you created it.
When you create the differencing disk and attach it to the virtual machine, the operating system reads
data from both the parent disk and the differencing (child) disk at once.
Note: We recommend that you write-protect or lock the parent disk before using the differencing
disk. Otherwise, if some other process modifies the parent disk, all differencing disks related to it
become invalid, and all data written to the differencing disks is lost. You also need to modify the
virtual machine by replacing the parent disk with the differencing disk. Otherwise, you will receive an
error when you try to start the virtual machine because it cannot use a read-only disk.
You can distribute the contents that the differencing disk stores by merging the differencing disk with the
parent disk. This modifies the parent disk with all the changes that the differencing disk stores, and then
deletes the differencing disk. There also is an option to merge changes to a new disk. Merging to a new
VHD retains both the parent disk and the differencing disk in their current state, and creates a new VHD
that is a combination of the contents of the parent disk and the differencing disk. You can use this new
disk as a parent for a new virtual machine.
Note: If you use multiple differencing disks that share a parent disk containing an operating system,
you must apply any software updates to each differencing disk. If you apply the software update to the
parent disk, all differencing disks associated with that parent disk would be unusable.
Note: Chaining several differencing disks and connecting them to one virtual machine can impair
performance, as the operating system must read from several VHD files at the same time. Because of
that, we recommend that you keep the number of chained differencing disks under five.
When you create a chain of differencing disks, it is particularly important to lock all disks except the
most recent child disk. Any changes made to any older disks would invalidate all later disks in the
chain. However, the most recent child disk must be writable so that a virtual machine can use it.
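The parent/child relationship described above is recorded inside the VHD files themselves: the footer holds the disk type and a unique ID, and a differencing disk's header holds the unique ID of its parent. The following added example (not part of the course material; the function names and the sample images are constructed for illustration) parses that metadata and checks a chain, newest child first, for broken parent links, a damaged footer, a chain of five or more differencing disks, and Virtual PC's 127 GB virtual disk limit.

```python
import struct
import uuid

# Field layouts from the published VHD format specification (all big-endian).
FOOTER = struct.Struct(">8sIIQI4sI4sQQ4sII16sB")   # first 85 bytes of the 512-byte footer
DYN_HEADER = struct.Struct(">8sQQIIII16sI")        # first 60 bytes of the 1024-byte header
FOOTER_SUM_AT, HEADER_SUM_AT = 64, 36              # offsets of the checksum fields
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
VPC_MAX_BYTES = 127 * 1024**3                      # Virtual PC virtual disk size limit


def checksum(block, field_offset):
    """One's complement of the byte sum, taken with the checksum field zeroed."""
    zeroed = block[:field_offset] + b"\0" * 4 + block[field_offset + 4:]
    return ~sum(zeroed) & 0xFFFFFFFF


def parse_vhd(image):
    """Return type, size and identity of a VHD image; raise ValueError if damaged."""
    footer = bytes(image[-512:])
    if len(footer) < 512 or footer[:8] != b"conectix":
        raise ValueError("no VHD footer found")
    (_cookie, _features, _version, data_offset, _stamp, _app, _app_ver, _host_os,
     _orig_size, size, _geometry, type_code, stored, uid, _saved) = FOOTER.unpack_from(footer)
    if stored != checksum(footer, FOOTER_SUM_AT):
        raise ValueError("footer checksum mismatch")
    if type_code not in DISK_TYPES:
        raise ValueError("unsupported disk type %d" % type_code)
    info = {"type": DISK_TYPES[type_code], "size": size,
            "id": uuid.UUID(bytes=uid), "parent_id": None}
    if type_code in (3, 4):                        # sparse disks carry a second header
        header = bytes(image[data_offset:data_offset + 1024])
        if len(header) < 1024 or header[:8] != b"cxsparse":
            raise ValueError("dynamic disk header missing")
        fields = DYN_HEADER.unpack_from(header)    # [6] = checksum, [7] = parent unique ID
        if fields[6] != checksum(header, HEADER_SUM_AT):
            raise ValueError("dynamic header checksum mismatch")
        if type_code == 4:
            info["parent_id"] = uuid.UUID(bytes=fields[7])
    return info


def verify_chain(images):
    """images: newest child first, base disk last. Returns a list of problems found."""
    disks = [parse_vhd(image) for image in images]
    problems = []
    for position, (child, parent) in enumerate(zip(disks, disks[1:])):
        if child["type"] != "differencing":
            problems.append("disk %d is %s and cannot have a parent"
                            % (position, child["type"]))
        elif child["parent_id"] != parent["id"]:
            problems.append("disk %d expects parent %s, found %s"
                            % (position, child["parent_id"], parent["id"]))
    if disks[-1]["type"] == "differencing":
        problems.append("chain ends in a differencing disk: base disk missing")
    if sum(d["type"] == "differencing" for d in disks) >= 5:
        problems.append("five or more chained differencing disks")
    if any(d["size"] > VPC_MAX_BYTES for d in disks):
        problems.append("virtual disk larger than 127 GB")
    return problems


def make_sample(type_code, size, uid, parent_uid=uuid.UUID(int=0)):
    """Build a constructed, metadata-only VHD (no sector data) for the demo."""
    footer = bytearray(512)
    data_offset = 0xFFFFFFFFFFFFFFFF if type_code == 2 else 512
    FOOTER.pack_into(footer, 0, b"conectix", 2, 0x00010000, data_offset, 0, b"demo",
                     0, b"Wi2k", size, size, b"\0" * 4, type_code, 0, uid.bytes, 0)
    struct.pack_into(">I", footer, FOOTER_SUM_AT, checksum(bytes(footer), FOOTER_SUM_AT))
    if type_code == 2:
        return bytes(footer)
    header = bytearray(1024)
    DYN_HEADER.pack_into(header, 0, b"cxsparse", 0xFFFFFFFFFFFFFFFF, 1536, 0x00010000,
                         0, 0x200000, 0, parent_uid.bytes, 0)
    struct.pack_into(">I", header, HEADER_SUM_AT, checksum(bytes(header), HEADER_SUM_AT))
    return bytes(footer) + bytes(header) + bytes(footer)


if __name__ == "__main__":
    base = make_sample(2, 64 * 1024**3, uuid.UUID(int=1))
    child = make_sample(4, 64 * 1024**3, uuid.UUID(int=2), parent_uid=uuid.UUID(int=1))
    print(parse_vhd(child))
    print(verify_chain([child, base]) or "chain is consistent")
```

To use it on real files, read each .vhd in binary mode and pass the bytes to `verify_chain`; for large fixed-size disks, reading only the last 512 bytes is enough for `parse_vhd`.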
Question: What can you achieve by associating multiple differencing disks to one parent disk?
Key Points
Undo Disks is a feature that saves changes to a virtual machine's data and configuration in a separate
undo disk file in case you want to reverse the changes. The feature provides you with a way to decide
whether to modify a virtual machine and its disks permanently each time you end a virtual machine
session or revert the virtual machine to its initial state. When you enable Undo Disks, it applies to all VHDs
installed on the virtual machine.
When you run a virtual machine that is using Undo Disks, any changes to a VHD are temporarily stored in
an undo disk (.vud) file, rather than in the original VHD file. This is very similar to using differencing disks.
However, there are two notable differences. A differencing VHD is associated with one VHD rather than
with the virtual machine, and you are not prompted to decide what to do with the changes when you
shut down a virtual machine.
When you enable Undo Disks, you have the following options to manage them.
Apply changes. This option updates the original VHD with all changes that were stored in the undo disk
file. This is similar to merging a differencing disk with its parent disk. You can access this option through
Virtual Machine settings.
Discard changes. This option deletes the undo disk file and leaves the original hard disk file unchanged.
Windows Virtual PC creates a new, empty undo disk file the next time you turn on the virtual machine.
You can do this by choosing the Turn off and delete changes option when closing the virtual machine
or by choosing the Discard Changes option from the Virtual Machine settings.
When you discard or apply changes on an undo disk, that action applies to all changes that it stores. In
other words, you cannot selectively delete or apply changes on an undo disk.
The undo disk file is always created in the same folder as the virtual machine configuration file.
In this demonstration, your instructor will show you how to create various types of VHDs.
Demonstration steps:
Create a dynamically expanding VHD in Windows Virtual PC.
Create a differencing VHD in Windows Virtual PC.
Create a VHD in Windows 7 Disk Management.
Attach VHDs.
Key Points
Windows Virtual PC supports USB devices in virtual environments. This means that you can access various
USB devices, such as USB memory sticks, printers, or scanners, from applications that are installed in the
virtual machine. You can install up to eight USB devices inside the virtual environment.
USB architecture in Windows Virtual PC
Windows Virtual PC uses the Redirection Policy Manager (RPM) in Windows to provide USB
redirection in a virtual machine. It loads an alternate driver in lieu of the original driver to redirect the
device to a virtual machine. WVPC creates a virtualized host controller in the virtual machine that is
offered by using a Virtual PC bus channel.
USB architecture consists of a server-side component running in the host operating system and a client-
side component that is running in the virtual machine. The server side involves a connector driver to
manage USB devices and a stub instance for every USB device. The client side implements a VPC bus-
enumerated virtual host controller that supports the subset of the USB driver interfaces that are necessary
for compatibility with the supported devices. The redirection process also triggers the connector driver to
send commands to the guest to create the physical device object (PDO) for the redirected device. Then
the stub driver, connector driver, and the virtual bus or hub driver work in unison to enable
communication of commands, responses, and data between the physical USB device and the redirected
USB device.
You can use USB devices in two ways: sharing and redirection. In the default mode, with all integration
features enabled, you can use storage devices, printers, and smart cards without having to redirect the
device manually, by simply sharing it with the physical host. This requires that the device driver is available
both in the virtual machine and on the host.
If the driver is not available in Windows 7, but is available for the operating system inside the virtual
machine, you can redirect the device to the virtual machine. This means that access to the device will be
available only to the virtual machine.
These Group Policy settings can be found by clicking Computer Configuration, clicking Administrative
Templates, clicking System, clicking Device Redirection, and then clicking Device Redirection
Restrictions.
Key Points
Inside the Virtual Machine settings console, you can configure networking options if you want to connect
a virtual machine to different types of networks.
You can connect each virtual machine to four networks, which means that you can have up to four virtual
network adapters installed inside a virtual machine. The Virtual PC host application emulates Intel DEC
21140A network cards. Each emulated network adapter is assigned a unique media access control (MAC)
address in the range 00-03-ff-XX-XX-XX. The last three octets are calculated using the host network
adapter MAC address. For each network adapter, you can configure the different types of networks that it
connects to, including:
Not connected. If you configure the network adapter as not connected, that means that it has no
connection to any network. It appears in the device manager of the virtual machine, but it is in a
disconnected state. It is the same as a physical network adapter, with no connection.
Internal Network. When you connect the virtual network adapter to this network, it can connect only
to the other virtual machines on the same physical machine. A software switch, also known as a virtual
switch, inside Windows Virtual PC forwards the packets to the destination virtual machine
without connecting to any external network on the host. This is useful for cases where you want to
connect two or more machines that are completely isolated from the network.
Note: In Hyper-V terminology, Internal Network is used for communication between virtual machines,
and between virtual machines and the host operating system. In Windows Virtual PC, you cannot
communicate with the host via this network.
Host network adapter. This option provides you with the ability to connect the virtual machine
network adapter to any physical network adapter in the host machine, in bridge mode. This enables
you to connect to the external network by using the host network adapters. When you connect the
virtual machine by using this option, the virtual card has a unique presence on the network, just like
any other physical host machine. This option requires that you install the Virtual PC network filter
driver in the host's networking stack. This driver is installed during the Windows Virtual PC installation
process, and by default, it binds to all network adapters based on 802.3 802.11. To disable the Virtual
PC Network Filter, double-click the network adapter in the Network and Sharing Center and click
Properties of the host machine's physical network adapter, which prevents the virtual machine from
using it. If you connect the machine to a physical host adapter, it can communicate with all other
hosts on that network (physical and virtual) and with the host where the virtual machine resides.
Shared Networking (NAT). Shared networking, or NAT, is another way that the guest can connect to
the external network. The main difference between this and the bridge mode is that the virtual
machine is behind the NAT, and it does not have a unique identity in the external network. It supports
all connections that use TCP/IP. When you connect by using the bridge mode, you must use a
separate IP address for the guest, so if there is a shortage of IP addresses, this option may not work.
Conversely, NAT would be a good option in this scenario. You also can use this option when you do
not want to connect directly to an external network and remain behind this NAT. This acts as a strong
firewall that protects the guest from outside attacks.
There are certain limitations when you connect by using NAT. If a protocol carries the source IP
address in its payload, it may break, because NAT replaces the guest's address with the host's address
while the payload still contains the guest IP address. We do not support connecting with a virtual private network (VPN) that is
inside the guest. Some VPN connections require the opening of raw sockets, which require administrative
privileges to open successfully. Conversely, the Windows Virtual PC application runs in the user context.
Applications that use TCP/IP, like browsing the Internet, Windows Live Messenger, and shared access, will
work when you connect by using NAT. We recommend that you connect by using the bridge mode when
the guest needs to use VPN.
Note: You can use shared networking only on the first network adapter in the virtual machine.
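An inventory check built on the MAC range above, as an added example (not from the course; the function name and the ARP output are constructed): it scans ARP-table text for addresses that start with 00-03-ff to list bridged Windows Virtual PC guests on a segment. Guests that use Shared Networking (NAT) do not appear, because they have no identity of their own on the external network.

```python
import re

VPC_PREFIX = "0003ff"   # first three octets of the 00-03-ff-XX-XX-XX range
MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}\b"      # 00-03-ff-1a-2b-3c or 00:03:ff:1a:2b:3c
    r"|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b",      # 0003.ff1a.2b3c (dotted notation)
    re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: Windows "arp -a" style rows plus one dotted-notation row.
SAMPLE_ARP = """\
Interface: 192.168.10.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-1c-42-aa-bb-cc     dynamic
  192.168.10.23         00-03-ff-1a-2b-3c     dynamic
  192.168.10.40         00:03:FF:9d:00:e1     dynamic
Internet  192.168.10.77   4   0003.ff55.6677  ARPA  Vlan10
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
"""


def find_virtual_pc_guests(arp_text):
    """Return (ip, mac) pairs whose MAC falls in the Virtual PC emulated-adapter range."""
    hits = []
    for line in arp_text.splitlines():
        mac, ip = MAC_RE.search(line), IP_RE.search(line)
        if not (mac and ip):
            continue                               # header or interface line
        digits = re.sub(r"[^0-9a-f]", "", mac.group().lower())
        if digits.startswith(VPC_PREFIX):
            pretty = "-".join(digits[i:i + 2] for i in range(0, 12, 2))
            hits.append((ip.group(), pretty))
    return hits


if __name__ == "__main__":
    for ip, mac in find_virtual_pc_guests(SAMPLE_ARP):
        print(ip, mac)
```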
Question: If you use shared networking on a virtual network adapter, can the virtual machine
communicate with the host computer, such as when it needs to share files?
In this demonstration, your instructor will show you how to create and configure virtual machines in
Windows Virtual PC.
Demonstration steps:
Create a virtual machine, and then configure it to use an existing disk.
Change the virtual machine configuration settings.
Start the virtual machine.
Demonstrate different networking types.
Lesson 3
Installing, Configuring, and Managing the Windows
XP Mode
Windows XP Mode is a benefit of using Windows 7 and Windows Virtual PC. It provides users with a
virtual machine that is preconfigured with Windows XP Professional SP3 installed, primarily to support
usage of older applications and devices that cannot work with Windows 7. Windows XP Mode supports
seamless application integration, which means that you can run applications installed inside the virtual
machine in the same way as you run existing applications installed locally on the Windows 7 machine.
This lesson focuses on installing, configuring, and managing Windows XP Mode on Windows 7.
Key Points
Designed primarily with small businesses in mind, Windows XP Mode for Windows 7 enables a user to
install and run Windows XP applications directly from a Windows 7-based PC. With Windows Virtual PC,
Windows XP Mode works in Windows 7 Professional, Enterprise, and Ultimate, and provides a 32-bit
Windows XP Professional Service Pack 3 environment that is preloaded on a VHD. Since Windows XP
Mode is running inside the Windows Virtual PC environment, the same requirements apply as for other
virtual machines that are running inside Windows Virtual PC.
Windows XP Mode is not a part of Windows Virtual PC. You must download it separately from the
Microsoft Download Center, and then install it manually. We recommend that you download and install
Windows XP Mode first, and then install the Windows Virtual PC environment.
Note: Windows XP Mode is available only for Windows Virtual PC and Windows 7. You cannot use it
with Virtual PC 2007.
Using Windows XP Mode is faster and easier than creating your own virtual machine because Windows
Virtual PC creates the virtual machine for you, configures it to run Windows XP, and then installs the
following:
The Integration Components package. These components improve the experience of using a virtual
machine by providing features that improve interactions between the virtual machine and the
physical computer.
Support for virtual applications. This feature requires an update to the guest operating system. In
Windows XP Mode, this update is installed by default.
Additionally, since Windows XP Mode is free for Windows 7 users, you do not have to buy separate
licenses to run a virtual instance of Windows XP on your Windows 7 machine.
Note: Although some of the features of Windows Virtual PC improve the integration between the host
operating system and a guest operating system, such as Windows XP, the operating systems are
separate, and you must manage them separately. For example, to receive the maintenance benefits
that features and tools such as Windows Update and antivirus programs provide, you must install and
run them in the guest operating system.
Windows XP Mode provides users with a number of productivity features and benefits, including:
Folder integration to allow accessing the hosting Windows 7 disk drives within XP mode.
Seamless applications to access the XP mode application in the All Programs menu from the hosting
Windows 7 machine.
USB support for XP Mode.
Clipboard sharing between a hosting Windows 7 machine and XP Mode.
Printer redirection for XP Mode.
All of these features are ready to use immediately after you install Windows XP Mode.
Note: The Windows XP virtual machine that is running in Windows XP Mode is networked by default
with the hosting Windows 7 machine by using NAT. You can change this in the virtual machine
settings.
When you use Windows XP Mode, you should consider that XP mode is, in effect, a virtual machine like
the other virtual machines that you create. It means that you can configure most settings for a Windows
XP Mode virtual machine, just like you would configure settings on any other virtual machine.
Storage required for running Windows XP Mode
By default, Windows XP Mode uses space on the system drive to store the virtual machine and VHDs. The
virtual machine requires two VHDs:
A parent VHD. The default location is %systemdrive%\Program Files\Windows XP Mode.
This is the preconfigured default drive inside the Windows XP Mode package,
which you download from the Microsoft Download Center.
A differencing VHD. By default, Windows XP Mode Setup creates this disk at
%systemdrive%\Users\<username>\AppData\Local\Microsoft\Windows Virtual PC\Virtual Machines.
This disk is specific for each user on the Windows 7 machine that is using Windows XP Mode. For
each user, a new differencing disk is created. This enables each user to configure his own Windows XP
Mode environment and applications.
In this demonstration, your instructor will show you how to install and set up Windows XP Mode.
Demonstration steps:
Start Windows XP Mode setup.
Create a password.
Configure the Windows Update options.
Configure drive sharing.
Set up Windows XP Mode.
Configure Windows XP Mode in full screen mode.
Key Points
If you are running a Windows XP Mode virtual machine as a guest operating system, you can run an
application installed in a virtual machine directly from the Start menu of the host operating system. This
makes it possible for you to run Windows 7 as the host operating system, and then use existing
applications, while avoiding problems that might occur if the applications are not compatible with
Windows 7. This method of running an application is called a virtual application.
You can publish and use virtual applications if the guest operating system is Windows XP Professional
Service Pack 3, Windows Vista Enterprise Service Pack 1, Windows Vista Ultimate Service Pack 1, Windows
7 Enterprise, or Windows 7 Ultimate. This scenario does not support other operating systems.
When you publish a virtual application to a Windows 7 host operating system, files on the host will be
associated with the virtual application if those files are not already associated with an application on the
host operating system. If the drive on which the file is stored is shared with the virtual machine, you can
double-click the file, and the virtual application will open the file.
Note: The system tray of the host operating system may include icons of programs that are running in
a virtual machine. For these programs, the tooltip includes (Remote) to help you identify which
programs are running in a virtual machine. If the same program is running in both the host and guest
operating systems, the system tray shows two instances of the same icon.
For each virtual machine inside Windows Virtual PC that is running a supported operating system, you can
configure Automatic Publishing of virtual applications inside the virtual machine to a physical host that is
running Windows 7. This means that each application installed inside the virtual machine will appear in
the Start Menu of the Windows 7 computer, and will work via seamless integration.
For a Windows-based virtual machine (Windows XP SP3 and newer versions), you need to install the
"Update for Windows XP SP3 or above to enable RemoteApp" package or the "Update for Windows Vista SP1
or above to enable RemoteApp" package inside the virtual machine. The Windows XP Mode VHD has this
package preinstalled. Also, you need to ensure that autopublishing is enabled in the virtual machine
settings. You can verify this by opening the settings for the virtual machine, and then navigating to the Auto
Publish setting.
By default, applications installed under the All Users profile are autopublished to the Windows 7 host.
Therefore, if an application has created its shortcuts in the All Users profile, no action is required from the
user. However, there are applications that do not install for the All Users profile, and which are installed
for the current user only. In that case, you should copy the application shortcut from the current user
profile to the All Users profile so that the application can be published.
Exclude List
You may want some applications that you install in the guest to remain unpublished to the host's Start
menu. For this purpose, there is a list inside the guest registry called the Exclude List. This list contains full
paths of applications that you do not want to publish to the host's Start menu. The Exclude List is present
in the guest registry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtual
Machine\VPCVAppExcludeList.
Manual publishing
Another way you can control the applications that are published to the host Start menu is through
manual publishing. In this scenario, the user disables autopublishing, and then takes total control of what
is published to the host's Start menu. This is very useful for IT administrators who want to restrict
applications that are published, irrespective of the number of applications that the user installs inside the
guest.
Applications that publish to the host Start menu have an entry in the guest registry that the WMI class
Win32_TSPublishedApplication manages. You can use scripting to manipulate this WMI class to publish,
and rescind publication of, applications manually.
In this demonstration, your instructor will show you how to publish applications and work with published
applications.
Demonstration steps:
Demonstrate that the virtual machine has enabled Auto Publish.
Install Microsoft Access version 2.0 inside Windows XP Mode.
Show that application shortcuts are added to the Start menu in Windows 7.
Show that the Start menu's search functionality finds them.
Start the virtual application.
Key Points
After you deploy Windows XP Mode, you can perform additional configuration of the Windows XP virtual
machine. Some of the most common management tasks and considerations for Windows XP Mode are:
Joining a Windows XP Mode virtual machine to a workgroup or domain. Just like any other computer,
this machine can be a domain or workgroup member. You do this by using the same procedures as
with a physical host. Before doing this, make sure that the virtual machine is connected to your
network so that it can access the workgroup or domain. In order for the Windows XP Mode machine to
have access to the network, you should connect it to your physical adapter.
Managing saved credentials. When deploying Windows XP Mode, during its initial setup, you must
provide a password for a default user called XPMUser. This password is saved, so the user is not prompted
to enter it when starting the Windows XP Mode virtual machine. This is very convenient, especially
when you are using virtual applications. However, if you want to clear saved passwords for this or
other user accounts, you can do it by using the Settings menu for the virtual machine. You should be
aware that this account is a member of the Administrators group.
Using Undo Disks. When you are using a Windows XP Mode virtual machine, you can use the Undo
Disk option, which is disabled by default. You can enable it by using the Settings menu. This option is
useful if you want to revert a virtual machine to its pre-session state.
Using antivirus and antispyware protection. A Windows XP Mode virtual machine does not have
antivirus or antispyware software installed. Since this machine behaves as any other computer on the
network, the host machine cannot protect it. Therefore, it is very important to update this machine
regularly through the Windows Update service and to install antivirus and antispyware software,
especially if you are connecting this machine to the Internet.
Lesson 4
Creating and Deploying Custom Images of Windows
XP Mode
Besides using the precreated Windows XP Mode virtual machine, you also can make your own virtual
machines. You can make VHD templates that you can use to create new virtual machines, or you can
convert physical hard disks that have Windows XP installed to VHDs. This lesson focuses on these tasks,
and provides information about deployment techniques.
Key Points
Some users may choose to use a custom Windows XP virtual machine instead of the precreated one in
Windows XP Mode. That means that you must create the virtual machine manually, as well as the virtual hard drive,
and then install the supported operating system, which would be Windows XP. After that, you will need to
install the integration features to provide integration between the virtual machine and the Windows 7
host computer. Lastly, you have to install the available updates for the virtual machine's operating system,
and the applications that you will use in the virtual environment. Additionally, we recommend that you
install antivirus software inside the virtual machine, because the host operating system does not protect it
from viruses.
Note: Building your own Windows XP Mode images requires Windows XP with Service Pack 3 and the
proper license.
If you want to use application integration features, you will need to install an update to the operating
system inside the virtual machine. If you have installed Windows XP SP3, you need update KB961742. If
you have Windows Vista installed, you need KB961741. These updates provide RemoteApp support inside
the virtual machine operating systems. RemoteApp is a technology from Windows Server 2008, and it
enables you to run remote or virtual applications, as well as local applications. A Windows XP Mode virtual
machine does not require this update, since it is preinstalled.
If you will be distributing a Windows XP virtual machine to several users, or you will be including it in a
Windows 7 image file, we recommend that you perform preparation with the Sysprep utility, especially if
the machine will have a network connection. The Sysprep utility will generalize the operating system
inside the virtual machine, and on the next boot, it will create a new machine security identifier
(SID) that makes each machine setup unique.
To automate the setup wizard, you can use the Sysprep.inf answer file. Sysprep.inf is a text file that
contains settings for automating installation. The easiest way to build Sysprep.inf for automating
installation is to use Setup Manager, which is included in the Windows XP deployment tools.
Question: Why would you build your own Windows XP virtual machine instead of using Windows XP
Mode?
Key Points
Disk2vhd is a utility that creates VHD versions of physical disks for use in Windows Virtual PC or Hyper-V
virtual machines, which makes the process of converting physical computers to virtual machines easier and
more convenient. It allows you to continue using the same volume with the same data from the physical
disk (and computer) in the virtual machine.
The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on an
online system. Disk2vhd uses the Volume Snapshot capability, introduced in Windows XP, to create
consistent point-in-time snapshots of the volumes that you want to include in a conversion.
However, Disk2vhd cannot replicate computer hardware configuration to virtual machine hardware
configuration (like System Center Virtual Machine Manager 2008 does), so you will need to create a new
virtual machine with hardware characteristics similar to the physical computer, and then attach a disk to it.
The Disk2vhd tool will create one VHD for each disk on which selected volumes reside. It preserves the
partitioning information of the disk, but only copies the data contents for volumes on the disk that you
select. This enables you to capture just system volumes and exclude data volumes, for example.
Note: Virtual PC supports a maximum virtual disk size of 127 GB. If you create a VHD from a larger
disk, it will not be accessible from a Virtual PC virtual machine.
To use VHDs that Disk2vhd produces, create a virtual machine with the desired characteristics, and add
the VHDs to the virtual machine's configuration as Integrated Drive Electronics (IDE) disks. On
first boot, a virtual machine that is booting a captured copy of Windows will detect the virtual machine's
hardware and automatically install drivers, if they are present in the image. If the required drivers are not
present, you can install them via the Windows Virtual PC or Hyper-V integration components. You also
can attach to VHDs by using the Windows 7 or Windows Server 2008 R2 Disk Management or Diskpart
utilities.
Disk2vhd runs on Windows XP SP2, Windows Server 2003 SP1, and newer versions, including x64 systems.
Note: Do not attach to VHDs on the same system on which you create them, if you plan to boot from
them. If you do so, Windows will assign the VHD a new disk signature to avoid a collision with the
signature of the VHD's source disk. Windows references disks in the boot configuration database (BCD)
by disk signature, so when that happens, Windows booted in a virtual machine will fail to locate the
boot disk.
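Both notes above (the 127 GB Virtual PC limit and the disk-signature collision) can be checked on a VHD file without attaching it. The following Python is an added example, not part of the course material or of Disk2vhd. The function names, the reading of 127 GB as 127 x 2^30 bytes, and the constructed sample images are assumptions made here.

```python
import io
import struct

SECTOR = 512
VPC_MAX_BYTES = 127 * 2**30  # the page's 127 GB limit, read as GiB (assumption)
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def read_footer(f):
    """Parse the VHD footer held in the last 512 bytes of the file."""
    f.seek(-SECTOR, io.SEEK_END)
    footer = f.read(SECTOR)
    if footer[:8] != b"conectix":
        raise ValueError("no VHD footer cookie found")
    data_offset, = struct.unpack(">Q", footer[16:24])
    size, = struct.unpack(">Q", footer[48:56])        # current virtual size
    disk_type, = struct.unpack(">I", footer[60:64])
    return {"type": DISK_TYPES.get(disk_type, "unknown"),
            "size": size, "data_offset": data_offset}


def read_first_sector(f, footer):
    """Return virtual sector 0 (the MBR) by reading the file, not by attaching it."""
    if footer["type"] == "fixed":
        f.seek(0)                        # fixed disks store the raw disk from byte 0
        return f.read(SECTOR)
    if footer["type"] != "dynamic":
        raise ValueError("sector 0 of this disk type may live in a parent disk")
    f.seek(footer["data_offset"])        # dynamic disk header
    header = f.read(1024)
    if header[:8] != b"cxsparse":
        raise ValueError("dynamic disk header missing")
    table_offset, = struct.unpack(">Q", header[16:24])
    block_size, = struct.unpack(">I", header[32:36])
    f.seek(table_offset)                 # block allocation table, entry 0
    first_block, = struct.unpack(">I", f.read(4))
    if first_block == 0xFFFFFFFF:
        return bytes(SECTOR)             # block 0 was never written
    bitmap_sectors = -(-(block_size // SECTOR // 8) // SECTOR)
    f.seek((first_block + bitmap_sectors) * SECTOR)   # skip the sector bitmap
    return f.read(SECTOR)


def disk_signature(mbr):
    """MBR disk signature: 4 little-endian bytes at offset 0x1B8."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no MBR boot signature")
    return struct.unpack("<I", mbr[440:444])[0]


def preflight(f, expected_signature=None):
    """Report type, size and signature, plus any problem named in the notes."""
    footer = read_footer(f)
    sig = disk_signature(read_first_sector(f, footer))
    problems = []
    if footer["size"] > VPC_MAX_BYTES:
        problems.append("virtual size exceeds the Virtual PC limit")
    if expected_signature is not None and sig != expected_signature:
        problems.append("disk signature differs from the source disk")
    return {"type": footer["type"], "size": footer["size"],
            "signature": sig, "problems": problems}


def build_sample_vhd(signature, size, dynamic=False):
    """Constructed, truncated test image (MBR sector only); not a real capture."""
    mbr = bytearray(SECTOR)
    mbr[440:444] = struct.pack("<I", signature)
    mbr[510:512] = b"\x55\xaa"
    footer = bytearray(SECTOR)
    footer[:8] = b"conectix"
    footer[48:56] = struct.pack(">Q", size)
    if not dynamic:
        footer[16:24] = b"\xff" * 8
        footer[60:64] = struct.pack(">I", 2)
        return io.BytesIO(bytes(mbr) + bytes(footer))
    footer[16:24] = struct.pack(">Q", SECTOR)          # header follows footer copy
    footer[60:64] = struct.pack(">I", 3)
    header = bytearray(1024)
    header[:8] = b"cxsparse"
    header[16:24] = struct.pack(">Q", 1536)            # BAT at sector 3
    header[32:36] = struct.pack(">I", 2 * 2**20)       # 2 MiB blocks
    bat = struct.pack(">I", 4).ljust(SECTOR, b"\xff")  # block 0 starts at sector 4
    bitmap = b"\xff" * SECTOR
    return io.BytesIO(bytes(footer) + bytes(header) + bat + bitmap
                      + bytes(mbr) + bytes(footer))


if __name__ == "__main__":
    sample = build_sample_vhd(0x1234ABCD, 200 * 2**30, dynamic=True)
    report = preflight(sample, expected_signature=0x1234ABCD)
    print(report["type"], hex(report["signature"]), report["problems"])
```

For a real image, open the file with `open(path, "rb")` and pass the source disk's signature, recorded before conversion, as `expected_signature`.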
Key Points
Before you deploy the Windows XP virtual images that you created to client computers, you should
consider the following:
Files that should be included. Every virtual machine consists of two files. One is the configuration file,
with a .vmcx extension, and the other is the virtual hard drive with a .vhd extension. If you want to
have a virtual machine ready out-of-the-box, or manually import a virtual machine on another
computer, you need to have both files present.
Using differencing disks. The usage of differencing disks can affect performance. If you will be using
differencing disks, and if you are going to chain them, be sure to deploy all disks, together with the
parent disk, to clients that will be using Windows XP virtual machines.
Planning Antivirus and Security. When you run Windows XP Mode on a host computer, the antivirus
and security applications on the host computer do not provide coverage for the virtual machine that
is running Windows XP. Therefore, you must install any antivirus and other security applications in
your virtual Windows XP image.
Consult the license agreement for your antivirus and security applications to determine whether
installation on the host computer and in a virtual Windows XP image uses a single seat or two seats.
Most antivirus vendors are aware of the problem and working on licensing solutions to solve it.
Note: Microsoft Security Essentials is a free antimalware product that you can use to protect physical
and virtual environments. Consider using it to protect your virtual machines.
Management of updates. Before installing any applications on the virtual Windows XP image,
updating the image is important. Download and install the latest security updates from Microsoft
Update. Review any recommended and optional updates for installation, as well. For businesses that
do not have an update infrastructure, you can simply use Windows Update to update the virtual
Windows XP image. You also can manually download and install updates from the Microsoft
Download Center, but this makes little sense considering the ease and convenience of using Windows
Update. Organizations that have an update infrastructure like Windows Server Update Services
(WSUS) will use it to update their virtual Windows XP image.
Activation issues. Depending on the license program that your company has, you may have to
activate the virtual machine. Be aware that Windows Vista brings new Volume Activation 2.0, which
requires that you activate every machine.
Image Maintenance. After you deploy Windows XP virtual machines to your clients, you will have to
provide support and maintenance for these machines. This includes installing new versions of
software, installing updates and fixes, and other upkeep.
Key Points
It is much more convenient to deploy Windows XP virtual machines to client computers by using
Windows XP Mode virtual images instead of creating new Windows XP virtual machines.
You can customize a Windows XP Mode virtual machine prior to deployment to client machines. That
means that you can include your own applications, security updates, and settings inside this virtual
machine before deployment.
1. Determining readiness to run Windows XP Mode. Before deploying Windows XP Mode to client
computers, you must ensure that they are capable of running it. In some cases, you might need to
upgrade the hardware or free disk space. Although it is no longer necessary to have hardware
virtualization support on the CPU level in order to run Windows XP Mode, you must check if all
computers have enough memory and free space to run the Windows XP Mode virtual machine.
2. Customizing Windows XP Mode images. Before deployment to client computers, you will want to
perform additional customization of your Windows XP Mode virtual machine. The easiest way to do
this is to extract the VHD from the Windows XP Mode machine.
First, you should download Windows Virtual PC and Windows XP Mode from the Windows Virtual PC
Home Page, and then install them on a computer. Then copy the VHD from the Windows XP Mode
program files directory (%ProgramFiles%\Windows XP Mode\Windows XP Mode base.vhd) to an
alternate location. Do not create a differencing disk or use undo disks with this VHD. After copying
the VHD, remove the read-only attribute from the file, and create a virtual machine that uses it as a
primary VHD. By using this option, you are customizing the copy of the VHD that Windows XP Mode
provides. This VHD already has the required components installed.
After you boot your newly created virtual machine, you are ready to install applications in the
Windows XP Mode VHD file. You probably will want to install an antimalware application and some of
your business-related applications that you will use as virtual applications from Windows XP Mode.
Do not forget to install all available security updates, fixes, and service packs.
3. Preparing a Windows XP Mode image for deployment. After customizing the Windows XP VHD with
applications and security updates, you can prepare it for deployment to multiple computers. Do this
by running Sysprep. This removes the computer's SID, resets the activation grace period, and
configures the image to run the setup wizard the next time it starts. The wizard will customize the
image for each installation, creating a unique computer name and SID.
Three files are required before you can run Sysprep, and you must copy all of them to C:\Sysprep:
Sysprep.exe. This program prepares the image for deployment.
Setupcl.exe. This file is required for running Sysprep.exe.
Sysprep.inf. This answer file automates all or part of the setup wizard. You can create it by using
Setup Manager or create it manually.
Use the following steps to prepare the image by running Sysprep:
1. On the virtual machine that is running Windows XP Mode, create the folder Sysprep on drive C.
2. Copy Sysprep.exe and Setupcl.exe from the deployment tools to C:\Sysprep.
3. Copy the Sysprep.inf file you created in the previous section to C:\Sysprep.
4. Run C:\Sysprep\Sysprep.exe.
5. In the System Preparation Tool 2.0, select the Do not reset grace period for activation and Use
Mini-Setup check boxes. Then, click Reseal.
4. Deploy virtual machines. At this point, you have a customized Windows XP VHD that you can deploy.
Now, you need to distribute this VHD to each destination computer, create the VM configuration
(.vmc) file, and register the VM in Windows Virtual PC.
The steps for deploying virtual machines are:
1. Install Windows Virtual PC on each computer. Before deploying the Windows XP VHD, you must
deploy the Windows Virtual PC update to each computer on which you intend to deploy the
Windows XP VHD. Download the update from the Windows Virtual PC Home Page. You can host
the update on a network share and instruct users on how to install it (simply double-click the
.msu file to install it). You also can install the update by using a logon script or any software
deployment infrastructure that your organization uses. You also can include Windows Virtual PC
in your Windows 7 images to ensure its availability. The Microsoft Deployment Toolkit 2010
makes it easy to add updates during Windows 7 deployment.
2. Remove the Windows XP Mode shortcut from the Start menu. After deploying Windows Virtual
PC, you must remove the Windows XP Mode shortcut that Windows Virtual PC creates when you
install it. Otherwise, if users click the Windows XP Mode shortcut, Windows Virtual PC will prompt
them to download and install the Windows XP Mode package from the Microsoft download site.
You can write a script to remove this shortcut (%programdata%\Microsoft\Windows\Start
Menu\Programs\Windows Virtual PC\Virtual Windows XP.lnk) or you can use Group Policy
Preferences to remove it.
5. Deploy the Windows XP VHD to each computer. To deploy your virtual Windows XP image to
multiple computers, copy the VHD to each computer for each user. By default, Windows 7 stores VHD
files in %LOCALAPPDATA%\Microsoft\Windows Virtual PC\Virtual Machines. To deploy your
customized Windows XP VHD, copy the VHD file to this location for each user on each computer.
6. Create a virtual machine configuration file. You must create this file for each user on each computer.
Run cscript CreateVirtualMachine.wsf -p:<vhd_path> -vn:<virtual machine name> at an elevated
command prompt to create the virtual machine configuration file and register the VM with Windows
Virtual PC. You can download the script CreateVirtualMachine.wsf with the Deploying Windows XP Mode
guide available in the section of this topic.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. Ensure that the 10324A-NYC-DC1 and 10324A-NYC-CL2 virtual machines are running.
2. If required, connect to the virtual machines. Log on to the virtual machines as
Contoso\Administrator using the password Pa$$w0rd.
Results: After this exercise, you should have installed Windows Virtual PC and created a new virtual
machine.
Results: After this exercise, you should have installed and configured Windows XP Mode.
Review Questions
1. What is the main difference between Windows Virtual PC and Virtual PC 2007 SP1?
2. How does Windows XP Mode use differencing disks?
3. When preparing VHD images for distribution and usage on several computers, what must you do
before you start creating virtual machines with these disks?
accounting application that is not working on Windows 7. Contoso is reviewing available virtualization
technologies from Microsoft, specifically Hyper-V, Virtual Server, and Windows Virtual PC.
What would you recommend to them to address their needs and issues?
Module 3
Implementing Microsoft Enterprise Desktop Virtualization
Contents:
Lesson 1: Overview of MED-V
Lesson 2: Implementing MED-V Management Servers
Lesson 3: Implementing a MED-V Client
Lab: Implementing MED-V
Module Overview
Microsoft Enterprise Desktop Virtualization (MED-V) is an enterprise solution that enables incompatible
or unsupported applications to be available in a virtual environment. End users then can use them as if
they were installed locally on their computers. However, the applications' availability from the virtual
environment is seamless, or invisible, to the user. It provides a virtual environment for legacy applications,
and it enables central administration of applications. MED-V is built on Windows Virtual PC 2007 Service
Pack 1 (SP1), and it is available for Windows clients such as the Windows XP, Windows Vista, and
Windows 7 operating systems.
Lesson 1
Overview of MED-V
Microsoft provides different desktop virtualization solutions. While Virtual Desktop Infrastructure (VDI)
and Remote Desktop Services (RDS) provide remote virtual desktops and presentation virtualization,
MED-V provides a local virtual machine with a client operating system in which legacy applications can run.
MED-V enables users to access these legacy applications from the host computer, even when the
applications are not compatible with the host operating system.
MED-V provides a complete solution for centrally managing client virtual machines; storing, updating, and
distributing virtual images; and monitoring user activity. MED-V is part of Microsoft Desktop Optimization
Pack (MDOP) for Software Assurance, and the current version is MED-V 1.0 SP1.
What Is MED-V?
Key Points
Each new version of an operating system provides additional features, but also can cause compatibility
issues with older applications. Microsoft offers a variety of methods and tools to address applications that
are not working properly on a target operating system. However, every organization has a subset of
applications that it does not support or that do not work at all on a new version of an operating system.
The process of testing and fixing an application, or upgrading to a new version of it or finding an
alternative application, is costly and time-consuming. Meanwhile, users cannot take advantage of the new
operating system features, which often delays an organization's upgrade plans.
Technologies such as Windows Virtual PC and Windows XP Mode provide a solution for mitigating
application-compatibility issues by enabling you to use a virtualized environment. However, they lack
support for virtual-machine image delivery and central management of the deployed images. You can use
these technologies in small and unmanaged environments, but they do not provide the features and
flexibility that larger enterprises require.
MED-V solves compatibility issues with applications that do not run on a target operating system. MED-V
uses Virtual PC to provide a virtual environment that runs a legacy version of the operating system, such
as Windows XP, which enables you to mitigate application-compatibility issues. By using MED-V, you can
have administrative control over the creation, distribution, and management of virtual images, and ensure
that the images are current and comply with regulations.
MED-V enables you to do this in a seamless and transparent fashion that does not affect the end user.
Applications appear and run as if they were installed on the desktop, they are available on the Start menu
and can access the Clipboard, and users can pin them to the task bar.
Released in 2008, MED-V is part of MDOP for Software Assurance, and it is the first version that Windows
XP and Windows Vista desktops support. MED-V 1.0 SP1, which was released in 2010, adds support for
Windows 7 desktops.
Question: How does MED-V solve compatibility problems between legacy applications and host
operating systems?
MED-V Features
Key Points
MED-V allows you to deploy Virtual PC images to Windows desktops, and then manage them centrally,
while maintaining a seamless end-user experience. One of the main benefits of MED-V is the ability to
mitigate application-compatibility issues when upgrading a desktop operating system. MED-V allows you to run
legacy applications in a virtual machine that is running an older version of Microsoft Windows, and it provides
seamless integration of the applications with the host.
MED-V provides the following benefits:
Centralized deployment, management, and monitoring of deployed virtual images. MED-V provides
enterprise management and monitoring for the Virtual PC-based virtual environments. It enables you
to control access to virtual images, centrally administer configuration of virtual images, and publish
applications by using policies. It also provides a repository for virtual images, deployment of virtual
images to clients, and enables monitoring of user activity through reports.
Application provisioning based on Active Directory Domain Services (AD DS) users and groups. You
can assign a MED-V Policy to the AD DS users or groups. A MED-V Policy defines which virtual image
MED-V will use, which applications it will publish, and how it will integrate those applications with the
host. You can define a MED-V Workspace by using a policy, and you can use the same virtual image
for multiple Policies.
Using a MED-V Policy to configure usage policy. You can configure the MED-V virtual environment
by using MED-V Policies. Policies control various aspects of the virtual environment, such as
expiration of virtual machines, time limits for offline work, automatic redirection of predefined Web
sites to the virtual environment, and allocation of virtual machine memory.
Seamless and transparent integration of published applications. You can access published MED-V
applications from virtual images directly from the Windows 7 Start menu, as if they were installed on
the Windows 7 host itself. You can use the Search feature to find applications, and then pin them to
the taskbar.
Clipboard sharing and printer redirection. Based on the MED-V Policy settings, you can cut and paste
content between the host and a published application. You also can use printer redirection to print
directly from a MED-V published application to a printer attached to the host.
Question: What is the main benefit of using MED-V versus using Virtual PC or Windows XP Mode?
MED-V Architecture
Key Points
The MED-V solution contains both servers and clients, and requires infrastructure support. The MED-V
solution consists of the following components:
Administrator-defined virtual machine. This contains a full desktop environment, including an
operating system, applications, and optional management and security tools. A virtual machine image
is part of the Workspace policy. You can deploy it to the end user's computer to provide an
environment for running legacy applications.
Image repository. This component stores virtual images on a standard Internet Information Services
(IIS) server 7.0 or newer, and then enables version management for virtual images, client-
authenticated image retrieval, and efficient download by using the Trim Transfer technology.
Management Server. This component associates workspaces, which include virtual images from the
image repository, and workspace policies to AD DS users or groups. The Management Server also
collects client events and stores them on a computer that is running a Microsoft SQL Server
database for monitoring and reporting.
Management Console. This enables administrators to control the Management Server and the image
repository, create Workspace policies, and manage the virtual images.
MED-V Workspace. This is the desktop environment, in which end users interact with the virtual
environment.
MED-V policy. This group of configurable settings defines how the virtualized environment and
applications perform on the end-user computer.
End user client. This component builds on Virtual PC, and provides a virtual environment for running
legacy applications. It provides authentication, virtual image retrieval, and enforcement of usage
policies. It also provides a single desktop experience, where applications installed in the virtual
machine are available through the standard desktop Start menu, and they integrate with other
applications on the user desktop.
You use the HTTP or HTTPS protocol for communication between the client and the servers.
Key Points
The MED-V Management Server can support 5,000 users, depending on its hardware. However, the client-
server communication is rather lightweight: The default configuration has the clients polling the server for
policy every 15 minutes and for image updates every four hours. If you increase the policy polling time,
the server can support more clients.
The only client-server heavy-duty operation occurs when a new image is available, and multiple clients
retrieve several gigabytes (GBs) from the image repository. Since the images repository is a standard IIS
Web server, it is possible to add IIS servers as additional image delivery servers, and have them
synchronize images with the main images repository. You can place all the image delivery servers behind
a load balancer or use the Network Load Balancing (NLB) feature. To improve the download rate, to
optimize bandwidth efficiently, and further balance the load, you can place the image delivery servers in
multiple geographic locations. You can use Domain Name System (DNS) resolution to direct the MED-V
clients to the best available location. Alternatively, you can use a separate distribution mechanism, such as
Microsoft System Center Configuration Manager, to deliver the virtual images to the clients. The MED-V
client looks for the image in a location that you define. This eliminates the need for image download and
a Web infrastructure for MED-V image delivery.
The MED-V client operates independently of MED-V servers. If the Management Server malfunctions or
stops responding, all clients that are running a workspace can continue working. However, new attempts
to start a workspace run in offline mode, and online authentication, policy changes, and image updates
become unavailable. Additionally, the MED-V client aggregates events at the client side until the server
becomes available.
However, to ensure fast recovery from a server failure, MED-V supports a failover structure, in which you
can configure two MED-V servers in cluster mode, and then place all files that are mutual to both servers
on a file system. The server accesses the files from the file system rather than storing the files locally.
Question: Does a typical MED-V deployment utilize the Management Server heavily?
Key Points
MED-V manages virtual images through its whole life cycle. A typical virtual image life cycle proceeds
through the following steps:
Creation of a virtual image: Install operating system, applications, management tools, and security,
such as antivirus software, in the virtual machine inside Virtual PC. Prepare and test the virtual image
through the MED-V Management Console, and upload it to the MED-V image repository.
Definition of a MED-V Workspace: A workspace consists of a policy and an assigned virtual image. A
MED-V Policy defines a list of applications in the virtual image, which will be available to the users
through the Start menu. It also defines the configuration settings for the virtual machine; the Web
sites that users can view inside the virtual machine browser; the permissions to work offline and for
data transfers between the virtual machine and the host, such as file transfer, copy and paste, and
printing. You can provision a workspace to AD DS users and groups.
Delivery of the virtual image: You can deliver a virtual image to the MED-V client in the following
different ways:
Over a network.
By using standard HTTP or HTTPS protocols.
By using enterprise distribution mechanisms, such as System Center Configuration Manager.
By including it in the base workstation image, or on removable media, such as DVD.
By using the MED-V Packaging Wizard to create a self-install package.
Working with virtual machine: After you deploy a virtual machine to the MED-V client, you can
customize it and join it to a domain. After users authenticate against the MED-V Management Server,
they can work within the virtual machine. After the first online authentication, MED-V also supports
offline work, if the administrator permits that. Based on the policy settings, virtual images can be
persistent, whereby the virtual machine preserves any changes, or they can be revertible.
Management and update of the workspace: The MED-V Management Console enables administrators
to update policies, assign workspaces to additional users, remove users from the workspace, and
update the virtual images. MED-V then distributes all updates automatically to relevant users when
they work online.
Troubleshooting of malfunctioning clients: The MED-V Management Console presents an updated
report of all users, and provides detailed information on all client events. This helps the administrator
understand the source of problems, and then instruct the user on how to solve it. The MED-V
diagnostic tool runs automatically when client installation fails, and you can execute it manually in
other cases. You can use the report to understand the problem's cause and to recommend to users
how to fix it.
Question: What are typical steps in the life cycle of a virtual image?
Key Points
A MED-V virtual image is represented by a Virtual Hard Drive (VHD) file and this file contains the installed
operating system and applications. Images can be several GBs in size, and they are stored in the image
repository, which can be on a MED-V Management Server.
The MED-V advanced Trim Transfer deduplication technology accelerates the download of initial and
updated images over a local area network (LAN) or a wide area network (WAN), which reduces the
network bandwidth that you need to transport a MED-V image from the image repository to end users.
Trim Transfer is available only when you use a MED-V IIS-based image repository.
Trim Transfer technology uses existing local data to build the image, and leverages the fact that, in many cases,
much of the virtual machine, such as system and application files, already exists on the end-user disk. For
example, if MED-V delivers an image containing Windows XP to a client that is running a local copy of
Windows XP, MED-V automatically removes from the transfer the redundant Windows XP elements that
the client makes available already. To ensure a valid and functional image, the MED-V client
cryptographically verifies the integrity of local data before it utilizes it, which ensures that the local blocks
of data are identical to those in the desired image. It does not use blocks that do not match.
If you use a different operating system on the MED-V client from the one in the virtual image, such as in a
Windows XP virtual image on the Windows 7 MED-V client, Trim Transfer does not provide an important
benefit, because most files on the host are different from the files in the virtual image.
This process is transparent and efficient with regard to bandwidth, and the transfers run in the
background, which utilizes unused network and CPU resources. When downloading a new version of a
virtual image that exists already on the MED-V client, it downloads only the changed elements, known as
deltas. This reduces the required network bandwidth and delivery time significantly.
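An added illustration of the idea described above: reuse a local block only after re-hashing it at the moment of use, download everything else, and fetch only changed blocks on an update. This is not MED-V code. The page does not give MED-V's block size, hash algorithm or wire format, so SHA-256, 4 KB blocks and every function name here are assumptions, and the sample data is constructed.

```python
import hashlib

BLOCK = 4096  # assumed block size


def blocks(data):
    """Split a byte string into fixed-size blocks."""
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def digest(block):
    return hashlib.sha256(block).hexdigest()


def manifest(image):
    """What the repository would publish: one digest per image block."""
    return [digest(b) for b in blocks(image)]


def index_host(files):
    """Host index built once up front: digest -> (file name, byte offset)."""
    index = {}
    for name, data in files.items():
        for n, block in enumerate(blocks(data)):
            index.setdefault(digest(block), (name, n * BLOCK))
    return index


def assemble(wanted, index, files, fetch):
    """Rebuild the image described by `wanted` (a manifest).

    Local blocks are re-hashed before use, because the index may be stale or
    the file may have changed since indexing. Anything that does not match is
    downloaded via fetch(block_number), and the download is verified as well.
    Returns (image bytes, list of block numbers that had to be downloaded).
    """
    out, fetched = [], []
    for n, want in enumerate(wanted):
        block = None
        location = index.get(want)
        if location is not None:
            name, offset = location
            candidate = files.get(name, b"")[offset:offset + BLOCK]
            if digest(candidate) == want:      # verify before trusting local data
                block = candidate
        if block is None:
            block = fetch(n)
            if digest(block) != want:
                raise ValueError("downloaded block %d failed verification" % n)
            fetched.append(n)
        out.append(block)
    return b"".join(out), fetched


if __name__ == "__main__":
    # Constructed data: a four-block image; the host already holds blocks 0 and 2.
    a, b, c, d = (bytes([x]) * BLOCK for x in (1, 2, 3, 4))
    image = a + b + c + d
    host = {"system.bin": a + c}
    index = index_host(host)
    built, fetched = assemble(manifest(image), index, host,
                              lambda n: blocks(image)[n])
    print("first delivery downloads blocks", fetched)

    # The local file changes after indexing: block 0 no longer matches.
    host["system.bin"] = bytes([7]) * BLOCK + c
    built, fetched = assemble(manifest(image), index, host,
                              lambda n: blocks(image)[n])
    print("after local change downloads blocks", fetched)

    # Image update: only the last block differs from the version already local.
    v2 = a + b + c + bytes([5]) * BLOCK
    local = {"image_v1.vhd": image}
    built, fetched = assemble(manifest(v2), index_host(local), local,
                              lambda n: blocks(v2)[n])
    print("update downloads blocks", fetched)
```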
The Trim Transfer process requires an initial host index process to run on the MED-V client. However,
indexing is time consuming, so MED-V enables administrators to control which folders the Trim Transfer
protocol indexes by modifying the ClientSettings.xml file. Images are configured to use Trim Transfer by
default when downloading from an image repository. However, several scenarios result in Trim Transfer
not providing the benefits that you might expect, including that:
The host operating system and the virtual machine operating system always are different.
You need to reduce the length of the first-time setup.
MED-V Workspace needs to be persistent instead of revertible.
Question: Would you benefit from using Trim Transfer if you deploy a Windows XP Service Pack 3 (SP3)
virtual image to a Windows 7 host?
Lesson 2
Implementing MED-V Management Servers
You can install a MED-V Management Server on Windows Server 2008 or Windows Server 2008 R2. It
provides a virtual images repository, and you can use it as a management point for configuring MED-V
clients. A MED-V server should be a domain member, and should use IIS for virtual image delivery.
Key Points
The MED-V implementation includes both the server and client components. The MED-V Management
Server is responsible for storing the MED-V Workspace configuration, which includes MED-V Policy and
virtual images. MED-V logs user activity to a computer that is running SQL Server, which you can deploy
on the MED-V Management Server or on a separate server. Before users access the MED-V Workspace, AD
DS authenticates them.
The following table lists the operating systems that support the MED-V Management Server.
a separate server. If you use a separate SQL Server, you should install Microsoft SQL Server Management
Objects on the MED-V Management Server.
You can install MED-V servers on physical servers or in a Hyper-V virtualized environment.
You should have a relatively light load on the MED-V Management Server, because after you deploy the
MED-V Workspace, client computers check the server every 15 minutes for configuration changes. The
disk capacity must be sufficient to store the MED-V Workspace configuration files and virtual images if
the image repository is on the same server. The MED-V Management Server also should have a fast network
connection to the clients to deploy virtual images.
The MED-V Management Server uses the SQL Server database to store client status and events. You can
install the SQL Server database on the same machine as the MED-V server, or you can place it on a
separate server that is running SQL Server.
After installation, you can configure the MED-V Management Server by using
MED-V Server Configuration Manager. You can administer the MED-V Management Server by using
MED-V Management Console, which you can install as part of the MED-V client. However, you cannot
install it on a server operating system.
Key Points
The image repository stores virtual images and enables virtual-image version management, client-
authenticated image retrieval, and the efficient upload and download of new virtual images or updates.
Each MED-V client needs a virtual image, and a workspace policy, to provide a virtualized environment for
running a legacy application. You can deploy virtual images to a client in several ways.
The image repository is based on an IIS Web server, and organizations can take advantage of the standard
Web scalability and high availability infrastructure. To improve download performance, organizations can
create image-repository replicas at branch offices or remote geographic locations.
The IIS server can coexist on the same server as the MED-V Management Server and the server that is
running SQL Server. In smaller implementations, you can have them all on the same server. However,
when the number of MED-V clients increases, you should install the IIS server, SQL server, and the
Management Server on separate servers. You also can run the IIS server on a virtual machine. The IIS
server infrastructure must have sufficient throughput to deliver images to clients, and the disk subsystem
must meet the input/output (I/O) demands.
To add and configure Web server (IIS) for MED-V, you must perform the following steps:
Add the Web server (IIS) role. During the installation, when you are adding role services, select the
following supported authentication methods: Basic Authentication, Windows Authentication, and
Client Certificate Mapping Authentication.
Install Background Intelligent Transfer Service (BITS). Install this feature and the required role services.
MED-V virtual image upload requires BITS support.
Add the IIS virtual directory. This virtual directory points to the directory that will store virtual images.
By default, the C:\MED-V Server Images folder stores virtual images.
Configure BITS. Enable BITS in IIS. Additionally, you should allow clients to upload files to the IIS
server by using BITS, and they should upload them to the directory where you want to store virtual
images.
Configure additional Multipurpose Internet Mail Extensions (MIME) types. Add the .ckm
(application/octet-stream) and .index (application/octet-stream) MIME types to the directory in which
you want to store virtual images.
Optionally, you can change a TCP port on which the IIS Web site accepts connections, and you can
configure Windows Firewall to allow connections through that port.
Question: Which feature must you install on the MED-V server? Can you upload virtual images to the
MED-V server without installing this feature?
Key Points
Installing and configuring a MED-V server is a straightforward process. After running the MED-V server
installation package, you need to accept the Microsoft Software License Terms, select an installation
folder, and then wait for the installation to finish. After the installation, you should configure the MED-V
server by running MED-V Server Configuration Manager, which is the default option in the last step of the
setup. The installation also adds, to the Start menu, a shortcut to the configuration tool.
You can use MED-V Server Configuration Manager for configuring the following settings:
Connections: Configure MED-V client connections settings. Define which protocols and ports to use
for connecting to MED-V server. HTTPS is an optional configuration, which you can set to provide
encryption and secure transactions between the MED-V Management Server and MED-V clients. To
configure HTTPS, you also must add a digital certificate to the server store, and then associate it with
the port that the MED-V Management Server uses. If you are using nonstandard ports, you should
add a Windows Firewall exception.
Images: Configure the virtual machine directory, which is the directory in which you want to store the
virtual images. You can specify a local or Universal Naming Convention (UNC) path to the image
directory on the image repository server, which should be accessible from the MED-V Management
Server. You also should specify the URL location of the folder in which you want to store virtual
images.
Permissions: Configure a list of users and groups who can access the MED-V server, typically by using
the MED-V Management Console, so that they can administer MED-V. For each of them, you can
configure read-only or read/write permissions. Read-only access allows users to view the MED-V
configuration and policies, but not modify them. If they have the Changes Allowed permission, which
gives them read/write permissions, users can save changes to the MED-V configuration, effectively
administering MED-V.
Reports: Enable reports and configure database settings. You can define a connection string, test the
connection, and then create a MED-V database on the computer that is running SQL Server.
Additionally, you can configure the database maintenance options, such as deleting old records,
clearing all data from the database, and dropping the database. If you do not install SQL Server
locally, the Reports tab provides instructions on how to install Microsoft SQL Server Management
Objects and connect to the remote SQL Server.
The MED-V server configuration is saved to the ServerSettings.xml file in the %PROGRAMFILES%\Microsoft
Enterprise Desktop Virtualization folder.
You can perform additional MED-V server configuration by using the MED-V Management Console. You
have the option of installing this console on the MED-V client, and you cannot install it on a server
operating system. You should install the MED-V Management Console on the administrative workstation,
from where you manage the MED-V environment. By using MED-V Management Console, you can
configure policy, images, and reports.
Question: Which tool can you use for configuring a MED-V Management Server? What can you configure
by using this tool?
Lesson 3
Implementing a MED-V Client
Only managed desktops support a MED-V client, which is a required component of a MED-V solution. The
MED-V client provides an environment for running legacy applications and a seamless integration with
the host. The MED-V client is available for Windows XP, Windows Vista, and Windows 7, and it depends
on Virtual PC 2007 SP1, which is a prerequisite. You can deploy the MED-V client in several ways,
including manually or through a software distribution system.
You can use the MED-V client to perform centralized administration, apply the MED-V Workspace,
provide communication between virtual machines and hosts, and publish applications to a host.
Key Points
Before installing the MED-V client, you first must install the Microsoft Virtual PC 2007 SP1 on the desktop
along with hotfix 958162. The MED-V client does not work with Windows Virtual PC.
Operating System
system Edition Service pack architecture
Windows XP Professional 1 GB
Windows 7 x64 3 GB
The MED-V client is not supported in a Hyper-V environment for production use.
The MED-V Workspace supports the following operating systems in a virtual machine:
Question: You evaluate MED-V 1.0 in the test environment, and you find that you cannot install a MED-V
client to the Windows 7 host. What must you do to use MED-V with Windows 7 clients?
Key Points
You can deploy the MED-V client by:
Installing it manually. MED-V client is available as a Windows Installer package, and you can install it
manually. While you can use this method for setting up a test or pilot environment, this is not a good
approach if you want to deploy MED-V clients in a production environment.
Including it in the standard desktop image. You can include the MED-V client in the standard desktop
image. When you use this approach, the MED-V client deploys to all new clients.
Deploying it via software distribution system. If a company has an existing software distribution
system, such as Microsoft System Center Configuration Manager 2007 R2, you can use that for
deploying the MED-V client. When you install the MED-V client through a distribution system, you
may choose to retrieve the virtual image from the image repository or deliver it to a predefined
location by using the software distribution system. In this scenario, the MED-V Client would not
download the image from the repository.
Creating and installing the MED-V deployment package. By using MED-V Management Console, you
can create a deployment package. This provides a method of installing the MED-V client, its required
prerequisites, and any settings that the administrator predefines. The packaging wizard walks you
through the package creation by creating a folder on your local computer and transferring all
required installation files to it. You then can move the folder's contents to multiple removable media
drives for distribution.
The MED-V client is available as a Windows Installer package, and it includes the MED-V client and the
MED-V Management Console. You must install the MED-V client on client computers for running MED-V
Workspaces. The MED-V Management Console is an administrative tool that you can use for creating and
maintaining images, MED-V Workspaces, and policies.
Note: You can install the MED-V client and MED-V Management Console only on Windows 7,
Windows Vista, and Windows XP-based computers. You cannot install them on server products.
During the MED-V client installation, you must accept the Microsoft Software License Terms, select a
destination folder for client installation, and then define the MED-V client settings. MED-V client settings
include the MED-V Management Server's address, the port and protocol it is using, the folder for the
virtual machines images, and the option to install the MED-V management application.
Question: What is the benefit of installing a MED-V client by using the MED-V deployment package?
Key Points
The MED-V Management Console is the primary MED-V administration tool. You can install it only on a
client operating system, and it is available as part of the MED-V client installation. You can use it for
managing the MED-V image life cycle through managing policies, images, and reports.
The MED-V Management Console user interface (UI) has the following sections:
MED-V management buttons. They correspond to the following three modules that you can manage
through the console.
Policy. You can use the Policy module to define MED-V Workspaces, their related settings, and
permissions. This includes the virtual machine configuration, published applications, and their
integration settings.
Images. You can use the Images module to manage the MED-V Workspace images. This module
enables you to create test images, and then package and upload those images to the image
repository.
Reports. You can use the Reports module for generating and viewing MED-V reports. Three
report types are available: Status, Activity log, and Error log.
Toolbar. This displays shortcuts, relevant to the selected management module, and user permissions.
For example, you can save a policy, add a workspace, and refresh or create a new report here.
Display pane. This displays configuration options corresponding to the selected management module.
You can configure policy, images, or reports options in this section.
You must log on to the MED-V Management Console before you can use it. For security reasons, the first
user that logs on to the MED-V Management Console becomes the only user on that computer that can
access the Management Console. The domain user name and password are used for MED-V management
login.
Question: Is the MED-V Management Console available as a Microsoft Management Console (MMC)
snap-in?
Key Points
In this demonstration, you will see how to create a MED-V installation package by using the Packaging
Wizard, which is available as part of the MED-V Management Console.
Demonstration steps:
1. On NYC-CL1, start the MED-V Management Console, and then log on as contoso\medv-admin with
a password of Pa$$w0rd.
2. Run the Packaging Wizard, and then on the Deployment Package page, click Next.
3. On the Workspace Image page, click Next without selecting Include image in the package.
4. On the MED-V Installation Settings page, point the MED-V installation files to where the installation
files are stored, and then click Next.
5. On the Additional Installation page, clear the Virtual PC and .NET Framework check boxes, and
then click Next.
6. On the Finalize page, enter the package destination, and then click Finish.
7. Open Windows Explorer, and then verify that the package has been created.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. Ensure that the 10324A-NYC-DC1, 10324A-NYC-CL1, and 10324A-NYC-CL2 virtual machines are
running.
2. If required, connect to the virtual machines. Log on to the virtual machines as
Contoso\Administrator using the password Pa$$w0rd.
Task 1: Verify that a MED-V database does not exist on Microsoft SQL Server
1. On the NYC-DC1 server, open Windows Explorer and browse to E:\Labfiles\Mod03\SQL_Update.
Install SQLSysClrTypes.msi and SharedManagementObjects.msi.
2. On the NYC-DC1 server, run the Import and Export Data (32-bit) tool.
3. Verify in the Server name field that you are connected to NYC-DC1\SQLEXPRESS.
4. Expand the Database drop-down box, and then verify that the MED-V related database, medv, is not
available. Click Cancel.
Results: After this exercise, you should be logged on to all three computers, and you should have
added the required server roles and features to support a MED-V deployment.
Task 2: Configure an IIS Web server for the MED-V image repository
1. On the IIS server on NYC-DC1, add the vimages virtual directory, and then point it to the C:\MED-V
Server Images folder.
2. Configure BITS Upload for the vimages IIS virtual directory, and then set it to Allow clients to
upload files.
3. Add two MIME Types for the vimages IIS virtual directory: .ckm file extension with
application/octet-stream MIME type, and .index file extension with application/octet-stream
MIME type.
Results: After this exercise, you should have installed and configured the MED-V Server, and
confirmed the creation of the MED-V database.
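The image repository setup from the IIS configuration steps listed earlier in this module, and repeated in Task 2 above, can also be scripted. The following PowerShell is an added example, not part of the course material. It assumes Windows Server 2008 R2 or later, the ServerManager and WebAdministration modules, and the Default Web Site; it leaves enabling BITS upload on the virtual directory to IIS Manager, as the steps describe.

```powershell
# Added example: scripted setup and check of the MED-V image repository on IIS.
# Assumptions (not from the course): Windows Server 2008 R2 or later, an elevated
# PowerShell session, and the repository hosted under "Default Web Site".
Import-Module ServerManager

$siteName  = 'Default Web Site'          # assumption: repository lives in the default site
$vdirName  = 'vimages'                   # virtual directory name used in the lab
$imagePath = 'C:\MED-V Server Images'    # default image folder named in the course

# 1. Web Server (IIS) role with the three supported authentication methods and
#    the BITS IIS server extension that image upload depends on.
#    Web-Scripting-Tools is added only so this script can load WebAdministration.
$features = 'Web-Server', 'Web-Basic-Auth', 'Web-Windows-Auth', 'Web-Client-Auth',
            'BITS-IIS-Ext', 'Web-Scripting-Tools'
$result = Add-WindowsFeature -Name $features
if (-not $result.Success) { throw 'Role or feature installation failed.' }

Import-Module WebAdministration

# 2. Folder and virtual directory that will store the virtual images.
if (-not (Test-Path -LiteralPath $imagePath)) {
    New-Item -ItemType Directory -Path $imagePath | Out-Null
}
$vdirPath = "IIS:\Sites\$siteName\$vdirName"
if (-not (Test-Path $vdirPath)) {
    New-WebVirtualDirectory -Site $siteName -Name $vdirName -PhysicalPath $imagePath | Out-Null
}

# 3. MIME types for the two packed-image file types (.ckm and .index).
#    Skips an extension that is already mapped so the script can be re-run.
foreach ($ext in '.ckm', '.index') {
    $existing = Get-WebConfiguration -PSPath $vdirPath `
        -Filter "system.webServer/staticContent/mimeMap[@fileExtension='$ext']"
    if (-not $existing) {
        Add-WebConfigurationProperty -PSPath $vdirPath `
            -Filter 'system.webServer/staticContent' -Name '.' `
            -Value @{ fileExtension = $ext; mimeType = 'application/octet-stream' }
    }
}

# 4. BITS upload is enabled on the virtual directory in IIS Manager
#    ("Allow clients to upload files"); this script does not change that setting.

# 5. Report the resulting state so it can be reviewed: the MIME maps on the
#    virtual directory and which authentication methods are enabled for it.
Get-WebConfiguration -PSPath $vdirPath -Filter 'system.webServer/staticContent/mimeMap' |
    Where-Object { '.ckm', '.index' -contains $_.fileExtension } |
    Select-Object fileExtension, mimeType

$authSections = 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication',
                'clientCertificateMappingAuthentication'
foreach ($section in $authSections) {
    $attr = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$siteName/$vdirName" `
        -Filter "system.webServer/security/authentication/$section" -Name 'enabled'
    '{0,-40} enabled = {1}' -f $section, $attr.Value
}
```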
Task 2: Verify connectivity to the MED-V Management Server, and create a MED-V
deployment package
1. On NYC-CL1, run MED-V Management, and then authenticate as Contoso\medv-admin with the
password Pa$$w0rd.
2. Run the Packaging Wizard.
3. For MED-V installation file, point to E:\Labfiles\Mod03\MED-V_1.0.105.msi, and then verify that
nyc-dc1 is entered as the Server address.
4. For virtualization software, point to D:\Labfiles\Mod03\VPC 2007 SP1 x86.msi, and for installation
of Virtual PC QFE, point to E:\Labfiles\Mod03\KB974918 x86.msp. Uncheck Include installation
of Microsoft .NET Framework 2.0.
5. Enter E:\Labfiles\MED-V Client as the Package destination.
6. After you create the deployment package, explore the content of the E:\Labfiles\MED-V client folder
in Windows Explorer.
Results: After this exercise, you should have installed and configured MED-V clients on NYC-CL1 and
NYC-CL2, and created a MED-V client deployment package.
Review Questions
1. Can you use MED-V to administer Windows XP Mode on Windows 7 computers?
2. Can you administer MED-V implementation from a MED-V server?
3. Is the complete virtual image always transferred to the MED-V client?
Module 4
Configuring and Deploying MED-V Images
Contents:
Lesson 1: Configuring MED-V Images
Lesson 2: Deploying MED-V Images
Lab: Configuring and Deploying MED-V Images
Module Overview
Lesson 1
Configuring MED-V Images
MED-V provides a virtualized environment that users can use to run legacy applications. MED-V virtual
machine images offer several benefits. Before creating MED-V images, you must be aware of their
requirements, such as supported operating systems. You can use the VM Prerequisite tool to further
prepare and optimize the operating system in the image for the virtual environment. After you create an
image, you should test it. To test a MED-V image, you need to create a basic policy for testing.
Key Points
MED-V enables you to extend the user environment with published MED-V applications, while hiding the
complexity of the virtual machine environment from the end-user. You can use a virtual machine to
provide a separate environment to run legacy applications, even when the applications are not
compatible with the host operating system. End-users do not have to deal with the deployment or
management of the virtual machine or the integration of the virtual machine with the host operating
system. MED-V enables you to keep the updating and monitoring of MED-V images transparent from the
user.
A virtual image can be revertible or persistent. Changes in a virtual image can be persistent, as on a
desktop computer, or they can be temporary, so that the virtual environment starts from the same
state each time. The concept of revertible and persistent virtual images is similar to Undo disks in Windows
Virtual PC. You would typically use a persistent virtual image when you want to preserve changes in
the virtual image, such as when a MED-V virtual machine is a domain member. You would use a
revertible virtual image when you do not want to preserve changes in the virtual image and you always
want to start from the same state.
Key Points
A virtual image is represented by a Virtual Hard Disk (VHD) file and it is used by Virtual PC 2007 SP1,
which runs on the MED-V client. A virtual image contains an installed Windows operating system and
legacy applications that are available inside the virtual environment.
To create a virtual image, you must first install the supported operating system on a Virtual PC virtual
machine. MED-V supports the 32-bit editions of the Microsoft Windows 2000 Professional SP4
operating system and Windows XP Professional SP2 or SP3 operating systems in a virtual image. Newer
operating systems, such as the Windows Vista operating system and the Windows 7 operating system,
are supported as MED-V clients, but are not supported as an operating system inside the virtual image.
Because you use the same image for multiple MED-V clients, you must follow the Windows licensing
agreement and install a volume licensing copy of the operating system in the image. You must also install
the latest version of the Virtual Machine Additions in the image.
Note: You should be aware of the support timelines for the operating system and products that are
included in the virtual image. If antivirus is installed in the virtual image, you should ensure it is
updated.
To use a virtual image with MED-V, the image must include Microsoft .NET Framework 2.0 SP1 or newer,
which also requires the installation of Windows Installer 4.5. The virtual image should include all Windows
updates.
To prepare an operating system in the image for the virtualized environment, you must perform
additional configuration. These configuration tasks include:
Disable all unnecessary services inside the virtual machine or set them to manual.
Set power scheme to always on.
Disable hibernation.
Disable the automatic restart after a system failure.
Disable Undo Virtual PC disks, floppy disk and Shared Folders, because they are not supported by
MED-V.
After you install and configure the operating system, you need to install additional applications, which will
be published from the MED-V environment. You must follow the licensing requirements of the
applications and you should include their latest updates.
Before using a virtual image with MED-V, you should install and run the MED-V VM Prerequisite Wizard in
the virtual machine. This wizard helps to improve the virtual machine performance and streamline its
integration.
Note: If a virtual image will be deployed to MED-V clients as a persistent workspace, it should be
generalized. The only supported tool for that is Sysprep, a system preparation utility for the Windows
operating system.
Question: Can you have a MED-V image that has a 64-bit operating system installed?
Key Points
One of the steps in preparing a MED-V virtual image is to install and run the
MED-V VM Prerequisite Wizard. You can use this wizard to automate several of the prerequisite tasks and
configure the virtual machine for running optimally in the MED-V environment. For example, you can use
it to clear unnecessary temporary data, disable sounds, configure Internet Explorer settings, and enable
Windows Auto Logon.
The VM Prerequisites Wizard is part of the MED-V deployment and you can install it in the virtual machine
by running the MED-V_Workspace_1.0.105.msi Windows Installer package.
Note: The user running the virtual machine prerequisites tool must have local administrator rights and
must be the only user logged on.
Note: Make sure that Group Policy objects do not overwrite the mandatory settings set in the
Prerequisites Tool.
Question: Is it mandatory to run the VM Prerequisite Tool before you deploy a MED-V image?
Key Points
A MED-V virtual machine can be either in the workgroup or can be a domain member. As a domain
member, it has the same access as any other domain computer. Published MED-V applications can access
domain resources such as database servers or Windows SharePoint sites. To join a MED-V virtual
machine to the domain, you must use a persistent workspace.
If you want to join MED-V virtual machines to a domain, you need to perform additional tasks for
preparing the virtual images. These preparation steps are similar to the steps you need to perform when
you prepare the deployment of desktop computers. All deployment tools and documentation are available
on the Windows XP (or Windows 2000) CD-ROM in the Deploy.cab cabinet file, which can be found in the
Support\Tools folder. You can use Sysprep to generalize the image and reset the machine security ID (SID).
After you run Sysprep, the virtual machine shuts down, and you can then upload the virtual image to
the image repository. After the MED-V client downloads the image from the repository, the initial mini setup
of the virtual image is performed without user interaction, and all the answers must be provided in an
unattended answer file, sysprep.inf. You can create this answer file by using the Setup Manager tool,
which is also included in the Deploy.cab cabinet file. After the initial mini setup, the folder containing
sysprep.exe and the answer file is automatically deleted.
You can control the initial virtual machine setup by using a MED-V Policy. In the policy, you can add setup
actions such as Check Connectivity, Join Domain, Rename Computer, or Restart Windows. You can also
define a virtual machine computer name pattern and use variables such as username, host name, domain
name, and random characters. You can configure some of the settings, such as the computer name or whether
a virtual machine is joined to a domain, in the unattended answer file (sysprep.inf) as well as in a MED-V Policy. If
you plan to use the virtual machine in a MED-V environment, you should use a MED-V policy to configure
these settings.
Important: Be aware that the initial MED-V VM setup process when you join the computer to the
domain can be a lengthy process. The MED-V Diagnostic mode can provide additional information
about its progress.
Question: What is the main difference between preparing a MED-V image for the domain environment
and having the MED-V image in the workgroup?
Key Points
After you create and prepare a virtual image for the MED-V environment, you should test the image to
verify how it behaves in the end-user environment. Testing is not mandatory, but we strongly recommend
testing because it is easier to remove possible issues before you deploy the image to the users.
To configure testing of the MED-V image, you need to use the MED-V Management console. In this tool,
you can import a prepared MED-V image into the test environment by creating a local test image. Next,
you need to apply policy settings to the test image and verify that the image behaves as expected.
There are many different policy settings that you can configure, but when testing the MED-V image, you
would typically configure the following settings:
Assigned Image. Use this option to specify the image that will be used for testing. The image must
be first created as a local test image and you can identify this image because it has (test) at the end
of its name.
Seamless Integration. Use this option to specify how published applications are integrated with the
host and if there is a frame around each window of the published application.
Deployment. Use this option to specify who can test the image.
Data Transfer. Use this option to specify whether the Clipboard can be shared and if file transfer
should be supported between the host and the virtual environment.
Device Control. Use this option to enable printing to the printers connected to the host and to
specify if the virtual environment can access the host CD/DVD drive.
Published Applications and Published Menus. Use this option to specify which applications and
menus from the virtual machine will be published to the host.
Web Browsing. Use this option to specify which URLs use the browser from the host and which
applications use the browser from the virtual environment.
After you configure the policy, you must save it to the MED-V server.
Note: The following characters cannot be included in the image name: space " < > | \ / : * ?
Question: What do you configure in a MED-V policy for testing and what is the main difference between
testing policy and the policy that is used in production?
Key Points
You perform the actual testing of the MED-V image on the MED-V client. When you log on to the MED-V
client, you can choose to use the local (test) or the deployed image. If you opt to use the local image, the
MED-V workspace starts faster and you can perform the testing. Based on the policy settings, you should
verify if the image behaves as expected. For example, you can test if all published programs are available
on the Start menu and you can successfully run them.
When the testing is finished, you can stop the MED-V workspace by right-clicking the MED-V client icon
on the notification bar.
Demonstration steps:
1. Open MED-V Management on the NYC-CL1 and go to the Images module.
2. Add a new Local Test Image by selecting XP.vmc in E:\LabFiles\VPC folder. Enter XP in the Image
name field, and then click OK.
3. In the Policy module, create a new workspace, and assign the XP (test) image to the workspace.
Enable the workspace for Everyone, publish Notepad application, and then save the Policy.
4. Run the MED-V client on NYC-CL1, log on as contoso\medv-user, and then select the created
workspace.
5. Verify that the published programs from the MED-V virtual image are listed. Start XP Notepad. Verify
that there is a red line around the Untitled Notepad window.
6. Open Help in Notepad, verify that Notepad is running in Windows XP and that the virtual machine
has 256 megabytes (MB) physical memory available.
7. Copy some text and paste it to the Notepad window that is running on NYC-CL1.
Note: When testing an image, no changes are saved to the image between sessions; instead, they are
saved in a separate, temporary file. This is to ensure that when the image is packed and run on the
production environment, it is the original, clean image.
Question: What happens to the changes that are performed in the virtual environment when you test the
MED-V image?
Lesson 2
Deploying MED-V Images
After you create and test the MED-V image, you should deploy it to the clients. Before clients can
download the virtual image from the image repository, you must first pack the image and then upload it
to the repository. Packing compresses the image and you can use the Hypertext Transfer Protocol (HTTP)
or HTTP Secure (HTTPS) protocol with Background Intelligent Transfer Service (BITS) to use the remaining
bandwidth for the upload. This lesson describes the procedures for updating and deploying the virtual
image to the clients.
Key Points
If you want to upload the image to the image repository and deploy it to MED-V clients, you must pack
the image. You must pack the image on the administrative workstation and then upload the packed
image to the image repository on the MED-V server. Only after the image is uploaded to the server can
you assign it by using a MED-V Policy.
Packing the image is the process of compressing the MED-V image to reduce its size. Image packing can
take a considerable amount of time; however, a compressed image takes less space and transfers faster.
The content of the packed image is the same as it was before packing. The MED-V image packing process
can often reduce the image size down to 50% of its initial size. For example, you can compress an 8
gigabytes (GB) image to 4 GB by simply packing the image.
Although you should first test a MED-V image before packing, you can still pack an image without prior
testing. If image testing was performed, changes made during testing are not included in the packed
image. You can use the MED-V Management console for image packing and by default packed images
are stored in the local MED-V Images\PackedImages folder. A packed image consists of two files: .index,
which has the list of files in the image, and .ckm (Kidaro Compressed Machine), which stores the actual
compressed image.
When you pack an image, you can either create a new packed image or create a new version of the
existing packed image. If you create a new packed image, MED-V clients can download the whole image.
If you create a new version of the existing image and the
MED-V clients have a previous version of the image, the clients download just the changes in the image.
This makes the download much smaller and faster when you modify the existing image such as when you
install an application update.
You can further reduce the image size by implementing pre-packing and pre-compaction steps in the
image build procedure. Typical steps to reduce the image size during a build procedure include:
Removing unnecessary files and folders, including unneeded drivers.
Question: Why is it important to pack the image before uploading it to the MED-V server?
Key Points
Local test images and local packed images are available only locally on the MED-V administrative
workstation, where the MED-V Management console is installed. But before you can deploy virtual images
to MED-V clients, you must first upload them to the image repository on the MED-V server. Depending on
the configuration, you can use either the HTTP or the HTTPS protocol for image uploading. You also need
BITS on the image repository Web server. If BITS is not configured on the server, you cannot upload the
MED-V image.
Note: Before uploading an image, verify that a Web proxy is not defined in your browser settings and
that Windows Update is not currently running.
After you pack a MED-V image, you can upload it to the image repository by using the MED-V Management
console. If multiple versions of the same packed image are available, only the latest version is uploaded.
Upload can take a considerable amount of time because an image can be several GBs in size and BITS
uses only the unused bandwidth to transfer the image. After you upload the image, you can assign it to
the MED-V workspace and distribute it to the MED-V clients. Local test images can be deleted after the
upload.
During an image upload, the .index and .ckm files are transferred to the MED-V server and by default,
they are stored in the MED-V Server Images folder.
Question: How can you specify the users who can upload images to MED-V server?
Key Points
As part of the management tasks, you should update MED-V virtual images from time to time, just as
you update normal computers. Reasons for updating an image include installing updates to the
operating system or applications in the image (update management), installing new applications in
the image, or changing the configuration and modifying the content inside a virtual image.
There are two different ways of updating a MED-V image. If a virtual machine in the image is joined to the
domain, you can use the same updating mechanism that is in place for updating other domain
computers. In such a case, you can manage the MED-V virtual machines in the same way as any other
computer on the network.
You can use the second option when a virtual machine is not joined to the domain. In this case, you can
open the image inside Virtual PC, update the image, for example by installing a Windows update, and
then rerun the VM Prerequisite tool. After the update is complete, shut down the virtual machine, pack
the updated image as a new MED-V image version, and then upload it to the image repository. For some
updates, such as installing new applications in the virtual image, you also need to modify the MED-V
policy or create a new one to benefit from the update.
When MED-V clients download a new version of an existing image, the clients download only the parts
that have changed, and not the entire virtual machine image. This significantly reduces the download size
and delivery time.
Note: When a new version is deployed on the client, it overwrites the existing image. When updating
an image, ensure that no data on the client needs to be saved.
Note: If you give the image a different name than the existing version, a new image will be created
rather than a new version of the existing image.
Key Points
A MED-V image must be available locally before it can be used. After creating and testing a virtual image,
you can deliver it to MED-V clients by using different delivery options.
Note: Image pre-staging is useful only for the initial image download. It is not supported for image
updates.
When the MED-V client starts, it looks in the specified directory for an image (ckm file and index file). If it
finds an image, it imports it. If the image is not located in this path, it downloads it from the server.
Question: What is the main benefit of using the Web download method for deploying virtual images?
Key Points
In this demonstration, you will see how to pack and upload the image to a MED-V server. You use the
MED-V Management console for both operations, and you should first test and then pack the image.
Packing compresses the image and decreases the time needed to transfer it. The image is packed on
the administrative workstation and stored in the MED-V Images\PackedImages folder.
Demonstration steps:
1. Open MED-V Management on NYC-CL1 and go to the Images module.
2. Add a new Packed Image by selecting XP.vmc in the E:\LabFiles\VPC folder. Enter XP in the Image
name and click OK.
3. While the image is packing, click Browse Local Images and show the content of the PackedImages
folder.
4. On NYC-DC1, view the content of the C:\MED-V Server Images folder and confirm that no .ckm or
.index files are available.
5. After Image Packing is complete on the NYC-CL1 computer, verify the image size and the compressed
file size in the Local Packed Images section.
6. Select the XP packed image and click Upload.
7. Switch to NYC-DC1 and verify that .ckm and .index files are available in C:\MED-V Server Images
folder.
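Step 7 confirms only that the files exist on the server. Because the upload can run over plain HTTP, comparing hashes of the .index and .ckm pair on both sides is a stronger check. The following Python sketch is an added example, not part of the course material or of MED-V; it assumes both files of an image share one base name, and the folder names and file contents in demo() are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# The two files the page says make up one packed image.
PACKED_SUFFIXES = (".index", ".ckm")


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks, because packed images can be several GB."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def packed_images(folder):
    """Map image name -> {suffix: path} for each .index/.ckm file in folder.

    Assumption: both files of an image share the same base name.
    """
    images = {}
    for path in Path(folder).iterdir():
        suffix = path.suffix.lower()
        if path.is_file() and suffix in PACKED_SUFFIXES:
            images.setdefault(path.stem, {})[suffix] = path
    return images


def compare_upload(local_folder, server_folder):
    """Return (image, problem) findings for every local packed image.

    An empty list means each local image is complete and its server copy
    is byte-identical.
    """
    findings = []
    local = packed_images(local_folder)
    server = packed_images(server_folder)
    for name, parts in sorted(local.items()):
        for suffix in PACKED_SUFFIXES:
            if suffix not in parts:
                findings.append((name, f"local {suffix} file missing"))
                continue
            remote = server.get(name, {}).get(suffix)
            if remote is None:
                findings.append((name, f"{suffix} not on server"))
            elif sha256_of(parts[suffix]) != sha256_of(remote):
                findings.append((name, f"{suffix} hash mismatch"))
    return findings


def demo():
    """Run the comparison on constructed stand-ins for real packed images."""
    with tempfile.TemporaryDirectory() as tmp:
        local = Path(tmp, "PackedImages")
        server = Path(tmp, "ServerImages")
        local.mkdir()
        server.mkdir()
        for folder in (local, server):
            (folder / "XP.index").write_bytes(b"file list")
            (folder / "XP.ckm").write_bytes(b"compressed image")
        clean = compare_upload(local, server)
        # Server copy differs by one byte; a second image has no .index file.
        (server / "XP.ckm").write_bytes(b"compressed imagE")
        (local / "Vista.ckm").write_bytes(b"orphan")
        return clean, compare_upload(local, server)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run compare_upload against the real PackedImages folder and a share that exposes the server's image folder; any finding means the image should be uploaded again before it is assigned to a workspace.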
Question: What tool can you use for packing and uploading the image to MED-V server?
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. Ensure that the 10324A-NYC-DC1 and 10324A-NYC-CL1 virtual machines are running.
2. If required, connect to the virtual machines. Log on to the virtual machines as
Contoso\Administrator using the password Pa$$w0rd.
1. Start the virtual machine on NYC-CL1 and review its initial configuration.
2. Install and run VM Prerequisites Wizard.
3. Verify the changes performed by VM Prerequisites Wizard.
Task 1: Start the virtual machine on NYC-CL1 and review its initial configuration
1. On NYC-CL1, start Microsoft Virtual PC and then start the XP virtual machine. Log on as User1 with
the password of Pa$$w0rd.
2. Create a new text file with your name in the C:\Documents and Settings\User1\Local
Settings\Temp folder.
3. From the Services console, verify service startup type for Security Center, Task Scheduler and
System Restore Service.
4. From the Sounds and Audio devices applet in the Control Panel, verify that Windows Logon and
Windows Logoff have sounds assigned. You have now reviewed some of the initial configuration
settings of the Windows XP virtual machine.
Results: After this exercise, you installed and ran the VM Prerequisites Tool in the XP virtual machine.
You also verified some of the modifications performed by the tool.
Results: After this exercise, you have created a local test image, imported and assigned a basic MED-V
testing policy, and tested the local MED-V image.
Results: After this exercise, you have updated the XP image with a Windows update and custom
application. You have also packed the local image and uploaded it to the MED-V server.
Note: Because it takes a long time to pack, upload, and deploy the image, you will not perform these
steps in this lab exercise, but will only perform the tasks related to generalizing the image.
Results: After this exercise, you have created a Sysprep answer file and run Sysprep.exe to prepare
the virtual machine for a domain environment.
Review Questions
1. Why would you use the VM Prerequisite Tool? Is this tool mandatory?
2. Do you need to upload a MED-V image to the image repository if you want to test it?
3. What are the typical steps in the virtual image life cycle?
4. Which protocol is used for MED-V virtual image download?
5. How can a MED-V virtual image be deployed? What is the benefit of using the Web download option?
Module 5
Managing a MED-V Deployment
Contents:
Lesson 1: Implementing the MED-V Workspace Policy
Lesson 2: Working with a MED-V Workspace
Lesson 3: Reporting and Troubleshooting MED-V
Lab: Managing a MED-V Deployment
Module Overview
Managing the Microsoft Enterprise Desktop Virtualization (MED-V) environment typically is one of the
most time-consuming activities for MED-V administrators. After you deploy the MED-V infrastructure, you
must define MED-V Workspaces by configuring MED-V policies, and then enable the workspaces for users
and set options to configure the workspaces that will be available to users.
MED-V users work in two separate environments: the host operating system and the MED-V Workspace. If
you integrate published applications seamlessly with the host, users typically cannot tell that they are
different from applications that are installed locally on their computers.
Besides a configurable virtual environment and a seamless integration with the host, MED-V also provides
reporting and diagnostics capability. The reporting feature requires Microsoft SQL Server, and it logs
MED-V events, and provides three basic report types. The MED-V client provides a diagnostics mode,
policy updates, and diagnostic log gathering that you can use to troubleshoot MED-V issues.
Lesson 1
Implementing the MED-V Workspace Policy
A MED-V Workspace policy is an essential part of a MED-V implementation. It defines how to configure
the virtual environment of MED-V clients, which virtual image to use, and which applications to publish to
the host, among other things. You create and manage a MED-V Workspace policy in the MED-V
Management Console, and users must have the Changes Allowed permission on the MED-V server to save
a policy that they create or modify.
A MED-V policy has many settings, which are saved in an XML file on the server. MED-V applies the policy
to the MED-V client when it starts, and then reapplies it every 15 minutes. You also can update it
manually.
Key Points
A MED-V Workspace is the desktop environment that MED-V provides for you to interact with the virtual
machine. As a MED-V administrator, you create and customize the MED-V Workspace, which consists of
an image and a policy that defines its rules and functionality. You can create multiple MED-V Workspaces,
and you can customize each with its own configuration, settings, and rules. You then can apply the
workspace to the same image or to multiple images. You can associate a MED-V Workspace with a user or
group, or multiple users or groups, making the MED-V Workspace available only to the associated users
or group members. You can configure a MED-V Workspace centrally, and then apply it to clients that you
assign to this workspace. You can define a MED-V Workspace in the MED-V Management Console by
using the policy module, and then store it on the MED-V server. The MED-V policy applies to users when
they log on and during periodic refreshes, which is every 15 minutes by default. You also can update the
policy manually, by using the Diagnostics option in the MED-V client.
The MED-V Workspace is separated from the user's local desktop, and is a virtual image that runs inside
Virtual PC and which you can configure by using MED-V. For example, if you launch a locally installed
copy of Microsoft Office Word, create a document, and then save the document, MED-V saves it, by
default, in your Documents folder on the local host. But if you launch a copy of Office Word from within
the MED-V Workspace, create a second document, and save the document, then by default, MED-V saves
this document in the My Documents folder in your workspace, meaning in the virtual machine that is
running on the local host. This means that you will have two Documents folders on the same MED-V
client computer: one on the local host, and then one in your MED-V Workspace in the virtual machine.
There are different options to work around this, such as using the MED-V file transfer tool or configuring
folder redirection.
Note: Each MED-V Workspace image can be used only by one Windows user.
Note: You can control the MED-V Workspace from a command prompt by using
KidaroCommands.exe, which is located in the Management subfolder of the MED-V installation folder.
Question: Can you create a MED-V Workspace without assigning it a virtual image?
Key Points
A MED-V Workspace policy is a group of configurable settings that define how the virtualized
environment and applications that you install in that environment perform on the host. By using a MED-V
Workspace policy, you can specify how a MED-V virtualized environment is configured on the client and
how it interacts with the host. You can define several workspace settings, which include:
The image that is assigned to the workspace.
Settings for integration and data transfer between the workspace and the host.
The user for whom the MED-V Workspace policy is enabled.
Settings for device control.
The published applications and the virtual machine configuration.
You can create and manage MED-V Workspace policies by using the MED-V Management Console, which
stores them in a single file, ClientPolicy.xml, on the MED-V server. You also can import or export a
workspace policy as an XML file on the MED-V client, by using the Import or Export options in the Policy
menu in the MED-V Management Console.
Note: When you configure a policy, a warning symbol appears next to the mandatory fields for which
you did not enter values. If a mandatory field is empty, the warning symbol also appears on the
settings tab.
It is important to decide the MED-V Workspace type that you want to use before you deploy the MED-V
Workspace policy. We do not recommend that you change the MED-V Workspace type after you deploy a
policy to users.
Persistent. In a persistent MED-V Workspace, all changes and additions that you make to the MED-V
Workspace are saved in the MED-V Workspace between sessions. You typically use a persistent
MED-V Workspace in a domain environment.
Revertible. In a revertible MED-V Workspace, at the completion of each session, when the MED-V
Workspace stops, the MED-V Workspace reverts to its original state during deployment. Changes or
additions that you made are not saved on the MED-V Workspace between sessions. You cannot use a
revertible MED-V Workspace in a domain environment.
Question: What is the difference between a MED-V Workspace and a MED-V Workspace policy?
Key Points
You can use the General tab in the MED-V policy to configure the workspace name, description, support
contact information, and basic user-experience settings when working with a MED-V Workspace. You can
define whether the MED-V Workspace appears in seamless integration or full desktop mode. Seamless
integration publishes legacy applications on the host Start menu, and they appear as if they were installed
locally on the host. You also can configure the frame color for the legacy applications, which distinguishes
them from the local applications on the host. The full desktop presents the desktop of the MED-V
Workspace operating system in a separate window. You also can define the command that must be run
successfully on the host before the workspace will start.
You must assign a Microsoft Virtual PC image to every MED-V Workspace, and you can configure this
from the Virtual Machine tab in the MED-V policy. An assigned image can be one of three types:
Local test images. These are unpacked images on the local computer. The word test follows these
image names in parentheses, and you can use these images for testing purposes only.
Local packed images. These are packed images on the local computer, and the word local follows the
image name in parentheses. Clients cannot download these images until the administrator uploads
them to the server. Clients can select a local image if you create a package that is distributed to the
client via removable media, such as a USB drive or DVD.
Packed images on a server. These are images that are on the server and that are available for
download by clients. The word server follows the image name in parentheses.
On the Virtual Machine tab, you also can configure the workspace type to be persistent or revertible. If
you choose a persistent workspace, you can specify if a user should use a Windows logon for the virtual
machine. You also can configure workspace lock settings and image update settings, such as the number
of previous image versions to retain and if you want to use Trim Transfer when downloading images.
Note: You should use Trim Transfer when it would take you less time to index the hard drive than to
download the new image version. For example, it would be more efficient to use Trim Transfer when
you download a new image version that is similar to an existing image on the client.
On the Deployment tab in the MED-V policy, you can assign a MED-V Workspace to domain users and
groups. You can specify the time until which the workspace is available, and whether the user can use it in
the offline mode without first connecting to the MED-V server. You also can define the conditions under
which the workspace is deleted automatically and the data-transfer options between the host and
workspace. Additionally, you can configure device-control options, such as whether printers from the host
are available for printing in the workspace or if the workspace can access the host's CD or DVD drive.
Note: To support file transfer in Windows XP Service Pack 3 (SP3), you must disable offline file
synchronization in the virtual image.
Question: How can you control to whom the MED-V policy applies?
Key Points
You can run applications within the MED-V Workspace that are incompatible with the host operating
system, and start them from within the workspace as you would a locally installed application on
the host, from either the Start menu or from a shortcut on the host. Workspace applications that are
available from the host are called published applications. The MED-V policy defines them.
Note: If the application command line includes spaces, enclose the entire path in quotation marks.
If you publish the whole menu, you can define the menu's display name, under which MED-V lists all of
the workspace menu's content on the host Start menu. The published menu location is a relative path
from the Programs folder in the workspace, and if you leave it blank, all programs from the workspace
Start menu will publish to the host.
Note: If you want to rename the published application, you can right-click on it, and then select
Rename. When you reapply the MED-V policy, the application name will not revert. But when you
restart the workspace, the individually published applications will be listed multiple times, with their
published and modified names, while applications on published menus will revert to their original
workspace names.
All published applications and menus appear as shortcuts on the host's Start menu under All Programs in
MED-V Applications. You can change this folder's name in the Start-menu shortcuts folder field on the
Applications tab in MED-V policy.
Key Points
Some Web sites and Web applications are not compatible with the host's Microsoft Internet Explorer
version, and do not work correctly even when you use the compatibility view in Internet Explorer. If you
need to access such Web sites, you can use older Internet Explorer versions. You do not need to open a
browser manually in the MED-V Workspace to view specific Web sites. MED-V automatically redirects you
to the browser in MED-V Workspace from the browser in the host, and vice-versa.
On the Web tab in the MED-V policy, you can define a list of Web browsing rules for a MED-V
Workspace. Users can browse all sites that the rules include, either in the MED-V Workspace browser or in
the host's browser. Users can browse all sites that the rules do not define, from the environment in which
the sites were requested. However, you also can configure these sites as a group, which users can browse
in the MED-V Workspace or in the host.
Note: MED-V applies Web settings only to Internet Explorer. It does not apply Web settings to other
browsers.
You can configure network settings for MED-V Workspace on the Network tab in the MED-V policy. On
this tab, you can define if a workspace uses Network Address Translation (NAT) to share the host's IP
address for outgoing traffic, or if it has its own network address, which it typically obtains from the
Dynamic Host Configuration Protocol (DHCP) server. You also can configure Domain Name System (DNS)
options, such as whether the workspace uses the host's DNS server or if you want to use a specific DNS
server, and you can define DNS suffixes that MED-V uses for name resolution. You should configure these
settings appropriately if you plan to have network connectivity for your MED-V Workspace in scenarios
where the workspace is joined to the domain or it includes software that the organization will update over
the network.
On the Performance tab in the MED-V policy, you can adjust the virtual machine memory, based on how
much physical memory the host has. By using this configuration, you can allocate more memory to the
virtual machine when the host has more memory available. For example, if a host has 1 gigabyte (GB) of
random access memory (RAM), you can allocate the virtual machine 128 megabytes (MB) of memory, and
if a host has 2 GB RAM, you can allocate 512 MB of memory to the same virtual machine.
Question: Do you need to publish Internet Explorer from the virtual image to use it for browsing certain
Web sites that are incompatible with the host's version of Internet Explorer?
VM Setup Settings
Key Points
You can configure the virtual machine's setup settings on the VM Setup tab in the MED-V policy. By
using this tab, you can configure setup options, which MED-V performs when you deploy the virtual
machine and run it for the first time on the MED-V client. For example, you use these settings for joining
the MED-V virtual machine to the domain environment. You need to configure the virtual machine setup
differently for persistent and revertible MED-V Workspaces.
Note: You must use a persistent workspace for domain-joined virtual machines.
For the persistent workspace, you can configure options to run VM Setup, and then use a script editor to
configure actions such as checking connectivity, renaming a computer, joining a domain, or running
custom commands from the command line. For most of the actions, you can specify additional
parameters, such as the IP address for which you want to test connectivity or user credentials, and the
domain name to which you want to join the MED-V virtual machine. If you enable VM setup, you also can
define the message that displays on the MED-V client while the script is running.
Note: VM Setup runs only the first time that you start a workspace, after the Windows logon is
complete. After you complete the VM Setup steps, the Windows operating system inside the virtual
machine shuts down.
For a revertible workspace, you can configure options only to rename the virtual machine.
For both persistent and revertible workspaces, you can define a virtual computer-name pattern. In this
pattern, you can include the user name of the logged-on user, the domain name, host name, workspace
name, virtual machine name, and the selectable number of random characters.
Note: When you join a virtual machine to the domain, only root-level organizational units (OUs) are
supported for creating a computer account.
Question: What are the scenarios in which you would configure and use MED-V VM Setup?
Key Points
In this demonstration, you will see how to use the MED-V Management Console to configure a MED-V
policy on an administrative workstation.
Demonstration Steps
1. Run MED-V Management. Log on to the MED-V server by using the administrator credentials.
2. Add a new workspace, which will create a new MED-V policy.
3. Switch through configuration tabs, and set various options.
4. Save the policy to the server.
5. Switch to the MED-V server, and notice that all changes are saved in the
c:\program files\microsoft enterprise desktop virtualization\servers\ClientSettings.xml file.
Lesson 2
Working with a MED-V Workspace
After you create and enable the MED-V Workspace for the users or groups, you can deploy the MED-V
Workspace. The first time that you deploy a workspace to the MED-V client, the process can be lengthy
because you need to download the virtual image first, and then configure it according to the MED-V
policy.
You can integrate the MED-V Workspace seamlessly with the host, or you can run it in a separate window.
Most customers use seamless integration. But you should be aware that MED-V users work in two
separate environments: the host operating system and the workspace. Users can share the Clipboard
between the two environments, and MED-V provides a transfer tool so that users can transfer files and
folders between both environments. If you join a workspace to a domain, you can provide better
integration by using additional options, such as sharing the folders between the host and the workspace,
or using a Group Policy object (GPO) to configure folder redirection.
Key Points
You can deploy a MED-V Workspace only to the workstations on which you install the MED-V client. The
MED-V client runs on top of Virtual PC, applies MED-V policy to the virtualized environment, and
integrates the MED-V Workspace with the host. Before you can access the MED-V Workspace and run
published applications, you first must log on to MED-V. You can log on to MED-V by using the account of
the currently logged-on Windows user or by providing an alternate user account. You can enter the user
name in two different ways: domain\username or username@domain. The AD DS domain controller
performs user authentication, and the MED-V server performs authorization. If you want to use MED-V,
you must have an AD DS user account, and you must enable the
MED-V Workspace for your account or the group to which your account belongs. You can log on to the
MED-V Workspace automatically by using your Windows user account, or manually by starting the MED-V
client, and then providing user credentials. You can configure how the MED-V client starts at logon by
right-clicking on the MED-V icon in the notification area, and selecting the Settings option. By using the
Settings option, you also can configure MED-V server settings.
If user authentication is successful and you have enabled multiple workspaces, MED-V prompts you for
the workspace that you want to use. You can select one of the workspaces from the list, and make it the
default choice. The MED-V server then provides an encryption key to the client, which you can use to
decrypt the virtual machine image on the client. If the image is not available on the client, MED-V
transfers it from the image repository on the MED-V server. After you decrypt the virtual machine, the
MED-V client uses Virtual PC to launch the virtual machine, which initializes the MED-V Workspace. After
the MED-V Workspace starts, you can interact with it.
Note: You can deploy multiple virtual images to the client, but you can run only one Virtual PC image
at a time. If you enable more than one workspace for a user, then when the user starts the MED-V
client, MED-V prompts the user to select the workspace to run.
You can control the MED-V Workspace by right-clicking the MED-V icon on the notification area. If the
workspace is running, the MED-V icon has a green check mark. By using the MED-V options in the
notification area, you can perform the following tasks:
Start, stop, or restart the workspace.
Lock the running workspace to prevent access to published applications while the workspace is
locked.
Modify the workspace settings.
Access tools or help, including workspace support information, which the MED-V policy defines.
Question: How can users log on to MED-V? What happens if they have enabled multiple MED-V policies?
Question: What is the difference between the first logon and successive logons to a workspace?
Key Points
You can access published applications from the MED-V Workspace by using the host's Start menu in the
same way as you access locally installed applications. In the MED-V policy, you can control which
applications you want to publish and where on the Start menu they are published. Because published
applications integrate with the Start menu on the host, you can use the Search function to find them, and
then you can run them in the same way as you would run locally installed applications.
Note: If you want to publish applications in the submenu, you can use the \ character when defining
the shortcut folder for the Start menu in the MED-V policy.
In the MED-V policy, you can specify how applications are published. You can configure applications to
have a frame around the application window, which helps distinguish them from locally installed
applications. You can start another application from a published application, and then you can run
multiple published applications at any time. Be aware that only a single workspace is used at any time,
and that all published applications must be from the same virtual image.
If you want to protect access to published applications, you can lock the workspace. A MED-V policy can
define the idle time after which a workspace locks automatically. Alternatively, you can lock a workspace
manually, by right-clicking the MED-V icon, and then selecting the Lock Workspace option. This hides all
opened published applications, and you can run a new published application or access running published
applications only after you unlock the workspace by providing the MED-V user password.
Apart from the Start menu, you also can run published applications from the command prompt on the
host. The MED-V Workspace in which you define the published application must be running, and you can
run the published application by using the following syntax:
Note: Be aware that the published application name and the MED-V Workspace name are both
case-sensitive.
Question: What methods can you use to run published applications from the MED-V Workspace?
Question: How can you distinguish between local and published applications?
Key Points
Published applications integrate with the host, and provide a look and feel that is similar to locally
installed applications. For example, if an application has an icon in the notification area, this icon is
available from the notification area on the host and its context menu. You can press ALT+TAB to switch
between running applications on the host, and the list of running applications includes the published
applications. However, these applications run in the virtual environment, so in an older operating system,
Flip3D, live thumbnail preview, and transparency do not work for published applications. Based on the
MED-V policy configuration, you can use Copy and Paste to transfer content between published
applications and applications running on the host.
Published applications run in the virtual environment, and they access the folder structure on the virtual
hard disk. If you want to save data from the published application to the host, you can save it first to the
virtual environment, and then use the MED-V File Transfer tool to transfer it from the virtual environment
to the host. In the MED-V File Transfer tool, you can choose to transfer an individual file or a folder.
In the MED-V policy, you can define the following:
The direction in which files can be transferred: host to workspace, workspace to host, or both.
The file extensions that can be transferred.
Whether you want to enable the running of commands on the received files once you transfer them
to the host.
Because transferring files from the workspace to the host can be time consuming, you can use different
options, such as sharing folders between the host and the workspace, or using Group Policy to configure
folder redirection, if the workspace is joined to a domain.
Note: The File Transfer Tool is enabled only when the MED-V Workspace is running.
Published applications are displayed on the host in the same way as RemoteApp programs are displayed
when you use Remote Desktop Services (RDS).
Question: How can you access a data file that you saved in the MED-V Workspace?
Question: What are the alternatives to using the File Transfer tool to access data files that are saved from
published applications?
Key Points
One of the workspace settings that you can control through MED-V policy is the URL addresses that users
can browse by using Internet Explorer. You can use this option if Web sites or Web applications are
incompatible with Internet Explorer on the host, but they work correctly with the workspace's older
version of the Internet Explorer browser. You do not need to publish Internet Explorer from the host to
use this feature. You can specify the list of URLs by adding domain suffixes and IP prefixes. You also can
select all local addresses, and then define whether a browser from the workspace or from the host will be
used for browsing them. Then you can specify how you will browse all other URLs, either by using the
browser in the workspace or in the host. When you browse URLs, transitions between the host's Internet
Explorer and Internet Explorer in the workspace are automatic. If you define a URL in the MED-V Policy as a
workspace URL, and then type it in the host Internet Explorer window, an Internet Explorer window from
the workspace opens and accesses the URL. This browser transition works in reverse, as well, from the
workspace browser to a browser on the host.
Note: Web settings are applied only to Internet Explorer. Web settings are not applied to other
browsers.
Another option that you control through a MED-V policy is the ability to print from published
applications. You can print either to locally installed printers in the workspace or to printers that are
connected to the host. The Enable printing to printers connected to the host option in the MED-V
policy controls access to printers that are connected to the host. When you prepare a virtual image, and
then install the VM Prerequisites Tool, it adds a printer driver that is represented as the Local Printer. This
printer enables you to use any printer that is connected to the host, without installing any additional
device drivers inside the virtual image. When you run a published application, you can select to print to
the Local Printer, which is the workspace's default printer. You get an additional dialog box, where you
select which host printer to use and what print job is sent to that printer.
Question: Do you need to install additional printer drivers in the workspace to print to host printers?
Question: You are not able to find the Windows XP driver for a printer that is connected to your
Windows 7 host. Can you still print from the published application that is running in Windows XP SP3
workspace on this printer, if you configure the printer in the Windows 7 host?
Lesson 3
Reporting and Troubleshooting MED-V
Reporting and troubleshooting are an integral part of MED-V. You use Microsoft SQL Server for storing
the MED-V log events, and then you can view them in the MED-V Management Console. MED-V provides
three report types, and enables you to use features such as filtering, grouping, sorting, and exporting
MED-V events to a Microsoft Office Excel file.
A MED-V client provides troubleshooting capabilities, which include gathering the diagnostics logs,
updating the MED-V policy on the client, enabling the diagnostic mode, and browsing the image store.
Features such as the diagnostic mode can be beneficial when you run the workspace for the first time, as
it displays a Virtual PC window that shows what is occurring in the virtual environment.
Key Points
The reporting feature in MED-V gathers, stores, and presents information about client status, user activity,
and errors to MED-V administrators in the form of reports. If you want to use MED-V reporting, you must
have SQL Server 2005 Service Pack 2 (SP2) or SQL Server 2008 installed locally on the MED-V server or
available on a remote server. You can use any SQL Server edition--Express, Standard, or Enterprise--and if
you want to use SQL Server on the remote server, you must install Microsoft SQL Server Management
Objects on the MED-V server. By default, MED-V adds an additional database, medv, to the SQL Server.
This database has six tables, and SQL Server uses it only for logging events, errors, and status messages.
You can create and configure a MED-V database through the MED-V Server Configuration Manager on
MED-V server. From this tool's Reports tab, you can perform the following tasks:
Configure a connection string for connecting to the SQL database.
Create a MED-V database.
Test connectivity.
Configure database maintenance, such as how long data will be stored in the medv database before
MED-V deletes it automatically.
You can select the report type, provide additional parameters, and view reports in the MED-V
Management Console, which is available on the MED-V administrative workstation. Before you can view a
report, you first must select the report type, and then provide additional parameters, which can include:
Number of days. This is the number of days for which MED-V should include events in the report.
User name contains. This is the portion of the user name that MED-V should include in the report. If
you specify this, MED-V displays only events performed by users whose names meet this criterion. If
you do not specify this parameter, the report includes events by all users.
Host name contains. This is the part of the host name that you are looking for and that you want the
reports to include. If you specify this parameter, MED-V displays only events that comply with this
parameter. If you do not specify this parameter, the report includes events that happen on any host.
After you specify the parameters, MED-V generates a report, and adds a new tab to the detailed view. You
can:
Sort the report's entries by clicking on the column heading.
Filter events by clicking the filter icon in the column heading.
Group events by dragging the column heading to the top of the report or right-clicking on the
column heading.
You also can export reports to Office Excel.
Key Points
The MED-V client generates the MED-V events, and then stores them in SQL Server when the client is
online. The medv database, which contains six tables, stores events. You can use tools such as Excel or
Microsoft Office Access to access the log data in the database and create your own reports. Alternatively,
you can use the MED-V reporting capability that MED-V provides by default. You can use the MED-V
Management Console for generating and viewing MED-V reports. The MED-V Management Console
provides three report types:
Status. You can view the current status of all active users and all MED-V Workspaces for each user,
based on the period of time that this report defines. You can view information such as:
Computers that are connected to the server currently, and the date and time that they were last
connected to the server.
The status of each computer.
Relevant information, such as the workspace used, policy version that was applied, and the
MED-V client version on the host.
Activity Log. You can view events that originated from a specific host or user in a defined date range.
In this report, you can find events such as:
When a virtual image download has started or completed.
When a MED-V Workspace has started.
Whether a user was authenticated before using the workspace.
This report has the most detailed information on user activity. In larger MED-V implementations, it
contains many events.
Note: When you work with reports, you can use a filter or the group by command to categorize your
results.
Error Log. You can view errors that originated from a specific host or user in a defined date range. In
this report, you can view:
At which host the error originated.
When the error occurred.
The identity of the user.
In which workspace the error occurred.
The error's description.
Note: If the client is working offline, the server receives the reports when the client reconnects to the
network.
Key Points
In the MED-V Management Console, you can monitor clients by generating a report that contains
detailed information about client events. In this demonstration, you will see how to generate and work
with MED-V reports.
Demonstration steps:
1. Log on to MED-V Management Console as medv-user, and go to the Reports module.
2. Select Generate Report with default parameters.
3. Review the data on the Status tab.
4. Generate the Activity Log by accepting the default parameters.
5. Review data on the Activity Log tab.
6. Sort data by the Event Id heading. Use Filtering to display a specific Event Id.
7. Group rows by Event Id. Reorder columns of the Export data report on the Status tab to Excel.
Question: How can you drill down into MED-V reports and view specific information in the log data?
Key Points
If you experience problems with starting, downloading, or running a MED-V Workspace, there are several
troubleshooting options available. One of them is MED-V reporting. By using MED-V reporting, you can
find errors that the MED-V clients report. But you can get more help to troubleshoot specific MED-V client
issues by using MED-V Diagnostics, which you can access by right-clicking the MED-V icon in the
notification area, and then selecting Help/MED-V Diagnostics.
When you start MED-V Diagnostics, the following four sections are available:
System. This section provides information about the amount of RAM on the host, as well as the host
name, operating system, and Windows user that currently is logged on. You can select the Gather
diagnostic logs option, which creates a compressed file with many diagnostic files that are necessary
for troubleshooting the MED-V client. The compressed file is saved on the desktop, and includes
information such as client configuration files, the virtual machine that the workspace is using, the
local host configuration, and its events. You also can gather the diagnostic log from the MED-V
Diagnostics Tool that is installed with MED-V client.
Policy. This section provides information on the MED-V policy version and the time at which it was
updated last. The MED-V client updates the policy automatically every 15 minutes, by default, but
you also can update it manually by clicking Update policy. You get a notification when the policy is
refreshed, and MED-V applies the policy changes immediately.
Note: You can update a policy from a command prompt by running, on the host, the
KidaroCommands.exe with the /Refresh parameter.
Workspace. This section provides information on the active workspace, such as its status, expiration
date, and the image used, as well as its location, version, and size. In this section, you also will find
information regarding whether the MED-V client is connected to the MED-V server or if it works
offline. You can use the Enable diagnostics mode option, which shows the Virtual PC desktop, and
which is useful in troubleshooting issues in the initial setup of the virtual environment. If you enable
the Diagnostics mode, published applications open in the Virtual PC window, not on your host. After
you disable the Diagnostics mode, the Virtual PC window hides, and published applications again are
visible on the host.
Note: You can enable MED-V diagnostic mode from the command prompt by running, on the host,
KidaroCommands.exe with the /TroubleShootingMode parameter.
Image Store. This section provides information on where the image store is located, its size, and the
available free disk space on the host. You can click Browse image store, and the local image store
opens in Windows Explorer. You also can start browsing local images from the MED-V Management
Console.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1 and 10324A-NYC-CL1 virtual machines are running.
3. If required, connect to the virtual machines. Log on to the virtual machines as
Contoso\Administrator using the password Pa$$w0rd.
Task 1: Create a MED-V Workspace policy, and configure it to use an existing image
1. On NYC-CL1, start MED-V Management, and log on as contoso\medv-admin with Pa$$w0rd as
the password.
2. Create a new workspace with the name Legacy Workspace. Provide a workspace description and
support information.
3. Verify that the policy defines Seamless Integration for published applications, and then select the
pink (255,0,255) frame color.
4. Select XP-Updated (server) as the assigned image. If the image is not available, click Refresh.
5. Select Synchronize Workspace time zone with host.
Results: After this exercise, you should have created a new policy, defined a new MED-V Workspace,
and configured various policy options, including which applications the workspace will publish.
Task 2: Explore the published programs, and manually update the MED-V policy
1. On NYC-CL1, verify that published applications are listed in the Start menu and that there is a
Published subfolder.
2. Use search on the Start menu to start the XP XML Notepad application. Verify that the application has
a pink frame around the window. Drag the XML Notepad window around, like the window of the
locally installed application. Close the XML Notepad application.
3. In the MED-V Management Console, remove the Published menu, and save the policy.
4. On NYC-CL1, update the policy, and then verify that four published applications are still listed on the
Start menu, even though the Published subfolder is no longer present.
Results: After this exercise, you should have deployed a MED-V Workspace, worked with published
applications, learned how to lock and unlock the workspace, and verified that the workspace is
configured as defined in the MED-V policy.
Results: After this exercise, you should have reviewed information provided in MED-V reports, worked
with MED-V report formatting, gathered MED-V diagnostics logs, and viewed how to use the MED-V
diagnostics mode.
Review Questions
1. What is the MED-V Workspace?
2. How can you configure a MED-V virtual environment?
3. What defines a MED-V Workspace?
4. What must you do to configure a MED-V policy?
5. What is the difference between a persistent and revertible workspace?
6. How can you specify the virtual image to which the MED-V policy should apply? What image types
can you assign in MED-V?
7. Can you print to the host printers from the published application in the workspace?
8. What is the easiest way to gather MED-V diagnostic logs on the MED-V client?
9. How can you find out what is going on inside the MED-V virtual environment during initial setup,
when you join a virtual machine to the domain?
You modified the MED-V policy, but the changes are not
reflected in the client workspace.
Module 6
Implementing Microsoft Application Virtualization
Contents:
Lesson 1: Introduction to Application Virtualization
Lesson 2: Planning for Application Virtualization
Lesson 3: Deploying Application Virtualization Servers
Lab: Implementing Application Virtualization
Module Overview
The Microsoft Application Virtualization 4.5 Service Pack 1 (App-V 4.5 SP1) and the App-V 4.6 client and
sequencer software provide the latest updates to application virtualization technology. This release
includes new capabilities that make it easy for enterprise information technology (IT) organizations to
support large-scale, global application virtualization implementations. This module provides an overview
of application virtualization and App-V components. The module also covers the App-V infrastructure, the
deployment scenarios, and the procedures for installing and configuring App-V servers and App-V clients.
Lesson 1
Introduction to Application Virtualization
Application virtualization is a sophisticated technology that allows organizations to reduce costs and
simplify software deployment. Application virtualization allows you to run applications on client
computers without having to install them locally.
Other virtualization technologies such as Windows XP Mode or Microsoft Enterprise Desktop
Virtualization (MED-V) deliver an entire virtual machine to the client computer, whereas App-V delivers a
virtual application hosted in a virtual environment based on the host operating system. App-V does not
provide a virtual machine. App-V is not an application compatibility product, but instead it is an
application management product.
This lesson provides an introduction to the concepts behind application virtualization, and the tasks that
you can use to manage it.
Key Points
Application virtualization allows you to run applications on client computers as if they were installed
locally. You never install a virtualized application, in the traditional sense, locally on an end user's
computer. However, a virtualized application behaves as a locally installed application, from the end user's
perspective. The virtualization client software that you install on the client computer provides an
environment that simulates the local operating system. Blocks of the application's code are loaded into
this virtual environment on demand. The virtual server initially downloads only the code necessary to start
the program, which typically is 20 to 40 percent of the total code. No further code is sent to the client
until the user requests it by using features of the application. These blocks of code may be streamed from
a network location or reside in a cache on the local hard disk.
Streaming is the process of obtaining content from an application package. The application runs as if it is
interacting with the physical operating system, when in fact it is interacting with virtualized
operating-system components, such as registry, .ini files, and dynamic-link library (DLL) files. However, the
application never interacts directly with the actual operating system.
When the session terminates, the virtual server saves application settings and profiles in a nonvolatile
cache, which provides instant access for subsequent use. The cached code enables applications to run
locally with full functionality, even without a network connection.
Running multiple versions of the same application without conflicts. Users sometimes need to run
older versions of an application to support their customers, but they might also need access to the
latest version. App-V enables users to run multiple versions of the same application by providing
virtual environment isolation.
Reduced application conflicts. Sometimes applications are unable to coexist on the same operating
system due to DLL or API conflicts. Virtual environment isolation means that applications are unaware
of each other and therefore, do not have these types of conflicts.
Scalable infrastructure. You can deploy multiple virtualization servers to stream virtual applications to
clients across the enterprise, and you can manage these servers from a single console, and load
balance them for redundancy. Stand-alone client installers can extend virtual applications to users
who do not connect to the local area network (LAN).
Accessible applications. Because you can target applications at particular users or groups, they are
available at any workstation to which a user logs on, as long as that workstation has the App-V client
installed. If users have roaming profiles, any personal configuration application settings will be
available.
Remote Desktop server support. App-V allows an application to run simultaneously with any other
application on a Remote Desktop server, eliminating the need for application silos and increasing
utilization. This results in the need for fewer servers, and it enables applications that were not
designed to run in multiuser mode to run on a single terminal server. There is separate virtual client
software for Remote Desktop servers.
Note: For the Windows Server 2008 R2 operating system, Terminal Services has been renamed to
Remote Desktop Services.
Reduced license compliance risks. App-V helps to manage license compliance by controlling the
number of users permitted to access an application. You can associate applications with license
groups to enforce compliance.
Usage reporting. You can generate several different reports to track application usage, audit software,
and track system utilization and errors.
Key Points
A virtualization solution consists of a number of components that work together to provide virtualization.
Depending on the deployment model that you implement, you might require some or all of the following
components:
Microsoft Application Virtualization Management Web Service. This service acts as an intermediary
between the Application Virtualization Management Console and the Application Virtualization Data
Store. The Web service accepts data from the management console and sends it to the database. For
example, when a new application is imported, the Web service makes the data store aware of the new
application and its configuration. You must install Microsoft Internet Information Server (IIS) 6.0 or
newer on the server.
Microsoft Application Virtualization Management Console. This component interacts with the Web
service to provide policies. Virtual application deployments, updates, and terminations are managed
by using policies, and administered through the App-V management console. You can install this
console on the Windows XP operating system or newer versions, the Windows Server 2003
operating system or newer versions that have the Microsoft Management Console (MMC) 3.0 and the
.NET Framework 2.0 or newer versions installed.
Microsoft Application Virtualization Management Server. This component stores the application
packages in a shared folder for distribution to the clients. During startup, it requests policy
information from the data store on a Microsoft SQL Server. The App-V Management Server
authorizes and authenticates requests against Active Directory Domain Services (AD DS), and then
provides the application streaming, security, metering, monitoring, and data gathering services.
Microsoft Application Virtualization Streaming Server. This component provides a lightweight solution
for application virtualization. This server only provides streaming services using Real-Time Streaming
Protocols (RTSP) and RTSP Secure (RTSPS). It does not provide the full set of management capabilities
that the management server delivers. Therefore, it does not require the same infrastructure as the full
management server.
Microsoft Application Virtualization Client. This component is a small software program that resides
on the computers running the virtual applications. These clients communicate and authenticate with
the application virtualization server to receive application code, and then locally execute the
application.
Microsoft Application Virtualization Sequencer. This is a wizard-based tool, which sequencing
engineers use to create virtual application packages. Sequenced applications perform as if they are
installed on the local machine when users launch them. You perform sequencing on a computer that
represents the operating system on which the virtual application will be run.
SQL Server. This is required to act as the data store for a full installation of an App-V environment.
SQL Server 2005 Express Edition SP2 or newer is required. This data store stores all application
records, licensing, logging information, permissions, virtualization server configurations, and
reporting.
Key Points
App-V streaming servers natively use RTSP or Transport Layer Security (TLS) and RTSPS to stream
applications to clients. A new feature in App-V 4.5 is the ability to stream over HTTP protocol.
You can use RTSPS if you need only a single port and an encrypted application stream. The default port is
322 in RTSPS. This is a change from previous Microsoft SoftGrid versions that used port 332 to comply
with industry standards. However, you can redirect the port to 443.
RTSPS uses a single port for both RTCP and RTP traffic, and for all connections to the Application
Virtualization Management Server. This can have an effect on performance. RTSPS requires a valid
certificate installed on the management server. The streaming server can be set up to support RTSP,
RTSPS, or both.
Streaming over HTTP is accomplished by creating a virtual directory that maps to the content folder that
holds the sequenced applications. Also, you must add the following Multipurpose Internet Mail Extensions
(MIME) types:
OSD with the type of App-V Application
Virtualized-enabled application file (SFT) with the type of App-V Application
Then, the hypertext reference (HREF) value in the OSD file must reflect that you are using the HTTP
protocol and port 80. For secure HTTP, the HREF value must reflect HTTPS protocol and port 443.
HTTP streaming is optimized for Internet or intranet delivery over wide area networks (WANs). Therefore,
we recommend it for Internet-facing scenarios and businesses that require streaming capabilities across
large, dispersed networks. Active Upgrade is not available when you are using HTTP streaming.
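A check an administrator could run over the OSD files in a content folder, confirming that each HREF uses a protocol and port combination described above and reporting packages that stream unencrypted. This is an added example, not part of the course material: the sample OSD documents are constructed and reduced to the CODEBASE element, port 554 for plain RTSP is an assumption, and reporting an HREF without an explicit port is this example's reading of "must reflect the protocol and port".

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Ports accepted per scheme. 80 (HTTP), 443 (HTTPS) and 322 or redirected 443
# (RTSPS) come from the text above; 554 for plain RTSP is the registered RTSP
# port and is an assumption, because the page does not state it.
ALLOWED_PORTS = {"rtsp": {554}, "rtsps": {322, 443}, "http": {80}, "https": {443}}
ENCRYPTED_SCHEMES = {"rtsps", "https"}


def audit_osd(osd_text):
    """Return (code, href) findings for one OSD document; empty list = clean."""
    # An OSD file needs no DTD, so refuse one rather than expand its entities.
    if "<!DOCTYPE" in osd_text or "<!ENTITY" in osd_text:
        return [("rejected-dtd", "")]
    try:
        root = ET.fromstring(osd_text.strip())
    except ET.ParseError:
        return [("rejected-malformed", "")]

    codebases = [el for el in root.iter() if el.tag.upper() == "CODEBASE"]
    if not codebases:
        return [("no-codebase", "")]

    findings = []
    for el in codebases:
        href = el.get("HREF", "")
        try:
            parts = urlsplit(href)
            port = parts.port          # raises ValueError on a non-numeric port
        except ValueError:
            findings.append(("bad-url", href))
            continue
        scheme = parts.scheme          # urlsplit lowercases the scheme
        if scheme not in ALLOWED_PORTS:
            # UNC paths, file:// and anything else are outside this check.
            findings.append(("unchecked-scheme", href))
            continue
        if scheme not in ENCRYPTED_SCHEMES:
            findings.append(("unencrypted", href))
        if port is None:
            findings.append(("no-port", href))
        elif port not in ALLOWED_PORTS[scheme]:
            findings.append(("port-mismatch", href))
    return findings


def make_sample_osd(href):
    """Build a constructed, minimal OSD document around one CODEBASE HREF."""
    return (
        '<SOFTPKG NAME="Sample" VERSION="1.0"><IMPLEMENTATION>'
        f'<CODEBASE HREF="{href}"/>'
        "</IMPLEMENTATION></SOFTPKG>"
    )


# Constructed sample inputs (host name and package paths are placeholders).
SAMPLES = {
    "legacy.osd": make_sample_osd("RTSP://appv.example.test:554/legacy/legacy.sft"),
    "secure.osd": make_sample_osd("rtsps://appv.example.test:322/secure/secure.sft"),
    "intranet.osd": make_sample_osd("http://appv.example.test:80/intranet/intranet.sft"),
    "web.osd": make_sample_osd("https://appv.example.test:80/web/web.sft"),
}


def audit_all(documents):
    """Map each document name to its findings, keeping only non-clean ones."""
    report = {}
    for name, text in documents.items():
        findings = audit_osd(text)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        for code, href in findings:
            print(f"{name}: {code}: {href}")
```
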
Key Points
Application packaging is the process of preparing virtual applications for deployment on client computers.
You can create an application package, also called a sequenced application, by using the App-V
Sequencer. Sequencing is typically the first step of implementing a virtualized application. You can use the
App-V Sequencer to monitor and record the application installation and capture the files that the
application uses to run. The App-V Sequencer then packages all required files into a virtualized,
self-contained environment for deployment to App-V clients. Each package created by the sequencer
defines its own virtual environment.
Packaging is a separate operation from deployment, and you perform it on a separate computer from the
deployment or management servers. After you sequence the application, you copy the resulting package
to the deployment server for distribution.
Key Points
After packaging the application, you can deploy it. Deployment typically involves streaming the package
to the App-V client, which you must install on the client computer prior to application deployment. You
can place the virtual application package on App-V streaming servers so that you can stream the package
to the clients on demand and also have it cached locally. You also can use file servers and Web servers as
streaming servers.
You can deploy multiple streaming servers to support large distributed environments. There is no built-in
method in App-V to replicate application packages between multiple streaming servers delivering the
same applications. Package replication must be achieved through other means such as Distributed File
System (DFS), scripting, or manually.
Application streaming is the exchange of data between the desktop virtualization client and an
application streaming component on the server. Its purpose is to move the entire application package or
parts of the application's code, known as feature blocks, from the virtualization server to a user's hard
disk, and then import it into the desktop virtualization framework. Most software packages are cached on
the user's hard disk after the initial download. This reduces the network impact for subsequent launches of
the application.
By default, an App-V client goes through the process of desktop configuration refresh (DC Refresh) at
logon to get the list of applications that it is allowed to run. The client also populates the host operating
system with those applications' icons so that the user can access them.
Application licensing and user validation also is performed against the virtualization management server.
As an example, when a user launches an application package that previously was downloaded, the
virtualization client software first calls the management server to verify that the current user remains
authorized to run the application. You also can create policies that enable mobile workers to run the
application in an offline mode, during which the policy determines how long an application can run
without contacting the server's streaming component. For example, the streaming server administrator
may set the policy to allow offline applications to continue to run for seven days without contact. The
desktop virtualization client enforces the policy, and then can disable or remove the application after the
specified period of stand-alone use.
Key Points
When you virtualize an application, it runs inside its own virtual environment. This provides the following
advantages:
No installs. You can stream Microsoft App-V packages to client systems without having to install the
applications on each client. Stand-alone scenarios are possible. In this situation, the application is not
streamed to the client computer. Rather, you package the virtual environment and install it for use by
the virtual client software component on the client computer.
No client footprint. Because you do not install the application, you can remove the package easily
without leaving a footprint. This means that there are no orphaned files or registry settings, which
typically are left behind in a traditional application uninstall.
No wasted resources. Virtualized applications can use local and network drives, CPU, random access
memory (RAM), printers, and other local resources on the App-V client.
Pre-configuration of applications. Virtual applications are self-contained, and include all .ini files and
registry settings. During the sequencing operation, the sequencing engineer can configure the
application settings, which enables you to deploy the application in the way you want to present it to
end users. However, users can make personal configuration changes to the application just as if the
application was installed normally, and those settings are stored permanently in a user-specific file
named UsrVol_sftfs_v1.pkg in the user's profile in the %AppData% directory.
Key Points
Updating applications with updates and new revisions can be time consuming and costly for an
organization. App-V enables an organization to centralize these tasks, which simplifies how you can
update and support applications.
Application Updates
An application's life cycle typically involves updates, which typically are in the form of service packs or hot
fixes. When you use virtual applications, however, you need to apply updates only to the package source
files. The updated package then replaces the original package on the App-V server, and the App-V client
seamlessly receives the updated files the next time it launches the application. There is no interruption in
service, and the end user is unaware that an update has been applied.
Application Support
The Microsoft App-V platform can also solve other support-related issues. Because each virtual
application runs in its own virtual environment, conflicts between applications are reduced.
Virtual applications are almost immune to users inadvertently or intentionally deleting critical files that are
needed to run that application. This effectively reduces the number of help-desk calls that an organization
receives.
App-V enables organizations to control the number of users who can gain access concurrently to
App-V-enabled applications through enforcement of license compliance.
Lesson 2
Planning for Application Virtualization
Before deploying a virtual solution, you must have an understanding of the supporting infrastructure
components and the considerations for planning the deployment. The process for implementing
application virtualization is very flexible and scalable. Large deployments require more planning and
different components. This lesson will discuss the different considerations and models for application
virtualization deployment.
Key Points
All deployment models require the presence of the App-V client software on the client computer. You can
achieve the delivery of virtual applications to the App-V client through four main delivery models:
App-V full infrastructure (Enterprise) model
App-V lightweight infrastructure model
Stand-alone deployment model
System Center Configuration Manager 2007 R2 integrated model
The App-V Sequencer packages the publication information, shortcuts, and the install routines into the
MSI, and the virtualized application into an SFT file. When executed, the installer adds the virtual
application package to the App-V client, and configures the publication information to load applications
from a local location rather than stream them across a WAN.
Stand-alone deployments require the client to go into stand-alone mode, which only allows MSI-based
updates of the virtual applications. You do not configure the App-V client to connect to any App-V server,
and applications are delivered to the client through an MSI package. The MSI holds all metadata of the
sequenced application, except for the binary SFT file that holds the actual application.
Streaming is not allowed in the stand-alone model, which is for those users who connect to the corporate
network rarely and do not have access to a server, but who require the power of virtualized applications.
The stand-alone delivery scenario enables an organization to deploy virtual applications in situations
where no servers are available to support other deployment methods for virtual applications. Use
stand-alone deployment when:
Remote users cannot connect to the App-V infrastructure.
Software management systems, such as System Center Configuration Manager or a third-party ESD
system, are in place already.
Network bandwidth limitations prevent ESD. In this case, you can use virtual application delivery on
physical media.
Because the stand-alone model employs an MSI file, you can distribute it by using an existing software
distribution infrastructure, such as Group Policy objects, shared folders, CD or universal serial bus (USB)
flash drives, and others.
By default, stand-alone applications are available to all users that log on to the computer. This may not be
desirable in some environments. To change this behavior, you can use the SFTMIME command-line utility
with the /NOGLOBAL option during the MSI install.
This model requires both the App-V client and the Configuration Manager client on each managed
system. It does not use any of the server components of application virtualization, but instead uses the
existing Configuration Manager distribution points to deliver the virtual application to the client.
Application delivery to the client works differently from the App-V Full Infrastructure scenario. In the Full
Infrastructure scenario, the App-V client manages its own content, and it can refresh instantly against the
Configuration Manager supports two types of delivery methods for virtual applications:
You can enable streaming delivery on Configuration Manager distribution points. This option streams
the virtual application to the client through HTTP or HTTPS.
Local delivery uses the Configuration Manager 2007 client to first download all the files needed for
the application through Background Intelligent Transfer Service (BITS). After downloading the files,
the package is loaded (fully) into the App-V client cache.
This model requires in-depth knowledge of System Center Configuration Manager, and is not the focus of
this course.
Key Points
Before deploying App-V to your enterprise, you must ensure the supporting infrastructure is in place and
configured to support the App-V environment.
Firewall Considerations
After you install the App-V management server or streaming server, and configure it to use the RTSP or
secure RTSPS protocols, you must create firewall exceptions for the App-V programs. Create a firewall
exception for sghwdsptr.exe and sghwsvr.exe. These programs are in the C:\Program Files\Microsoft
System Center App Virt Management Server\App Virt Management Server\bin folder on a 32-bit
operating system. If you are using a 64-bit operating system version, the folder is located in the
corresponding location under C:\Program Files (x86).
Load-Balancing Considerations
You can use load balancing to allow a farm of App-V Servers to continually grow to meet company
requirements and provide a level of fault tolerance. After you configure load balancing, you need to
change the HREF tag in the OSD file to point to the load-balanced IP address or DNS name. For example:
HREF="rtsp://{virtual IP or virtual host name}:554/DefaultApp.sft"
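The HREF change described above can be scripted across a Content folder. The following PowerShell is an added example, not code from the course: it replaces only the host part of each rtsp:// or rtsps:// HREF and reports whether the entry uses secure RTSPS. The function names, the sample OSD element layout and the host name appv-vip.contoso.example are assumptions.

```powershell
# Added example, not course material. Repoints the streaming HREF in OSD files
# at a load-balanced name and reports whether each entry uses RTSP or RTSPS.

function Get-RepointedHref {
    param([string]$Href, [string]$VirtualHost)
    # scheme://host[:port]/path ; only the host part is replaced.
    $m = [regex]::Match($Href, '^(?<scheme>rtsps?)://(?<host>[^:/]+)(?<rest>(:\d+)?/.*)$', 'IgnoreCase')
    if (-not $m.Success) { return $null }   # not an RTSP/RTSPS URL: leave it alone
    '{0}://{1}{2}' -f $m.Groups['scheme'].Value, $VirtualHost, $m.Groups['rest'].Value
}

function Update-OsdHref {
    param(
        [Parameter(Mandatory = $true)][string]$ContentRoot,
        [Parameter(Mandatory = $true)][string]$VirtualHost,
        [switch]$Apply    # without -Apply the function only reports
    )
    Get-ChildItem -Path $ContentRoot -Recurse -Filter *.osd |
        Where-Object { $_.Extension -eq '.osd' } |
        ForEach-Object {
            $file = $_.FullName
            $xml = New-Object System.Xml.XmlDocument
            $xml.PreserveWhitespace = $true
            $xml.Load($file)
            $dirty = $false
            # Any element carrying an HREF attribute, so the exact OSD layout is not assumed.
            foreach ($node in $xml.SelectNodes('//*[@HREF]')) {
                $old = $node.GetAttribute('HREF')
                $new = Get-RepointedHref -Href $old -VirtualHost $VirtualHost
                if (-not $new) { continue }
                $write = [bool]($Apply -and ($new -ne $old))
                if ($write) {
                    $node.SetAttribute('HREF', $new)
                    $dirty = $true
                }
                [pscustomobject]@{
                    File    = $file
                    OldHref = $old
                    NewHref = $new
                    Secure  = ($new -match '^rtsps://')   # False means cleartext RTSP
                    Written = $write
                }
            }
            if ($dirty) {
                Copy-Item -Path $file -Destination "$file.bak" -Force   # keep the original
                $xml.Save($file)
            }
        }
}

# Constructed sample: a minimal OSD-like file. The element names are assumed;
# the HREF form, port 554 and DefaultApp.sft follow the course text.
$demo = Join-Path $env:TEMP 'osd-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<SOFTPKG NAME="DefaultApp">
  <IMPLEMENTATION>
    <CODEBASE HREF="rtsp://NYC-SVR3:554/DefaultApp.sft" />
  </IMPLEMENTATION>
</SOFTPKG>
'@ | Set-Content -Path (Join-Path $demo 'DefaultApp.osd') -Encoding UTF8

Update-OsdHref -ContentRoot $demo -VirtualHost 'appv-vip.contoso.example'          # report only
Update-OsdHref -ContentRoot $demo -VirtualHost 'appv-vip.contoso.example' -Apply   # write, keep .bak
```

Run the report-only form first and review the Secure column before using -Apply on a production Content folder.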
Key Points
The App-V Management Server performs the publishing and streaming functions for virtual applications.
App-V Management Servers have direct connectivity to the client workstations, and they deliver virtual
applications on-demand to App-V Clients, using RTSP or RTSPS protocols. App-V Management Servers
also provide the following services:
Authorize and authenticate requests for applications through AD DS.
Secure connections to the client through certificates.
License enforcement for applications.
Application monitoring and gathering of data about application usage.
You can control the management server through the App-V Management Console.
The management server stores all application packages in its Content share. The Content folder is a
standard shared folder. During installation, the user is prompted to provide a location for the content
shared folder. You can use any local directory, existing network share, or network-attached storage (NAS),
but the default location is in the installation directory.
During installation, you will provide the location of a SQL Server and database. The management server
must be deployed in the same location and, if possible, on the same LAN as the SQL Server. This ensures
good connectivity between the management server and the App-V configuration information that is
stored in the SQL Server database. One or more App-V management servers can share a single
Application Virtualization SQL data store.
The App-V management server has the following requirements and interactions:
Windows Server 2003 or newer.
A shared folder in which to store the application package content. This could be a physical file share
on the server itself, or it could be a network-accessible location, such as a DFS or storage area
network (SAN) device.
Requires that the data store is previously installed.
Uses open database connectivity (ODBC) to communicate with the data store.
Important: When you install SQL Server and the App-V Management server on the same computer,
the Application Virtualization Management Server service fails to start after a server restart if the SQL
Server service is not started fully. Because both services try to start at the same time, the Application
Virtualization Management Server service detects that the SQL Server service is not running, and
therefore, will not start. Setting the Application Virtualization Management Server service to
Automatic (Delayed Start) will remedy this. Otherwise, you must start the service manually.
Note: You can install App-V management components on a single server or spread them across
multiple computers. For example, a common scenario would be to install the Management Console
on a Windows 7 computer and the App-V server and Management Web service on a Windows server,
while you place your SQL Server on a separate Windows server or cluster.
Key Points
You can use the Application Virtualization Streaming Server for those organizations that want to take
advantage of the virtualization and the streaming capability of Microsoft Application Virtualization, yet do
not want a full App-V management server. There are no AD DS or SQL Server requirements, and there is
no user interface for the streaming server. You manage it through registry keys. You must configure
clients through the App-V client software during client installation or configure the local registry to point
to the streaming server if the client software is installed already.
The Application Virtualization Streaming Server is a streaming server only. It does not perform any
application publishing or management functions. It does not have any application licensing or metering
capabilities. It streams the virtual application files (.sft files) from its shared Content directory to the App-V
Clients that request them, using the RTSP suite. The Application Virtualization Streaming Server
automatically polls its Content directory for applications and packages, and then places this information in
RAM to service application requests. It does not authenticate requests to AD DS, but uses NTFS file system
permissions on the Content folder for authorization.
Because the streaming server does not support desktop configuration refresh, the client is not aware
automatically of the applications that are available for streaming. You must add applications to the client
in an alternative way, such as using the SFTMIME.exe command-line utility or by using a desktop
configuration policy on an App-V management server in a remote location.
Key Points
Although you can use the streaming server by itself as a lightweight deployment solution, you typically
use a streaming server in conjunction with a full infrastructure scenario, or use it with System Center
Configuration Manager to deploy to branch offices or areas with poor WAN connectivity to the SQL
Server. In this way, you can use a streaming server to increase scalability.
leveraging their existing System Center Configuration Manager 2007 solution in conjunction with the
App-V client, while removing the need for the entire backend infrastructure of the management server,
SQL data store, management Web service, and management console. Taking advantage of a System
Center Configuration Manager 2007 solution means that organizations can provision application
virtualization packages to hardware devices, rather than just basing them on user accounts. Additionally,
organizations can deploy Application Virtualization packages and precache them to devices based on the
System Center Configuration Manager 2007 policies.
One of this scenario's key prerequisites is that you must install the new App-V streaming server on an
existing distribution point for the System Center Configuration Manager 2007 solution.
You can use the SFTMIME command to set up and maintain the applications, file type associations, and
Desktop Configuration Servers that the App-V client manages.
Key Points
In Remote Desktop Services deployments, application conflicts can lead to silos of Remote Desktop (RD)
Session Host servers. To avoid application conflicts, you typically must test applications extensively to
determine which have conflicts. You must separate these, and run them on different session host silos.
Separating multiple RD Session Host servers to accommodate specific applications typically results in the
underutilization of servers, because each one is locked into a specific configuration, and is capable of
serving only a limited set of nonconflicting applications.
The Microsoft Application Virtualization for Remote Desktop Services client allows administrators to
deliver any application to any Remote Desktop Services server. Installing the App-V client for Remote
Desktop Services on the remote desktop server has the following advantages:
Enables applications that cannot run in multiuser mode to be run on remote desktop servers.
Consolidates remote desktop servers and increases hardware efficiency while decreasing both
hardware and administrative costs.
Enables you to prevent users from modifying operating system settings, yet allow applications that
require full rights to run properly.
Enhances Remote Desktop Server license compliance and usage tracking.
Supports roaming profiles and policies.
Lesson 3
Deploying Application Virtualization Servers
It is important to understand the hardware and software requirements of an App-V solution before you
implement it. If you are running a previous version of SoftGrid, you will need to know the implications of
upgrading to the latest release. This lesson covers the installation of the server components and what you
should consider before you upgrade.
Key Points
Before installing the App-V management server, ensure that the App-V server computer meets all
infrastructure, hardware, and software prerequisites. You can use the App-V Management Server
Installation Wizard to install the management server and to configure the basic settings of the
components.
delegation. Therefore, the Management Web Service will not be able to connect to the App-V data
store.
4. If you choose to use the Secure Connection Mode for communications between the Management
Console and the Management Web service, then the server has to have a server certificate
provisioned to it from a public key infrastructure (PKI). If a server certificate is not installed on the
server, this option is unavailable, and the user cannot select it. You must grant the Network Service
account Read permission to the certificate being used.
1. Share the Content folder. Ensure that the App-V users group has Read permission and that the users who
will be uploading sequenced applications to the share have Full Control. Ensure that the corresponding
NTFS permissions have been granted.
Note: You may perform this task before installation, but you must create a folder that will act as the
content folder.
2. If SQL Server is running on the same computer, set the Application Virtualization Management Server
service to Automatic (Delayed Start) as the Startup Type, and ensure the service is started.
3. Create firewall exceptions.
4. After you deploy the App-V client software, use the App-V Default Application to test whether App-V
is functioning correctly.
Key Points
In this demonstration, you will see how to install all of the App-V management components on a single
computer that is a domain member server and on which SQL Server is preinstalled.
Demonstration steps:
Create and populate Active Directory groups.
a. Start Active Directory Users and Computers.
b. Create global security groups named ContosoAppVAdmins and ContosoAppVUsers.
c. Add the Domain Admins group to the ContosoAppVAdmins group.
d. Add the Domain Users group to the ContosoAppVUsers group.
Prepare the App-V Management Server.
Add the Web Server (IIS) role with the default settings and the following role services:
ASP.NET
Windows Authentication
IIS Management Scripts and Tools
IIS 6 Management Compatibility, with all subcomponents
Install App-V Management Components.
a. Run the installation wizard as a custom setup, and accept all the defaults to install the
management server.
b. Restart the server.
Configure the Startup type for the Application Virtualization Management Server service to be
Automatic (Delayed Start) and start the service.
Create a firewall exception for sghwdsptr.exe and sghwsvr.exe.
Share the Content Folder to Everyone for Read permission, and grant Domain Administrators full
control.
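The post-installation tasks and the demonstration steps above (delayed start, firewall exceptions, Content folder permissions) can be applied and checked in one pass. The following PowerShell is an added example, not part of the course: the Content folder path, the rule names and the profile=domain scoping are assumptions, and the permission check covers NTFS entries only, not share-level permissions.

```powershell
# Added example, not course material. Run from an elevated prompt on the
# App-V Management Server after setup has finished.
$binDir     = 'C:\Program Files\Microsoft System Center App Virt Management Server\App Virt Management Server\bin'
$contentDir = 'C:\Content'   # placeholder: the Content folder chosen during setup
$svcDisplay = 'Application Virtualization Management Server'

# On a 64-bit operating system the folder is under C:\Program Files (x86).
if (-not (Test-Path -Path $binDir)) {
    $binDir = $binDir -replace '^C:\\Program Files\\', 'C:\Program Files (x86)\'
}

# 1. Delayed start, so the service does not race SQL Server at boot.
$svc = Get-Service -DisplayName $svcDisplay -ErrorAction Stop
& sc.exe config $svc.Name start= delayed-auto | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
if ($svc.Status -ne 'Running') { Start-Service -Name $svc.Name }

# 2. Program-scoped inbound exceptions for the two server executables.
foreach ($exe in 'sghwdsptr.exe', 'sghwsvr.exe') {
    $path = Join-Path $binDir $exe
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$exe not found under $binDir; no rule created"
        continue
    }
    $rule = "AppV-$exe"   # rule name is this example's choice
    # Delete-then-add keeps the script idempotent; a failed delete only means
    # there was no earlier rule with this name.
    & netsh.exe advfirewall firewall delete rule "name=$rule" | Out-Null
    # profile=domain limits the exception to the domain profile (assumption of
    # this example; remove it if the server uses another profile).
    & netsh.exe advfirewall firewall add rule "name=$rule" dir=in action=allow `
        "program=$path" profile=domain enable=yes | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not create firewall rule $rule" }
}

# 3. Check that broad principals hold no write-type NTFS rights on the Content
#    folder. Read access for users is expected; anything that lets them change
#    or replace a package is reported.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericWriteOrAll = 0x50000000   # GENERIC_WRITE | GENERIC_ALL as stored in raw ACEs
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

$findings = (Get-Acl -Path $contentDir).Access | Where-Object {
    $who    = $_.IdentityReference.Value
    $rights = [int]$_.FileSystemRights
    ($_.AccessControlType -eq 'Allow') -and
    (($rights -band $writeMask) -or ($rights -band $genericWriteOrAll)) -and
    (($broad -contains $who) -or ($who -like '*\Domain Users'))
}

if ($findings) {
    $findings | Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
    Write-Warning "Broad principals can modify packages under $contentDir"
} else {
    Write-Output "No broad principal has write access to $contentDir"
}
```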
Key Points
Before installing the App-V Streaming Server, ensure that the App-V server computer meets all hardware
and software prerequisites. The server hardware requirements are the same as for the App-V Management
server, except that the supporting infrastructure is much smaller. There is no requirement for a data store
or AD DS. The App-V client is directed to stream applications from the local streaming server by how you
configure its registry or from a desktop configuration policy on a remote App-V management server.
Note: Make sure that the App-V Management Server is not installed on this computer. You cannot
install the App-V Management Server and the App-V Streaming Server on the same computer.
Demonstration steps:
1. Run the installation wizard, and accept all defaults to install the streaming server. Restart the server.
2. Open the Start menu, point to Administrative Tools, and verify that there is no App-V management
console for this server.
3. Share the Content Folder to Everyone for Read access and grant Domain Admins Full Control.
4. Copy an application package to the Content folder.
5. Configure firewall exceptions.
6. Restart the Application Virtualization Streaming Server service.
7. On the client computer, edit the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration\ApplicationSourceRoot
key with the following value: RTSP://<servername>:554.
8. Use the SFTMIME command-line utility to add the package to the client cache.
9. Test the application.
Question: During installation, several options are available for configuration. How can you change them
after installation?
Key Points
To realize the benefits of the App-V 4.5 SP1 and App-V 4.6 client release, you need to upgrade your
existing App-V infrastructure. Before upgrading to App-V 4.6 or newer versions, you must upgrade
versions earlier than App-V 4.1 to App-V 4.1. You must upgrade the App-V clients first, and then upgrade
the server components.
Note: For more information, see the TechNet article App-V Upgrade Checklist at
http://technet.microsoft.com/en-us/library/ff361462.aspx.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1 and the 10324A-NYC-SVR3 virtual machines are running.
3. If required, connect to the virtual machines. Log on to the computers as Contoso/Administrator
using the password Pa$$w0rd.
Question: How would you distribute virtual applications to the branch office?
Question: How would you distribute virtual applications to the field engineers?
Results: After this exercise, you should have an understanding of how to plan for an App-V
deployment.
Scenario
The main tasks for this exercise are:
Results: After this exercise, you should have installed the prerequisites for the App-V management
server, and installed the default installation of the management server.
Results: After this exercise, you should have installed an App-V streaming server, shared the Content
folder, and copied a package to the Content folder.
Task 2: Use the Sftmime utility to load the package into the client cache
Execute the following command on NYC-CL1:
sftmime add package:Word03 /manifest \\\NYC-SVR3\Content\Word03\Wordviewer03_manifest.xml
Note: The UNC path in the command requires three backslashes at the beginning of the path.
Results: After this exercise, you should have edited the client registry key to configure the client to use
the streaming server.
Review Questions
1. What is the primary function of the OSD file?
2. How can you replicate application packages between multiple streaming servers?
3. How are App-V administrators determined?
Secure communications between server components with Internet Protocol Security (IPsec) in high
security environments.
Use HTTP streaming for Internet-facing clients.
Use Network Load Balancing (NLB) to provide redundancy.
Module 7
Planning and Deploying App-V Clients
Contents:
Lesson 1: Overview of the App-V Client
Lesson 2: Installing and Configuring the App-V Client
Lab A: Deploying the App-V Client in Stand-Alone Mode
Lesson 3: Managing Client Configuration Features
Lab B: Managing Client Configuration Features
Module Overview
The Microsoft Application Virtualization (App-V) Client software is the one component that you always
require to implement App-V solutions. Therefore, before you deploy the App-V Client, you must consider
various factors very carefully. You should consider the best client to deploy, the deployment method that
you will use, and the configurations that your intended deployment will require. You also should be aware
of the prerequisites for installing the client.
This module provides an overview of the desktop and remote desktop client, including the several
installation methods. The module also describes the recommendations for deploying and managing the
App-V Client.
Lesson 1
Overview of the App-V Client
There are two different types of App-V Client software: the App-V Client for Remote Desktop Services
(RDS), which you use on Remote Desktop Session Host (RD Session Host) server systems, and the App-V
Desktop Client, which you use for all other computers. RDS formerly was known as Terminal Services. As
the network administrator, you must deploy the client software to all host computers on which you want
to run virtualized applications.
This lesson describes the characteristics of the App-V Clients and the features of the desktop and remote
desktop clients. The lesson also describes the configuration options that are available to the client
software and the considerations for configuring these options.
Key Points
The Microsoft App-V Desktop Client is a small program that runs on startup on desktops and laptops.
Users might never know that the App-V Client is installed because it runs in the background. Although it
is possible for users to access the client software, in most cases users do not interact directly with the
App-V Client. The App-V Management Console is stored in the Administrative Tools folder, and most users do
not have access to that folder. Applications that run in the App-V Client look and feel like normally
installed applications. In a typical deployment, the App-V desktop clients communicate and authenticate
with the App-V Management Server so that it can stream the application to the client. The client sets up
the runtime environment, and then executes the application code locally.
The App-V Client software controls all aspects of the virtual application, including communicating with
the streaming server and verifying the .osd file. The Client executes any scripts that the .osd file specifies.
The App-V Client also is responsible for setting up the client cache, publishing program shortcuts and
icons, dealing with file-type associations, and saving any client-side configurations to the user's profile.
Finally, the App-V Client is responsible for disconnecting from the management server.
The App-V Desktop Client makes virtual applications available over networks such as local area networks
(LANs); wide area networks (WANs); virtual private networks (VPNs); wireless networks; and the Internet.
You can use this accessibility feature without rewriting any application source code.
Key Points
A number of steps occur in the background when the App-V Client starts and attempts to stream an
application to the user's computer. The events are transparent to the user, but it is useful to know how
this process works in case you have to troubleshoot it.
In a typical scenario, the following sequence of steps occurs when a user launches a virtual application:
1. When users log on to their workstations, the App-V Client service starts, captures the user's token,
and then passes it to the App-V Management Server that you configure the App-V Client to use.
2. The App-V Management Server gets each application's group information from the application
records in the data store.
3. The App-V Management Server compares the information in the user's access token to the groups to
which you assign permissions in the application records.
4. For any applications that App-V determines need to be provisioned to the user, the App-V
Management Server sends the location of the icon (.ico) and Open Software Description (OSD) files.
5. The App-V Client retrieves the designated ICO and OSD files from the configured location, and then
copies them to the local system.
6. When a user launches an application, the App-V Management Server uses an Open Database
Connectivity (ODBC) connection to return to the data store and verify if that user still has permissions
to the application record.
7. If you implement licensing on that application, the App-V Management Server also queries the data
store to see if there is an available license for that user. If the location is an App-V streaming-only
server, the streaming server checks the NTFS permissions of the content folder that contains the
package. If users have the correct permissions, they will see the application shortcuts to which they
have access, and they then can launch an application by double-clicking the shortcut. When the user
launches an application, the streaming server will access the \Content share, and then mount the
virtualization-enabled application (SFT) file into the server's random access memory (RAM) to stream
it to the client. Note that the streaming server does not mount the entire SFT file into its RAM at one
time.
8. The App-V Management Server caches application code on the client computer so that the streaming
server does not have to stream subsequent launches. After the initial launch, the App-V Management
Server caches the code, which is known as Feature Block 1, at the client workstation, and then the
application launches, and the user can use it as if it were installed locally.
9. On subsequent launches, the client checks with the management server to ensure that access to the
application is still valid, but uses the code in the local cache to launch and run the application when
possible. If the user attempts to use new application features, the App-V streaming server streams the
requisite code, known as Feature Block 2.
Key Points
The App-V Client for Remote Desktop Services is installed only on the Remote Desktop Session Host
(RD Session Host) servers. The Client for Remote Desktop Services performs the same function and
behaves in the same way as the App-V Desktop Client, only on an RD Session Host server. When users
connect to the RD Session Host server and launch an application, the application runs in a virtual
environment on the RD Session Host server. Application code executes on the RD Session Host server, and
users access their Remote Desktop applications in the normal fashion. Users are unaware that they are
using a virtual application.
This can alleviate situations where you have application conflicts and have to deploy multiple RD Session
Host servers because of these conflicts. Because virtualization allows multiple instances of an application to run
concurrently on RDS servers, you can deploy applications that typically are designed for a single user in a
Remote Desktop environment on a single server. This eliminates the need for application silos, where
multiple RD Session Host servers are required to support multiple applications because those applications
cannot coexist on the same computer.
You can use Windows Server 2008 or Windows Server 2003 Remote Desktop Services to take advantage
of App-V virtual applications. After you load an application on an RD Session Host server in the App-V
cache, any user who has permissions for that application can use it on the RD Session Host server.
The App-V Client for Remote Desktops is a separate installation executable. Installing the App-V Remote
Desktop Services Client is no different than installing other applications on an RD Session Host server.
Installing applications on an RD Session Host server requires using the install mode for the RD Session Host
server.
Key Points
The App-V Client component stores data in multiple locations on the local computer. This data includes
the client cache, the OSD and Icon cache directories, and the Shortcut_ex.dat file. The App-V Client
assembles that data at application runtime, and presents it to the user as a locally running application.
Client Cache
One of the functions of the App-V Client is to create the App-V cache on the client hard disk. The cache is
instantiated as a single file, known as sftfs.fsd. When a user launches the application, the contents of the
file are mounted to the virtual drive that the App-V Client creates. Normally, this is drive Q. Users see
drive Q in Windows Explorer as a normal volume in the graphical user interface (GUI), but users cannot
access it. This virtual drive provides access to the file system and the files in the application package. After
the initial streaming of Feature Block 1, the App-V Client stores packages in the cache file persistently for
subsequent launches.
The sftfs.fsd file is in the Public profile on Windows Vista and newer operating systems, and in the All
Users profile on Windows XP. Both operating systems share the same path in their respective profile,
which is Documents\SoftGrid Client, though you can choose a location as the cache's path during installation.
If you change the path post-installation, you must restart the client computer.
Note: The size of the cache is set during client installation, and you cannot change it without
destroying the contents of the cache.
Note: Microsoft has released the Application Virtualization Cache Configuration Tool. The App-V
Client cache resizing tool (AppVCacheSize) allows administrators to increase the App-V Client cache
size through a scriptable command-line interface. AppVCacheSize uses the parameters you specify to
configure the desired cache size, and to toggle between using a threshold for free disk space or the
maximum cache size. This is a free download from the Microsoft Download Center. However, Microsoft
does not support this application.
An icon cache directory also is created for each individual user, which stores per-user icons. By default, this
icon cache directory is stored under the user's profile at \AppData\Roaming\SoftGrid Client\ on Windows
Vista and newer operating systems, and it is stored under the user's profile at \Application Data\SoftGrid
Client on Windows XP.
Key Points
Before installing the desktop or remote desktop App-V Clients, you need to plan the client configuration.
The considerations for either client are similar, but some of the settings require additional consideration
for deployment on an RD Session Host server.
free disk space for the cache. The default value is 6 gigabytes (GB). For most users who run a few
virtual applications, this space is sufficient. If you know that you will be running large virtual
applications, you should set the cache accordingly. Consider what future applications you might
deploy virtually and leave room for expansion.
Use free disk space threshold: This method sets the cache to increase as long as there is a
predetermined amount of available disk space on the server. When you use this option, the cache
uses all the free disk space available except for a predetermined amount. The default size is 5 GB.
You can use this method when you want to ensure that you leave enough free disk space for
other purposes, but you also want as much disk space as possible available for the cache.
Note: You should give special consideration to the cache size for RD Session Host servers that host
multiple applications to ensure the cache is large enough.
Key Points
The App-V Client supports four standard deployment methods. Because the App-V Client is an application
itself, you can use any method of installation that your organization uses to deploy the client software.
There are several standard installation methods, including:
Manual: Use portable media, such as a CD or a USB flash drive, a network share, or the Setup file.
This requires that the user log on as a local administrator.
Group Policy object (GPO) Deployment: Deploy the Setup.msi file to the machine or user. This
method does not require that the user is logged on as a local administrator, but it does require that
you install the prerequisite software. Because this method uses the MSI installer file, the prerequisite
software is not installed automatically. You must ensure that the prerequisite software is installed on
the client computer in order for this method to succeed.
System Center Configuration Manager 2007 or Systems Management Server (SMS) 2003: Deploy the
Setup.msi file to the user or a machine. This method does not require the user to be an administrator,
but does require the prerequisite software to be installed.
Imaging: Install the App-V Client to the reference computer, and then image it using your
organization's standard imaging methods. You must have local administrative rights.
If you use Active Directory Domain Services (AD DS), Group Policy software deployment is a good
choice. You can use a GPO to deploy the client software to selected computers or users. Large
organizations may prefer to use System Center Configuration Manager. You can schedule the installation
of the software to occur at a particular time using this method. If you have a current imaging solution,
and want all users to have the App-V Client, you can choose to embed the client in the standard desktop
image. This also allows you to embed the prerequisite software. Many organizations have a role-based
approach to imaging. For example, you might deploy images with the client installed and configured
differently based on location or type, such as desktop or laptop.
Lesson 2
Installing and Configuring the App-V Client
You can use several ways to deploy virtual applications that require using different back-end components.
However, no matter what virtualization scenario you use, you would require the App-V Client. This lesson
describes the ways to install and configure the App-V Client for different scenarios.
Key Points
Before installing the App-V Client, you should be aware of the recommended hardware and software
prerequisites for the App-V Desktop Client and the App-V Client for RDS.
In general, the requirements are similar for each. Both clients have two installer files. To install the App-V
Desktop Client, you need an executable named Setup.exe, and to install the App-V Client for Remote
Desktop Services, you need an MSI file named Setup.msi. The behavior of these installers differs in certain
aspects.
Setup.exe checks for the following prerequisite software:
Microsoft Visual C++ 2008 Service Pack 1 (SP1) Redistributable Package [x86] (4.6 client only)
Microsoft Visual C++ 2005 SP1 Redistributable Package [x86]
Microsoft Application Error Reporting
Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)
If these components are not present, the Setup.exe client installer installs them.
Setup.msi also checks for the prerequisite software, but does not install it. You must install the
prerequisite software using some other method. If Setup.msi does not detect the prerequisite
software, the installation returns an error and fails.
The App-V Client does not require processor or random access memory (RAM) capacity beyond what is
needed for the operating system being used.
The App-V Client requires a minimum disk space of 30 megabytes (MB) for installation and 6 GB for
cache.
Note: App-V 4.5 SP1 supports only 32-bit architecture. The App-V Client 4.6 release is the first version
of App-V to support both x64 and x86 Windows platforms. The primary focus of this release is to
enable App-V to take advantage of 64-bit Windows platforms, including Windows 7 and Windows
Server 2008 R2.
Key Points
In this demonstration, you will see how to install the App-V Desktop Client by using the Setup.exe file.
Demonstration steps:
1. Launch Setup.exe.
2. Perform a custom installation. Notice the software requirements and install them.
3. Accept the defaults, except using Microsoft Updates, to complete the installation wizard.
Key Points
The Application Source Root (ASR) value configures the App-V Client to stream Application Virtualization
package files from a location other than the one specified in the application's OSD file.
In a typical scenario, the OSD file has a line of XML code known as a hypertext reference (HREF) tag, which
indicates a protocol, server name, and path from where you can find and stream the SFT file. If you wish
to have the client stream the SFT file from a location other than the Management Server, such as a branch
streaming server, or use a different protocol, such as HTTP, you can set the ASR on the client. Setting this
value on the client overrides the HREF tag value.
You can set the ASR value during the client installation process. After installation, you must configure the
ASR value for the application virtualization client by using a Group Policy object or by manually modifying
the registry in the HKLM\software\Microsoft\SoftGrid\4.5\Configuration key. The two available options
are:
A URL: <protocol>://<server>:<port>
A UNC: \\computername\sharefolder\subfolder1
Configuring the ASR value replaces sections of the OSD file on the App-V Client with the values from the
ASR.
For example:
If the OSD file has the following HREF tag:
Rtsp://sgserver:554/Microsoft_Office_2007/Microsoft_Office_2007.sft
The App-V Client will use the ASR value to override the OSD file and look for the
Microsoft_Office_2007.sft in the following Universal Naming Convention (UNC):
\\BOS-1\SoftGrid\Microsoft_Office_2007
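The override described above, worked through as an added example (not code from the courseware or from Microsoft): it reads the HREF from an OSD file and applies an ASR value in either form, which helps when reviewing which server and protocol a client will actually stream from. The sample OSD, the ASR value \\BOS-1\SoftGrid (inferred from the result shown above) and the host name branch01 are assumptions, as is the rule that the path after server:port is carried over unchanged.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample OSD, reduced to the element that carries the HREF.
SAMPLE_OSD = """<SOFTPKG NAME="Constructed sample package" VERSION="1.0">
  <IMPLEMENTATION>
    <CODEBASE HREF="rtsp://sgserver:554/Microsoft_Office_2007/Microsoft_Office_2007.sft"/>
  </IMPLEMENTATION>
</SOFTPKG>"""


def osd_href(osd_xml):
    """Return the HREF of the first CODEBASE element in an OSD document."""
    for element in ET.fromstring(osd_xml).iter():
        if element.tag.upper() == "CODEBASE":
            for name, value in element.attrib.items():
                if name.upper() == "HREF":
                    return value
    raise ValueError("OSD document has no CODEBASE HREF")


def effective_source(href, asr=None):
    """Apply an ASR value to an OSD HREF and return the location the client would use."""
    if not asr:
        return href  # no override configured: the OSD value stands
    parts = urlsplit(href)
    if not parts.scheme or not parts.netloc:
        raise ValueError("HREF is not of the form protocol://server:port/path")
    tail = parts.path.lstrip("/")  # everything after protocol://server:port/
    if asr.startswith("\\\\"):
        # UNC form: \\computername\sharefolder\subfolder1
        return asr.rstrip("\\") + "\\" + tail.replace("/", "\\")
    root = urlsplit(asr)
    if not root.scheme or not root.netloc:
        raise ValueError("ASR is neither a URL nor a UNC path")
    # URL form: <protocol>://<server>:<port>
    location = asr.rstrip("/") + "/" + tail
    return location + ("?" + parts.query if parts.query else "")


def audit(osd_xml, asr=None):
    """Summarise where a package is fetched from, for a configuration review."""
    href = osd_href(osd_xml)
    source = effective_source(href, asr)
    transport = "unc" if source.startswith("\\\\") else urlsplit(source).scheme
    return {
        "osd_href": href,
        "effective_source": source,
        "transport": transport,
        "overridden": source != href,
    }


if __name__ == "__main__":
    # Assumed ASR values: none, a UNC share, and a URL on a hypothetical host.
    for asr in (None, r"\\BOS-1\SoftGrid", "https://branch01:443"):
        print(asr, "->", audit(SAMPLE_OSD, asr))
```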
Key Points
The Microsoft App-V Client uses sfttray.exe for displaying pop-up status messages in the notification area.
These messages report the application's current load percentage and successful launch.
In the event of an error, sfttray.exe reports "Launch Failed" in the notification area. If the user clicks
that message once, an error code displays. This error code, along with any message, is written to the
client's log file, sftlog.txt, for future reference.
Sfttray.exe places an icon in the notification area that enables users to perform a limited set of actions for
virtual applications. From the Notification tray icon or sfttray.exe, you can:
Refresh the list of available applications, shortcuts, and file-type associations from a defined
publishing server.
Fully load applications in the cache for use while in disconnected mode. If you are not connected to
the streaming server, an error generates. Applications load one at a time, and you can skip individual
applications during the load process.
Cancel loading of applications into the cache.
Toggle between working online and offline.
Exit from the client.
By default, the Notification tray is shown in the notification area only when the client is in use. You can
configure this behavior in the properties of the App-V Client on the Interface tab. You also can run
sfttray.exe from the command prompt to force the icon to display in the notification area.
Key Points
The disconnected operation mode lets the App-V Client run applications that are in the local file system
cache if the client cannot connect to the App-V Management Server.
Clients automatically go into the disconnected mode when the user chooses to work offline or when there
is a server failure, network outage, or network disconnection.
To work in the disconnected mode, right-click the App-V notification area icon, and then click Work
Offline. You also can configure the disconnected mode by setting the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Network\AllowDisconnectedOperation
registry key value to 1.
Mobile users may want to load the applications fully into the cache to use them during the disconnected
operation. If an application is not 100 percent cached, and the user tries to perform an operation that
requires additional code from the server, the system warns the user, and then shuts down the application
in two minutes. By default, the disconnected operation mode is enabled, and the time-out is 90 days. The
maximum time-out optional setting is 999 days.
You also can configure time limits on the disconnected mode by setting the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Network\LimitDisconnectedOperation
registry key value to 1 and setting the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Network\DOTimeoutMinutes
registry key to a value, in minutes, between 1 and 999999. To allow
unlimited use of disconnected operation mode, set this value to zero.
To load the application(s) fully, right-click the App-V Client notification area icon, and then click Load
Applications.
Note: For Remote Desktop Clients, you should allow unlimited use of disconnected operation mode.
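A read-only check of the three registry values named above, as an added example (not code from the courseware or from Microsoft): it parses the text of a registry export and reports whether disconnected operation is disabled, time-limited or unlimited. The sample export is constructed, and two readings are assumptions: a LimitDisconnectedOperation or DOTimeoutMinutes value of zero is treated as unlimited, and any non-zero AllowDisconnectedOperation as enabled.

```python
import re

NETWORK_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Network"

# Constructed sample in "reg export" text form. A real export file is usually
# UTF-16 and must be decoded to text before it is passed to these functions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Network]
"AllowDisconnectedOperation"=dword:00000001
"LimitDisconnectedOperation"=dword:00000001
"DOTimeoutMinutes"=dword:0001fa40
'''

DWORD_LINE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})')


def read_dwords(reg_text, key):
    """Return {lower-cased value name: int} for the DWORD values under one key."""
    values, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # entering a new key section
        elif current == key.lower():
            match = DWORD_LINE.fullmatch(line)
            if match:
                values[match.group(1).lower()] = int(match.group(2), 16)
    return values


def disconnected_policy(reg_text):
    """Classify the disconnected-operation settings found in a registry export."""
    values = read_dwords(reg_text, NETWORK_KEY)
    allow = values.get("allowdisconnectedoperation")
    limit = values.get("limitdisconnectedoperation")
    minutes = values.get("dotimeoutminutes")
    result = {"mode": "unknown", "timeout_minutes": None,
              "timeout_days": None, "problems": []}

    if allow is None:
        result["problems"].append("AllowDisconnectedOperation is not set")
    elif allow == 0:
        result["mode"] = "disabled"
    elif limit is None:
        result["problems"].append("LimitDisconnectedOperation is not set")
    elif limit == 0 or minutes == 0:
        result["mode"] = "unlimited"  # assumption: zero means no time limit
    elif minutes is None:
        result["mode"] = "limited"
        result["problems"].append("DOTimeoutMinutes is not set")
    else:
        result["mode"] = "limited"
        result["timeout_minutes"] = minutes
        result["timeout_days"] = round(minutes / 1440, 1)
        if not 1 <= minutes <= 999999:
            result["problems"].append(
                "DOTimeoutMinutes %d is outside 1..999999" % minutes)
    return result


if __name__ == "__main__":
    print(disconnected_policy(SAMPLE_REG))
```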
Key Points
The Stand-Alone mode is meant for those users who connect rarely, and who need virtualized
applications, but who do not have access to a streaming server. For the Stand-Alone mode, you require an
MSI file that the App-V sequencer and the App-V Client software create. This MSI file contains the ICO,
OSD, and Manifest.xml files that are necessary for publishing the application on the machine from which it
is run, and information on how to import the SFT file into the App-V Client cache. You do not need
any additional App-V infrastructure. The SFT file is not part of the MSI that is generated during sequencing,
and by default it must be in the same directory as the MSI for the installation to complete successfully. If the SFT file is in
an alternate location, such as a network share, then you can use the SFTPATH parameter to specify the
location. For example:
Msiexec.exe /i \\PathToMsi\packagename.msi SFTPATH=\\server\share\package.sft /q
Note: Applications installed in Stand-Alone mode are available to all users who log onto the
computer.
You can configure the Stand-Alone mode during installation, through the registry after installation, or by
using GPOs with the App-V ADM Template. To configure the Stand-Alone mode during installation,
configure settings on the Runtime Policy Package Configuration page by performing the following
steps:
1. Clear the Require User authorization even when cached check box.
2. Select the Allow streaming from file check box.
3. Clear the On Launch check box.
4. Clear the On Logon check box.
You also can use GPOs to configure these settings, though by definition, the client computers may not be
able to receive the policy because they are disconnected from the network. These settings are in the
Group Policy App-V ADM Template in the Communications folder.
Note: You cannot set up the client to be in Stand-Alone mode and streaming mode simultaneously.
Lab Setup
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
Ensure that the 10324A-NYC-DC1 and 10324A-NYC-CL2 virtual machines are running.
If required, connect to the virtual machines. Log on to the virtual machines as
Contoso\Administrator using the password Pa$$w0rd.
Important: Start the NYC-DC1 virtual machine first, and ensure that it starts fully before you start the
other virtual machines.
Task 2: Examine the properties of the package file and the data locations
1. Launch the Application Virtualization Client from the Administrative Tools in Control Panel.
2. In the Applications node, access the properties of the Microsoft Office Word Viewer 2003
application.
3. Click the Package tab, and then observe the Current Statistics:
Question: What is the Package Size?
Question: What is the Size in Cache?
Question: What is the Launch Data Size?
4. Click Cancel, and then close the Application Virtualization Client and Control Panel.
5. Show hidden files and folders.
6. Open Windows Explorer, browse to the global data location at
C:\ProgramData\Microsoft\Application Virtualization Client\SoftGrid Client, and then examine the contents.
Question: What is the size of the sftfs.fsd file?
7. Navigate to the user-specific data location at
C:\Users\Administrator.CONTOSO\AppData\Roaming\SoftGrid Client, and notice the
shortcut_ex.dat and the userinfo.dat files. These files maintain per-user shortcut and identity
information.
8. Close all open windows on NYC-CL2.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Lesson 3
Managing Client Configuration Features
The App-V Client Management Console enables you to configure some aspects of the client, such as
logging and permissions, and some settings of the virtual applications, such as file type associations and
publishing servers. Though you can configure most of these settings from the server or through GPOs, the
client settings allow you to have configurations for individual clients that might need special settings.
This lesson describes how to configure App-V Client nodes.
Key Points
Although configuration of the client is done during the installation process, there may be times when you
need to modify those settings. The property pages of the client software allow you to modify many of the
client settings. You can access the properties from the root node's shortcut menu in the App-V Client
Management Console.
Six tabs in the Properties dialog box control the following settings:
The General tab contains the following options:
Logging. This option controls logging levels and location of log files.
Global Data Directory. This option controls the location of the App-V data that all users share.
User Data Directory. This option controls the location of user-specific App-V data.
The Interface tab:
Run Settings. This option controls when to show the App-V Client icon in the notification area.
Popup Messages. This option controls how or if to display error and information messages.
The File System tab:
Client Cache Configuration Settings. This option controls the size of the client cache.
Drive Letter. This option controls the virtual drive letter used (Q by default).
The Import Search Path tab. This option controls the SFT search path when you are importing
applications.
The Connectivity tab. This option controls disconnected operation values to limit the number of days
allowed and if the user can work offline. If you allow offline mode, the App-V Client does not attempt
to connect to streaming or publishing servers.
The Permissions tab. This option controls the permissions that users have over virtual applications on
this computer. These permissions are for all users, and you cannot assign them on a per-user basis.
Administrators always can perform all tasks.
Key Points
You can use the App-V Client Management Console to manage virtual applications in the client cache.
The Applications node allows an administrator to view and manipulate the applications on the App-V
Client. When you right-click the Applications node, a context-sensitive menu displays, which enables you to
add a new application and export a list of applications to a text file.
By right-clicking an application in the details pane, you can display a menu from which you can:
Create new shortcuts to be associated with the application.
Create a new file type association.
Unload an application, which removes it from the client cache.
Clear an application. Clearing an application removes the settings, shortcuts, and file type associations
that correspond to the application and removes the application from the user's list of applications.
Repair an application. Repairing an application will remove any custom user settings and restore
default settings.
Lock the application from being removed from the client cache.
Key Points
The File Type Association node allows you to view, add, and manipulate the file types on the App-V Client.
When you select the File Type Association node, a list of available file types is displayed in the App-V
Client Management Console Results pane. By right-clicking the node, you display a menu that allows you
to add new file type associations and link them to applications.
By right-clicking an existing file extension, you can delete an extension or modify the properties
associated with that extension, including:
Changing the icon
Changing the associated application
Creating or modifying launch parameters
Modifying the Content Type
Key Points
You can use the Desktop Configuration Servers node to create, delete, edit, and manually refresh the
client's designated management server, known as a publishing server. By right-clicking the Desktop
Configuration Servers node, you display a menu that allows you to add a new publishing server. A client
can receive applications from multiple publishing servers simultaneously.
The New Publishing Server Wizard allows the administrator to provide a display name and type of
publishing server. You can select the following types of publishing servers:
Application Virtual Server. This selection uses port 554, by default.
Enhanced Security Application Virtual Server. This is the default selection, and uses port 322.
Standard HTTP Server. Uses port 80, by default.
Enhanced Security HTTP Server. Uses port 443, by default.
Note: When selecting HTTP or HTTPS protocol, you must provide a folder path.
After you configure a server, you can modify the properties. You can modify all the properties that were
configured during installation, and you can configure the server refresh setting. The desktop client queries
the Management Server at intervals to receive information from the server about new applications or
changes to existing applications, such as package upgrades. This process is known as DC Refresh. The
client also uses this time to populate the host operating systems with the icons for those applications so
that users can access them. You can configure the client to:
Refresh at logon (default setting).
Refresh every number of days.
Manually refresh immediately.
Key Points
In this demonstration, you will see how to configure the App-V Client with a publishing server.
Demonstration steps:
1. Launch the App-V Client.
2. Add a new publishing server of the Application Virtualization Server type with the host name
NYC-SVR2.contoso.com.
Key Points
Sftmime.exe is a command-line interface that you can use to manage many client configuration settings.
Sftmime operations are either commands or queries. Commands are actions that have some effect on the
computer's state, such as a command that loads an application into the cache. Queries are requests for
information that generate output. These commands are most useful in scenarios where you need to
configure App-V Clients by using scripts.
Sftmime Commands
All commands have a similar structure. The sftmime command is followed by a verb, an object, and
additional parameters.
The following examples illustrate the more common uses for SFTMIME:
Remove all applications from cache, their file type associations, and shortcuts for all users:
sftmime remove obj:app /global /complete
Add applications:
sftmime add app:"MSProject" /osd "http://server/Microsoft SoftGrid Application Virtualization/MSProject.osd"
Load applications:
sftmime load app:MSProject
Sftmime Queries
All queries start by using the /query verb and are followed by an object type that identifies whether the
query applies to applications, servers, or file type associations. You can use the available queries to list all
applications, all Multipurpose Internet Mail Extensions (MIME) servers, and all file type associations. For
example:
To find the package that you want to configure, run the following command:
This command returns each discovered package name as a globally unique identifier (GUID) in the first
column of output. For example, the return might be {AF78ABE1-57D4-4297-89DE-C308684AEDD6}.
To list all the publishing servers the client is configured to use, run the following command:
sftmime query obj:server
To have the output of the command redirected to a file, use the /log parameter. For example, to have
the query output of the previous command redirected to a text file in the C:\logs directory, run the
following command:
sftmime query obj:server /log:C:\logs\serverquery.txt
Note: The command does not create the destination directory. You must create it prior to running the
command.
Key Points
You can use the Microsoft App-V ADM template to configure client settings for the App-V Desktop Client
and for the App-V Client for Remote Desktop Services. The ADM template manages common client
configurations centrally by using the existing Group Policy infrastructure.
The template allows you to configure 37 different registry settings that affect the App-V Client. These
settings fall into three categories, and common settings are grouped together under the following
categories in the template's Group Policy Editor:
Communication
Permissions
Client Interface
Although the settings appear in the Policies container in the Group Policy Management Editor, you
implement the ADM template for App-V as Group Policy preference settings. Preferences behave
differently than policies in Group Policy objects. Preferences do not make permanent registry changes,
which means that users can change the settings either by editing the registry or by using the application.
Also, even if you remove the GPO, the settings are not removed.
Setup Considerations
After you apply the ADM template, it updates the preference settings of client computers that already
have the App-V Client installed. However, if you install the App-V Client after you apply the ADM
template settings to a computer, the installer overwrites the preference settings from the ADM template
with the installer's default settings. This causes inconsistencies between clients.
You can implement an optional switch during the client setup to ensure that the template preferences do
not overwrite the registry settings:
setup.exe KEEPCURRENTSETTINGS=1
Note: Parameters are case-sensitive and must be entered all in uppercase letters, as the above
example shows. Additionally, you must enclose all parameter values in double quotes.
What Is Autoload?
Key Points
Autoload governs how the primary (Feature Block 1) and secondary (Feature Block 2) sections of an
application are delivered to the client. Normally, the primary feature block streams
and provides the code to launch an application initially. This usually represents only 10 to 30 percent of
the application's code. Feature Block 2, which is the rest of the application's code, downloads only in parts
on demand. You can configure the client to ensure that after Feature Block 1 downloads, the client
continues to stream Feature Block 2 in the background until the application is 100 percent in cache. The
autoload feature is especially useful for mobile clients and other clients that might not have constant
communications with the management or streaming server.
Use of autoload triggers can increase the initial network traffic of SFT streaming following an installation.
Autoloading occurs over Real-Time Streaming Protocol (RTSP), and is set as a lower priority process so
that it does not affect or degrade performance for the user. Feature Block 1 is loaded as quickly as
possible. Feature Block 2 is loaded in the background to enable foreground operations to take priority
and to provide optimal performance.
You can implement autoload for the App-V Client in any of the following ways:
By using the client installation wizard during the installation.
By using parameters while you run the installer manually.
By editing the registry after you install the client.
By using the Sftmime command-line utility.
By using a Group Policy object that utilizes the App-V template.
Autoload Options
You can configure autoload to load the application on the following triggers:
On Launch. Background streaming begins when the application launches for anything outside of the
primary feature block.
On Login. User-authorized applications start background streaming when the user logs on.
On Publishing Refresh. A new application that is granted to the user begins streaming in the
background following the periodic publishing refresh.
You can control the applications that will be affected by autoload by using the following options:
Do not automatically load applications. No applications will be loaded.
Automatically load previously used applications. Applications previously assigned to the user, and
which a user launched previously, will autoload into the cache via background streaming.
Automatically Load all applications. All applications assigned to the user will be loaded into the cache
via background streaming.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1, 10324A-NYC-SVR2, and 10324A-NYC-CL1 virtual machines are
running.
3. If required, connect to the virtual machines. Log on to the virtual machines as
Contoso\Administrator using the password Pa$$w0rd.
Task 2: Configure the DC Refresh settings, and then refresh the client manually
1. On NYC-CL1, in the Publishing Servers node, access the Contoso App-V Management properties,
and then click the Refresh tab.
2. Set the refresh interval to be every 2 Hours.
3. Click Refresh to perform an immediate refresh.
Task 1: Inspect the properties, and then load the application into the cache
1. On NYC-CL1, in the Application Virtualization Client, click the Applications node. Notice the current
Package Status is Idle.
Note: You may have to refresh the view to see the application listed.
2. Open the Properties of the Microsoft Word Viewer application, and answer the following questions:
Question: What is the Package Size?
Question: What is the Launch Data in Cache?
Question: What is the Launch Data Size?
3. Load the package into the client cache.
4. Access the Properties of the application again.
Question: What is the Launch Data in Cache?
Question: What is the Launch Data Size?
Task 2: Add the template to the Group Policy Object Editor of the Default Domain Policy
1. On NYC-DC1, start the Group Policy Management Console.
2. Edit the Default Domain Policy.
3. Add C:\AppVADMTemplate\AppVirt.adm to the Administrative Templates.
Review Questions
1. Where should the user-specific data location be for roaming users?
2. What is the major difference between the two client installer files: Setup.exe and Setup.msi?
3. What command-line utility allows you to query the client?
4. What is the ASR value used for?
Module 8
Managing and Administering Application Virtualization
Contents:
Lesson 1: Using the Application Virtualization Management Console
Lesson 2: Publishing Applications into the App-V Environment
Lab A: Publishing Applications in the App-V Environment
Lesson 3: Performing Advanced Administration Tasks for Application Virtualization
Lab B: Implementing License Enforcement
Module Overview
After you deploy the Microsoft Application Virtualization (App-V) infrastructure, you should be able to
manage and administer the App-V solution by using the Application Virtualization Management Console.
This console enables you to control the entire App-V environment from a single workstation. You deploy
the Application Virtualization Management Console on the administrative workstation, and then use it to
perform administrative tasks, such as modifying and publishing virtualized applications, and configuring
version upgrades.
This module provides an overview of the Application Virtualization Management Console and the
permissions that users must have to administer the App-V Management Server. The module also covers
the steps you must take to perform these administrative tasks, and how to enforce license compliance and
manage server groups and server objects.
Lesson 1
Using the Application Virtualization Management Console
You can perform all tasks related to Application Virtualization management and administration in the
Microsoft Management Console (MMC) snap-in called the Application Virtualization Management
Console. As an administrator, you would need to manage applications, packages, servers, users, and
administrators, and you may have to create policies to configure connection settings and application
access for users. The Application Virtualization Management Console provides several features and
functionalities that you can use for performing these administrative tasks.
This lesson provides an overview of the console and explains how to control administrative access, and
describes the functionality and administrative functions that the console provides.
Key Points
The Application Virtualization Management Console is the main configuration tool for the App-V
environment. The Management Console does not connect directly to the App-V Management Server.
Rather, it connects to the Web service, which in turn connects to the computer that is running the
Microsoft SQL Server database and the Management Server. To perform any administrative tasks, you
first must connect to the Web service with the proper credentials. You can configure how users must
connect to the local App-V Web service in several ways:
• On initial startup of the App-V Management Console.
• By configuring the connection in the root node of the Management Console.
• By using the Configure Connection link on the Management Server object.
When you first start the Application Virtualization Management Console, it prompts you to connect to a
specific App-V Web service. You can host this Web service on a specific server, or configure it on multiple
servers for load balancing and redundancy. The Web service in turn connects to the configuration
database.
Users can connect to the Web service by using a standard HTTP port such as 80, or by using Secure HTTP
(HTTPS) on 443 for a secure connection. We recommend that you use secure connections between these
components. To connect to the Web service using HTTPS, you need to obtain a Secure Sockets Layer (SSL)
certificate, and bind it to the Web service.
Users making this connection must be members of the App-V Administrators Group, or provide the login
credentials of one of the group's users.
Option | Value
Web Service Host Name | Specifies the IP address or host name of the App-V Web service to which the snap-in connects.
Use Secure Connection | Specifies that the Management Console's connection to the Web service be over a secure connection. Port 443 is the default port.
Port | This field specifies the port number to which the Web service listens for requests from the Management Console. Port 80 is the default port.
Use Current Microsoft Windows Account | Specifies that the credentials of the currently logged-on user will be used to connect to the Web service.
Specify Windows Account | Specifies that account credentials entered in the Name and Password fields will be used when opening the Management Console session.
Name | Specifies the account name that is authorized to access the Web service. The format is Domain\username.
Password | Specifies the password that authorizes the account identified in the Name field, which provides access to the Web service.
Key Points
The Console pane in the Application Virtualization Management Console consists of several default
containers that display existing objects, and that provide access to object properties and wizards that
assist in creating additional objects.
The Application Virtualization Management Console contains the following nodes:
• Applications. This node displays a list of applications that are available within the Application
  Virtualization system. You can use this node to create application groups; create or import new
  applications; and move, copy, or duplicate applications to other virtualization management systems.
• File Type Associations. This node displays a list of file type associations. You can use this node to add
  new file type associations that applications require.
• Packages. This node displays a list of packages configured on the App-V system. You primarily will use
  this node when you need to introduce a new version (.sft file) for a specific package or application.
• Application Licenses. You can use this node to configure application access based either on a specific
  number of concurrent users or by specific user names.
• Server Groups. You can use this node to create a logical container and grouping of any App-V servers
  that should share a common provider policy, logging configuration, and set of virtualized
  applications.
• Provider Policies. You can use this node to configure general rules for any user connecting to the
  Application Virtualization system. The Application Virtualization system initially configures a default
  provider to provide default connection settings for clients.
• Administrators. You can use this node to add or remove security groups responsible for App-V system
  administration.
• Reports. You can use this node to create and view various types of reports related to system
  utilization and application activity.
Key Points
You can use the App-V Administrators container to view the group that is responsible for App-V system
administration. You specify this group during installation. You also can add or remove security groups
from this container.
If the Active Directory Domain Services (AD DS) domain functional level is Windows Server 2003 or
newer, you can use any security group. If the domain functional level is earlier than Windows Server 2003,
you can use Global Groups only.
You might have situations where you need to reset the security groups that you want to allow to manage
the App-V system. For example, if you delete the security group that the App-V Administrators container
specifies from within AD DS, no one would be able to log onto the Management Console. In this situation,
you must reset the App-V Administrators group.
To reset the App-V Administrators group, you can launch the Management Console, right-click
Application Virtualization Systems, and then click Reset Administrators to launch the Reset
Administrators Wizard. You must provide database connection information to the configuration database.
You then can add or remove security groups to provide the necessary administration permissions for the
App-V system.
Question: Can you assign an individual to be an App-V administrator through the App-V Management
Console?
Key Points
You can control certain system-wide options by right-clicking the Server container in the Application
Virtualization Management Console. These options include the Default Content Path, Database sizing
controls, and Usage History.
Default Content Path: This option allows you to set the default Universal Naming Convention (UNC)
share or URL location for .sod and .icon files, which specify application records and file-type
associations. For example, a default content path can be \\SERVERNAME\ContentSharePath or
HTTP://SERVERNAME/content.
App-V uses the Default Content Path when you import or copy applications from another system.
Note: If you use the actual physical path to the content share, such as C:\Content, or if you specify
nothing at all, your published applications will not work.
Database Size: The App-V system has the ability to limit the size to which the database can grow. The
default maximum size is 1024 megabytes (MB), but you can set this value to be between 1 MB and
2,147,483,647 MB.
The database contains configuration information and stores usage information for the App-V
infrastructure. The following is a list of App-V Infrastructure operations that use the database:
• Publishing refreshes
• Application load
• Application launch authorization
• Server management console
• Application usage data collection and metering
Most of these operations place a small load on the SQL server. The growth rate of the database is
dependent on the number of application launches and the amount of reporting information that
you are collecting. You will have to monitor the database over time to determine the correct
values when limiting database size.
The system automatically cleans up obsolete data and orphaned transactions to ensure that your
database does not reach this size limit. The default high watermark is 95 percent of the defined size,
and the default low watermark is 85 percent. When your database reaches the 95-percent mark, the
system deletes 10 percent of the usage data, and leaves 85 percent of the data. The system deletes
both package and application usage data.
Usage History: You can specify how many months' worth of data you wish to keep. On a monthly
basis, the system ensures that the database retains data only from the number of months that you
specify, and deletes the rest. The default is six months, but you can configure it to be
anywhere from one to 120 months.
Note: You must set the SQL Server Agent to start automatically if you want to enable management of
the database's size. By default, App-V begins the database sizing action on the first of every month at
02:00.
Key Points
When planning your App-V management strategy, there are several factors regarding credentials and
connections that you should consider, including:
• Credentials. Determine the credentials that a user must provide to connect to the Web service. You
  must use an account that has App-V management rights, but you should avoid using a domain
  administrator account.
• Connection. Determine whether you need to use a secure connection to the Management Console. If
  so, you must consider the strategy for deploying SSL certificates. Typically, you should use secure
  connections.
• Security groups. Determine the security groups that require App-V administrative rights. Ensure that
  the proper users are in the security groups that have the administrative rights. Only use accounts that
  have enough rights to perform the required tasks.
• Content path and protocol. Ensure that the content path is correct and uses the proper protocol.
  Ensure you use a UNC or URL, and not a local path. Consider using a storage area network (SAN) that
  has room for expansion to hold the content folder, which can become very large as you deploy
  hundreds or thousands of applications.
In this demonstration, you will see how to connect the Application Virtualization Management Console to
the App-V Web service. You then will see how to use the Management Console to configure system
options and to add Domain Admins as App-V administrators.
Demonstration steps:
1. Launch the Application Virtualization Management Console.
2. Configure the Connection Login Credentials.
3. Configure the System Options settings.
4. Add the Domain Admins group as an App-V Administrator group.
Lesson 2
Publishing Applications into the App-V Environment
One of the primary App-V administrative tasks is to publish virtualized applications so that you can make
them available to authorized clients. When you publish virtualized applications, the client software can
discover the virtual application, and then download it to the client computer. To publish an application,
you first need to import it into the App-V system, and then you must configure various options, including
general properties, shortcut options, file type associations, and access permissions.
This lesson explains how to manage application groups, and how to publish applications into the
virtualized environment.
Key Points
The first container in the Application Virtualization Management Console is the Applications container.
For an administrator, this is one of the most important and most utilized containers. You use the
Applications container to either manually add or import applications into the virtualization system, so that
authorized users can access them.
To add a new application manually, you need to provide detailed publishing information about the
application to the New Application wizard. The import function uses the Sequencer Project (SPRJ) file or
the Open Software Descriptor (OSD) file to provide that information about the application.
You also can use the Applications container to view, add, remove, or change properties for any
application within the system.
By default, an application record for the default application populates the Applications container. You use
this free application only to test connectivity between the App-V Client and the App-V Server.
As organizations begin to use the Application Virtualization system, the number of applications can
easily reach the triple digits. At that scale, you need a way to
organize those applications logically within the Application Virtualization Management Console. You can
use the New Application Group Wizard to create containers that can store common application types.
These containers act like folders in the file system and simply allow you to organize applications into
a more manageable format.
When you import or move applications into a specific application group, you can modify the following
properties of the entire group, which affects all of the group's applications:
• Description
• Enabled
• Application License Group
• Server Group
• Shortcuts
• Access Permissions
If you delete an application group, this deletes all applications within that group. If you do not want to
delete a specific application, you can right-click the application, and then move or copy it to another
application group or to a different Application Virtualization system.
When you delete an application, App-V does not remove the package that references the application.
Therefore, you have to delete the package specifically to remove all traces of the previous application.
Note: Even when you use application groups, you must provide unique names to all applications
imported into the Application Virtualization system. For example, if you have one application group
called Office 2003, and another application group called Office 2007, only one of these groups can
contain an application called Microsoft Word. However, each group could have its own Microsoft
Word application if the applications were each given a unique name, such as Microsoft Word 2003 and
Microsoft Word 2007.
Key Points
When you import an application, you must verify that the .osd path matches the server\content directory.
If the path in the .osd file is incorrect, the App-V client software cannot locate the application's .sft file.
If you specify a system variable for the server name, you need to configure each client to resolve the
variable. A system variable is useful for configuring the placement of a single package on multiple servers.
In this case, you do not have to modify the .osd file to specify a specific server name. By using the system
variable, you easily can change the name of the streaming server on the client computers if that becomes
necessary.
Note: You can set the %SFT_SOFTGRIDSERVER% variable in the system properties of the client or
through Group Policy preferences.
You can publish shortcuts on the user's desktop, Quick Launch toolbar, Start menu, Send To menu, or a
specific location. Users typically are familiar with these shortcuts. The location for shortcuts is something
that you should discuss and determine with your stakeholders.
During the Application Sequencing task, App-V detects file associations automatically. You can, however,
add or remove specific file associations when you are importing the application. You first need to
determine the file type associations that you want to use with the application, including any custom
associations for extensions that you do not specify in the sequenced application.
Access permissions are applied based upon the Active Directory security group membership. You should
determine who needs access to the application, and then create a specific application-based security
group. For example, if you import Microsoft Word 2007 as an application, you may want to create a
global security group called Microsoft Word 2007 Users. You may need to create new groups in AD DS to
accommodate this. Consider using role-based groups to define who should have access to specific
applications. Remember that there are no levels of permission. Either users have the ability to use the
application, and all of its features, or they do not. You cannot place restrictions on application usage
through App-V permissions.
Key Points
When you publish applications, you first must import them from the Content shared folder into the
Application Virtualization Management Console. This populates the database with the application's
configuration information. The New Application Wizard walks you through the steps to provide the
information required for publishing the application.
After you sequence an application, you must complete the following tasks to import the application into
the App-V system:
• Copy the package to the content location: You must copy the entire sequenced package to the
  shared content location, which you configured in the System Options of the Application Virtualization
  Management Console. Make sure that all of the package's files are in the same location as the .sprj
  file.
• Import the .sprj or .osd file using the New Application Wizard: When you import an application, you
  can select the .sprj file or the .osd file. The .sprj file contains the information required to import a
  single sequenced application or a suite of sequenced applications. The .osd file, which you can import
  directly, contains only information about a single application.
Note: When you import a suite of applications by importing the .sprj file, the suite is not enabled by
default. However, when you import a single application (by .sprj or .osd), it is enabled by default.
Key Points
During the import process, App-V imports a number of configuration settings automatically, such as the
Open Software Description (OSD) path and file associations. You can modify these options during or after
the import process. You also can configure other options, such as the server or license group. You can
modify the configuration settings of individual applications after you import them. Do this by accessing
their properties through the Management Console.
The Properties dialog box has four tabs with the following options:
• The General tab allows you to specify the following:
   • Version identifier
   • Enabled checkbox
   • Description field
   • OSD Path
   • Icon Path
   • Application License Group (no group is specified by default)
   • Server Group (no group is specified by default)
• The Shortcuts tab allows you to publish shortcuts to any or all of the following:
   • Publish to User's Desktop
   • Publish to User's Quick Launch Toolbar
   • Publish to User's Send To Menu
   • Publish to User's Start Menu (Default selection)
   • Advanced: other specific locations
• The File Associations tab allows you to add, edit, or remove file associations. This tab is not available
  for an application group's properties.
• The Access Permissions tab allows you to add or remove user groups that have access to the
  application. You cannot grant permissions directly to individual users. You must assign them to AD DS
  security groups. There are no different levels of permissions to an application. Either you allow users
  to use the application or you do not.
Key Points
In this demonstration, you will see how to import a sequenced application into the App-V system. You
then will see how to create an application group, and move the application into the new group. Finally,
you will examine the properties of the published application.
Demonstration steps:
Import a sequenced application
1. Copy the sequenced application to the content folder.
2. Launch the Application Virtualization Management Console. Notice that the Default Application is
preinstalled. You can use it for testing connections between client and server. Additionally, the
Microsoft Word Viewer 2007 application currently is published.
3. Import the Word03 sequenced application from the C:\Content directory. Review the settings in the
General Information tab.
4. Publish a shortcut to the user's desktop.
5. Keep the default file associations.
6. Grant permission to Domain Users.
Create an application group and move the viewer applications into the new group
1. Create an application group named Office Viewers.
2. Move both of the Microsoft Office Word Viewer applications into the Office Viewers group.
Examine the properties
1. Open the properties of the Office Viewers group, and review the configurable properties.
2. Modify permissions so that only the AppVUsers group has access.
Question: Which property page is unavailable for the Application Group properties?
What Is a Package?
Key Points
A package is the output of the sequencing process. A package in the Packages node is a representation of
the virtual application, and it contains information about the relative path in the content folder and the
version of the .sft file. You can use packages to control virtualized application versions, which you use for
client computer Active Upgrades.
When you import an application into the Applications container by referencing a .sprj or .osd file, App-V
creates a new package automatically in the Packages node of the Management Console, with a version
number of 1. The package's name follows the name of the .sft file. However, App-V replaces the .sft
extension with the word Package. For example, if an application's .sft file is named Excel.sft, then the
package that App-V generates is named Excel_Package.
If you create a new application record without using the Import Applications feature, you need to create a
package manually for the application by referencing the .sft file in the New Package Wizard.
Key Points
Over time, you might need to upgrade most applications. Distributing the upgrades to multiple users
typically is a time-consuming and expensive process. App-V simplifies that process by allowing the
sequencing engineer to upgrade the application, and then seamlessly distribute an updated .sft file to the
users as a new version of the package.
Active Upgrade
Active Upgrade refers to the functionality that allows you to upgrade a package seamlessly without
requiring users to disconnect or Virtual Application servers to restart.
When you upgrade a package by using the Add Version process, App-V adds a version identifier
automatically to the resulting .sft file. For example, if the package's .sft file were named
Microsoft_Office_2003.sft before the upgrade, the package's .sft file would be called
Microsoft_Office_2003_2.sft after you complete the package upgrade.
You must perform the following steps to add a new package version and make it available for Active
Upgrade:
1. Apply the upgrade, and then resequence the application.
2. Copy the new .sft file to the same Content share as the existing package's .sft file.
3. In the Application Virtualization Management Console, right-click the package name, and then select
Add Version.
4. Enter the full path to the .sft file.
5. Enter the relative path from the Content share to the .sft file.
6. Verify that the information is correct to finish the upgrade.
Any user who has an active connection to the previous .sft file continues to receive data from that file
until the user disconnects. Any user who makes a new connection to the application in the package
receives the updated data from the new .sft file version.
Note: Users do not lose any specific applications when an upgrade occurs.
Key Points
Publishing virtual applications does not always require a full App-V infrastructure. You can use an
Internet Information Server (IIS) to publish applications over HTTP. This solution only provides publishing
features, such as DC Refresh. Because there is no SQL database collecting the information, it does not
provide the full set of features that the App-V management server provides, such as usage history,
reporting, licensing and metering.
Note: It is possible to create customized HTTP solutions that collect and use information stored in
corporate databases or AD DS to deploy applications to users intelligently.
.SPRJ: application/softricity-sprj
Note: If you are using SSL, then the appropriate certificates must be generated and installed on the
server.
The document consists of a single parent section that contains two child sections--the Policy section and
the Applist section.
The Policy section allows you to specify the Publishing Refresh frequency, in minutes, and a Boolean that
determines whether publishing refresh occurs when the user first logs in. All of the application-specific
publishing information is placed in the Applist section. App-V takes this information directly from the
manifest files that were generated by the Sequencer. The Applist section should contain all the
information from all of the applications that you wish to publish using this method. When complete,
App-V places the publishing document in the root of the Content shared folder and serves it to requesting
App-V clients.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1, 10324A-NYC-SVR2, and 10324A-NYC-CL1 virtual machines are
running.
3. If required, connect to the virtual machines. Log on to the 10324A-NYC-DC1 and 10324A-NYC-SVR2
virtual machines as Contoso\Administrator using the password Pa$$w0rd
4. Do not log on to 10324A-NYC-CL1 until directed to do so.
Task 2: Configure the default content path and the duration for database usage
1. Open System Options, and ensure that the UNC path \\NYC-SVR2\Content is specified.
2. Set the duration for database usage for 12 months.
Results: After this exercise, you should have changed the login credentials for the App-V Web service,
and then confirmed the default content path and set the database to retain its history for 12 months.
Results: After this exercise, you should have granted administrative access to the Domain Admins
security group.
Task 4: Move the Microsoft Office Viewer applications into the Application Group
Move the Microsoft Office Word Viewer 2003 and the Microsoft Word Viewer from the
Applications node into the Microsoft Office Viewers group.
Results: After this exercise, you should have added a sequenced application to the content folder and
imported the application. You also should have created an application group, and populated it. Lastly,
you should have modified the permissions of the application group.
Results: After this exercise, you should have verified the functionality of the virtual applications by
testing user permissions.
Important: Keep the virtual machines running for the next lab.
Lesson 3
Performing Advanced Administration Tasks for Application Virtualization
In some organizations, you may need to track application usage or enforce licensing. This helps the
organization to comply with license regulations for applications, and can reduce costs if an organization
does not have to license applications that users are not using. You can use provider policies to configure
user connection settings and to apply license enforcement. The App-V Server provides a number of
advanced administration settings that you can configure to manage server connections and application
licenses.
This lesson describes how you can manage server connections by using Provider Policies and Server
Groups. This lesson also explains what an Application License is, and how you can use it to monitor or
control the use of applications that are streamed within the virtualized environment.
Key Points
Provider policies specify a set of rules that you apply to users that are connecting to virtualized
applications. As connections come into the Server Group (Provider), the server appends several rules
(Provider Policy) to the connection. If the user's connection does not specify a custom provider policy, the
system applies the rules of the default provider policy.
To create a new provider policy, use the New Provider Policy Wizard. The following table describes the
wizard's options, which also are available when you modify an existing provider policy.
Note: After creating a new provider policy, you must restart the Application Virtualization
Management Server service.
Field | Description
Manage Client Desktop Using the Management Console | Specifies that App-V will apply the Application Virtualization Management Console settings defined for application shortcuts and file-type associations to all clients. If there are conflicting settings at the client, then the server's settings will take precedence. This is selected by default.
Refresh Desktop Configuration when a user logs on | Specifies that an App-V Client will contact the App-V Server for updated desktop-configuration information whenever the user logs on.
Refresh Configuration every n days | Specifies that an Application Virtualization Client will refresh desktop configuration information at the defined interval. Intervals can be set for a specified number of days, hours, or minutes.
Group Assignment | Designates the AD DS groups that will be assigned to the policy.
Enforce Access Permission Settings | Specifies, when selected (the default), that access to all applications will be resolved against Access Permissions configured under the application record.
Log Usage Information | Specifies, when selected, that a metering module is enabled in the Provider Policy to measure user sessions from start to normal end (application ended by client), or abnormal end (application ended by server). The logged information also contains which server and applications were used.
Licensing | Specifies, when selected, that a licensing module is enabled in the Provider Policy to track or grant licenses (default is not selected). The following license types are available:
   • Audit License Usage Only: Will not prevent a user from launching an application if the specified maximum license quantity is reached.
   • Enforce License Policies: Will require every user who makes a connection by using the Provider Policy to have an available and valid license for the application in order to launch it.
Important: You must configure applications to use custom provider policies by modifying the
hypertext reference (HREF) tag in the applications' .osd files. For example, if your custom provider
policy is named Sales, you would modify the HREF tag in the .osd file of the application as illustrated
here:
HREF="rtsp://sgserver:554/Excel.sft?Customer=Sales"
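Both .osd checks in this module (the HREF must point at the right server and at an .sft under the content share, and its Customer value must name an existing provider policy) can be run over the content share before import. The Python script below is an added example, not part of the course material; the sample .osd fragments, server list, policy list and content listing are constructed, and it assumes the HREF is carried on the CODEBASE element of the .osd file.

```python
"""Pre-import audit of App-V .osd CODEBASE HREF values (added example)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

SERVER_VARIABLE = "%SFT_SOFTGRIDSERVER%"  # client-side variable named in the text

# scheme://host[:port]/relative/path[?query]; the host may be the variable above.
HREF_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<host>[^/:?]+)"
    r"(?::(?P<port>\d+))?/(?P<path>[^?]*)(?:\?(?P<query>.*))?$"
)


def parse_href(href):
    """Split an HREF into scheme, host, port, path and provider policy.

    Returns None when the value is not a URL (for example a local path).
    """
    match = HREF_RE.match(href.strip())
    if match is None:
        return None
    query = parse_qs(match.group("query") or "")
    policy = next((v[0] for k, v in query.items() if k.lower() == "customer"), None)
    return {
        "scheme": match.group("scheme").lower(),
        "host": match.group("host"),
        "port": int(match.group("port")) if match.group("port") else None,
        "path": match.group("path"),
        "policy": policy,
    }


def audit_osd(xml_text, servers, policies, content_files):
    """Return findings for one .osd document; an empty list means it passed.

    servers, policies and content_files are what the administrator expects:
    streaming server names, provider policy names, and .sft paths relative to
    the content share. Host and file names are compared without regard to case.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    codebase = next(root.iter("CODEBASE"), None)
    href = codebase.get("HREF") if codebase is not None else None
    if not href:
        return ["no CODEBASE HREF found"]
    parts = parse_href(href)
    if parts is None:
        return [f"HREF is not a URL: {href}"]

    findings = []
    host = parts["host"]
    known_servers = {s.lower() for s in servers}
    if host.upper() != SERVER_VARIABLE and host.lower() not in known_servers:
        findings.append(f"unknown streaming server: {host}")
    known_files = {f.replace("\\", "/").lower() for f in content_files}
    if parts["path"].lower() not in known_files:
        findings.append(f"no such .sft under the content share: {parts['path']}")
    # No Customer parameter means the default provider policy applies.
    # Policy names are compared exactly (an assumption of this example).
    if parts["policy"] is not None and parts["policy"] not in policies:
        findings.append(f"unknown provider policy: {parts['policy']}")
    return findings


def audit_all(osds, servers, policies, content_files):
    """Audit a mapping of file name -> .osd text; return name -> findings."""
    return {name: audit_osd(text, servers, policies, content_files)
            for name, text in osds.items()}


# Constructed sample data, not taken from the course files.
SAMPLE_OSDS = {
    "Excel.osd": r'<SOFTPKG NAME="Excel"><IMPLEMENTATION>'
                 r'<CODEBASE HREF="rtsp://sgserver:554/Excel.sft?Customer=Sales"/>'
                 r'</IMPLEMENTATION></SOFTPKG>',
    "Word03.osd": r'<SOFTPKG NAME="Word03"><IMPLEMENTATION>'
                  r'<CODEBASE HREF="rtsp://%SFT_SOFTGRIDSERVER%:554/Word03/Word03.sft"/>'
                  r'</IMPLEMENTATION></SOFTPKG>',
    "Viewer.osd": r'<SOFTPKG NAME="Viewer"><IMPLEMENTATION>'
                  r'<CODEBASE HREF="rtsp://oldserver:554/Viewer/Viewer.sft?Customer=Slaes"/>'
                  r'</IMPLEMENTATION></SOFTPKG>',
    "Local.osd": r'<SOFTPKG NAME="Local"><IMPLEMENTATION>'
                 r'<CODEBASE HREF="C:\Content\Word03\Word03.sft"/>'
                 r'</IMPLEMENTATION></SOFTPKG>',
}
SAMPLE_SERVERS = ["sgserver"]
SAMPLE_POLICIES = ["Sales", "Office_Viewers"]
SAMPLE_CONTENT = ["Excel.sft", r"Word03\Word03.sft"]

if __name__ == "__main__":
    report = audit_all(SAMPLE_OSDS, SAMPLE_SERVERS, SAMPLE_POLICIES, SAMPLE_CONTENT)
    for name, findings in report.items():
        print(name, "OK" if not findings else "; ".join(findings))
```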
Question: You have created a new provider policy and associated it with an application. Now certain
users cannot access the application. What area might you troubleshoot to resolve this issue?
Key Points
In this demonstration, you will see how to create a new provider policy.
Demonstration steps:
1. In the Application Virtualization Management Console, use the New Provider Policy Wizard to create
a new policy named Office_Viewers.
2. Add the AppVUsers group as the Group Assignment.
3. Set licensing to be Enforce License Policies.
4. Restart the Application Virtualization Management Server service.
Question: Can you describe scenarios where you would want to use a custom Provider Policy with which
users can connect?
Key Points
A Server Group is a logical collection of App-V servers. You can use Server Groups to provide a common
Provider policy, and configure logging properties of all servers that are members of the group.
Most organizations only have one server group--the Default Server Group. However, an organization that
consists of multiple physical sites can create a server group that represents each site.
For example, your organization may have multiple physical locations that contain App-V servers. To
ensure that each server does not log information over the wide area network (WAN) connection, you can
create a Server Group for each location, and then configure each Server Group to log information only to
a local computer that is running SQL Server.
You can manipulate the characteristics of all servers in a Server Group by using three property pages. The
configuration settings are available in the following tabs:
General. Use to set the default Provider policy for the Server Group, and to enable or disable the
Server Group.
Logging. Use to control how App-V Servers record their information within the virtualization system.
There are two ways to store usage information: logging to a file or logging to a SQL Server database.
The recommended method is to allow the default behavior, which is to log to the data store's SQL
Server database.
Applications. Use to view which applications belong to this Server Group. You also use it to verify the
Enabled or Disabled status of applications. This tab is for informational purposes only.
Key Points
For every App-V Server that you install, App-V creates a matching server object in the Server Group that
you specified during installation. This is the Default Server Group. The App-V Server object provides
several property pages to configure the characteristics of the specified App-V Server, including:
General. Use to provide the Domain Name System (DNS) host name of the App-V Server.
Ports. If you need to change any of the default port values for application virtualization, you need to
make this change on the Ports tab. Changing any of the values on this page requires a restart of the
App-V service. If you also require that any .sft files streamed over a network connection must be
encrypted with a Transport Layer Security (TLS) header, you need to add the Real-Time Streaming
Protocol Secure (RTSPS) protocol, and associate an available SSL/TLS certificate to the Server object.
The default RTSPS port is 322.
Advanced. From the Advanced tab, you can change how the selected Virtual Application Server
utilizes system resources, including random access memory (RAM) and CPU. You would use this tab
only for advanced configuration of the App-V system.
Key Points
License enforcement provides you the ability to create an application license that is stored in the
Application Virtualization data store. Every time a user attempts to launch an application, the system
queries the data store for an available license. If a license is available, the user can launch the application.
However, if there is no available license, the application reports Launch Failed, and an error message
displays that indicates that there is no available license.
The Application Licenses node in the Application Virtualization Management Console provides the ability
to create Application License Groups. Application License Groups contain generic application licenses, and
are not application-specific. Therefore, you might apply one Application License Group to multiple
applications, although typically, you create most with specific application requirements in mind.
Licensing control in App-V refers to licenses that you create within the App-V system. These license
options have no impact on license agreements, such as Microsoft Software License Terms, but typically are
tied logically to the number of end user licenses that the company has purchased.
You can create and assign the following types of licenses to virtualized applications:
Unlimited License. This enables any number of users to have simultaneous access to the applications
that have been associated with the license. Unlimited License Groups can be effective in evaluating
the number of licenses that the organization would need for an application. When used in
conjunction with reporting, Unlimited Licensing can assist in purchasing decisions.
Concurrent License. This permits a limited number of users to have simultaneous access to
applications that have been associated with the concurrent license. Concurrent License Groups are the
most common type of licensing implemented on virtualized applications. For example, even in an
enterprise-size organization, only a select number of users need to run a specialized drafting
program. Between the different shifts that the employees work, a maximum of 10 employees will run
that application at any one time. For this situation, you could create a Concurrent License Group to
limit the maximum number of simultaneous launches of that application to 10. The system refuses
any additional people who attempt to launch the application, and an error appears indicating that
there are no more licenses available.
Named License. This permits only explicitly named users to have access to an application associated
with the license. For example, an organization has a sales group within AD DS that assigns
permissions to several general-use applications, including a management database program.
However, only certain individuals within that sales group should actually be able to run this
management application. You could create a Named License Group, and specify only those
individuals who should run it. If a user is not in the license, and then attempts to launch the
application, the system refuses the user.
Question: What type of license would be appropriate when distributing an application to all employees
with a volume license agreement in place?
In this demonstration, you will see how to create a concurrent license, and then associate it with an
application. You also will see how to enforce it through the default provider policy.
Demonstration steps:
1. Open the Application Virtualization Management Console, and then use the New Concurrent License
Wizard to create a new Application License Group named Word_Viewer_2003.
Provide the following description: Allows 25 concurrent users.
Set the Concurrent License Quantity to 25.
2. In the Applications node, access the properties of Microsoft Office Word Viewer 2003, and set the
Application License Group to be the Word_Viewer_2003 group.
3. Modify the .osd file to use the Office_Viewers provider policy.
Key Points
The Reports node in the App-V management console allows you to generate a variety of different reports
about usage and system error tracking. You can generate report information by querying the App-V SQL
database. Reports do not run automatically. You must run each report explicitly.
You can create the following types of reports by running the New Report wizard:
System Utilization Report. Graphs the total daily usage, to help you determine the load on your
application virtualization system. Usage is reported by day of the week and hour of the day.
Software Audit Report. Lists the usage information during the reporting period for all applications
defined in the database to help you determine which applications are the most heavily used. The
report provides information about the number of sessions and the number of times an application
was used.
Application Utilization Report. Tracks usage information for a specified application to help you
determine how heavily a specific application is used.
System Error Report. Tracks the number of errors and warnings logged over time during the specified
reporting period for the specified server or server group.
Note: The amount of usage reporting data available is dependent on how long you elect to retain
usage history in the database. You can configure that in the App-V System Options. For example, if
you want to track one year of usage data then the database must keep at least one year of usage
history.
After you create a report, the management console displays the output. You can export the report to
either PDF format or to a Microsoft Office Excel spreadsheet.
Creating a Report
Run the New Reports wizard from the Reports node of the management console. You must provide the
following information to the wizard:
Report Name
Report Type (The remaining information required by the wizard will depend on the selection.)
Report period
Server name
Application
Lab Setup
For this lab, you will use the available virtual machine environment that should be running from Lab A.
Before you begin the lab, you must:
1. Ensure that the 10324A-NYC-DC1, 10324A-NYC-SVR2, and 10324A-NYC-CL1 virtual machines are
running.
2. If required, connect to the virtual machines. Log on to the 10324A-NYC-DC1 and 10324A-NYC-SVR2
virtual machines as Contoso\Administrator using the password Pa$$w0rd.
3. Do not log on to 10324A-NYC-CL1 until directed to do so.
Task 3: Modify the Excel .osd file to use the new provider policy
1. On NYC-SVR2, open Windows Explorer, and then browse to C:\Content\Excel.
2. Use Notepad to modify the Microsoft Office Excel Viewer 12.0.6219.1000.osd file as follows:
HREF="RTSP://NYC-SVR2:554/Excel/Excel.sft?Customer=Licensed"
2. Right-click the virtual machines used in this lab, and then click Revert.
Review Questions
1. An administrator has accidentally deleted the AD DS security group that is managing the Application
Virtualization servers. What can you do to address this issue?
2. You would like to import an application that your Sequencing Engineer has provided. What are the
standard configuration settings that you need to consider?
3. Describe scenarios where you would want to use a custom Provider Policy with which users can
connect.
Module 9
Sequencing Applications for Virtualization
Contents:
Lesson 1: Overview of Application Sequencing
Lesson 2: Planning and Configuring the Sequencer Environment
Lesson 3: Performing Application Sequencing
Lesson 4: Advanced Sequencing Scenarios
Lab: Sequencing Applications for Virtualization
Module Overview
To use applications in a Microsoft Application Virtualization (App-V) solution, you must first package
them into a form that can run in a virtualized environment. You can create these application packages by
using the App-V Sequencer.
You can sequence applications that you plan to deploy by using the App-V infrastructure or stand-alone
installation. By using App-V sequencing, you create a set of files that contain all the information that the
application requires to run in a virtual environment. The App-V Sequencer provides several packaging
options that you can choose based on your specific requirements.
This module describes how to install and configure the App-V Sequencer to create application packages.
The module also describes how to upgrade existing packages and create stand-alone packages.
Lesson 1
Overview of Application Sequencing
The App-V Sequencer collects information from the Microsoft Windows installation procedures, and
converts the files, registry information, and .ini files into a cohesive package. In many environments,
application developers who are familiar with the applications carry out the sequencing process. As an
App-V administrator, you likely will have to troubleshoot App-V deployments, so you need to understand
the sequencing process. It can help you determine if the problem is with the configuration of the
implementation or if the problem occurred during the sequencing process.
This lesson describes the functionality of App-V Sequencer, the features of a virtual environment, and it
explains how virtual environments communicate.
Key Points
The App-V Sequencer is a wizard-based software application that you can use to create Microsoft App-V
application packages. You can then deploy these packages to App-V-enabled desktops and Remote
Desktop servers. The Sequencer captures an application's installation, and then organizes the application's
unique data so that it can operate in the App-V environment. This process also determines the files and
data that are applicable to all users and the information that users can customize. The software allows the
sequencing engineer to determine what makes up Feature Block 1 and provides the ability to add files,
registry settings, associate file types, and many other tasks to the application package.
The sequencer also creates logical divisions in the application's program data, so that an App-V Streaming
Server can stream the application in chunks to an App-V Client. Optionally, the sequencer can package
applications as a self-contained Microsoft Installer package, a .msi file, which you can then deploy via an
electronic software distribution (ESD) system such as Systems Management Server (SMS) or System Center
Configuration Manager. To use the App-V Sequencer effectively, you must understand how to configure
and deploy your applications.
Note: App-V Sequencer Release 4.6 is now available. This release supports 64-bit platforms, and it can
sequence both 32-bit and 64-bit applications. You can sequence applications on 32-bit systems, and
then run the applications on 64-bit systems, and vice versa.
Key Points
Sequencing is the process of creating a version of an application that can run in a virtual environment on
a client computer. You can use special sequencing software to record the installation steps and the files
that the application uses. You can use that information to create a package that you can stream down to
software on the client computer.
You run sequenced applications (packages) in virtual environments that software creates on the client
computer. The virtual environment controls all the communication between the application and the
operating system. You can run multiple virtual environments with each environment hosting its own
virtual application.
The sequencing process is broken down into five steps:
1. The Sequencer monitors an application's standard installation process. The standard setup routine
installs files and registry settings, configures environment variables, and registers dynamic-link libraries
(DLLs), as well as other steps. Additionally, it records any changes to the system.
2. The Sequencer then creates a virtual environment, and loads the application into it, along with all
information that was recorded during the installation phase.
3. If the application is large, you can stream it in multiple chunks of code that the App-V Streaming
Server delivers to the client on demand. To do this, you must start the application and perform the
most common tasks to determine what the minimal startup requirements are for the application.
After the Sequencer determines which bits are required to start the application, it packages these
application bits into a Feature Block 1, which is the minimum amount of data necessary to start an
application and perform the most common tasks. Therefore, you only need to transfer Feature Block
1 from the App-V Server to the App-V Client when you initially run the application. As users access
additional application features, App-V streams the bits required to execute those features in the
background as additional Feature Blocks.
Note: If you do not launch the application at all during this phase, the entire application becomes Feature
Block 1. This means App-V streams the entire application down to the client and caches it. This usually
is not desirable for large applications.
4. You can now package the virtual application, and create the supporting files. These include the .sft file
that holds the application data, and the .ico file that is a capture of the application's default icon.
Additionally, the .sprj, .osd, and .xml files provide information about the application.
5. You then move all of these files to the App-V server, which imports the application for distribution.
Key Points
A sequenced application is a collection of files that the sequencing process generates, which includes five
major files:
The .sft file contains the sequenced Windows application. The file must be located on each server that
will stream applications. The .sft files can contain multiple applications, for example, a suite of
applications such as Microsoft Office.
The .sprj file is an .xml-based text file that contains parse items and exclusions for application suites,
and which manages multiple .osd files. For example, Office 2007 contains multiple applications, each
with its own .osd file, and each with possible additional requirements. You can specify these
requirements as exclusions and parse items in the .sprj file. If this file does not import with the
application, it may cause issues such as file conflicts or missing information.
Note: A parse item is the Virtual File System equivalent of an actual directory. For example, an
application may install a DLL file to the System32 directory. During sequencing, the Sequencer
intercepts the DLL file and places it in the package's virtual drive folder. When the application later
makes a call for that DLL file to the System32 directory, it parses the call, and then redirects it to the
Virtual File System.
The .ico files are icon files that are used for application shortcuts to provide a consistent end-user
experience. When a user double-clicks an icon as they normally would, the .ico file initiates the .osd
file, which in turn causes the application to load on the App-V Client.
The .osd file provides information necessary to launch the application, such as the protocol to use and
the streaming server that holds the .sft file. Each application requires an .osd file.
The Manifest.xml file stores information required for the App-V Streaming Server to stream
applications. You would use Streaming Servers in branch-office deployment scenarios where it is not
feasible to deploy a complete App-V infrastructure. The Manifest.xml file informs the App-V Client
where to find the sequenced application.
Question: Which file provides information about the .sft file's location?
Key Points
Dynamic Suite Composition (DSC) allows virtual environments to communicate with each other. This
eliminates the need to sequence dependent applications with every primary application that requires
them. For example, in previous versions of App-V (formerly known as Microsoft SoftGrid Application
Virtualization), if an application had a dependency such as the Java Runtime Environment, you would have
to sequence that dependent application with every primary application that required it.
DSC is an App-V feature that enables you to sequence applications separately from the plug-ins and the
middleware applications they rely on, while you can still utilize the virtual resources such as file system
and registry settings, in the virtual environment. The packages run and interact with one another as if they
were all installed locally on a computer. The primary package also assumes the entire virtual environment
of the secondary package, including the virtual file system.
in the tag. The following sample code shows an example of the resulting section of the primary
application's .osd file, with a dependency on a secondary application named Midware.
<VIRTUALENV TERMINATECHILDREN="FALSE">
  <POLICIES>
  </POLICIES>
  <DEPENDENCIES>
    <CODEBASE HREF="RTSP://%SFT_SOFTGRIDSERVER%:554/midware/midware.sft"
              GUID="06DCD3EF-1D70-4282-A117-2241BE970C27"
              SYSGUARDFILE="midware\osguard.CP" MANDATORY="TRUE"/>
  </DEPENDENCIES>
  <ENVLIST/>
</VIRTUALENV>
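The CODEBASE HREF shown here, and the Customer= provider-policy parameter described in the Important note on provider policies, can be checked across a content share before packages are published. The following Python audit is an added example, not code from the course or from App-V; the SOFTPKG/IMPLEMENTATION wrapper around the page's fragment, the package name, the placeholder SOFTPKG GUID, the finding codes, and the reading of a missing Customer= parameter as "server group default applies" are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Defaults stated on the page: RTSP on 554, RTSPS (TLS-protected) on 322.
DEFAULT_PORTS = {"rtsp": 554, "rtsps": 322}
HREF_RE = re.compile(
    r"^(?P<scheme>[A-Za-z]+)://(?P<host>[^:/?]+)(?::(?P<port>\d+))?"
    r"(?P<path>/[^?]*)?(?:\?(?P<query>.*))?$"
)

# Constructed sample. The element layout is assumed; the HREFs, dependency GUID
# and SYSGUARDFILE are the ones quoted on the page; the SOFTPKG GUID is a placeholder.
SAMPLE_OSD = r"""
<SOFTPKG GUID="00000000-0000-0000-0000-000000000000" NAME="Excel Viewer" VERSION="1.0">
  <IMPLEMENTATION>
    <CODEBASE HREF="RTSP://NYC-SVR2:554/Excel/Excel.sft?Customer=Licensed"/>
    <VIRTUALENV TERMINATECHILDREN="FALSE">
      <POLICIES></POLICIES>
      <DEPENDENCIES>
        <CODEBASE HREF="RTSP://%SFT_SOFTGRIDSERVER%:554/midware/midware.sft"
                  GUID="06DCD3EF-1D70-4282-A117-2241BE970C27"
                  SYSGUARDFILE="midware\osguard.CP" MANDATORY="TRUE"/>
      </DEPENDENCIES>
      <ENVLIST/>
    </VIRTUALENV>
  </IMPLEMENTATION>
</SOFTPKG>
"""


def parse_href(href):
    """Split a CODEBASE HREF into scheme, host, port, path and provider policy."""
    m = HREF_RE.match(href.strip())
    if m is None:
        raise ValueError(f"unparseable HREF: {href!r}")
    scheme = m["scheme"].lower()
    query = parse_qs(m["query"] or "")
    # The provider policy travels in the Customer= query parameter
    # (matched case-insensitively here, which is an assumption).
    policy = next((v[0] for k, v in query.items() if k.lower() == "customer"), None)
    port = int(m["port"]) if m["port"] else DEFAULT_PORTS.get(scheme)
    return {"scheme": scheme, "host": m["host"], "port": port,
            "path": m["path"] or "/", "policy": policy}


def audit_osd(osd_text, allowed_policies, require_tls=True):
    """Return (summary, findings) for one .osd document given as text."""
    root = ET.fromstring(osd_text.strip())
    primary_el = root.find("IMPLEMENTATION/CODEBASE")
    if primary_el is None:
        raise ValueError("no IMPLEMENTATION/CODEBASE element found")
    primary = parse_href(primary_el.get("HREF", ""))
    findings = []

    def check_transport(label, ref):
        where = f'{ref["scheme"]}://{ref["host"]}:{ref["port"]}{ref["path"]}'
        if ref["scheme"] not in DEFAULT_PORTS:
            # Only the RTSP/RTSPS pair discussed on the page is modelled.
            findings.append((f"UNMODELED_SCHEME_{label}", where))
            return
        if require_tls and ref["scheme"] == "rtsp":
            findings.append((f"UNENCRYPTED_{label}", where))
        if ref["port"] != DEFAULT_PORTS[ref["scheme"]]:
            findings.append((f"NONDEFAULT_PORT_{label}", where))

    check_transport("PRIMARY", primary)
    if primary["policy"] is None:
        findings.append(("NO_PROVIDER_POLICY", "server group default applies"))
    elif primary["policy"] not in allowed_policies:
        findings.append(("UNKNOWN_PROVIDER_POLICY", primary["policy"]))

    # Dynamic Suite Composition dependencies are streamed too, so each
    # secondary package gets the same transport checks as the primary.
    deps = []
    for el in root.iterfind("IMPLEMENTATION/VIRTUALENV/DEPENDENCIES/CODEBASE"):
        ref = parse_href(el.get("HREF", ""))
        check_transport("DEPENDENCY", ref)
        deps.append({"path": ref["path"], "guid": el.get("GUID"),
                     "mandatory": el.get("MANDATORY", "").upper() == "TRUE"})

    summary = {"package": root.get("NAME"), "policy": primary["policy"],
               "scheme": primary["scheme"], "port": primary["port"],
               "dependencies": deps}
    return summary, findings


if __name__ == "__main__":
    summary, findings = audit_osd(SAMPLE_OSD, {"Licensed", "Office_Viewers"})
    print(summary)
    for code, detail in findings:
        print(code, detail)
```

Pass `require_tls=False` for environments that have not associated a certificate with the Server object; the policy and port checks still run.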
Lesson 2
Planning and Configuring the Sequencer Environment
The Application Sequencer is capable of detecting the smallest change in the Windows environment.
Therefore, it is very important that you follow proper steps when planning the Sequencer's environment. If
extraneous elements such as anti-virus scans, which do not belong in the sequenced environment, get
included in the sequencing process, the application might not function correctly when you deploy it.
This lesson provides details about the Sequencer hardware and software requirements, and describes the
best practices for configuring the sequencer environment. The lesson also describes the most common
ways of configuring the Sequencer.
Key Points
The sequencer should reflect the computing environment of the computers to which you plan to deploy
the applications. If the majority of computers run the Windows XP Service Pack 3 (SP3) operating system,
you should configure the sequencer to run the same operating system.
Hardware Requirements
The hardware requirements for the App-V sequencer are very basic and generally reflect the hardware on
the computers to which you will deploy the virtual applications.
The minimum requirements are:
A Pentium III 1 gigahertz (GHz) or higher CPU, and either a 32-bit or a 64-bit processor. The
sequencing process is a single-threaded process, and it does not take advantage of dual processors.
1 gigabyte (GB) or more of random access memory (RAM).
A physical drive designated to represent the virtual drive. This can also be a partition on a single
drive. The drive letter assigned on the workstations where you install the Application Virtualization
Sequencer should match the drive letter assigned to the Application Virtualization Client. This is
usually drive Q.
You also have the option of hosting the sequencer on a virtual machine. This can affect the sequencer
performance, but you can revert the virtual machine to a base state very quickly.
Software Requirements
Windows XP SP2 or newer
Windows Vista Business, Enterprise, or Ultimate
Windows 7 Professional, Enterprise, or Ultimate
Key Points
When you configure the sequencing computer, there are a number of considerations:
Always use a clean operating system install. The sequencer should match the computers to which you
will deploy the application. For example, if the typical client in the enterprise is running Windows XP
with SP3 and Office 2007, the sequencer should match that configuration.
Sequence to the lowest operating system version used in the target environment. If your client
computers run multiple operating systems at various service pack levels, and it is not practical to
sequence the applications multiple times, sequence to the lowest common denominator. However,
there is no guarantee that an application sequenced on one operating system functions as expected
on a different operating system. For example, if you know that an application does not function on
Windows 7, then it will not work to sequence it on Windows XP and deploy it to Windows 7.
Do not install monitoring agents, antivirus software, or any other software that runs background
tasks. These types of programs interact with the operating system core components and can alter the
results of the sequencing operation, thus affecting the package.
Reset the environment after you create each package. Create the sequencer image again, or if you
use a virtual machine, reset the virtual machine.
Key Points
You should sequence applications on the lowest operating system version in the environment. For
example, if the environment is currently running Windows XP and Windows Vista, you should base the
sequencer's configuration on Windows XP. There is no guarantee that an application that you sequence
on an older operating system will function correctly on a newer one. However, applications that function
correctly on both operating systems should function correctly when you virtualize them on the older
system.
You can mount the application package on a drive other than drive Q, when the client is using it.
However, you should maintain consistency throughout the environment. If an application hard-codes a
path into its configuration during setup, this can cause problems if you have defined a letter other than
the one used during sequencing for the client.
To avoid problems with long file name references in applications, you must use the 8.3 naming
convention for the package root directory. For example, when you install Microsoft Office, this creates a
short-path shortcut called Micros~1. Some applications still refer to these short paths. This can cause
problems because the sequencer sequences each application in an isolated, clean environment. In this
example, every application that starts with Microsoft is abbreviated to Micros~1. By using the 8.3 format,
you can be sure that applications will always refer to the correct folder. The 8.3 format consists of a
maximum of eight characters with a three-character extension. For example, a folder named
Word2003Vwr could be renamed to Word2003.Vwr to comply with the 8.3 format.
Question: If you have a computing environment consisting of the Windows XP, Windows Vista, and
Windows 7 operating systems, on which operating system should you perform sequencing?
Key Points
The installation of the App-V Sequencer software is a very simple process. First, you should perform a
fresh install of a supported operating system. Ensure you create at least two partitions. Ideally, you would
have two separate hard disks: one to hold the operating system and one that would become drive Q. As a
best practice, if you choose to use a virtual machine, you should create a second virtual hard disk (VHD).
Note: Do not install the App-V sequencer on a computer that hosts the App-V Server or the App-V
Client.
Locate and launch one of the installer files for the App-V Sequencer. Similar to the App-V Client, there is a
Setup.msi and a Setup.exe. Also just like the client, you first need to install prerequisite software such as
Microsoft Visual C++ 2005 SP1. The Setup.exe file installs the software, while the Setup.msi file only
detects the presence or absence of the software. The Setup.msi installation fails if it cannot detect the
prerequisite software.
The InstallShield Wizard performs the installation. After you launch the wizard, you must allow it to install
the prerequisite software. Then you simply accept the license and allow the wizard to install the sequencer
software. Other than declaring the installation folder, you do not need to perform any configuration
during setup.
In this demonstration, you will see how to install the App-V Sequencer on a Windows 7 computer, and
then create drive Q.
Demonstration steps:
1. Run Setup.exe.
2. Perform a default installation of the App-V sequencer.
3. Use Computer Management to create a new simple volume using the unallocated space.
Question: What is the benefit of installing the sequencer by using the Setup.exe file versus the Setup.msi
file?
Key Points
After you install the sequencer, you can configure a number of settings by using the Options menu item
in the Tools menu. This opens the Options dialog box, which has three tabs that provide access to several
configuration settings. The following sections detail these tabs.
Setting: Description
Scratch directory: Specifies the path to the location where the sequencer will temporarily save files that it generates during sequencing. Scratch, the default folder, resides in the installation folder.
Log directory: Specifies the path to where the log files will be saved. Logs, the default folder, resides in the installation folder.
Allow use of MSI installer: Allows interaction between the sequencer and the application installer.
Allow virtualization of events: Allows you to virtualize low-level, operating-system activities of the application when you run a sequenced application package on App-V desktop clients.
Allow virtualization of services: Allows virtualization of services that the application requires when the application runs on App-V desktop clients.
Append package version to filename: Automatically appends the sequenced version number for the application package to the file name.
We recommend that you do not make any changes to these options, and instead accept the default
settings.
An example of data that you should not capture is Internet cookies. If you configure the Sequencer to
capture the cookies in the virtual environment, it links the application installation permanently to the user
who initially set up the virtual environment.
Typically, you should exclude any data that is unique to a specific user or a specific session from the
Sequencer.
Lesson 3
Performing Application Sequencing
Sequencing applications is often the most labor-intensive aspect of deploying virtualized applications. It
requires a thorough knowledge of the application that you are sequencing, and you need to pay close
attention to the details that the sequencer captures.
This lesson describes the sequencing process, and explains the functionality of the Sequencing Wizard.
The lesson also provides details about the best practices that you should implement when you sequence
applications.
Key Points
Sequencing applications correctly is the most important part of deploying virtual applications. Keep the
following points in mind, and follow these best practices to help ensure a successful
deployment.
Perform a local install. Familiarize yourself with the application installation procedure before
sequencing it. This is very important. You should understand all of the application dependencies, as
well as all of the steps required to make the application usable for the end-user.
Document the install process. This is also a very important step. Knowing how you installed an
application prepares you better for creating the sequenced package, or upgrading the application
should it become necessary. Following a step-by-step procedure while you are sequencing
applications leads to more successful sequencing sessions.
Set compression to Off, and use the optimal 64-kilobyte (KB) block size. This allows your client
workstations to have the best performance during usage, because they will not have to decompress
the sequenced software.
Use an 8.3 naming convention for the Install path. As previously mentioned, this helps avoid
application short name path conflicts. Make sure each path is unique to all sequenced applications.
Sequence all dependent applications under the same paths.
Always choose the Run from My Computer or Not Available options when you select the method
of installing application components in the Application Setup Wizards. Do not select the Install on
First Use option because this causes the application to search for its install source files. This will not
work because even if the application can find the install source files, the application cannot update
the install on the client.
Disable the application's Automatic Updates option while sequencing occurs. The virtual
environment does not allow you to update the application once it is running on a client. If an update
is necessary, you should apply it on the Application Virtualization Sequencer by upgrading the
package.
The post installation process completes the application configuration while the Sequencer is still
monitoring the installation process. This provides you the opportunity to open the application and set
the initial startup environment. You can configure default options that you always want end users to
see when they start the application. This may cause the application to access DLLs and other system
items that it did not previously use during the Setup Wizard. This may include application activation.
You also can capture and virtualize this information.
Always reply Yes to reboot requests. The Sequencer detects the reboot task and notifies the
sequencing specialist that it has processed a reboot request. It then continues the installation as if the
reboot had occurred.
Key Points
The 4.6 version of the App-V Sequencer displays a splash screen at launch that allows the sequencing
engineer to perform three tasks:
Create a package
Edit a package
Upgrade a package
When you click Create a Package, the Sequencing Wizard launches, and then simplifies the sequencing
process into six major steps, which the following sections detail.
Package Information
As the first step, fill in the package name with any display name that you wish. You also can input
comments, such as the platform on which the application was sequenced and the name of the sequencing
engineer. You also can select to see the Advanced Options page.
Advanced Options
On the Advanced Options page, you can select to allow Microsoft Update to run during monitoring or to
rebase DLLs. Allowing Microsoft Update simply allows the application to update from the Internet if
required. Rebasing DLLs remaps DLL libraries to a contiguous space in RAM, and may save memory and
improve performance. These selections are unselected by default.
Monitor Installation
This page allows you to start the monitoring process. Before you can start the actual application
installation, you need to specify where the application is installed. This is a folder on drive Q. The name of
this folder must adhere to the 8.3 naming convention, but subfolders under it do not. Each application
you sequence must have a separate directory.
After selecting the install folder, you must wait while the virtual environment loads and monitoring can
commence. Then install the application as you would normally install it on the client, and select the folder
that you specified on drive Q as the install destination. During monitoring, the App-V Sequencer adds all
new and changed application components to the application package.
When you finalize the application's installation, you need to return to the App-V wizard, and use the Stop
Monitoring button.
Configure Applications
This page displays the available shortcuts and file type associations for an application. You can edit, add,
or remove the shortcut and file types. For example, if the application is a video player, you may want to
associate many different video file types with the application.
Launch Applications
This phase serves two purposes. For some applications, you might need to perform some configuration at
first launch, such as accepting license agreements. Additionally, the sequencer adds any steps that you
perform during this launch to Feature Block 1. Therefore, the sequencing engineer should perform the
most common actions, such as opening files, creating files, and whatever other actions a normal end user
would most often perform.
Sequence Package
This step completes the sequencing of the application and finishes the wizard. There is no configuration
during this step.
Key Points
After you create the sequencer package, you can adjust the settings that the wizard creates. You would
typically do this when a package needs special modifications to make it operational in the virtual
environment.
You can view the properties, such as the application's GUID, and edit the package name.
The Deployment tab is one of the most important post-configuration considerations. You must configure
deployment properties such as the protocol, the hostname of the streaming server, the port number, and
the relative path inside the content folder. You can also determine which operating systems are allowed
to receive this virtual application and generate a Windows installer file for the virtual application.
You can view the history of any changes to the package in addition to many other pieces of information
about the package such as Windows version. This information is read-only.
You can edit the Virtual Registry to remove registry data that may not pertain to the application. The
Installation Wizard is preconfigured to ignore changes to certain registry keys. Sometimes, you might
need to configure those changed registry keys, and sometimes registry keys for other software on the
sequencer might change during sequencing.
You can add or remove files from the Virtual File System. This is useful for correcting errors, for
example removing files that the installation wizard detected erroneously, which keeps the sequenced
application as small as possible.
During sequencing, App-V identifies and sequences a list of embedded services. These embedded services
assist the operating system. You can edit the properties, such as the startup type, of the individual
services that the application requires.
You can edit the .osd file before App-V incorporates it into the sequenced package. This can be useful if
you need to customize an element of the .osd file, such as defining a dependency for DSC. Refer to
product documentation for details about the different elements with which you can configure the .osd
file.
After you save the application, transfer the folder to the content folder on the App-V Server. If you create
an MSI package, you can provide the MSI package to enterprise deployment systems as needed.
Question: What name must you use for the folder into which you save the package?
Key Points
In this demonstration, you will see how to use the sequencing wizard to sequence an application and
configure the application's protocol, port, and path.
Demonstration steps:
1. Launch the App-V sequencer, and create a package.
2. Create a folder on drive Q as the installation folder, and begin monitoring.
3. Install the application to drive Q.
4. Stop monitoring, and then click Next.
5. Launch and close the application, and then complete the wizard.
6. In the dialog box, click the Deployment tab, and then configure the protocol as RTSP.
7. Configure the Hostname to match the server name that will host the application.
8. Configure the relative path.
9. Save the package.
10. Open the folder, and then examine the contents.
11. Use Notepad to open the .osd file, and then examine the HREF tag.
Lesson 4
Advanced Sequencing Scenarios
When you perform sequencing tasks, some application types require special considerations. For example,
you may have applications that are hard-coded to install on drive C. Additionally, you may need to
upgrade existing sequencer packages, or create a package branch that allows you to upgrade an existing
package, and then run it side-by-side with the original package. You can use several advanced sequencing
techniques in such scenarios, and this lesson describes how to perform them.
Key Points
Over time, you need to upgrade applications to newer versions. This is a costly process for most
organizations. Active upgrade provides a method that allows you to apply updates on an existing package
and to redistribute it seamlessly to the client computer. This method does not require a server restart or a
client disconnect from the server. Users continue to use the currently streamed application until they
disconnect. When they reconnect, the updated version streams automatically.
You can accomplish this functionality within the sequencing process by tagging the changed blocks of
code with the new version number. When the client launches the application, App-V compares the version
information within the .sft file to the version on the streaming server, and then downloads only the
required blocks of code to the client.
Important: Active upgrade is not supported for Hypertext Transfer Protocol (HTTP) or Server Message
Block (SMB) streaming. You must change the HREF tag explicitly in the .osd file to point to the location
of the application's new version.
Question: How would you upgrade packages that are streaming over HTTP?
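The HREF examined in the sequencing demonstration and the active upgrade restriction above can be checked together before a package is copied to the content folder. The following Python is an added example, not part of the course material: the sample .osd content, host name, port and folder are constructed, treating https like http and file:// as the SMB case is an assumption, and the cleartext flag is an extra check that the course does not mention.

```python
"""Audit the CODEBASE HREF of an App-V 4.x .osd file (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: host, port, folder and GUIDs are placeholders.
SAMPLE_OSD = """<SOFTPKG NAME="Example Viewer" VERSION="1.0"
         GUID="00000000-0000-0000-0000-000000000001">
  <IMPLEMENTATION>
    <CODEBASE HREF="RTSP://appv01.example.test:554/exview/exview.sft"
              GUID="00000000-0000-0000-0000-000000000002"/>
  </IMPLEMENTATION>
</SOFTPKG>"""

# The course states that active upgrade is not supported for HTTP or SMB
# streaming. Mapping https and file:// onto that rule is an assumption.
NO_ACTIVE_UPGRADE = {"http", "https", "file"}
# Schemes that carry the package stream without TLS.
CLEARTEXT = {"rtsp", "http"}


def read_href(osd_text):
    """Return the HREF attribute of SOFTPKG/IMPLEMENTATION/CODEBASE."""
    root = ET.fromstring(osd_text.lstrip())
    node = root.find("./IMPLEMENTATION/CODEBASE")
    if node is None or not node.get("HREF"):
        raise ValueError("no CODEBASE HREF in .osd")
    return node.get("HREF")


def parse_href(href):
    """Split an HREF into scheme, host, port and path."""
    scheme, sep, rest = href.partition("://")
    if not sep:
        raise ValueError(f"HREF is not a URL: {href!r}")
    scheme = scheme.lower()
    if scheme == "file":
        # FILE:// HREFs carry a UNC or local path rather than host:port.
        return {"scheme": scheme, "host": None, "port": None,
                "path": rest.replace("\\", "/")}
    parts = urlsplit(href)
    return {"scheme": scheme, "host": parts.hostname, "port": parts.port,
            "path": parts.path}


def audit_osd(osd_text, expected_host, expected_folder):
    """Compare the HREF with the intended streaming server and content folder."""
    href = parse_href(read_href(osd_text))
    findings = []
    if href["scheme"] in NO_ACTIVE_UPGRADE:
        # HREF must be edited by hand to point at each new version.
        findings.append("no-active-upgrade")
    if href["scheme"] in CLEARTEXT:
        findings.append("cleartext-stream")
    if href["host"] is not None and href["host"].lower() != expected_host.lower():
        findings.append("host-mismatch")
    segments = [s for s in href["path"].split("/") if s]
    if not segments or not segments[-1].lower().endswith(".sft"):
        findings.append("not-sft")
    if len(segments) < 2 or segments[-2].lower() != expected_folder.lower():
        findings.append("folder-mismatch")
    return href, findings


if __name__ == "__main__":
    parsed, issues = audit_osd(SAMPLE_OSD, "appv01.example.test", "exview")
    print(parsed)
    print(issues or "no findings")
```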
Key Points
In this demonstration, you will see how to upgrade an existing application.
Demonstration steps:
1. Launch the sequencer, and click Upgrade a Package.
2. Open the .sprj file that you want to upgrade.
3. Begin monitoring.
4. Run the upgrade installation file.
5. After installation completes, stop monitoring.
6. Save the package.
7. Open the package folder, and examine the contents. Note that the .sft file now has a 2 at the end of
its name. The entire folder now is copied into the content folder, and has replaced the original folder
on the App-V Server. You have upgraded the original package to a new version, which users will
receive the next time they launch the application.
Key Points
Occasionally you may wish to make changes to an application package without having to resequence the
entire application. For example, you may need to generate an .msi file for stand-alone clients, or create a
new file type association for an application. The Edit a Package feature allows you to open a package and
make certain types of changes, including:
Editing registry settings.
Adding or removing allowed operating systems.
Generating a .msi file.
Modifying the .osd file.
Adding file type associations.
Viewing package properties.
Renaming shortcuts.
Editing mappings for virtual file systems.
Limitations of Editing
You can perform only limited actions by using this method. Most importantly, you cannot apply updates
to an application, and additionally, you cannot:
Review all associated operating system file properties for a package.
Add additional services.
Add additional files.
Collect and configure associated security descriptors.
Apply security updates or upgrade to a new version.
Key Points
Package branching allows you to modify an existing package in some way, and then save it as a new
package. The primary advantage of this method is that you can run the upgrade process simultaneously
with the existing version. This allows users to run both versions. Users can test the updated application,
while still having access to the old version. Package branching is useful in the following circumstances:
You can stream upgraded application versions while still providing access to the previous versions.
You can use complex packages as a baseline for creating new or updated packages.
You can create specialized packages for specific users.
The process for branching is very similar to active upgrade. The difference is at the end of the process.
In active upgrade, you save the new package to overwrite the old one. In package branching, you
perform a Save As at the end of the process. The result of the Save As is essentially a completely new
SFT file. This is a new version of the application and you can import it to the App-V Management
Console.
When you want to branch an existing package, perform the following steps:
1. Copy the original application package that you want to modify to a clean Sequencer workstation.
2. In the Sequencer application, select the File menu, and then click Open. You can then select the
name of the .sprj file to be branched.
3. Use the Package Configuration Wizard to provide new values for the package name and path.
4. Update the HREF tag information on the Deployment tab. (You will need to modify the Path
parameter to reflect the name of the new folder you will save the package to.) Modify any other
required wizard options.
5. In the Sequencer application, select the File menu, and then click Save As. Choose a new file name
and Save In location. Be sure to select the check box next to Save As New Package. Provide a
unique Package root directory name and a new Package name.
Key Points
You may be able to install certain applications only on the local drive C, while other applications may
provide you with a choice of destination paths during installation. The former are hard-coded applications.
You can still sequence hard-coded applications, and then stream them to run from the client's virtual
drive (typically drive Q). You can accomplish this by performing a Virtual File System install. Note
that during the sequencing of a hard-coded application, the entire application runs from the Virtual File
System.
A high-level view of sequencing a hard-coded application includes the following steps:
1. During the Sequencer installation phase, you create a directory on drive Q for the application to use.
2. During the Monitoring task, you will receive a prompt in which you can select the primary directory
to which you want to install the application. Select both drive Q and the directory that you created
for the application. This causes the App-V Streaming Server to copy the entire application's assets to
the Virtual File System located on drive Q.
3. Let the application install, as required, to drive C.
4. The next sequencing task is the execution phase. During this phase, execute the application from the
virtual drive and root directory that you created during the installation phase. This will order the
blocks of code into units that the App-V Streaming Server will stream to the client in Feature Block 1
or Feature Block 2.
Key Points
For clients that are unable to connect to the streaming server, you can use the stand-alone deployment
model. In this model, you do not configure the App-V Client to connect to any App-V Management
Server delivery system. To deliver the virtual application to the client, you can create an .msi file that you
can deliver by using ESD technologies such as Microsoft System Center Configuration Manager.
The .msi file holds all .osd files, icons, and other information of the packaged application except for the .sft
file that makes up the actual application. The .sft file is not inside the .msi file because of size limitations of
Windows Installer.
The .msi file loads the metadata to the client, and it then uses the SFTMIME.exe utility to add and load the
application from the installation directory to the App-V Client cache. Additionally, you configure the .msi
file to load, by default, the .sft file from the same directory as the .msi file.
Note: For more information on deploying the .msi file, see Configuring a Client for Stand-Alone
Operation in Module 7 of this course.
To create the .msi file, you simply select the Generate Microsoft Windows Installer (MSI) Package
check box on the Deployment tab after the sequencing wizard completes. Then, when you save the
application, the App-V Management Server creates and saves the .msi file in the same directory as the rest
of the package files.
You can also generate an .msi file for applications for which sequencing occurred when you opened the
package for editing.
Question: From what location will the .msi file attempt to load the application code by default?
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1, 10324A-NYC-CL1, 10324A-NYC-SRV2, and 10324A-NYC-CL2
virtual machines are running.
3. If required, connect to the virtual machines. Log on to 10324A-NYC-DC1, 10324A-NYC-CL2, and
10324A-NYC-SRV2 as Contoso\Administrator using the password Pa$$w0rd.
4. Do not log on to 10324A-NYC-CL1 until directed to do so.
Results: After this exercise, you should have installed the App-V sequencer and created drive Q.
Results: After this exercise, you should have sequenced the Microsoft Office Word Viewer 2003.
Results: After this exercise, you should have copied the application to the content folder, and then
imported and tested the application.
Results: After this exercise, you should have upgraded a sequenced application, copied the application
to the Content folder, upgraded the package version, and tested the deployment.
Results: After this exercise, you should have sequenced a hard-coded application.
Review Questions
1. After you upgrade an application by using active upgrade, what task must users perform to receive
the updated application?
2. When performing package branching, what must you do at the end of the sequencing wizard to
create a new package?
3. What prerequisite software do you need to install the App-V sequencer?
4. You have deployed version 1 of an application, but version 2 now is available. You want to deploy it
to your users, and you must ensure that their personal settings from the application's current version
carry over to the new version. How do you accomplish this?
Module 10
Configuring Remote Desktop Services and RemoteApp
Contents:
Lesson 1: Overview of RDS
Lesson 2: Publishing RemoteApp Programs by Using RDS
Lesson 3: Accessing RemoteApp Programs from Clients
Lab: Configuring RDS and RemoteApp Programs
Module Overview
Remote Desktop Services (RDS) provide a form of virtualization known as presentation virtualization.
Although you connect to a remote desktop or to individual remote applications, your experience is similar
to running local applications on your computer. RDS features such as device redirection, single sign-on
(SSO), and Remote Desktop (RD) Easy Print mean that it is not easy to tell whether you
are using remote or local applications.
This module provides an overview of RDS and related role services, and the procedures for connecting to
an RD Session host. The module also describes RemoteApp programs and the methods for accessing
them. The module also explains how to use RD Gateway to access RDS infrastructure securely from an
external network.
Lesson 1
Overview of RDS
RDS is the new version of Terminal Services and it is a Windows Server 2008 R2 server role. Users can
access session-based desktops, virtual machine based desktops and remote applications from anywhere.
Clients connect to an RDS server by using Remote Desktop Protocol (RDP). RDP 7.0 provides improved
and new features, such as Windows Media redirection, Windows Aero Glass support, and true
multimonitor support. To benefit from the new and improved RDP features, you must use the Remote
Desktop Connection (RDC) 7.0 client, which is in Windows 7 and Windows Server 2008 R2. You also can
download the RDC 7.0 client for Windows XP Service Pack 3 (SP3), Windows Vista Service Pack 1 (SP1),
and newer operating systems.
What Is RDS?
Key Points
RDS, formerly known as Terminal Services, provides technologies that enable you to access session-based
desktops, virtual machine-based desktops, and remote applications that are running on centralized
servers. You can establish secure connections from a local network or from the Internet. RDS provides a rich
desktop and application experience and you can connect securely from managed or unmanaged devices.
Application consolidation. You can run and install programs from an RD Session Host server, and
eliminate the need for updating programs on each client computer.
Remote access. Users can access remote programs from devices such as home computers, kiosks, low-
powered hardware, and operating systems other than Windows.
Branch office access. RDS provides better program performance for branch office users who need
access to centralized data stores. Data-intensive programs often are not optimized for low-speed
connections, and such programs often perform better over an RDS connection than a typical wide
area network (WAN).
Key Points
The RDS role provides six role services, which have new names in Windows Server 2008 R2, and which
provide additional and improved features. RDS in Windows Server 2008 R2 introduces a new role service,
known as RD Virtualization Host. You use it in VDI scenarios to provide users with access to virtual
desktops.
The RDS role includes the role services that the following sections detail.
RD Session Host
You require the RD Session Host server role to enable RDS. The RD Session Host server runs Windows-
based programs and provides users with remote access to these programs or the full Windows desktop.
Users can connect to an RD Session Host server by using RDP, and then can run programs, save files, and
use network resources on that server.
RD Licensing
To use RDS, you must deploy an RD licensing server in your environment. When a client, either a user or a
device, connects to an RD Session Host server, the RD Session Host server determines if an RDS Client
Access License (CAL) is necessary. You can use RD Licensing to install, issue, and track the availability of
RDS CALs. For small deployments, you can install the RD Licensing and RD Session Host role service on the
same server.
Note: You must configure RD licensing mode within 120 days of adding the RD Session Host role
service, or RDS stops working.
RD Connection Broker
The RD Connection Broker role service provides load balancing and session reconnection services for RDS
sessions. When users connect to an RDS environment, and you deploy RD Connection Broker in the
environment, RD Connection Broker can balance the client connections across the available RD Session
hosts, and can reconnect clients to the same session host if the client is disconnected. RD Connection
Broker also connects users to the appropriate virtual machine in a VDI deployment.
RD Gateway
RD Gateway is an optional role service in an RDS deployment. RD Gateway enables remote users to access
applications running on session hosts by tunneling RDP traffic through Hypertext Transfer Protocol Secure
(HTTPS). This means users outside the company network can securely access the RDS environment without
first establishing a VPN.
RD Web Access
RD Web Access provides a user with an aggregated view of remote applications and desktop connections
via a Web browser or through the Start menu on Windows 7 computers. Using RD Web Access, a user can
view all remote applications and virtual desktops (personal virtual desktops and virtual desktop pools)
published to that user.
RD Virtualization Host
RD Virtualization Host integrates with the Microsoft Hyper-V role to host virtual machines and provide
them to users as virtual desktops. You can assign a unique virtual desktop to each user in your
organization or provide them shared access to a pool of virtual desktops.
Question: What is the new RDS role service that is included in RDS?
Key Points
Windows Server 2008 R2 enhances the Remote Desktop client experience for computers that are running
Windows 7, Windows Server 2008 R2 or RDC 7.0 clients. These enhancements improve the experience of
remote users by providing a look and feel similar to what users experience when they access resources
locally.
The following enhancements are available to Remote Desktop users when they connect to an RD Session
Host server:
Windows media redirection. This feature provides high-quality multimedia by redirecting Windows
media files and streams so that servers can send audio and video content in its original format to the
client, and render the content by using the client's local media playback capabilities.
True multimonitor support. This feature enables support for up to 16 monitors in any size, resolution,
or layout. The applications function just as they do when they run locally in multimonitor
configurations.
Audio input and recording. This feature supports any microphone connected to a user's local
computer. It enables audio recording support and speech recognition for RemoteApp and Remote
Desktop. This may be useful for organizations that use voice chat or Windows Speech Recognition.
Aero Glass support. This feature provides users with the ability to use Aero Glass on client
desktops, ensuring that the Remote Desktop sessions look and feel like local desktop sessions. You
must connect from a Windows 7 or Windows Server 2008 R2 client to take advantage of the Aero Glass
support.
Enhanced bitmap redirection. This feature improves the remote display of three-dimensional (3D) and
other media-rich applications, such as Adobe Flash and Microsoft Silverlight on the server.
Improved audio and video synchronization. RDP improvements provide closer synchronization of
audio and video.
Language bar redirection. This feature provides users with the ability to control the language settings
easily and seamlessly in RemoteApp programs by using the language bar.
Task scheduler. This feature ensures that scheduled applications never appear to users connecting
with RemoteApp and reduces user confusion.
Windows Server 2008 R2 and Windows 7 include RDC 7.0, and it is available for Windows XP SP3,
Windows Vista SP1, Windows Embedded Standard 2009, Windows Embedded POSReady 2009, and
newer operating systems.
Question: Are enhanced features that RDP 7.0 provides available just on Windows 7 and Windows Server
2008 R2 clients?
Key Points
Windows clients connect to RD Session Host by using the RDC client. RDC is included with the Windows
operating system and uses RDP to transfer user actions, mouse movements, keyboard inputs, and
redirected devices to the RD Session Host and graphical display from RD Session Host to the RDC client.
The RDC client can display the entire remote desktop or just the window of the running remote
application (RemoteApp program).
RDC is available in the Accessories folder in the Start menu, and it has the following configuration tabs:
General. On this tab, you can specify the RD Session Host server to which a user can connect and
user credentials. You also can save RDC connection settings in a text file with an .rdp extension.
Display. On this tab, you can choose the size of the remote desktop window, including the option to
run the remote desktop in full screen mode. You can select to use all local monitors for the remote
session, select color depth, and enable the connection bar when the remote desktop is running in full
screen mode.
Local Resources. On this tab, you can set remote audio settings, such as whether you want to enable
remote audio playback and recording. You also can specify the location where Windows shortcuts are
applied, and whether local devices and resources are available in the remote session. For example, you
can enable the option to make clipboard, local drives and printers, and devices that you plug in later
available in the remote session.
Programs. On this tab, you can specify the program that will start when you connect to the remote
computer. When you close the program, your session will log off.
Experience. On this tab, you can select the connection speed to optimize performance. You can
enable different features such as:
Desktop background
Font smoothing or visual styles in RDC
Note: We do not support Aero Glass for connections for which you enable multiple monitor support.
In this scenario, Aero Glass support is turned off.
Key Points
To establish a remote desktop connection, you must add the RDS role to the remote server and you must
have RDC, which is already included in the Windows operating system. Your user account must also be a
member of the Remote Desktop Users group on the remote server or have the appropriate user rights. You can
establish a remote desktop connection by running the RDC client, and then configuring the desired
options or loading them from the saved .rdp file.
In this demonstration, you will see how to establish a remote desktop connection.
Demonstration steps:
1. On the NYC-DC1 server, verify that Remote Desktop is enabled.
2. On the NYC-CL1 computer, start the RDC client and review its options.
3. On NYC-CL1, in the RDC client, configure the display resolution to 800 x 600 and NYC-DC1 as the
computer to which you want to connect, and then save the settings to a file.
4. Open the RDC configuration file, and then review the settings.
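The saved .rdp file is plain text, so the Local Resources choices described above can be reviewed before a connection file is handed to users, since each redirected resource is exposed to the remote server. The following Python is an added example, not part of the course material: the sample file is constructed to mirror the demonstration (NYC-DC1 at 800 x 600), its other values are illustrative, and a setting missing from a file falls back to the client's default, which this example does not model.

```python
"""List what a saved .rdp file redirects into the remote session (added example)."""
import codecs

# Constructed sample in the name:type:value form that RDC writes.
SAMPLE_LINES = [
    "screen mode id:i:1",
    "desktopwidth:i:800",
    "desktopheight:i:600",
    "full address:s:NYC-DC1",
    "redirectclipboard:i:1",
    "redirectprinters:i:1",
    "drivestoredirect:s:*",
    "devicestoredirect:s:*",
    "audiocapturemode:i:1",
    "alternate shell:s:",
]
# RDC commonly saves .rdp files as UTF-16 with a byte order mark.
SAMPLE_RDP = codecs.BOM_UTF16_LE + "\r\n".join(SAMPLE_LINES).encode("utf-16-le")

# Integer settings where 1 means the local resource is redirected.
FLAG_SETTINGS = {
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "serial ports",
    "audiocapturemode": "audio capture",
}
# String settings where any non-empty value ("*", a drive list,
# "DynamicDrives", "DynamicDevices") redirects something.
LIST_SETTINGS = {
    "drivestoredirect": "drives",
    "devicestoredirect": "devices",
}


def decode_rdp(raw):
    """Decode .rdp bytes, honouring a UTF-16 BOM and falling back to UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_rdp(raw):
    """Return {setting name: value}; integer settings become int."""
    settings = {}
    for line in decode_rdp(raw).splitlines():
        parts = line.strip().split(":", 2)  # the value may itself contain ':'
        if len(parts) != 3:
            continue
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                pass  # keep a malformed integer as text for the reviewer
        settings[name.lower()] = value
    return settings


def redirected_resources(settings):
    """Names of local resources the file exposes to the remote session."""
    exposed = [label for key, label in FLAG_SETTINGS.items()
               if settings.get(key) == 1]
    exposed += [label for key, label in LIST_SETTINGS.items()
                if str(settings.get(key, "")).strip()]
    return sorted(exposed)


def summarize(raw):
    """Target, resolution, start program and redirections for one .rdp file."""
    s = parse_rdp(raw)
    return {
        "target": s.get("full address"),
        "resolution": (s.get("desktopwidth"), s.get("desktopheight")),
        "start_program": s.get("alternate shell") or None,
        "redirected": redirected_resources(s),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RDP).items():
        print(f"{key}: {value}")
```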
Lesson 2
Publishing RemoteApp Programs by Using RDS
When you install an RD Session Host server, users can access the entire remote desktop, including the
Start menu and all installed applications. However, on an RD Session Host server, you can publish
individual applications and make them available to remote users, without providing the user access to the
full remote desktop. Those published remote applications are called RemoteApp programs, and they
integrate seamlessly with local applications that run on the client. You can list remote applications on the
RD Web Access Web page and by using RemoteApp User Assignment, and you can make remote
applications visible only for selected users.
Key Points
In previous versions of Windows Server, when you connected to a Terminal Server, you always accessed the full
remote desktop. The full remote desktop looks similar to the local desktop, and you could easily confuse
the local and remote environments. In Windows Server 2008 and newer versions, users have the
option to choose between a full remote desktop and an individual remote application window. The
individual application window integrates with the client desktop, runs in its own resizable window, and
has its own entry in the taskbar. If the remote application uses a notification area icon, this icon appears in
the client's notification area. RDS redirects the dialog boxes and other windows to the local desktop. You
also can redirect local drives and printers and make them available in the remote
applications. The applications that run on the RD Session Host server and appear as if they were running
on the local computer are called RemoteApp programs. Users might not be aware that RemoteApp
programs are running remotely and such programs run side by side with locally installed applications. If
you run more than one remote application on the same RD Session Host server, RemoteApp programs
share the same RD session.
There are several scenarios where RemoteApp programs are especially useful:
• Remote users: Users often need to access applications from remote locations, such as while working
from home or while traveling. RemoteApp programs allow these users to access these applications
over an Internet connection. Using RemoteApp programs with RD Gateway helps ensure secure
remote access to the applications. Additionally, you can choose to allow users to access remote
applications through a Web page or integrate the applications on the Start menu of Windows 7 users
with RD Web Access.
• Line of Business applications deployment: Companies often need to run consistent Line of Business
(LOB) applications on computers that are running different Microsoft Windows versions and
configurations. Instead of deploying the LOB applications to all the computers in the company, you
can install applications on an RD Session Host server and make them available as RemoteApp
programs.
• Roaming users: In some companies, a user may work on several different computers. If users are
working on a computer where the application is not installed, they can access the application
remotely through RDS.
• Branch offices: In a branch office environment, there may be limited local IT support and limited
network bandwidth. By using RemoteApp programs, you can centralize management of applications
and improve the performance of remote applications in limited bandwidth scenarios.
To access RemoteApp programs, you must be using at least RDC 6.0, and to access RemoteApp programs
through RD Web Access, you must be using RDC 6.1 or newer.
Key Points
Before you can access and run RemoteApp programs, you must first configure the server to host them,
make them available, and then allow RDP user connections to the server. Because you run RemoteApp
programs on the RD Session Host server, you must first add the RDS role to the server, and then add the
RD Session Host role service. After that, you need to install the applications that will be available as
RemoteApp programs, such as the Microsoft Office suite.
Note: If you have programs that have dependencies on each other, you should install the programs on
the same RD Session Host server. For example, you should install Microsoft Office as a suite on the
same server instead of installing individual Office programs on separate RD Session Host servers.
When you add the RD Session Host role service, you enable remote desktop connections by default, even
if they were not enabled before. If users or groups need to connect to the RD Session Host server to
access Remote Desktop or run RemoteApp programs, then you must add them to the Remote Desktop
Users group or grant them privileges to Allow log on through Remote Desktop Services.
After you prepare the RD Session Host server, you can use RemoteApp Manager to manage RemoteApp
programs. To make a RemoteApp program available, you must add the program to the RemoteApp
Programs list.
Note: The Choose programs to add to the RemoteApp Programs list page displays the same
programs that the All Users Start menu on the RD Session Host server contains. If the program that
you want to add to the RemoteApp Programs list is not visible in Choose programs to add to the
RemoteApp Programs list, click Browse, and then specify the location of the program's .exe file.
Note: In Windows Server 2008 R2, you can install Windows Installer packages normally on the RD
Session Host server, and then propagate the per-user install settings correctly. This removes the need
to put the server in install mode.
You can configure global deployment settings that apply to all RemoteApp programs in the RemoteApp
Programs list. Windows uses these settings by default if you create .rdp files or Windows Installer
packages from any of the listed RemoteApp programs. These global deployment settings include:
• RD Session Host server settings
• RD Gateway settings
• Common RDP settings
• Custom RDP settings
• Digital signature settings
Question: Which RDS role service do you require to publish a RemoteApp program?
Key Points
You can distribute links to RemoteApp programs in different ways. One of the options is to use RD Web
Access, where you can control visibility of the RemoteApp programs by using RemoteApp User
Assignment. You can also specify if a RemoteApp program is available through RD Web Access or not.
Other distribution options include creating and copying a .rdp file that connects and starts a remote
application or creating and deploying a Windows Installer package that installs a link to the RemoteApp
program. By using one of these two methods, you can specify additional settings, such as the RD Session
Host server or the RD farm to which a user should connect to run a RemoteApp program, as well as the
RD Gateway that is used when users run the RemoteApp program over a public network. When you create
a Windows Installer package, you also can specify if you want to associate file extensions with a
RemoteApp program.
You can use RemoteApp Manager on the RD Session Host server to create and configure an .rdp file or a
Windows Installer package for a RemoteApp program. This creates an .rdp or .msi file in the local
Packaged Programs folder, and you can deploy them to the clients by using one of the following
methods:
• Copying the .rdp file or installing the .msi file
• Using Group Policy
• Configuring Group Policy preferences
• Using a software distribution system, such as Microsoft System Center Configuration Manager
Depending on the deployment method that you use, you can run RemoteApp programs by:
• Clicking a link to the program on the RD Web Access Web site
• Double-clicking a .rdp file (which could be available locally or on a file share)
• Double-clicking a program icon on the desktop or in the Start menu
• Double-clicking a file with a file extension that is associated with the RemoteApp program
Question: Why would you distribute links to published RemoteApp programs to your users?
Key Points
RD Connection Broker enhances the user experience when connecting to RD Session Hosts that are part
of a load-balanced farm. RD Connection Broker supports load balancing and reconnection to existing
sessions on virtual desktops, Remote Desktop sessions, and RemoteApp programs. RD Connection Broker
also aggregates a list of available RemoteApp programs and virtual desktops from multiple servers.
RD Connection Broker keeps track of user sessions in a load-balanced RD Session Host server farm. The
RD Connection Broker database stores session information, including the name of the RD Session Host
server where each session resides, as well as the session state, session identifier (ID), and the user name
associated with the session. RD Connection Broker uses this information to redirect a user who has an
existing session to the RD Session Host server where the user's session resides.
If a user disconnects from a session intentionally or because of a network failure, the applications that the
user is running will continue to run on the RD Session Host server. When the user reconnects, the Remote
Desktop client queries the RD Connection Broker to determine whether the user has an existing session,
and if so, on which RD Session Host server. If there is an existing session, RD Connection Broker redirects
the client to the RD Session Host server where the session exists.
The RD Connection Broker load balancing feature enables you to distribute the session load between
servers in a load-balanced RDS server farm. When a user without an existing session connects to an RD
Session Host server in the load-balanced RD Session Host server farm, RD Connection Broker load
balancing redirects the user to the RD Session Host server with the fewest sessions. If a user with an
existing session reconnects, RD Connection Broker load balancing redirects the user to the RD Session
Host server where the user's existing session resides. To distribute the session load between more
powerful and less powerful servers in the farm, you can assign a relative server-weight value to a server.
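Added example (not part of the original courseware, and not Microsoft's implementation): a small model of the redirection decisions described above. A user with an existing session, active or disconnected, goes back to the server that holds it; a new user goes to the least-loaded server. The server names are hypothetical, and treating load as session count divided by relative weight is an assumption of this example, because the text does not say how the weight is applied.

```python
from fractions import Fraction
from itertools import count


class ConnectionBroker:
    """Toy session directory for a load-balanced RD Session Host farm."""

    def __init__(self, weights):
        # weights: server name -> relative server weight (hypothetical values)
        self.weights = dict(weights)
        # user name -> {"server", "state", "id"}; mirrors the session data the
        # text lists: server name, session state, session ID and user name.
        self.sessions = {}
        self._ids = count(1)

    def load(self, server):
        """Sessions on the server divided by its weight (assumed formula).

        Disconnected sessions count too, because their applications keep
        running on the server. Fraction avoids float rounding on ties.
        """
        held = sum(1 for s in self.sessions.values() if s["server"] == server)
        return Fraction(held, self.weights[server])

    def connect(self, user):
        """Return the server the client is redirected to."""
        key = user.lower()
        session = self.sessions.get(key)
        if session is not None:
            # Existing session: always send the user back to it.
            session["state"] = "active"
            return session["server"]
        # New session: least-loaded server, ties broken by server name.
        server = min(sorted(self.weights), key=self.load)
        self.sessions[key] = {"server": server, "state": "active", "id": next(self._ids)}
        return server

    def disconnect(self, user):
        """Network drop or deliberate disconnect: the session stays on the server."""
        self.sessions[user.lower()]["state"] = "disconnected"

    def logoff(self, user):
        """Logging off ends the session, so the next connect is balanced afresh."""
        self.sessions.pop(user.lower(), None)


def place(weights, users):
    """Connect each user once and return the list of chosen servers."""
    broker = ConnectionBroker(weights)
    return [broker.connect(u) for u in users]


if __name__ == "__main__":
    broker = ConnectionBroker({"RDSH-1": 100, "RDSH-2": 100})
    print(broker.connect("alice"), broker.connect("bob"))
    broker.disconnect("alice")
    print(broker.connect("carol"), broker.connect("alice"))
```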
To participate in an RD Connection Broker farm, the RD Session Host server must be a member of the
following:
• An Active Directory Domain Services (AD DS) domain
• The Session Broker Computers local group on the RD Connection Broker server
• A load-balanced RD Session Host server farm
Note: To avoid a single point of failure, you can configure the RD Connection Broker role service in
the Windows Server 2008 R2 failover cluster.
Question: Is it necessary to use RD Connection Broker if you want to list RemoteApp programs from
multiple sources on the RD Web Access Web page?
Key Points
RD Web Access is the RDS role service that provides a single place to list available RemoteApp programs,
remote desktops, and virtual desktops. You can access RD Web Access from a Web browser. Then, on
Windows 7 clients, you can integrate the list of available resources with the Start menu by using
RemoteApp and Desktop Connections. When you install RD Web Access, Web Server, or Microsoft
Internet Information Services (IIS), also is installed as a required component.
Benefits of using RD Web Access include:
• Authorized users can quickly access a list of available RemoteApp programs, remote desktops, and
virtual desktops from anywhere, on the Web page.
• You can modify the list of available resources easily without the need to distribute, install, and
uninstall applications on the local computers.
• RD Web Access provides a simple out-of-the box solution, while providing an infrastructure that can
be used for more complex scenarios.
• Users can launch the RDC client from the RD Web Access Web site, which enables users to connect
remotely to the desktop of any computer where they have Remote Desktop access.
Note: RD Web Access does not require Windows 7 clients, but to establish a connection, the client
computers must be using RDC 6.1 or newer, and Internet Explorer 6 or newer.
When a user starts a RemoteApp program, an RDS session also starts on the RD Session Host server that
hosts the RemoteApp program. When a user connects to a virtual desktop, the RD Session Host Server
makes an RDC to a virtual machine that is running on an RD Virtualization Host server.
Note: RD Web Access only provides a link to launch RemoteApp programs or to connect to a Remote
Desktop session. RD Web Access does not proxy the client request. For the user to run the application,
or connect to the virtual machine or remote desktop, the client must be able to communicate with the
RD Session Host server, the RD Virtualization Host server, or with the computer on which you enable
the remote desktop.
Key Points
RDS introduces the RemoteApp User Assignment feature in Windows Server 2008 R2, and it provides you
with the ability to configure a personalized list of RemoteApp programs. Before this feature became
available, the same list of RemoteApp programs and Desktop Connections was available for all users. With
RemoteApp User Assignment, each user gets a personalized list, which displays the user's available
RemoteApp programs, desktop connections, and virtual desktops.
You can implement the RemoteApp User Assignment feature by adding an access control list (ACL) to the
RemoteApp program link. When a user logs on to RD Web Access, it obtains from the RD Session Host
servers the list of available RemoteApp programs for the user or group of which the user is a member. If
you configure RD Web Access to obtain the list of available RemoteApp programs from one or more RD
Session Host servers, RD Web Access directly queries the servers. If you configure RD Web Access to
obtain the list of available RemoteApp programs from RD Connection Broker, the RD Connection Broker
server queries the RD Session Host servers, and then filters the list of RemoteApp programs. By default,
when you publish a RemoteApp program, all users can see the published RemoteApp program. You can
change the User Assignment through RemoteApp program properties or by using Windows PowerShell.
Here are some factors to consider when you are establishing a RemoteApp User Assignment:
• You can assign the RemoteApp programs only to domain users or domain groups, not local users or
local groups.
• The computer that performs the check of a user's credentials against the RemoteApp User
Assignment settings must be a member of the domain's Windows Authorization Access Group or be
joined to a domain that is running in Windows 2000 compatibility mode.
Note: RemoteApp User Assignment is not a security feature. It is a discoverability mechanism. There
are other ways to secure access to an RD Session Host server, and the RemoteApp User Assignment
feature does nothing to change or improve upon these methods. This feature only helps reduce the
number of unnecessary applications that display to users.
Key Points
In this demonstration, you will see how RD Web Access can retrieve and aggregate a list of available
RemoteApp programs from multiple RD Session Host servers. You also will see how to assign a RemoteApp
program to a user or group.
Demonstration steps:
1. On the NYC-SVR1 server, configure RD Web Access to retrieve the aggregated list of RemoteApp
programs from the NYC-SVR1 and NYC-DC1 servers.
2. Publish Calculator and Paint as RemoteApp programs on NYC-DC1.
3. Publish Notepad and WordPad as RemoteApp programs on NYC-SVR1.
4. On NYC-SVR1, on the RD Web Access page as administrator, verify the available RemoteApp
programs.
5. On NYC-SVR1, assign the WordPad RemoteApp program to contoso\ruser.
6. On NYC-SVR1, refresh Internet Explorer, and then verify that WordPad is not listed.
Lesson 3
Accessing RemoteApp Programs from Clients
If you configure RemoteApp programs properly, you can seamlessly integrate these programs and users
usually cannot distinguish between RemoteApp programs and local applications. You can access
RemoteApp programs in different ways: via the RD Web Access Web site, by using the .rdp file, by clicking
the installed RemoteApp icon, by opening a file with an extension associated with a RemoteApp program, or
by running it from the Start menu. When you configure additional options, such as a trusted .rdp publisher,
SSO, and device redirection, user experience with RemoteApp programs is almost identical to locally
running applications. With the RD Easy Print feature, printing from remote applications is similar to
printing from local applications.
When you configure and use RD Gateway, you can access RemoteApp programs from anywhere. The RDP
protocol provides security by encrypting the traffic, but RD Gateway provides an additional level of security
by encapsulating and encrypting RDP traffic inside HTTPS packets. RD Gateway enables secure access to
RDS servers from a public network, without first establishing a VPN connection.
Key Points
When you log on to RD Web Access, RD Web Access displays the list of available RemoteApp programs.
You can start RemoteApp programs from the RD Web Access Web page, but you should be aware that
you use RDC to connect to the RDS server. RD Web Access provides links only to start the remote
applications. You can also start a full remote desktop session from RD Web Access or connect to a virtual
desktop, when the VDI infrastructure is in place. You use the HTTP protocol to connect to the RD Web
Access Web site and the RDP protocol to connect to remote applications or remote desktops.
When you start a RemoteApp program in the default configuration, you will see a warning that the
publisher of the RemoteApp program cannot be identified, and that you must decide if you want to
continue. This is because the .rdp files are unsigned. To avoid this warning, you must configure the digital
signature settings, and then specify a trusted digital certificate on the RD Session Host server. However,
even when you configure digital signing, users will continue to receive notifications when they run
RemoteApp programs. The only way to avoid notifications is to configure thumbprints of the trusted .rdp
publisher certificates in Group Policy.
You also receive a prompt to enter your user credentials. Even when you are logged on to the domain
account, you need to provide credentials for running a RemoteApp program. You can avoid this prompt
by configuring SSO. This lesson details SSO later.
After the RemoteApp program starts, its look and feel is similar to a locally installed application. You can
recognize a RemoteApp application by the (Remote) suffix in Task Manager and the slightly modified
icon on the taskbar.
Question: How is running a RemoteApp program in default configuration different from running a locally
installed application?
Key Points
In Windows Server 2008 R2, RDS provides the ability to group and personalize RemoteApp programs, as
well as virtual desktops, and make them available on the Start menu of a computer that is running
Windows 7. This feature is known as RemoteApp and Desktop Connections.
RemoteApp and Desktop Connections works with a new feature of RD Web Access--the RemoteApp and
Desktop Connections feed. Instead of presenting RemoteApp programs in the form of a Web page, this
feed presents the programs in the form of an XML document, which it parses and displays on the Start
menu of the Windows 7 or Windows Server 2008 R2 client. With RemoteApp and Desktop Connections,
you subscribe to a feed of RemoteApp programs by providing the client with the feed's URL, typically in
the form of https://contoso.com/RDWeb/Feed/webfeed.aspx. Then, it updates and places a list of
published resources automatically in the user's Start menu.
The RemoteApp and Desktop Connections feature offers several benefits, which include:
• RemoteApp programs launch from the Start menu, just like a locally installed application.
• Published RDCs and virtual desktops are included together with RemoteApp programs on the Start
menu.
• Changes to the available resources, such as newly published RemoteApp programs, update
automatically.
• Users can access and launch RemoteApp programs easily with Windows Search.
• RemoteApp and Desktop Connections does not require domain membership for client computers.
• RemoteApp and Desktop Connections is built on standard technologies, such as XML and HTTPS,
which makes it possible for developers to build solutions around it.
You can create a client configuration file (.wcx) in the Remote Desktop Connection Manager console and
distribute it to the users. You can also write and distribute a script to run the client configuration file
automatically, so that RemoteApp and Desktop Connections is set up automatically when the user logs on
to a Windows 7 computer.
Note: If users are not running Windows 7, they can access resources available through RemoteApp
and Desktop Connections from a Web browser, by signing on to the RD Web Access server.
Note: If you require Secure Sockets Layer (SSL) for clients to access the RD Web Access server and you
deploy RemoteApp and Desktop Connections, you must install a certificate that client computers trust
on the RD Web Access server. If the clients do not trust the certificate, the updates from the RD Web
Access server will fail.
Key Points
In this demonstration, you will see how to access a RemoteApp program by using the RD Web Access Web
page and a locally available RemoteApp program link. You will also see how to package and distribute links
for RemoteApp programs.
Demonstration steps:
1. On NYC-CL1, navigate to the RD Web Access Web page as contoso\ruser.
2. Start the Notepad RemoteApp program, compare it with the local application, and then close it.
3. On the NYC-SVR1 server, create a Windows Installer package for the WordPad RemoteApp program.
Select to associate client extensions with this RemoteApp program, and share the folder to which the
Windows Installer package is saved.
4. On NYC-CL1, run the Windows Installer package from the share.
5. On NYC-CL1, create a file with a .docx extension. Double-click it, and verify that it opens in the
WordPad RemoteApp program.
Question: What is the benefit of using the Windows Installer package to distribute RemoteApp programs
instead of using an .rdp file?
What Is SSO?
Key Points
SSO is an authentication method that allows domain users to log on once, using a password or a smart
card, and then gain access to remote servers without having to enter their credentials again. If you use the
same user account on your local computer and RD Session Host server, enabling SSO will allow you to
connect to RD Session Host server seamlessly, without having to type your password again. You typically
use SSO when you deploy line-of-business (LOB) applications or centralized applications.
Due to lower maintenance costs, many companies prefer to install their LOB applications on an RD
Session Host server, and then make these applications available as RemoteApp programs or through
remote desktop. SSO makes it possible to give users a better experience by eliminating the need for them
to enter credentials every time they initiate a remote session.
To implement the SSO functionality in RDS, ensure that you meet the following requirements:
• Users can use SSO for remote connections only from a Windows XP SP3 or newer operating system to
connect to a Windows Server 2008 Terminal Server or Windows Server 2008 R2 RDS Session Host.
• If the server to which you are connecting cannot be authenticated via Kerberos or SSL certificate, SSO
will not work.
• If you have saved credentials for the target machine, they take precedence over the current
credentials.
• If the terminal server is configured to Always prompt, or the RDP file setting is Always prompt, then SSO
will not work.
• User accounts that are used for logging on have appropriate rights to log on to both the RD Session
Host and the Windows client.
• The client computer and RD Session Host must be joined to a domain.
Note: You can enable SSO by using domain or local Group Policy. You should configure the Allow
Delegating Default Credentials setting in the Computer part of Group Policy.
Question: What is the advantage of using SSO when you start a RemoteApp program?
Key Points
When you configure device redirection, you can use the redirected device in a remote desktop session.
You can redirect most devices, including printers, smart cards, serial ports, drives, Plug and Play devices,
and media players based on the Media Transfer Protocol (MTP). You can also redirect digital cameras based on the
Picture Transfer Protocol (PTP). When the user connects to the RD Session Host server, the Plug and Play
device that is redirected automatically installs on the remote RDS server and Plug and Play notifications
appear in the notification area on the remote computer. If you select the Devices that I plug in later
check box in the RDC client, the Plug and Play device is installed on the remote computer when you
connect the device in the local computer during the remote desktop session. After RD Session Host server
installs the redirected Plug and Play device on the remote computer, the Plug and Play device is available
for use in a session. For example, if the digital camera is redirected, you can access it from Scanner and
Camera Wizard on the remote computer in the Remote Desktop session.
Plug and Play device redirection is not supported over cascaded RDCs. This means that when you connect
remotely to one RD Session Host server, and from within that session you connect to another RDS server,
the second connection is cascaded. For example, you can redirect, and then use, a Plug and Play device
attached to your local computer when you connect to a remote computer. However, if you connect to a
second remote computer from the first one, you cannot redirect and use the Plug and Play device with
the second computer.
Note: Due to security restrictions, you cannot copy a file from a remote computer to the root folder of
a drive on the computer unless you are logged on using the default computer administrator account.
Note: You can control device redirection by using Group Policy settings.
Question: Can you redirect only the devices that are connected locally when you establish a remote
connection?
Key Points
In this demonstration, you will see how to use the device redirection feature.
Demonstration steps:
1. On NYC-CL1, establish an RDC as Administrator to the NYC-DC1 server, without redirecting the
printers to the session.
2. Verify that the local drives are redirected and available in the remote session. Assess the redirected C:
drive.
3. Verify that the files are on the local drive C, and then log off the RDC.
Key Points
The RD Easy Print feature enables you to print from a RemoteApp program or from a Remote Desktop
session to the local or network printers that you configure on the client computer, without having to
install printer drivers on the RD Session Host server. The RD Easy Print feature uses the print drivers
installed locally on the client to print from a RD session, which results in a consistent printing experience
between local and remote sessions.
When you print from the RD session to a local printer, you can see the full printer properties dialog box
from the client and you can access all of the printer functionality. RD Easy Print universal driver acts as a
proxy and redirects all printing-related work to the client, even if the drivers are not available on the RD
Session Host server. RD Easy Print renders the document to be printed in XPS format on the RD Session
Host server and then transfers it to the client, where the local print driver prints the document. Because
XPS documents are platform-independent and you can create and print them on x86 and x64 platforms, there are
no cross-platform compatibility issues when using RD Easy Print.
You can use Group Policy to configure RD printer redirection options, such as limiting the number of
printers that are redirected to just the default printer or using the RD Easy Print printer driver first.
To use the RD Easy Print feature, clients must run RDC 6.1 or newer and have at least Microsoft .NET
Framework 3.0 Service Pack 1 installed. Both of these components are included with the current Windows
operating systems and are available for download for Windows Vista and earlier client operating systems.
Key Points
RD Gateway is a role service in the RDS role that allows authorized remote users to connect to RD Session
Host and remote desktop computers that you host behind firewalls on private networks and across
Network Address Translation (NAT) devices. More specifically, RD Gateway enables authorized remote
users to connect to terminal servers, RD Session Host servers, and remote desktops on the corporate
network from any Internet-connected device that is running RDC 6.0 or newer. RD Gateway tunnels all
RDP traffic over HTTPS to provide a secure, encrypted connection. All traffic between the user's client
computer and RD Gateway is encrypted while in transit over the Internet.
When the perimeter network receives data through an external firewall, RD Gateway decrypts HTTPS and
contacts the domain controller to authenticate the connection. RD Gateway also contacts the network
policy server to verify if the user can cross the gateway and contact the RDS host. If the user receives
validation, and the connection is allowed, RD Gateway passes the RDP traffic to the destination host and
establishes a security-enhanced connection between the user who sends the data and the destination
host.
RD Gateway eliminates the need to configure VPN connections, enabling remote users to connect to the
corporate network through the Internet, while providing a comprehensive security configuration model
that enables you to control access to specific resources on the network. The RD Gateway Management
snap-in console provides a single, one-stop tool that enables you to configure policies to define
conditions that users must meet to connect to resources on the network.
RD Gateway:
• Provides a comprehensive security configuration model that enables you to control access to specific
internal network resources.
• Provides a secure and flexible RDP connection that allows users to access resources to which their
RDP host has access, and prevents remote users from having direct network connectivity to all internal network
resources. This helps protect the internal resources.
• Enables remote users to connect to internal network resources that are hosted behind firewalls on
private networks and across NAT devices.
• Enables you to configure authorization policies to define conditions for remote users to connect to
internal network resources by using RD Gateway Manager.
• Enables you to configure RD Gateway servers and Remote Desktop clients to use Network Access
Protection (NAP) to enhance security.
• Provides tools to help you monitor the RD Gateway connection status, health, and events. By using
RD Gateway Manager, you can specify events such as unsuccessful connection attempts to the RD
Gateway server that you want to monitor for auditing purposes.
Key Points
To function correctly, RD Gateway requires that you install, and run, several other Windows Server 2008
R2 role services and features. When you install the RD Gateway role service, the required server roles and
services are installed and started automatically, if they are not already installed.
In this demonstration, you will see how to configure the RD Gateway by performing the following steps:
• Install the TS Gateway role service.
• Obtain and configure an SSL certificate for the RD Gateway server.
• Create a Remote Desktop connection authorization policy (RD CAP).
• Create a Remote Desktop resource authorization policy (RD RAP).
• Limit the maximum number of simultaneous connections through RD Gateway (optional).
Demonstration steps:
1. On the NYC-SVR1 server, configure RD Gateway to use the external.contoso.msft digital certificate.
2. On the NYC-SVR1 server, create a new Connection Authorization Policy, and then name it
Authorized Remote Users.
3. Allow RD Users to connect through RD Gateway, and accept default options for other settings.
4. On the NYC-SVR1 server, create a new Resource Authorization Policy, and then name it
Authorized Target Computers.
5. Allow members of RD Users group to connect to computers in RD Web Computers group and
accept other default settings.
Question: What will be the consequences if you skip one of the steps in configuring RD Gateway such as
not configuring RD CAP?
Key Points
Although you can set most RD connection properties by using the administrative tools or the RDC client,
you might want to set them by using Group Policy. Using Group Policy typically is a simpler method for
configuring RDS, especially in an environment with multiple RDS servers.
Group Policy provides many RDS-related settings in both Computer Configuration and User Configuration.
They are available under Administrative Templates, in the Windows Components part of the Group Policy
settings. By using Group Policy, you can configure the following properties:
RD Licensing and Security settings, such as client connection encryption level and prompt for
password.
Remote Session and Environment settings, such as display resolution, color depth, font smoothing, or
session time limits.
RDC Client settings, such as trusted .rdp publisher.
RD Client settings, such as redirection of devices, printers, and resources.
Do not forget that some Group Policy settings, such as Credentials Delegation, which is required for SSO,
also apply to remote desktop sessions!
Note: RDS settings that you configure by using Group Policy take precedence over the user account
properties that you configure in the Active Directory Users and Computers snap-in, and the
per-connection settings that you configure by using the Remote Desktop Session Host Configuration
snap-in.
Question: What is the result if you configure the same RDC Group Policy setting in the Computer
Configuration node, as well as in the User Configuration node?
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1, 10324A-NYC-SVR1, and 10324A-NYC-CL1 virtual machines are
running.
3. If required, connect to the virtual machines. Log on to 10324A-NYC-DC1, and 10324A-NYC-SVR1
as Contoso\Administrator using the password Pa$$w0rd.
4. Log on to 10324A-NYC-CL1 as Contoso\ruser using the password Pa$$w0rd.
Task 1: Add the Remote Desktop Service role to the NYC-DC1 server
1. On NYC-DC1, add the Remote Desktop Session Host role service of the Remote Desktop Services
role. Specify Require Network Level Authentication for Authentication Method, and then accept
the default values for the other settings.
2. After the restart, log on to NYC-DC1 as Contoso\Administrator with Pa$$w0rd as the password.
Task 2: Add the Remote Desktop Service role to the NYC-SVR1 server
1. On NYC-SVR1, add the Remote Desktop Session Host, Remote Desktop Connection Broker, and
Remote Desktop Web Access role services of the Remote Desktop Services role. Specify Require
Network Level Authentication for Authentication Method, and accept the default values for the
other settings.
2. After the restart, log on to NYC-SVR1 as Contoso\Administrator with Pa$$w0rd as the password.
Results: After this exercise, you should have added the RDS role to the NYC-DC1 and NYC-SVR1
servers and configured group membership to allow access to the RD Web Access server.
Task 3: Configure Remote Desktop Web Access to use Remote Desktop Connection
Broker
1. On NYC-SVR1, use Remote Desktop Web Access Configuration to configure RD Web Access to use
NYC-SVR1.contoso.com as the RD Connection Broker server.
2. Verify that the Enterprise Remote Access Web page displays four RemoteApp published
applications.
Results: After this exercise, you have several published RemoteApp programs on two RD Session Host
servers. You also have configured RD Web Access to use RD Connection Broker, which aggregates a list
of available RemoteApp programs, and you tested access to the RD Web Access Web page and
RemoteApp User Assignment.
Note: Do not highlight the leading or ending space in the thumbprint box!
3. Paste the Thumbprint field value into the Comma-separated list of SHA1 trusted certificate thumbprints
entry box of the Group Policy setting.
4. On NYC-CL1, in Internet Explorer, click Notepad, and then verify that it starts without any prompts.
Results: After this exercise, you have configured digital signing for .rdp files and a trusted .rdp publisher,
and enabled SSO for the NYC-CL1 computer. You also created a Windows Installer package for a RemoteApp
program, installed it, and tested how RemoteApp and Desktop Connections works.
Review Questions
1. Do you need to install the RDS role if you only want to provide Remote Desktop access for remote
administration?
2. Is the RD Web Access role service required if you want to provide RemoteApp program access for
your clients?
3. Can you connect from a Windows Vista SP1 client to an RD Session Host server on Windows Server 2008
R2?
4. How can you control who sees the RemoteApp program link on the RD Web Access Web page?
5. What benefits does SSO provide when you run RemoteApp programs and where can you configure
it?
6. Does RD Gateway provide full end-to-end protection of RDP traffic?
Module 11
Implementing User State Virtualization
Contents:
Lesson 1: Overview of User State
Lesson 2: Configuring Roaming Profiles and Folder Redirection
Lab: Implementing User State Virtualization
Module Overview
User state virtualization is a concept that allows administrators to provide more flexible client
environments, and to give users the ability to have their documents and settings follow them from
computer to computer. This concept also makes it easier to back up and centralize user data, and
to prevent data loss. By virtualizing user state, you give users the ability to have their data always
with them, no matter which machine they log on to. This technology can be combined with other
virtualization technologies.
This module discusses technologies that provide user state virtualization and the various ways to provide
virtualization. This module also discusses how to configure roaming profiles and user folder redirection
as part of user state.
Lesson 1
Overview of User State
User state consists of several operating system files from users' documents, data, and settings. The user
state represents the whole environment that makes a user unique to the system. Many users spend significant
time customizing and configuring their environment items, such as desktop wallpaper, screen savers, and
other unique Windows operating system elements. They usually expect these settings to be available to
them, no matter which computer they use.
Files and settings that contain user state are usually stored locally on the computer where the user is
working. They can also be placed on a network location, so that they follow the user to all computers that
the user logs on to.
This lesson discusses user state and user profiles, their types, and usage scenarios.
Key Points
User state is a general term that describes several categories that determine the user environment, user
data, and settings. User state cannot be identified with one specific file or setting; rather, it is a set of
various files and settings. In operating systems such as Windows Vista and Windows 7, the user state
separates the user environment, files, and settings from the files and settings specific to the installed
operating system, as well as from those belonging to applications.
Also, user state is specific to each user of a computer, which means that every user has his own user state
that is mostly independent of other users.
The user state includes the user's data as well as application or operating system configuration settings.
Traditionally, users' PCs contain the authoritative copy of users' data and settings.
Note: User state is often equated with a user profile; however, when it comes to virtualization, the
term user state is used to describe the process of how data from a user profile moves with the user.
Application data. This is one of the folders that are part of user state. This folder contains mostly
application settings specific to a user. For example, if a user installs Microsoft Word and personalizes
its settings to fit his needs (for example, adjusts toolbars or sets the language), these settings are stored
in the Application Data folder. In Windows 7, this folder is called AppData and it is stored inside the user's
profile folder. In previous versions of Windows, such as Windows XP, the Application Data folder stores
application-related data with little or no separation of user-related and computer-related application
settings. In Windows 7, the AppData folder replaces Application Data, and provides a high degree of
separation between user-related and computer-related application settings.
User data. This component contains all user-specific data, such as files in the My Documents folder,
Favorites folder, Pictures folder, etc.
Question: What is the main difference in handling user state in Windows XP compared to Windows Vista
and Windows 7?
Key Points
Before discussing virtualization of user state, let us discuss some of the main challenges of user state
management in general.
There are three main challenges in managing user state.
The first challenge is how to back up user data and settings that are scattered from PC to PC, and then
restore users' productivity after a computer replacement or after a laptop is lost or stolen. Many users
make a lot of changes to their environment, and save a lot of data inside their user profiles. Because files
are stored locally, it might be hard to back up this data, as well as to restore it on a new PC if necessary.
The second challenge is how to migrate the user state during operating system migrations. Currently, this
challenge is mostly addressed by using the Windows Easy Transfer and User State Migration Tool (USMT)
utilities. While Windows Easy Transfer is mostly intended for single use, USMT can be used in enterprises
during operating system migrations. However, users might not be aware of or familiar with these utilities,
and using these utilities requires additional time and resources.
The final challenge is how to make the data available to the user regardless of the PC being used. In many
companies, users use several computers, sometimes even in different office locations. It can be
difficult to give a user access to his data and settings all the time and on every computer.
Also, if you want to provide users with the same environment when they are using Remote Desktop Services
(RDS) with Terminal Services or with Virtual PC (like Windows XP Mode), it might be difficult to achieve
that if user profiles are located locally.
The result is that users are free to roam, and their data and settings follow them from computer to
computer. The whole point of this concept is to separate data that is user-specific (and can roam) from
data that is computer-specific and must be stored locally.
User state virtualization can also mitigate the productivity loss of PC replacement. The central copy of the
data is on the network, so it is easily restored in case of a lost or stolen PC, and the user's settings can be
re-applied automatically. When the IT department sets up the policy to allow offline access to the
redirected folder, Windows BitLocker Full Volume Encryption can be applied to the PC to help ensure data
safety. A typical example of this type of virtualization is using Windows 7 Folder Redirection
with Offline Files and a Roaming User Profile, which will be discussed later.
Question: How does your company address the user state management challenges presented in this topic?
Key Points
A user profile consists of a folder hierarchy, or namespace, files, junctions, and registry settings that store
the appropriate and often personalized settings for a user's computer and application environment.
In Windows Vista and Windows 7, a user profile is located in the %SystemDrive%\Users folder, on the
partition where the operating system is installed, and includes the NTUSER.DAT file. A user profile is always
named after the user logon name, and it contains several folders. Some folders inside user profiles are
hidden and can be viewed only after the option for showing hidden files and folders is enabled, while others
are accessible by default.
The first time a user logs on to a computer, the Windows operating system creates the desktop
environment according to various defaults and administrator-configured settings. Any changes made to
that environment during the session are saved automatically when the user logs off, thereby ensuring that
the settings are available for future sessions. However, other users can also log on to that very same machine
and create their own environment.
Local. This folder contains application settings and data that are computer-specific. This data should
not roam, or is too large to be used for roaming. The content of this folder is essentially the same
as the content of the Local Settings\Application Data folder that was used in Windows XP.
Roaming. This folder contains data and settings that roam when roaming user profiles are
configured and used. Data inside this folder is not computer-dependent, so it can roam with the user
from computer to computer. The content of this folder is the same as the content of the Application Data
folder in the root folder of the user profile in Windows XP.
LocalLow. This folder has a very specific intended use. It did not exist in Windows XP. Data stored
in this folder is written by processes that could potentially compromise operating system security or
functionality. For example, applications running within Internet Explorer Protected Mode use
this location for their data and settings.
In general, there are two main types of user profiles: Local and Roaming. Local profiles are located on the
user's machine, and cannot be automatically moved to another machine without using specific utilities
such as Easy Transfer or User State Migration Tool (USMT). Roaming profiles are located on a network
location, and they are used on each machine where the user logs on. Both Local and Roaming profiles have
additional profile subtypes, which will be discussed later.
Key Points
When a user logs on for the first time, Windows creates their initial profile by using either the default local
profile or the default network profile, depending on how the system is configured. Windows connects
to the specified profile path (locally it is %SYSTEMDRIVE%\Users), and creates a subfolder beneath the
specified path that matches the user's account name. Similarly, this also happens on the network profile
location, if one is specified. After the subfolder is created, Windows assigns full-control NTFS file system
permissions to the user account on the subfolder, and marks the user account as the folder owner. This
process creates the structure of the user profile folder. Initially, the content of the default profile (either
local or network) is copied into the user's profile folder, while folders that contain user data (such as
Documents, Pictures, etc.) are mostly empty. Now the user can begin to customize settings and the
environment, as well as to store data inside the profile.
The HKEY_CURRENT_USER (HKCU) registry node plays a very important role in working with user profiles. All
settings related to the user-specific environment are stored in the registry while the user is logged on. All
changes to the user environment are also reflected in the registry.
Each time a user logs on, the content of the NTUSER.DAT file is loaded into the HKCU registry node. During
the user session, when the user changes his environment, the changes are made in the registry. When the
user logs off, the changes are saved back to the NTUSER.DAT file, so they are retained for future use. Because
each user has his own NTUSER.DAT file, each user can have his own set of settings, loaded into the HKCU
registry node while the user is logged on.
However, there are some settings that are common to all users of one computer. For example, an application
installed on a computer might be used by all users, so it creates its shortcut in a common location in the
Start Menu or on the Desktop.
For that purpose, a profile called Public is used in Windows Vista and Windows 7 (earlier, it was the AllUsers
profile in Windows XP). The content of this profile is accessible to all users of the computer. Unlike regular
profiles, this profile does not have a specific registry node, because this profile is never directly loaded.
Settings contained in this profile are written to HKEY_LOCAL_MACHINE (HKLM) and they are applied to each
user that logs on to that computer.
If, for any reason, a user profile cannot be loaded into the registry, a temporary user profile is used.
Temporary profiles are deleted at the end of each session, and changes made by the user to their desktop
settings and files are lost when the user logs off. If a user is logged on with a temporary profile, a warning
message is issued at logon. Logging on with a temporary profile is not normal, and it requires troubleshooting.
It is also important to know that not all user data is stored in the registry. Inside the user's profile there
are several folders that contain user documents, such as music, pictures, etc. This data can also be
virtualized by using folder redirection, which will be discussed in Lesson 2.
Question: From the perspective of user profiles, what is the main difference between HKCU and HKLM?
Key Points
There are several user profile types available in Windows Vista and Windows 7, used in various scenarios.
In general, Local and Roaming user profiles are the main types, but they both have subtypes.
These types are:
Default profile. Windows stores a default profile in the C:\Users\Default folder. Windows uses this
default profile to build the user's initial desktop environment. This default profile can also be stored
on a domain controller in the Netlogon shared folder.
Note: It is recommended to use Group Policy to configure the Default Profile path. Also, some issues may
arise if you have different versions of client operating systems.
Local user profile. As described earlier, when a user logs off, their desktop environment is saved in a
local user profile file (NTUSER.DAT). This profile is used the next time the user logs on to the same
computer. The local user profile is not accessible if the user logs on to a different computer. Local
user profiles are stored in the C:\Users folder, in a subfolder related to the user's account name.
All users/Public. Previous Windows versions provided the All Users desktop profile. Windows Vista and
Windows 7 replace All Users with the Public profile. Windows merges the Public profile folder
contents (for example, Desktop and Start menu) with the user's own profile during logon.
Roaming profile. Domain user accounts can be configured with a roaming profile location. When the
user logs off, the desktop environment is saved to the designated folder so that it is available at next
logon, even if that logon is to a different computer. Roaming profiles will be discussed in more detail
in later topics.
Temporary user profile. A temporary user profile is issued each time an error condition prevents the
user's profile from loading. Temporary profiles are deleted at the end of each session, and changes
made by the user to desktop settings and files are lost when the user logs off.
Mandatory profile. A mandatory profile is a read-only version of a roaming profile that is preconfigured
and secured by the network administrator to ensure a consistent look and behavior for all users. Users
cannot modify settings in a mandatory profile. When a user account is configured to use a mandatory
profile, each time the user logs on to a machine, the profile content is downloaded from the network share,
just like with roaming profiles. However, if a user makes changes during their session, these changes
are not stored in their profile when the user logs off. In the next logon session, the user is
presented with the original settings and environment specified in the mandatory profile.
You can create mandatory profiles in a similar way to creating roaming profiles. If Windows cannot
successfully load the mandatory profile, the user can still log on. Windows creates a transient profile
in this situation, but this condition usually needs troubleshooting.
Note: If you use mandatory profiles, you must configure folder redirection in order to allow users to
save files to their personal folders that are part of their profile, since no changes can be made to a
mandatory profile.
Super mandatory profile. The super mandatory profile is a mandatory profile with extra security.
However, unlike with a mandatory profile, a user who is configured to use a super mandatory profile will
not be able to log on if the super mandatory profile is not available, or cannot be loaded into the registry
for any reason. Therefore, super mandatory user profiles should be used only in environments in which
the network infrastructure is very reliable and the presence of the user profile is critical.
Special identity profiles. In Windows Vista and Windows 7, special identities are used for service
accounts such as Local System, Local Service, and Network Service. These accounts also use profiles.
These profiles are located in the following locations:
LocalSystem - %WinDir%\system32\config\systemprofile
LocalService - %WinDir%\serviceprofiles\Localservice
NetworkService - %WinDir%\serviceprofiles\Networkservice
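The profile types listed above can be read back from a running computer. The following PowerShell is an added example, not part of the course material: it uses the Win32_UserProfile WMI class, the function names are illustrative, and reporting a status of 0 as a local profile is an assumption of this example.

```powershell
# Added example: list the user profiles on a computer and decode each profile's type.
# Win32_UserProfile is available on Windows Vista SP1 / Windows Server 2008 and later.

function ConvertFrom-ProfileStatus {
    param([int]$Status)
    # Win32_UserProfile.Status is a bit field; several flags can be set at once.
    $bits  = @{ 1 = 'Temporary'; 2 = 'Roaming'; 4 = 'Mandatory'; 8 = 'Corrupted' }
    $names = @()
    foreach ($bit in 1, 2, 4, 8) {
        if ($Status -band $bit) { $names += $bits[$bit] }
    }
    # Assumption: no flag set is reported here as a plain local profile.
    if ($names.Count -eq 0) { 'Local (no flags set)' } else { $names -join ', ' }
}

function Resolve-SidName {
    param([string]$Sid)
    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # The account was deleted or its domain cannot be reached.
        "(unresolved) $Sid"
    }
}

function Get-ProfileReport {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-WmiObject -Class Win32_UserProfile -ComputerName $ComputerName |
        ForEach-Object {
            $userProfile = $_
            New-Object PSObject -Property @{
                Account     = Resolve-SidName $userProfile.SID
                Path        = $userProfile.LocalPath
                Type        = ConvertFrom-ProfileStatus $userProfile.Status
                Special     = $userProfile.Special      # True for service-account profiles
                Loaded      = $userProfile.Loaded       # True while the profile is in use
                RoamingPath = $userProfile.RoamingPath  # network copy, if one is in use
            }
        }
}

$report = Get-ProfileReport

# Overview: service-account (special identity) profiles sort after user profiles.
$report | Sort-Object Special, Account |
    Format-Table Account, Type, Special, Loaded, Path -AutoSize

# Temporary and corrupted profiles are the ones the text says need troubleshooting.
$report | Where-Object { $_.Type -match 'Temporary|Corrupted' } |
    Format-List Account, Type, Path, RoamingPath
```

Run it in an elevated session; a mandatory profile shows both the Roaming and Mandatory flags because it is loaded from the network share.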
In this demonstration, your instructor will show you how to access and browse user profile folders, and
how to use roaming and mandatory profiles.
Demonstration steps:
1. Unhide protected/hidden files and folders by using the Control Panel Folder Options applet on NYC-DC1.
2. Browse to the folder C:\Users\Administrator and see the folder structure.
3. Create a folder called Profiles on NYC-DC1 and share it as Profiles with Authenticated Users.
4. Create a folder called mandatory.v2 within the Profiles folder.
5. From the NYC-CL1 computer, copy the default profile to the \\NYC-DC1\Profiles\mandatory.v2
location. After the files are copied, browse this folder on NYC-DC1 and rename the file
NTUSER.dat to NTUSER.man.
6. In the Active Directory Users and Computers console, configure Candy Spoon to have her profile located
at \\NYC-DC1\Profiles\%username%. Configure Terri Chudzik to have her profile located at
\\NYC-DC1\Profiles$\mandatory.
7. Log on to NYC-CL1 as Candy Spoon, make some changes to the desktop environment, and log off.
8. Log on to NYC-CL2 as Candy Spoon, and verify that all changes that were made on NYC-CL1 are
retained.
9. Log on to NYC-CL1 as Terri, and make some changes to the desktop environment.
10. Log off and log back on and verify that no changes are retained.
Lesson 2
Configuring Roaming Profiles and Folder Redirection
Roaming profiles and Folder Redirection are two technologies that provide companies with the ability for
users to roam between computers and access their personalized desktop environments with their personal
data and settings. Corporate roaming also provides enterprises with flexibility in seating arrangements.
Users need not be guaranteed the same computer each time they come to work, such as in a call center
where users have no assigned desk or seating and must therefore share computers with other users at
different times or on different days, but still want to retain their personal settings and data.
Key Points
Roaming User Profiles allow enterprises to store users' profiles on a central network location instead of
locally on client computers. The roaming profile structure is the same as with local profiles; however, the
location of the roaming folder is not.
The main benefit of storing user profiles on a network location is that users can access their desktop,
application settings, and data from any computer they have access to. When a user logs on to his
machine, instead of the local NTUSER.DAT file being loaded into the registry, the roaming profile from the
network is loaded. During the session, the user might change his environment, and create and save data. All
these changes are copied to the roaming profile location after the user logs off, so they are retained for the
next session. Also, if a user changes his computer, all data and settings will be available to him, as the
roaming profile will be used from the network.
Default network user profiles are optional. You do not need to create them if you do not want to. Also, it
is not mandatory to use a default network profile if you are using roaming profiles, and vice versa.
Key Points
Roaming profiles are not enabled by default. You must first prepare the infrastructure before you enable user
accounts to use roaming profiles.
Before you create a roaming user profile, you need to create each user account. Then, log on to a server
as an administrator to create a network share to store the roaming user profiles, designate the groups of
users to receive the roaming user profiles, and grant all users Full Control permissions.
Let us discuss the steps that need to be performed to configure roaming user profiles and enable users to
use them.
First, we need to prepare a storage location for roaming profiles. To achieve that, you must
complete the following steps:
1. Create a shared folder. Create a shared folder on an appropriate file server. In a large organization,
you might use a departmental server to host this shared folder. In a smaller organization with a single
server, you might use the domain controller to host the shared folder. The folder should be
identifiable, and therefore use a recognizable share name such as Profiles. If you have many users,
you might need to create a shared folder for roaming profiles on multiple servers or use DFS to
achieve better availability.
2. Secure the shared folder. Users require at least Change permissions on the shared folder. Therefore,
remove the default shared folder permission, and enable the Allow Change permission for the
Authenticated Users group.
After the location is prepared, you should configure user accounts to use roaming profiles. You should do
the following:
3. When configuring a user account to use a roaming profile, you typically designate a Universal
Naming Convention (UNC) path that includes the variable %username%. For example, you can
specify the path
\\sea-dc1\profiles\%username%, where the user's name is substituted for the username variable
when the profile is created during the logoff process.
4. Windows then creates a folder named username.v2 in the parent shared folder.
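Steps 1 and 2 as a script, followed by a check of the per-user folders that Windows creates in step 4. This is an added example, not part of the course material: C:\Profiles, the exclusion list, and the function names are assumptions, and tolerating SYSTEM and Administrators in a folder's ACL is a choice made for this example.

```powershell
# Added example. Run in an elevated session on the file server that hosts the share.
# Uses net.exe and Get-Acl, both available on Windows Server 2008 R2.

$ProfileRoot = 'C:\Profiles'        # assumed local path behind the share
$ShareName   = 'Profiles'           # share name suggested in step 1
$Domain      = $env:USERDOMAIN      # NetBIOS domain of the profile owners
$Skip        = @('mandatory.v2')    # shared folders that have no single owner

function New-ProfileShare {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    & net.exe share $Name 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) { return }     # the share already exists
    # Passing /GRANT means the default "Everyone: Read" share permission is
    # never applied; only Authenticated Users: Change is set (step 2).
    & net.exe share "$Name=$Path" '/GRANT:Authenticated Users,CHANGE' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net share failed (exit code $LASTEXITCODE)" }
}

function Test-ProfileFolder {
    param([string]$Root, [string]$Domain, [string[]]$Exclude)
    # Besides the user, this example tolerates these two identities (an assumption).
    $tolerated = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

    Get-ChildItem $Root |
        Where-Object { $_.PSIsContainer -and ($Exclude -notcontains $_.Name) } |
        ForEach-Object {
            $folder   = $_
            $user     = $folder.Name -replace '\.V2$', ''   # cspoon.V2 -> cspoon
            $expected = "$Domain\$user"
            $findings = @()
            try {
                $acl = Get-Acl -Path $folder.FullName -ErrorAction Stop
                # Windows marks the user account as the owner of the folder it creates.
                if ($acl.Owner -ne $expected) {
                    $findings += "owner is $($acl.Owner)"
                }
                foreach ($ace in $acl.Access) {
                    $id = $ace.IdentityReference.Value
                    if ($ace.AccessControlType -eq 'Allow' -and
                        $id -ne $expected -and $tolerated -notcontains $id) {
                        $findings += "$id allowed $($ace.FileSystemRights)"
                    }
                }
            } catch {
                # A folder restricted to its user and SYSTEM cannot be read by an
                # administrator; report that instead of stopping the run.
                $findings += "ACL not readable: $($_.Exception.Message)"
            }
            New-Object PSObject -Property @{
                Folder   = $folder.FullName
                Expected = $expected
                Findings = ($findings -join '; ')
            }
        }
}

New-ProfileShare -Path $ProfileRoot -Name $ShareName

# Show only the folders whose owner or ACL differs from what is expected.
Test-ProfileFolder -Root $ProfileRoot -Domain $Domain -Exclude $Skip |
    Where-Object { $_.Findings } |
    Format-List Folder, Expected, Findings
```

A folder reported with an unexpected owner is typically one that was created by hand rather than by Windows at first logon.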
Key Points
Although Roaming User Profiles provide several benefits to both end users and administrators, there are
some limitations that you must be aware of when using this technology.
Note: Beginning in Windows 7, users with roaming user profiles will have their current user settings in
HKCU (in other words, the entire NTuser.dat from their profile) periodically synchronized back to the
server while they are logged on to their computers. This is a change from Windows Vista and earlier
versions, in which roaming user profiles were synchronized back to the server only on logoff.
Simultaneous logons. Synchronization issues can arise if you use simultaneous logons on
several computers. For example, if a user logs on to one computer, edits and saves a document stored
in the Documents folder, leaves the computer logged on and then moves to a second computer, logs
on, edits and saves the same document, and then logs off from both computers, the computer from
which the user logs off last takes precedence. That is, the edits made to the document on that
computer are the only edits that are preserved. The edits made on the other computer are
lost. It is important to remember that when conflicts like this occur, roaming user profile (RUP)
resolves them on a last-writer-wins basis.
Application inconsistencies. An application might make changes to a user profile that do not produce the
expected result on all computers that the user is using. For example, if a user installs an application and it
creates a shortcut on the desktop, that shortcut is shown on all computers where that user logs on.
However, the application cannot be started on computers where it is not installed.
Note: You can use the Exclude Directories On Roaming Profile Group Policy setting to prevent
roaming of the Desktop folder, which prevents this inconsistency from arising.
Enabling on an individual basis. If you want to use roaming user profiles, you must enable them on a
per-user basis by configuring user account Properties or by using a script. You can also use template
accounts to enable a roaming profile for each new user.
Coexistence with older platforms. If you have a user who roams between various operating system
platforms, you might not be able to use roaming profiles for that user. Each operating system
platform has its own folder structure, and they are not compatible.
Key Points
Before discussing Folder Redirection, let us focus on one limitation of using Roaming Profiles. If a user is
configured to use a Roaming Profile, each time he logs on, the whole profile is downloaded to his local
machine. Because the profile contains user folders such as My Documents, Music, Videos, and Downloads,
and these folders usually contain a large amount of data, downloading this data can take a significant
amount of time. This can result in very slow logons. Similarly, when the user logs off, the whole profile is
synchronized back to the network location, and that causes very slow logoffs. For this reason, it is very
convenient to separate user data from the user's profile, while still keeping it on a network location, so
that data can follow users but does not slow down the logon and logoff procedures. The technology that
enables this is called Folder Redirection.
Folder redirection is a client-side technology that provides the ability to change the target location of
user-specific folders, such as My Documents, found within the user profile. This redirection is transparent
to the user and gives the user a consistent way of saving their data, regardless of its storage location.
Folder redirection provides a way for administrators to divide user data from profile data. This division of
user data decreases user logon times because Windows downloads less data when the user is logging on,
which directly speeds up the logon process. Windows redirects the local folder to a central location, giving
the user immediate access to their data when they save it, regardless of the computer they are using. This
immediate access removes the need to update the user profile.
Folder Redirection can be used with or without Roaming profiles. If you need only data to follow users,
but not their environment settings, Folder Redirection is enough. Also, if a user is simultaneously using
computers with various operating systems (such as Windows 7 and Windows XP), the use of roaming
profiles can result in incompatibility issues. Folder Redirection is agnostic to this, so it can be safely used
on various operating system platforms.
Folder Redirection is configured by using Group Policy settings. Besides setting the location for
redirected user folders, there are several other options that can be configured. These are discussed in
the next topic.
Be aware that not all folders are redirected. This mostly depends on the operating system used on the
client side. Core user folders that can be redirected on all client platforms from Windows XP are:
Documents, Pictures, Desktop
Start Menu, Application Data
Additional folders can be redirected in Windows Vista and Windows 7:
Pictures
Music
Videos
Favorites
Contacts
Downloads
Links
Searches
Saved Games
In this demonstration, your instructor will show and explain the available options for Folder
Redirection.
Demonstration steps:
1. Open Group Policy Management Console on the Domain Controller.
2. Create new Group Policy Object.
3. Start Group Policy Management Editor.
4. Browse through Folder Redirection options.
Key Points
Folder Redirection can provide many benefits to both end users and IT administrators. However,
to get the full potential from Folder Redirection and avoid issues, you should follow these
guidelines:
Do not redirect folders to your home directory unless you have legacy home directories in your
organization. The Documents folder and its subfolders allow you to select the Redirect to the user's
home directory redirection option. This redirects the Documents folder, and optionally, its subfolders,
to the home folder path configured in the user object's properties. Unless you are using legacy home
folders in this way, avoid configuring this option.
Let Windows create folders for each user. To ensure that the folders required for Folder Redirection
are created and secured properly, do not manually create the folders. Instead, let Windows create and
secure them when users log on. You must create the parent folder and share it with the previously
described permissions.
Use the Follow Documents folder setting. The Music, Pictures, and Videos folders support the Follow
Documents folder setting. This setting redirects these folders as Documents folder subfolders. This
option causes the selected subfolder to inherit Folder Redirection options from the parent Documents
folder, and it disables other Folder Redirection options for the selected folder. Consider using this
setting to store all user data folder structure elements in one place without the need to individually
configure Folder Redirection for each subfolder.
Consider the impact of removing a Folder Redirection Group Policy setting. The default behavior for
Folder Redirection removal settings is for the redirected folder to remain in its location even after you
remove the policy setting. In some scenarios, you might want to copy the files back to the original
location; that is, to the user's local profile. Bear in mind that changing a Folder Redirection policy
setting can have an impact on network performance, for example, if you select to redirect the folder
back to the local user profile location when the policy setting is removed.
When troubleshooting Folder Redirection, be aware that this technology relies on shared folders stored
on remote file servers. You should verify network connectivity to the target folders before you investigate
more complex reasons for Folder Redirection failure. Pay special attention to NTFS and shared folder
permissions. If you have implemented Advanced Redirection for specific Windows security groups, verify
that the user experiencing the problem belongs to the appropriate groups. Also, verify Group Policy
settings. Because you implement Folder Redirection with Group Policy settings, determine if the problem
is related to a Group Policy problem.
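A first-pass check for the points above, as an added example that is not part of the course material: run as the affected user, it reads where Windows currently points each redirectable folder, tests that the target is reachable and writable, and confirms group membership. The group name FR-Sales is a hypothetical placeholder, and English-language whoami output is assumed.

```powershell
# Added example: first-pass Folder Redirection checks, run as the affected user.
# Assumption: 'FR-Sales' is a hypothetical group used for Advanced Redirection.
$ExpectedGroup = 'FR-Sales'   # set to $null when Basic Redirection is used

# Value names under "User Shell Folders" (Documents is stored as "Personal").
$folders = @{
    Documents = 'Personal'
    Desktop   = 'Desktop'
    Pictures  = 'My Pictures'
    Music     = 'My Music'
    Videos    = 'My Video'
    Favorites = 'Favorites'
    StartMenu = 'Start Menu'
    AppData   = 'AppData'
}
$key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$values = Get-ItemProperty -Path $key

$report = foreach ($f in $folders.GetEnumerator()) {
    $path = $values.($f.Value)
    if (-not $path) { continue }

    $reachable = Test-Path -LiteralPath $path   # network connectivity to the target
    $writable  = $false
    if ($reachable) {
        # A failed write on a reachable path points at NTFS or share permissions.
        $probe = Join-Path $path ('fr-probe-{0}.tmp' -f [guid]::NewGuid())
        try {
            [IO.File]::WriteAllText($probe, 'probe')
            $writable = $true
            Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
        } catch { }
    }

    New-Object PSObject -Property @{
        Folder     = $f.Key
        Path       = $path
        Redirected = $path.StartsWith('\\')     # UNC target means the folder is redirected
        Reachable  = $reachable
        Writable   = $writable
    }
}
$report | Sort-Object Folder | Format-Table Folder, Redirected, Reachable, Writable, Path -AutoSize

# Group membership matters only when Advanced Redirection targets security groups.
if ($ExpectedGroup) {
    $groups = whoami.exe /groups /fo csv | ConvertFrom-Csv
    $member = @($groups | Where-Object { $_.'Group Name' -like "*\$ExpectedGroup" }).Count -gt 0
    "Member of ${ExpectedGroup}: $member"
}

# Finally, confirm which GPOs were actually applied to the user.
gpresult.exe /r /scope user
```

A folder that shows Redirected as False although a policy targets it indicates a Group Policy problem; Reachable as True with Writable as False indicates a permissions problem.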
Key Points
Offline files allow mobile users to download and use shared files on their local computers when they are
not connected to the network. This benefit also applies to onsite workers who temporarily lose network
connectivity due to technical problems.
When you designate a shared file for offline use, the local computer downloads, or caches, a local copy of
the file. You can then continue to work using this file even if you are not connected to the network. When
the computer connects to the network again, the operating system automatically compares any changes
made to the offline file with the copy stored on the server, and resolves any differences.
In Windows Vista and Windows 7, you can encrypt your offline files to help secure private information.
When you encrypt offline files, only your user account can access the cached data.
Offline files can be used together with Folder Redirection. This enables you to provide access to redirected
folders even when the user is not connected to the network. Since Folder Redirection is used to redirect
user personal folders, if you make these folders available for offline access, users will always be able to
have their documents. These two technologies can also be combined with Roaming User Profiles to achieve
full functionality.
Offline files are very convenient in scenarios where the user is connected to a slow network. Since a local
copy is cached on the user's computer, the user can work on these files without being affected by the slow
network.
mode, all changes are performed at the local level, while the Offline Files client tries to access the network
copy every two minutes. During Auto Offline Mode, the user cannot initiate manual synchronization, nor
can the user access previous versions of a file.
Manual Offline Mode. In this mode, the user manually puts network resources in Offline Mode. This
means that all file operations are performed on the local cached copy. Synchronization is performed only
if the user initiates it manually. Offline mode remains active until the computer restarts or until the user
manually switches back to Online Mode.
Slow-link Mode. This mode depends on the Group Policy setting that specifies slow link detection. If
this setting is configured, it is applied to Offline Files. When a slow link is detected, Offline Files
automatically switches to Offline Mode, and switches back to Online Mode when network conditions
improve.
Offline files are configured in several locations. You must enable offline caching on the shares for which
you want to allow caching. You should also configure offline caching behavior on the user side. Finally,
Group Policy can be used to control Offline Files.
Transparent caching is not enabled by default. IT administrators can use a Group Policy setting to
enable transparent caching, improve the efficiency of the cache, and configure the amount of hard
disk drive space that the cache uses.
In this demonstration, your instructor will show you how to configure Offline Files.
Demonstration steps:
1. Create a CorpData folder on (C:) drive on NYC-DC1, share it and configure permissions so that
Authenticated Users have Full control on share and NTFS permissions. Configure caching options on
this folder so that only the files and programs that users specify will be available offline.
2. Open Default Domain policy GPO, and navigate to Computer Configuration, Policies,
Administrative Templates, Network, and select Offline Files.
3. Enable option Administratively assigned offline files, and enter
\\NYC-DC1\CorpData as a location.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1, 10324A-NYC-CL1, and 10324A-NYC-CL2 virtual machines are
running.
3. If required, connect to the virtual machines. Log on to 10324A-NYC-DC1 as Contoso\Administrator
using the password Pa$$w0rd. Do not log on to the client machines until directed to do so.
1. Configure a roaming profile and configure a pilot group of users to use roaming profiles.
2. Make changes to user environment.
3. Log on to a second computer, and verify roaming of the changes.
Task 1: Configure a roaming profile and configure a pilot group of users to use roaming
profiles
1. On NYC-DC1, configure C:\Profiles as follows:
Shared as Profiles
Share permissions: Authenticated Users: Change, Administrators: Full control
Caching: No files or programs should be available offline
2. Configure the User Accounts Candy Spoon and Terri Chudzik to use roaming profiles to the
\\NYC-DC1\Profiles\%username% location, by editing Properties of their user accounts in Active Directory
Users and Computers on NYC-DC1.
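The same configuration can be scripted. The following is an added example, not part of the course material, that covers both this task and the CorpData share from the Offline Files demonstration; it is meant for an elevated PowerShell session on NYC-DC1. It assumes the ActiveDirectory module is available, that the accounts' Name attribute matches the names given in the task, and it expands %username% to the account's logon name itself, as Active Directory Users and Computers does when it saves the value. New-LabShare is a helper name introduced here.

```powershell
# Added example: create the lab shares with explicit share permissions and caching mode.
function New-LabShare {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Name,
        # Each entry is 'Account,READ|CHANGE|FULL' as accepted by net share /GRANT
        [Parameter(Mandatory=$true)][string[]]$Grant,
        # Manual = only files and programs that users specify; None = nothing cached
        [Parameter(Mandatory=$true)]
        [ValidateSet('Manual','Documents','Programs','None')][string]$Cache
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $netArgs = @('share', "$Name=$Path")
    foreach ($g in $Grant) { $netArgs += "/GRANT:$g" }
    $netArgs += "/CACHE:$Cache"
    & net.exe $netArgs
    if ($LASTEXITCODE -ne 0) { throw "net share failed for $Name (exit code $LASTEXITCODE)" }
}

# Task 1: profile share. Roaming profiles must not be cached by Offline Files.
New-LabShare -Path 'C:\Profiles' -Name 'Profiles' -Cache None `
    -Grant 'Authenticated Users,CHANGE', 'Administrators,FULL'

# Offline Files demonstration: CorpData share with manual caching.
# Full control for Authenticated Users is the lab setting from the demonstration steps.
New-LabShare -Path 'C:\CorpData' -Name 'CorpData' -Cache Manual `
    -Grant 'Authenticated Users,FULL'
& icacls.exe 'C:\CorpData' /grant 'Authenticated Users:(OI)(CI)F' | Out-Null

# Task 1, step 2: point the pilot users at the profile share.
Import-Module ActiveDirectory
foreach ($name in 'Candy Spoon', 'Terri Chudzik') {
    $user = Get-ADUser -Filter "Name -eq '$name'"
    if (-not $user) { Write-Warning "No account named '$name' was found"; continue }
    Set-ADUser -Identity $user -ProfilePath "\\NYC-DC1\Profiles\$($user.SamAccountName)"
    Get-ADUser -Identity $user -Properties ProfilePath | Select-Object Name, ProfilePath
}

# Verify the result: the output includes the share permissions and the caching mode.
& net.exe share Profiles
& net.exe share CorpData
```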
Question: Do the Desktop personalization options appear as you configured them, including the
desktop shortcut?
Question: Is the shortcut to drive C retained on Desktop?
Results: After this exercise, you should have configured and tested Roaming User Profiles.
Task 2: Verify that folders are redirected and not stored in the profile
1. Log on to NYC-CL1 as Contoso\Adam with the password of Pa$$w0rd.
2. Open the Documents folder and verify the path. Create a text document in the Documents folder.
3. Log off of NYC-CL1.
4. Log on to NYC-CL1 as Contoso\Bart with the password of Pa$$w0rd.
5. Open the My Documents folder and identify the path.
Question: What path is revealed?
Results: After this exercise, you should have configured and tested Folder Redirection.
Results: After this exercise, you should have configured and tested Offline Files.
Review Questions
1. What is a User Profile? What types of User profiles exist?
2. What is the main benefit of User state virtualization?
3. List some limitations and drawbacks when using Roaming Profiles.
4. Which technology will enable users that are disconnected from network to access data on specific file
shares on network servers?
5. You want to configure permissions for the Administrator user account on all users' roaming profile
folders, but you do not want to make this change folder-by-folder. How can you achieve this
objective quickly and easily?
Common Issues related to user state virtualization
Issue Troubleshooting tip
A. Datum IT Admins team wishes to create a standard desktop that loads each time a user logs on for the
first time.
Occasionally, network outages prevent users from completing important project work. Where possible, it
must be ensured that users can continue working on important files.
It is important to incorporate users' files into the backup regime by placing them on file servers. In
addition, it must be ensured that users can recover their own local files when the need arises.
Tools
Tool | Used for | Where to find it
Offline Files Management | Setting client options for Offline Files feature | Control Panel Sync Center
Module 12
Configuring Virtual Desktop Infrastructure
Contents:
Lesson 1: Overview of Windows Server 2008 R2 Hyper-V
Lesson 2: Introduction to VDI
Lesson 3: Configuring Personal and Pooled Virtual Desktops
Lab: Configuring Virtual Desktop Infrastructure
Module Overview
Using virtualization technologies for desktop virtualization can be very convenient. Microsoft provides
virtual desktop infrastructure (VDI) as a technology that relies on Windows Server 2008 R2 Hyper-V
and Remote Desktop Services (RDS) to enable administrators to configure virtual desktops as working
environments. To use VDI, you should be familiar with Hyper-V and RDS, as well as with VDI features and
configuration procedures.
Lesson 1
Overview of Windows Server 2008 R2 Hyper-V
Windows Server 2008 R2 Hyper-V is the latest Microsoft virtualization platform that enables you to run
multiple virtual machines on a single server in production environments. Hyper-V leverages the latest
hardware technologies to provide a reliable virtual environment that performs well. To implement
Hyper-V, you should be familiar with its key concepts and with the key components that you need to build a
virtual machine. This lesson provides a high-level overview of Hyper-V technology, and also provides
information about virtual hard drives and virtual networks, which are key components to building and
using virtual machines.
What Is Hyper-V?
Key Points
Hyper-V provides software infrastructure and basic management tools in Windows Server 2008 that you
can use to create and manage a virtualized server-computing environment. You can use this virtualized
environment to address a variety of business goals that improve efficiency and reduce costs.
Hyper-V provides the engine, or hypervisor, that supports the operation of multiple virtual machines on
top of standard server hardware. The hypervisor is a thin layer of software that resides between the
operating system and the hardware.
Because it integrates with the Windows Server operating system, Hyper-V benefits from the existing
Windows Server feature set. Additionally, Hyper-V relies on the Designed for Windows hardware
specification, which provides access to thousands of validated platform configurations.
Type 1 Hypervisor
Hyper-V is a Type 1 hypervisor, which is a bare-metal hypervisor that runs directly on top of hardware.
Another name for a Type 1 hypervisor is a hardware virtualization engine. Hyper-V uses a 64-bit
hypervisor, which allows multiple virtual machines to access physical memory and CPU resources without
conflicts. It also allows the creation of 64-bit guest operating systems. In combination with
virtualization-aware hardware, including processors that use Intel VT and AMD-V technology, the Hyper-V
hypervisor enables high performance and excellent scalability for guest operating systems.
Because the Hyper-V hypervisor takes advantage of Intel VT and AMD-V technology, the processing
hardware performs more of the work of virtualizing multiple operating systems, so the virtualization stack
and hypervisor have to do less work.
Type 2 Hypervisor
Microsoft's previous hypervisor offerings, such as Virtual Server 2005 or Virtual PC 2007, were Type 2
hypervisors that operated as applications on top of existing operating systems, and provided software
virtualization. Virtualization platforms that rely on software emulation of hardware must frequently
interrupt guest operating systems by performing on-the-fly translation of hardware requests into a form
that is compatible with the virtualization environment.
The new Microsoft operating system, Windows 7, includes a similar software-based virtualization
solution, called Windows Virtual PC, which allows users to run virtual machines with supported operating
systems installed.
Question: What is the main benefit of using a Type 1 hypervisor versus previous Microsoft virtualization
solutions that used Type 2 hypervisors?
Hyper-V Features
Key Points
Hyper-V provides you with a dynamic, reliable, and scalable virtualization platform that combines with a
set of integrated tools to manage both physical and virtual resources. Hyper-V enables the data centers of
business enterprises to be highly responsive and dynamic.
Hyper-V in Windows Server 2008 R2 includes features such as Live Migration, dynamic virtual machine
storage, improved virtual hard disk (VHD) performance, enhanced processor support, and enhanced
networking support.
Live Migration allows you to move virtual machines from one node of the failover cluster to another
node in the same cluster, without dropping the network connection or impacting end users with any
perceived downtime, because the virtual machines continue to run.
Failover clustering is a group of independent computers that work together to increase the
availability of applications and services across an environment. You connect the clustered servers,
called nodes, by physical cables and software. If one of the cluster nodes fails, another node provides
service. This process is known as failover clustering, and it means that end users experience minimum
disruption in services when a node fails.
Note: Live Migration requires that you add and configure the failover clustering role on the servers
that are running Hyper-V. Additionally, failover clustering requires shared storage for the cluster
nodes. On a server running Hyper-V, only one Live Migration, to or from the server, can be in
progress at any given time. You cannot use Live Migration to move multiple virtual machines
simultaneously. Also, you should be aware that you can achieve zero downtime when you use Live
Migration to move virtual machines between hosts only if both hosts are up and running. If a host
stops working because it fails, then Live Migration moves virtual machines to another host, but there
is a period of downtime.
Cluster Shared Volume (CSV) feature of failover clustering in Windows Server 2008 R2 with Live
Migration. CSV provides increased reliability when you use it with Live Migration and with virtual
machines that you configure in a failover cluster. It also provides a single, consistent file namespace,
so that all servers running Windows Server 2008 R2 view the same storage.
Processor Compatibility Mode makes it possible for you to move virtual machines or perform Live
Migration between different processor versions within the same processor family, such as Intel or
AMD. You cannot perform Live Migration between different processor vendors.
Note: A hot plug-in and removal of storage requires that Integration Services be present in the
enlightened guest operating system.
These two technologies allow Hyper-V to take advantage of network offload technologies. Instead of a
core CPU that processes the network packets, you can move these packets to the offload engine on the
10 GB network adaptor. This reduces processor usage and improves performance.
Many of the new Hyper-V features, such as VMQ, Chimney, and CPU core parking, require compatible
hardware.
In this demonstration, your instructor will show you how to add and remove a VHD from a running virtual
machine.
Demonstration steps:
1. On the physical host computer, open Disk Management, create a VHD, and then copy some files to it.
2. Add a VHD, as an additional Small Computer System Interface (SCSI) disk, to the 10324A-NYC-CL1
virtual machine while it is running.
3. Initialize and format a new disk from Disk Management on the host machine. Access the disk from
the NYC-CL1 virtual machine, and then add additional content, such as by creating a few text files.
4. Remove a VHD from the virtual machine.
5. Mount the VHD on the physical host computer, and then list its content to verify that all of the files
that you created are there.
Key Points
Virtual Network Manager gives you the ability to create a mechanism for binding virtual machines to a
physical network, and to create and manage virtual networks. You can use Virtual Network Manager to
add, remove, and modify the virtual networks. Virtual Network Manager is available from Hyper-V
Manager.
When you create a virtual network, Hyper-V creates a virtual switch that routes traffic based on either the
media access control (MAC) addresses or the virtual local area network (VLAN) Identifiers (ID). The virtual
switch modifies the MAC addresses of packets to route traffic with different MAC addresses than the
physical network card's MAC address. The advantage is that it can bind to any 802.3-compliant physical
Ethernet network adapter.
You cannot connect a virtual network to a wireless network adapter. The virtual switch changes the MAC
address of the source packet so that it does not match its own MAC address. As a result, you cannot
provide wireless networking capabilities to virtual machines, because the 802.11 standard does not
support the MAC address changes. You can attach only one virtual network to a specific physical network
adapter at a time. You cannot attach multiple virtual networks to the same physical network adapter.
When you create a virtual network:
Hyper-V creates a software-based switch.
You can associate only one Hyper-V virtual network with a single physical network adaptor.
Once a virtual network is bound to a physical network adapter, all other protocols are unbound
automatically.
You can use virtual networks to control and secure network traffic that enters and leaves a virtual
machine.
Windows Server 2008 R2 Hyper-V supports three types of virtual networks:
External. An external virtual network binds to a physical network adapter on the Hyper-V server so
that the virtual machine can have access to a physical network. When you create a new external
virtual network, Hyper-V creates a virtual network adapter on the parent partition unless you clear the
option to Allow management operating system to share this network adapter. If you clear this
option, then you dedicate the network adapter to the virtual machine. You would use an external
connection when your virtual machine needs to access or be accessed on the corporate network or
beyond the corporate environment.
Note: When you create an external virtual network, and clear the option to Allow management
operating system to share this network adapter, the physical network adapter will be available
only for virtual machines. It will not be accessible by the host computer. This is a best practice if you
want to isolate virtual-machine network traffic from host network traffic. In this scenario, you must
not clear this option on at least one network adapter, or you must not create a virtual network that
uses one of the physical network adapters, to ensure that the host computer can communicate on the
network.
Internal. When you create an internal virtual network, it allows the virtual machines to communicate
with each other and with the Hyper-V server, but they cannot communicate with the physical
network. You typically would use this scenario to simulate a networked environment with the base
system, and you might use an internal network in a training environment.
Private. The creation of a private virtual network enables the virtual machines to communicate with
each other, but there is no association with any physical network adapter in the parent partition. This
means that the virtual machines can communicate with each other, but not with the host computer or
with other computers on external networks. You can use private networks if you need to isolate
virtual machines for security reasons. You also may have virtual machines that you are using for
testing, and you do not want the virtual machines to access the corporate network inadvertently.
When you create a virtual network through either the Hyper-V Manager or WMI, you also create a new
software-based switch. There is no limit to the number of virtual networks or ports for virtual machine
connections that you can create.
Configuring VLANs
Hyper-V supports VLANs, and because a VLAN configuration is software-based, you can move computers
easily and maintain their network configurations. For each virtual network adapter that you connect to a
virtual machine, you can configure a VLAN ID for the virtual machine. You will need the following to
configure VLANs:
A physical network adapter that supports VLANs.
A physical network adapter that supports network packets with VLAN IDs that are applied already.
On the management operating system, you will need to configure the virtual network to allow network
traffic on the physical port. This is for the VLAN IDs that you want to use internally with virtual machines.
Next, you configure the virtual machine to specify the VLAN that the virtual machine will use for all
network communications.
There are two modes in which you can configure a VLAN: access mode and trunk mode.
When you configure your VLAN in access mode, this restricts the virtual network's external port to a single
VLAN ID in the user interface (UI). You can have multiple VLANs using WMI. Use access mode when your
physical network adapter connects to a port on the physical network switch that also is in access mode. To
give a virtual machine external access on the virtual network that is in access mode, you must configure
the virtual machine to use the same VLAN ID that is configured in the virtual network's access mode.
Trunk mode allows multiple VLAN IDs to share the connection between the physical network adapter and
the physical network. To give virtual machines external access on the virtual network in multiple VLANs,
you need to configure the port on the physical network to be in trunk mode. You also will need to know
the specific VLANs that you are using, and all of the VLAN IDs used by the virtual machines that the virtual
network supports. Your physical switch will need to support 802.1Q.
Question: Which type of network allows a virtual machine to access a physical network? In what scenarios
would you use this type of network?
Key Points
Virtual machine snapshots capture the state, data, and hardware configuration of a virtual machine that is
running. Snapshots provide a fast and easy way to revert the virtual machine to a previous state. For this
reason, virtual machine snapshots mainly are for use in development and test environments. Having an
easy way to revert a virtual machine can be very useful if you need to recreate a specific state or condition
so that you can troubleshoot a problem.
There are certain circumstances in which it may make sense to use snapshots in a production
environment. For example, you can use snapshots to provide a way to revert a potentially risky operation
in a production environment, such as applying an update to the software running in the virtual machine.
Hyper-V snapshots are implemented in the virtualization layer, and can be taken at any time with any guest
operating system (even during an operating system installation). Snapshots can be taken whether the
virtual machine is running or stopped. If the virtual machine is running when the snapshot is taken, there
is no downtime involved to create the snapshot.
Snapshot data files are stored as .avhd files. An AVHD is a snapshot-specific differencing disk that is used
as the running point of a virtual machine. After Hyper-V creates the snapshot, all system changes are
written to the AVHD disk going forward, and the base VHD no longer is modified. The AVHD is linked to its
parent disk.
If you were to move one of these two files, the virtual machine would break. You can continue to create
additional snapshots, and each one links to its parent in a linear (timeline) arrangement. They cannot link
in a branched tree arrangement because that would create dead branches. When you go back to a
previous point in time (return to a snapshot), everything to the right of the timeline is destroyed
(rendered unusable) because you altered the virtual machine at a previous point.
Snapshot data files are located in the same folder as the virtual machine, by default, unless one of the
following conditions applies:
If you import the virtual machine with snapshots, the snapshots are stored in their own folder.
If the virtual machine has no snapshots, and you configure the snapshot setting for the virtual
machine, then the snapshots will be stored in the folder that you specify.
Note: We do not recommend, or support, the use of snapshots on virtual machines that are hosting
the Active Directory Domain Services (AD DS) role, which also is known as domain controllers, or on
virtual machines that are hosting the Active Directory Lightweight Directory Services (AD LDS) role.
For more information, see the Microsoft TechNet article Operational Considerations for Virtualized
Domain Controllers.
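The note above can be turned into a periodic check. The following added example, which is not part of the course material, queries the Hyper-V WMI provider on a Windows Server 2008 R2 host, lists every snapshot, and flags those that belong to virtual machines hosting directory roles. The list in $DirectoryVMs is an assumption that you maintain yourself; its sample entry is the lab domain controller.

```powershell
# Added example: list Hyper-V snapshots and flag those on directory-role VMs.
# Run in an elevated session on the Hyper-V host (Windows Server 2008 R2).

# Assumption: names of the VMs that host AD DS or AD LDS, maintained by hand.
$DirectoryVMs = @('10324A-NYC-DC1')

$ns = 'root\virtualization'   # Hyper-V WMI namespace on Windows Server 2008 R2

# The host itself is also an Msvm_ComputerSystem instance, so filter on the caption.
$vms = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem `
                     -Filter "Caption = 'Virtual Machine'"

$report = foreach ($vm in $vms) {
    # SettingType 5 marks a snapshot; SystemName holds the GUID of the owning VM.
    $query = "SELECT * FROM Msvm_VirtualSystemSettingData " +
             "WHERE SystemName = '$($vm.Name)' AND SettingType = 5"
    $snapshots = Get-WmiObject -Namespace $ns -Query $query

    foreach ($s in $snapshots) {
        New-Object PSObject -Property @{
            VM            = $vm.ElementName
            Snapshot      = $s.ElementName
            Created       = [Management.ManagementDateTimeConverter]::ToDateTime($s.CreationTime)
            DirectoryRole = ($DirectoryVMs -contains $vm.ElementName)
        }
    }
}

# Full inventory, oldest first, so long-lived AVHD chains stand out.
$report | Sort-Object Created | Format-Table VM, Snapshot, Created, DirectoryRole -AutoSize

# Snapshots on directory-role VMs are the unsupported case described in the note.
$flagged = @($report | Where-Object { $_.DirectoryRole })
foreach ($f in $flagged) {
    Write-Warning ("Snapshot '{0}' exists on directory-role VM '{1}' (created {2})" -f `
                   $f.Snapshot, $f.VM, $f.Created)
}
"{0} snapshot(s) found, {1} on directory-role VMs" -f @($report).Count, $flagged.Count
```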
You can create snapshots by using Hyper-V Manager or by using the Virtual Machine Connection window.
To create a snapshot by using Hyper-V Manager, select a virtual machine, and then select Snapshot from
the Action menu or panel. To create a snapshot using the Virtual Machine Connection window, click on
the Snapshot button in the toolbar.
Question: Can you list additional scenarios where it would not be appropriate to use snapshots?
In this demonstration, your instructor will show you how to use snapshots in Hyper-V.
Demonstration steps:
1. Create snapshots of the NYC-CL1 virtual machine in Hyper-V Manager.
2. Modify the virtual machine.
3. Apply a previous snapshot, and then identify that modifications no longer are present.
Lesson 2
Introduction to VDI
VDI is an alternative desktop-delivery model that allows users to access desktops that are running in a
data center. In VDI, each user gets access to a personal virtual desktop from any authorized device, which
improves desktop flexibility. You can use VDI in two modes: personal and pooled desktops. The Remote
Desktop Connection Broker (RD Connection Broker) role service is one of the key components in VDI that
manages a user's connection to virtual desktops.
This lesson describes VDI, as well as the benefits of using it, and important components and procedures in
VDI.
What Is VDI?
Key Points
VDI is a centralized desktop-delivery architecture that allows you to centralize the storage, execution, and
management of Windows desktops in a data center. VDI enables you to run and manage Windows 7,
Windows Vista, and other desktop environments in virtual machines on a centralized server. A user can
connect to a virtual desktop with Remote Desktop Client (RDC) or by using Web access.
As a technology, VDI provides better flexibility, improved cost control, and has a smaller environmental
footprint, but it does increase the demand for security and compliance so that corporate data is more
secure. To meet these challenges, Windows Server 2008 R2 updates RD Connection Broker and flexible
presentation virtualization architecture beneath the VDI.
In pooled virtual machines, a single image is replicated. The user state can be stored through profiles and
folder redirection, but it will not continue to stay on the virtual machine after the user logs off. This frees
up some system resources, and provides you with the ability to separate user data from the virtual
machine.
In both cases, the Windows Server 2008 R2 solution supports image storage on the Hyper-V host, and
clients connect to the virtual machine by using Remote Desktop Protocol (RDP). Additionally, in both
cases, administrators can store and maintain a user work area in a data center.
Each device accessing the VDI image requires the Windows Virtual Enterprise Centralized Desktop (VECD)
license.
VDI for Windows Server 2008 R2 operated in previous versions of Windows, but under a different name
and form. Hyper-V and RDS roles are the key technologies that enable VDI.
Question: Is your organization using VDI? Which environments can benefit considerably by implementing
VDI?
Key Points
Many organizations are considering implementing VDI to optimize resource usage and improve
management of desktop machines. VDI provides several benefits to various types of organizations.
Benefits
Some of the most important benefits are:
Centralized data storage and backup, which reduce losses from stolen devices
Backup and restore in VDI is much more centralized than backups in physical environments. Since you
deploy virtual machines on Hyper-V hosts, you can use a VSS-aware backup utility on enlightened guests.
We recommend that you use Data Protection Manager (DPM) 2010 as it fully supports Hyper-V 2.0 and
VDI backups and restores. Also, since machines are not moving with users, the risk of intellectual property
being stolen from devices is much lower, as is the risk of the devices themselves being stolen.
Types of VDI
Key Points
There are various ways to architect VDI, but in general, there are two types of VDI deployment: personal
virtual desktops and pooled virtual desktops.
When deploying personal virtual desktops, you must be aware that you can assign only one personal
virtual desktop to a user, and that you can assign a virtual machine as a personal virtual desktop to only
one user at a time.
Users should not save files on a virtual machine that is located in a virtual desktop pool. If a user logs off
from a virtual machine in a virtual desktop pool, and then later logs on to the virtual desktop pool, the
user might be connected to a different virtual machine in the virtual desktop pool. If you want to preserve
user data, you have to use some of the user state virtualization technologies.
Question: What is the main difference between personal virtual desktops and pooled virtual desktops?
Key Points
VDI in Windows Server 2008 R2 consists of several components and technologies. These components
work together to provide users with a seamless and unified experience when they are using desktop
virtual machines. All components that VDI needs are present in Windows Server 2008 R2, so there is no
need to install any additional software. The following sections detail the components and technologies in
VDI in Windows Server 2008 R2.
AD DS
In Active Directory, an administrator can assign virtual machines to users, which means that users always use
the same virtual machine. VDI components contact Active Directory to provide information about the virtual
machine that a specific user should use.
RD Connection Broker
RD Connection Broker creates a unified experience for traditional session-based remote desktops and new
virtual machine-based remote desktops. RD Connection Broker, as part of the VDI solution, is an
extensible platform for partners; and it includes extensive APIs to add value with regards to the
manageability and scalability of the brokering solution. Extensibility points include the ability to create
policy plug-ins, such as those that determine the appropriate virtual machine or virtual machine pool;
filter plug-ins, such as those for preparing a virtual machine to accept RDP connections; and resource
plug-ins, such as those for placing a virtual machine on the proper host, which you determine based on
the host's load.
The main purpose of this role service is to broker a user connection to an appropriate endpoint, which
involves:
Identifying the virtual machine to which you want the user to make a remote connection.
Preparing the virtual machine for remote connections by communicating with the Remote Desktop
Virtualization Host server (RD Virtualization Host). An example of this is when you wake the virtual
machine from a saved state.
Querying the IP address of the virtual machine by communicating with the RD Virtualization Host
server. This IP address is returned to the Remote Desktop Session Host server running in redirection
mode.
Monitoring user sessions in a virtual desktop-pool scenario. Users with existing sessions in pools are
redirected to the virtual machines that are hosting their sessions.
RD Virtualization Host
RD Virtualization Host is a Remote Desktop Services role service in Windows Server 2008 R2, and it
integrates with Hyper-V to provide virtual machines that you can use as personal virtual desktops or
virtual desktop pools.
An RD Virtualization Host server:
Monitors virtual machine guest sessions and reports these sessions to the RD Connection Broker
server.
Prepares the virtual machine for a remote desktop connection when the RD Connection Broker server
requests this.
In order for RD Virtualization Host to perform these functions, you must configure the guest operating
system to give permission to the RD Virtualization Host.
The RD Session Host server running in redirection mode does not allow interactive user sessions, unless
the user requests an administrative session by using the /admin parameter.
When a user requests a virtual machine, the RD Session Host server running in redirection mode queries
the RD Connection Broker server. The RD Connection Broker server then provisions a virtual machine for
the user and returns its IP address to the RD Session Host server that is running in redirection mode. The
RD Session Host server that is running in redirection mode then redirects the RDP client to connect to the
virtual machine by using the IP address.
We recommend that the RD Connection Broker role service resides on the same machine as the RD
Session Host server that is running in redirection mode. However, we also support the scenario in which
the RD Session Host server is running in redirection mode and the RD Connection Broker role service is
running on separate machines.
Key Points
RD Connection Broker is one of the key roles in VDI deployment, and it communicates with other
components to provide users with access to the proper virtual machine or application. In earlier Windows
Server versions, it was known as TS Session Broker.
RD Connection Broker maintains a list of available virtual desktops, and when a client makes a request, it
provides the client with the connection information for the most appropriate virtual desktop, or a
response which indicates that an appropriate virtual desktop is not available. In some scenarios, if more
than one appropriate virtual desktop exists, the connection broker will provide the client with a list of
possible candidates for connection.
If a virtual desktop is assigned to the user through AD DS, Remote Desktop Connection Broker will query
AD DS for the user's personal virtual desktop.
Since one of the main benefits of VDI is optimization of resource usage, you should turn off virtual desktop
systems when they are not in use. RD Connection Broker monitors virtual desktops after you assign them,
and it instructs the virtualization host to shut them off or suspend them when they are idle or logged off.
Similarly, RD Connection Broker also will instruct the virtualization host to start a virtual desktop when
necessary, and after the virtual machine starts, it redirects the client to the virtual machine.
If a user disconnects from a session intentionally or because of a network failure, the applications that the
user is running will continue to run. When the user reconnects, the RD client queries the RD Connection
Broker to determine whether the user has an existing session, and if so, on which RD Session Host server
in the farm. If there is an existing session, RD Connection Broker redirects the client to the RD Session Host
server where the session exists.
Key Points
The way users connect to a virtual machine is based on the VDI configuration. If you configure VDI for
personal virtual desktops, users connect to a virtual machine in the following way:
1. A user initiates the connection to the personal virtual desktop by using RD Web Access or
RemoteApp and Desktop Connection. The user sends the request to the RD Session Host server
running in redirection mode (RD Redirector) by using RD Web Access or RemoteApp and Desktop
Connection.
2. The RD Session Host server that is running in redirection mode (RD Redirector) forwards the request
to the RD Connection Broker server to get information about the target virtual machine.
3. The RD Connection Broker server queries AD DS, and retrieves the name of the virtual machine that is
assigned to the requesting user account.
4. The RD Connection Broker server sends a request to the RD Virtualization Host server to start the
virtual machine.
5. The RD Virtualization Host server returns the IP address of the fully qualified domain name (FQDN) to
the RD Connection Broker server. The RD Connection Broker server then sends this information to the
RD Session Host server that is running in redirection mode (RD Redirector).
6. The RD Session Host server redirects the request to the client computer that initiated the connection.
7. The client computer connects to the personal virtual desktop.
If you configure VDI for pooled virtual desktops, users are connected to a virtual machine in the following
way:
1. A user initiates the connection to the virtual desktop pool by using RD Web Access or by using
RemoteApp and Desktop Connection. The user sends the request to the RD Session Host server
running in redirection mode either by using RD Web Access or RemoteApp and Desktop Connection.
2. The RD Session Host server redirects the request to the RD Connection Broker server.
3. The RD Connection Broker server verifies whether an existing session exists for the requesting user
account. If a session exists, the RD Connection Broker server returns the virtual machine name to the
RD Session Host server that is running in redirection mode. If the session does not exist, the RD
Connection Broker server sends a request to the RD Virtualization Host server to locate and start the
virtual machine. The RD Connection Broker server returns the virtual machine name to the RD Session
Host server that is running in redirection mode.
4. The RD Session Host server redirects the request to the client computer that initiated the connection.
5. The client computer connects to the virtual desktop pool.
Lesson 3
Configuring Personal and Pooled Virtual Desktops
A very important part of VDI deployment is configuration of virtual desktops. In Windows Server 2008 R2
VDI, you can configure desktops as personal and pooled, and you can configure additional settings and
specify how users will connect to their virtual desktops. This lesson focuses on configuration of virtual
desktops.
Key Points
Before you use virtual desktops in a VDI deployment, you must configure virtual machines for this
purpose. After you install Windows Server 2008 R2 and the Hyper-V platform, you should create virtual
machines that you can use as virtual desktops by performing the following steps:
Supported client operating systems include Windows XP, Windows Vista, or Windows 7. We
recommend that you use Windows 7, if possible. Also, you should configure the appropriate network
settings in the virtual machines so that they can access your physical network.
2. Join the virtual machines to a domain.
You should join each virtual machine that you will use as a virtual desktop to the AD DS domain. We
recommend that you place these virtual machines inside the appropriate organizational unit in your AD
DS structure, so you can manage them easily by using Group Policy.
On each machine, you should enable Remote Desktop functionality in System Properties. Also, you
should add all users that will be using these machines through VDI to the local Remote Desktop Users
group. By using Registry Editor, you also should allow RPC for RDS. In Windows Firewall, you should
create a firewall exception for Remote Service Management and RDS. At the end, you also should add
the RD Virtualization Host server to the permissions list for the RDP-Tcp listener.
Note: You can perform all of these steps by using a Windows PowerShell script. Script examples are
located at "Configure Guest OS for Microsoft VDI (Windows PowerShell Script)".
If you will be using virtual machines in a pooled virtual desktop scenario, you should create Hyper-V
snapshots on each virtual machine, and you should name the snapshots RDV_Rollback. These
snapshots will be applied each time a user logs off from a machine.
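The guest settings listed above are exactly the ones that decide who can reach a virtual desktop over RDP, so they are worth checking after the configuration script has run. The following read-only audit is an added example, not the Microsoft script the note refers to; the function names and the account `CONTOSO\RDVH-HOST$` are placeholders, and the firewall exceptions are not checked. Run it elevated inside the guest.

```powershell
# Added example: read-only audit of a VDI guest (PowerShell 2.0 compatible).
# Function names and the sample account names are placeholders, not course values.

function New-AuditRow($Check, $Ok, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail } |
        Select-Object Check, Ok, Detail
}

function Get-VdiGuestAudit {
    param(
        # Computer account of the RD Virtualization Host, e.g. 'DOMAIN\HOSTNAME$'.
        [Parameter(Mandatory = $true)][string]$RdvhAccount,
        # Accounts that are supposed to be in the local Remote Desktop Users group.
        [string[]]$ExpectedRdpUsers = @()
    )

    # Remote Desktop enabled and RPC allowed for RDS (both live under one key).
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    New-AuditRow 'Remote Desktop enabled' ($ts.fDenyTSConnections -eq 0) `
        "fDenyTSConnections=$($ts.fDenyTSConnections)"
    New-AuditRow 'RPC allowed for RDS' ($ts.AllowRemoteRPC -eq 1) `
        "AllowRemoteRPC=$($ts.AllowRemoteRPC)"

    # Resolve Remote Desktop Users by its well-known SID so that the check
    # also works on localized builds, then list the members through ADSI.
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-555'
    $groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # 'WinNT://CONTOSO/ruser' becomes 'CONTOSO\ruser'
        ($path -replace '^WinNT://', '').Split('/')[-2..-1] -join '\'
    })
    $unexpected = @($members | Where-Object { $ExpectedRdpUsers -notcontains $_ })
    New-AuditRow 'Remote Desktop Users membership' ($unexpected.Count -eq 0) `
        ('unexpected members: ' + ($unexpected -join ', '))

    # Accounts that hold permissions on the RDP-Tcp listener. The
    # TerminalServices WMI namespace requires packet privacy.
    $accounts = @(Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSAccount -Filter "TerminalName='RDP-Tcp'" `
        -Authentication PacketPrivacy | ForEach-Object { $_.AccountName })
    New-AuditRow 'RD Virtualization Host on RDP-Tcp listener' `
        ($accounts -contains $RdvhAccount) ($accounts -join ', ')
}

# Placeholder host account; CONTOSO\ruser is the lab user from this module.
Get-VdiGuestAudit -RdvhAccount 'CONTOSO\RDVH-HOST$' -ExpectedRdpUsers 'CONTOSO\ruser' |
    Format-Table -AutoSize
```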
Key Points
A personal virtual desktop is a virtual machine that an RD Virtualization Host server hosts and assigns to a
specific user account from AD DS. Unlike a virtual desktop pool, where you can configure a virtual
machine to roll back changes when a user logs off, a personal virtual desktop retains all changes made by
the user as well as the user's data.
The RD Connection Broker Manager assigns an unassigned virtual machine to a user, and AD DS stores
this assignment as a user account property. The virtual machine name in Hyper-V Manager and the user
account property must be the same as the FQDN of the virtual computer.
Personal virtual desktops can only use Windows client operating systems. You cannot install Windows
Server 2008 R2 on a virtual machine and assign it as a personal virtual desktop.
To deploy personal virtual desktops, your schema for the AD DS forest must be at least Windows Server
2008. To use the added functionality provided by the Personal Virtual Desktop tab in the User Account
Properties dialog box in Active Directory Users and Computers, you must run Active Directory Users and
Computers from a computer that is running Windows Server 2008 R2 or a computer that is running
Windows 7 that has Remote Server Administration Tools (RSAT) installed.
You must use a domain functional level of at least Windows 2000 Server native mode. We do not support
the functional levels of Windows 2000 Server mixed mode and Windows Server 2003 interim mode.
The assignment of a virtual machine stays intact even after users log off from their assigned personal
virtual desktops. An administrator can reassign a personal virtual desktop or make changes to the
assignment through RD Connection Broker Manager. You can assign only one machine per user.
Independent software vendors (ISVs) can extend the inbox solution and provide users access to more than
one personal virtual desktop.
Note: It is incorrect to add a virtual machine designated as a personal virtual desktop to a virtual
desktop pool, if you want to allow only the assigned user to access that virtual machine. When the
designated user makes a connection to his personal virtual desktop, which now is part of a virtual
desktop pool, the connection will fail, and a mismatch event is logged.
Key Points
A virtual desktop pool temporarily assigns a virtual machine to the user. The RD Connection Broker
automatically makes this assignment without any prior assignment configuration. The user-to-virtual-
machine assignment is removed as soon as the user logs off. Since there is no permanent assignment of a
virtual machine in a virtual desktop pool to a user, as long as there is a virtual machine available in the
pool, one will be assigned to the user.
A virtual machine can be a member of only one virtual desktop pool. You configure all virtual machines in
a virtual desktop pool identically, so users see the same virtual desktop regardless of which virtual
machine in the virtual desktop pool they connect to. Since users might connect to a different virtual
machine in the virtual desktop pool each time they log on, we recommend that you use user state
virtualization technologies to manage user settings and data centrally.
Note: You must configure all virtual machines in a virtual desktop pool identically, including the
installed programs. If you need various configurations of virtual machines, you should create
additional pools.
Virtual desktops can use only Windows client operating systems. You cannot install Windows Server 2008
R2 on a virtual machine and add it to a virtual desktop pool.
To assign a virtual machine from a virtual desktop pool, you choose a Hyper-V server that has the least
number of running virtual machines, and then select a virtual machine belonging to this virtual desktop
pool. A random selection is made if two or more Hyper-V servers have the same number of running
virtual machines. ISVs can enhance the inbox solution by implementing their own load-balancing
algorithm.
When users disconnect from a virtual machine in a virtual desktop pool, they are redirected to their
disconnected virtual machines the next time they log in. However, when a user logs off from the virtual
machine, the virtual machine can be configured to roll back to a state determined by an administrator.
You can do this by applying the RDV_Rollback snapshot.
You can make multiple virtual desktop pools available through RD Web Access. The user sees a different
icon for each virtual desktop pool.
Key Points
After you configure the VDI infrastructure, you can set some additional options on a Personal Virtual
Desktop level, by using the Remote Desktop Connection Manager Console in the RD Virtualization host
server node. These improve the users' experience when they are using virtual desktops.
General Settings
On the General settings tab, you can configure whether icons for personal desktops will appear in RD
Web Access, if you assign a user to a virtual machine. Also, on this tab, you can configure the behavior of
virtual machines when users log off or disconnect from a session. For example, you can configure the
virtual machine to go into a saved state five minutes after users log off. We recommend this option
because it enables you to save system resources when machines are not in use.
To create an .rdp file from which to copy the settings, do the following:
Key Points
When you create virtual desktops, users can connect to their virtual machines in several ways. Depending
on what type of VDI scenario you use, administrators can choose one or more ways to provide users with
connections to their virtual desktops.
Using Remote Desktop Web Access is a very convenient way to connect to a virtual desktop, because it uses a
Web interface. Users should use the https://servername/RDWeb URL to get to the RD Web Access page. From
that page, they can directly access their virtual desktops. Also, from this page, users can choose to connect
to some other computer (if they have the requisite permissions), or they can choose to run Remote
applications, if they are published.
If a user is accessing a virtual machine from a Windows 7 client, you can configure remote desktop
connections in the Control Panel applet called RemoteApp and Desktop Connections. To use this feature,
you must configure the connecting URL in the form https://servername/RDWeb/feed/Webfeed.aspx. Also, the
server must have an installed, valid certificate that the client trusts. After the connection to the server is
made, connections to the virtual desktop and remote applications (if any) will be published to the user's
Start menu inside the RemoteApp and Desktop Connections folder. These connections periodically are
updated automatically or you can initiate the update process manually. This means that if the
administrator changes settings on the server side or publishes new resources, these changes will be
applied to a user during the next update cycle.
Another alternative is for the users to use their classic .rdp file to connect to their virtual desktops. Either
an administrator or the user can create this file in the Remote Desktop Client. This file contains connection
configuration settings. If you are using the Remote Desktop Client to connect to a virtual desktop, there
are additional settings that you can configure to provide a richer user experience.
In this demonstration, your instructor will show you how to configure the VDI infrastructure and prepare
virtual machines for VDI.
Demonstration steps:
1. Add the Remote Desktop services role to NYC-SVR1, with the following services: Remote Desktop
Session Host, Remote Desktop Connection Broker and Remote Desktop Web Access.
2. Add the Remote Desktop services role with the Remote Desktop Virtualization Host service to the
physical host computer.
3. Prepare the NYC-VDP1 virtual machine to serve as a virtual desktop.
4. Assign a Personal Virtual Desktop.
5. Connect to RD Web Access, and access the new personal virtual desktop.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
perform the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1 virtual machine is running.
3. If required, connect to the virtual machine. Log on to 10324A-NYC-DC1 as Contoso\Administrator
using the password Pa$$w0rd.
4. On the physical host machine, open Network and Sharing Center, and then click Change adapter
settings.
5. Open the Properties for the network connection that is labeled Internal Network.
6. Ensure that the IPv4 settings are configured as follows:
IP address: 192.168.10.100/24
16. On NYC-DC1, click Start, and then next to Log off, point to the arrow, and click Shut down. Type
shut down in the comment field, and then click OK.
17. After NYC-DC1 shuts down, restart the physical host computer.
18. After the host computer restarts, log on as the local administrator.
19. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
20. Ensure that the 10324A-NYC-DC1, 10324A-NYC-SVR1, 10324A-NYC-CL1, 10324A-NYC-CL2, and
10324A-NYC-CL3 virtual machines are running. When prompted for user credentials, log on as the
local administrator.
21. If required, connect to the virtual machines. Log on to all virtual machines except 10324A-NYC-CL1 as
Contoso\Administrator using the password Pa$$w0rd. Do not log on to 10324A-NYC-CL1 until
instructed to do so.
22. In Hyper-V Manager, change the 10324A-NYC-CL2 display name to
NYC-CL2.contoso.com.
23. In Hyper-V Manager, change the 10324A-NYC-CL3 display name to
NYC-CL3.contoso.com.
You will do it by adding the RDS role, configuring the RD virtualization host server, and then enabling
Remote Desktop Web Access.
The main tasks for this exercise are:
Results: After this exercise, you should have configured the RDS infrastructure for VDI.
Results: After this exercise, you should have configured virtual machines for VDI.
Task 2: Configure digital signing of .rdp files, single sign-on, and the trusted .rdp
publisher
When you want to connect to a virtual desktop, by default, you get a security prompt because the .rdp file
is not digitally signed. You then must provide user credentials for logging on to the virtual desktop. You
can avoid those prompts by configuring digital signing of .rdp files, adding a trusted .rdp publisher, and
configuring single sign-on. For this lab, we will use local Group Policy to configure those settings, but in
real life you would configure them by using domain Group Policy.
1. On NYC-SVR1, in Remote Desktop Connection Manager, configure the digital signature found in the
Properties dialog box of the RD Virtualization Host Servers to use the NYC-SVR1.contoso.com
certificate.
2. On NYC-CL1, log on as Contoso\ruser, and open the Local Group Policy Editor using Run As
Administrator.
3. Expand Computer Configuration, Administrative Templates, System, and click on Credentials
Delegation.
4. In the details pane, double-click Allow Delegating Default Credentials, select Enabled, click Show,
and then enter TERMSRV/* as the Value.
5. From NYC-CL1, browse to https://NYC-SVR1.contoso.com/RDWeb.
6. Run the Add-on, and then log on as contoso\ruser with the password of Pa$$w0rd. Select the This
is a private computer option.
7. Click the My Desktop icon. In the Remote Desktop Connection dialog box, click the NYC-SVR1.contoso.com
Publisher name.
8. In the Certificate window, click the Details tab, and then select Thumbprint. Select the thumbprint
numbers in the details box, and copy them by pressing CTRL+C.
Important: Do not select the leading space at the front of the thumbprint.
9. Switch to the Local Group Policy Editor, navigate to Computer Configuration, click Administrative
Templates, click Windows Components, click Remote Desktop Services, and then click Remote
Desktop Connection Client.
10. In the details pane, double-click Specify SHA1 thumbprints of certificates representing trusted
.rdp publishers, and then select Enabled.
11. Right-click in the Comma-separated list of SHA1 trusted certificate thumbprint entry box, and then
select Paste.
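Two values in this task deserve a check before the policy is rolled out through domain Group Policy: the pasted thumbprint (steps 8 to 11) and the TERMSRV/* delegation target (step 4), which permits delegating default credentials to a terminal server on any host. The following PowerShell is an added example, not part of the course lab; the function names, the sample thumbprint, and the narrower SPN forms are constructed for illustration.

```powershell
# Added example, not part of the course lab. All sample values are constructed.

function ConvertTo-RdpPublisherThumbprint {
    param([Parameter(Mandatory = $true)][string]$Raw)
    # Keep hex digits only. This drops the separating spaces and any invisible
    # character (such as U+200E) that was copied along with the thumbprint.
    $hex = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Not a SHA1 thumbprint: expected 40 hex digits, found $($hex.Length)."
    }
    $hex
}

function Join-RdpPublisherThumbprints {
    param([Parameter(Mandatory = $true)][string[]]$Raw)
    # Builds the value for the trusted .rdp publishers policy box:
    # comma-separated, normalized, duplicates removed.
    $clean = $Raw | ForEach-Object { ConvertTo-RdpPublisherThumbprint $_ } |
        Select-Object -Unique
    @($clean) -join ','
}

function Test-PublisherCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CerPath,      # exported signing certificate
        [Parameter(Mandatory = $true)][string]$PolicyValue   # comma-separated thumbprints
    )
    # True only if the policy list contains the thumbprint computed from the
    # certificate file itself, rather than from text copied out of a dialog.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    ($PolicyValue -split ',') -contains $cert.Thumbprint
}

function Test-DelegationEntry {
    param([Parameter(Mandatory = $true)][string]$Spn)
    # Classifies an "Allow Delegating Default Credentials" entry by how many
    # hosts it lets the client send the user's default credentials to.
    if ($Spn -match '^(?<svc>[^/]+)/(?<target>.+)$') {
        $scope = switch -Regex ($Matches['target']) {
            '^\*$'     { 'AnyHost'; break }
            '^\*\..+$' { 'DomainSuffix'; break }
            default    { 'SingleHost' }
        }
    }
    else {
        $scope = 'Invalid'
    }
    New-Object PSObject -Property @{ Spn = $Spn; Scope = $scope } |
        Select-Object Spn, Scope
}

# Constructed sample: text as it can arrive from the certificate Details tab,
# with an invisible leading U+200E, a leading space, and spaces between bytes.
$copied = [string][char]0x200E + ' 3f a1 0c 7e 55 d2 9b 44 e0 18 6a c3 f7 21 8d b9 04 5e 72 aa'
Join-RdpPublisherThumbprints @($copied)

# The lab value first, then two narrower forms built from the lab's domain name.
'TERMSRV/*', 'TERMSRV/*.contoso.com', 'TERMSRV/NYC-SVR1.contoso.com' |
    ForEach-Object { Test-DelegationEntry $_ } | Format-Table -AutoSize
```

An entry classified as AnyHost is the one to replace with a DomainSuffix or SingleHost form when the setting moves from the lab's local policy to domain Group Policy.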
Results: After this exercise, you should have configured and tested personal virtual desktops.
Results: After this exercise, you should have configured and tested the virtual desktop pool.
4. For the NYC-CL2 and NYC-CL3 virtual machines, you will need to delete the RDV_Rollback snapshots
first, and then revert to the first snapshot.
Review Questions
1. Which hypervisor type is used in Hyper-V? What is the main difference between the hypervisor in
Hyper-V and in Virtual PC?
2. List some of the most important improvements to Hyper-V in Windows Server 2008 R2.
3. In which modes can you deploy Virtual Desktop Infrastructure?
4. Can you assign the same virtual machine to more than one user?
5. How do you preserve user data in the virtual desktop pool scenario?
Common Issues Related to Virtual Desktop Infrastructure
Issue Troubleshooting tip
considering ways to upgrade client computers to Windows 7. One option is to buy new hardware for
all clients. You are hired as a consultant, and you have to prepare a proposal for a solution that uses VDI
instead of buying new client hardware. Contoso managers are interested in this solution but they
have some concerns about managing users' data. Currently, all user data is located on local client
machines.
Module 13
Summary of Desktop Virtualization Technologies
Contents:
Lesson 1: Review of Desktop Virtualization Technologies
Lesson 2: Real-World Usage Scenarios
Module Overview
This module summarizes all of the desktop-virtualization technologies that this course presents.
Additionally, it helps you identify typical usage scenarios for each technology, and it covers some real-
world scenarios.
Lesson 1
Review of Desktop Virtualization Technologies
Microsoft provides several desktop-virtualization technologies that include Windows Virtual PC,
Virtual PC 2007 Service Pack 1 (SP1), Microsoft Enterprise Desktop Virtualization (MED-V), Microsoft
Application Virtualization (App-V), Remote Desktop Services (RDS), User State Virtualization, and Virtual
Desktop Infrastructure (VDI).
This lesson summarizes all of these technologies, and it briefly reviews the features and benefits of each
one.
Key Points
Windows Virtual PC is client virtualization software that you can use on a Windows 7 host operating
system to create and run multiple virtual machines. Each of these virtual machines can run a different
operating system or the same one. You can obtain Windows Virtual PC as a free download from the Windows Virtual PC Web
site.
The primary purpose of Windows Virtual PC is to serve as the virtualization engine for Windows XP Mode,
which is a preconfigured virtual machine that is running Windows XP Service Pack that Microsoft provides.
You can deploy Windows XP Mode on Windows 7 Professional, Ultimate, and Enterprise editions.
For guest operating systems, Windows Virtual PC supports Windows XP Service Pack 3 (SP3), Windows
Vista Service Pack 2 (SP2), and Windows 7. To the guest operating system running in the virtual
machine, Windows Virtual PC provides virtual hardware, including a disk, CPU, memory, input/output
(I/O), and other devices.
Extensive networking capabilities, which enable you to configure network connections between a
virtual machine and the host, among multiple virtual machines, and between virtual machines and the
external network.
The use of the Hardware Assisted Virtualization (HAV) feature (Intel VT and AMD-V) that improves
the performance and robustness of virtual machines on HAV-capable hardware. You must have HAV
to use Windows Virtual PC on Windows 7.
To deploy Windows Virtual PC, you do not need any server infrastructure. However, you can integrate
Windows Virtual PC into a standard image that you can use for deploying workstations. Additionally, you
can deploy it, optionally, with Windows XP Mode.
The central vision of Windows Virtual PC is to encourage organizations to use Windows 7 by addressing
the legacy application-compatibility needs of enterprise and small-business users with a very simple,
readily accessible, and seamless presentation of applications and virtual desktops.
Typically, home users, who need to have older or other platforms present on their Windows 7 desktop
computers, use Windows Virtual PC, as do companies that must support older applications, on a smaller
number of computers that are running Windows 7. You also can deploy Windows Virtual PC in larger
enterprise environments, but since there is no native centralized management for this virtual platform,
you need to use other methods to manage virtual machines that are running inside Windows Virtual PC.
You can use Group Policy if you join the virtual machines to a domain, or you can use technologies such as
Microsoft System Center Configuration Manager.
Key Points
Virtual PC 2007 SP1 is desktop virtualization software developed for earlier Windows versions, such as
Windows Vista and Windows XP. You also can run Virtual PC 2007 SP1 on Windows 7. However, you
cannot run both Virtual PC 2007 SP1 and Windows Virtual PC on the same computer.
Virtual PC 2007 SP1 does not require hardware virtualization support on the host computer, although it
can partly utilize it if it is available. Therefore, you can install Virtual PC 2007 SP1 on older hardware to
provide a virtualization platform, even if there is no available support for hardware virtualization.
Free downloads of the 32-bit and 64-bit versions of Virtual PC 2007 SP1 are available at the Microsoft
Web site.
Virtual PC 2007 SP1 offers the following key features:
Support for dragging and dropping folders and files between the host and the guest operating
system.
An administration console that enables you to create and manage virtual machines.
It enables you to provide virtualization on older hardware platforms.
It does not require a server infrastructure, but it supports centralized management through MED-V.
Support for application publication, when you use it with MED-V.
You typically would use Virtual PC 2007 SP1 if you have older operating systems, but you need a
virtualization platform for testing or for legacy application support. You also can use it as a managed
client-virtualization platform in enterprise environments where you deploy MED-V.
Summary of Desktop Virtualization Technologies 13-7
Review of MED-V
Key Points
MED-V is a management and deployment platform for desktop virtualization. It provides virtual machines
and application integration in a Virtual PC 2007 SP1 environment that is running on a previous version of
the operating system, such as Windows XP. Applications appear and operate as if they were installed on
the desktop, and for information technology (IT) administrators, MED-V helps deploy, provision, control,
and support virtual environments.
While VDI and RDS provide remote virtual desktops and presentation virtualization, MED-V provides a
local virtual machine with a client operating system in which legacy applications can run.
Additionally, it offers a complete solution for centrally managing client virtual machines; storing, updating,
and distributing virtual images; and monitoring user activity. MED-V is part of the Microsoft Desktop
Optimization Pack (MDOP) for Software Assurance, and the most current version is MED-V 1.0 SP1.
Typically, you would use MED-V in larger environments where it is critical that you maintain compatibility
with older applications and operating systems. In these scenarios, MED-V is beneficial because it enables
you to centralize control, deployment, and monitoring of all virtual images that are running older
applications. The only drawback of MED-V is that users must download the virtual image on a client,
which can take time and consume valuable network resources.
Review of App-V
Key Points
Application virtualization is a sophisticated technology that allows organizations to reduce costs and
simplify software deployment. Other virtualization technologies, such as Windows XP Mode or MED-V,
deliver an entire virtual machine to the client computer. However, App-V delivers a virtual application
hosted in a virtual environment, which is based on the host operating system. App-V does not provide a
virtual machine. It provides only an application and the environment necessary to run the application
independently of the host operating system. App-V is not an application-compatibility product, but rather
is an application-management product.
From an end user's perspective, a virtualized application behaves as a locally installed application. The
virtualization client software that you install on the client computer provides an environment that
simulates the local operating system.
The most current version is App-V 4.6. When you use it in conjunction with Windows 7, Windows Server
2008 R2, and Microsoft Office 2010, it provides a seamless user experience, streamlined application
deployment, and simplified application management.
Application management is one of the most time-consuming and costly aspects of an enterprise IT
infrastructure. However, there are many benefits to virtualizing applications, including a reduction of
management and support costs. App-V offers the following key features and benefits:
Centralized management.
The ability to run multiple versions of the same application without conflicts.
Reduced application conflicts.
A scalable infrastructure.
Support for Remote Desktop Servers.
Reduced license-compliance risks.
Usage reporting.
To deploy App-V, you must build a fairly complex server and client infrastructure that can include many
components, such as the Microsoft Application Virtualization Management Web Service, the App-V
Management Console, the App-V Management Server, the App-V Streaming Server, the App-V Client, the
App-V Sequencer, and Microsoft SQL Server. Depending on your usage scenario, you can deploy some
or all of the components of an App-V solution.
You typically would deploy App-V in your organization if you need to have full control over applications
that deploy to workstations and to address potential compatibility issues. App-V cannot address
incompatibility issues between an operating system and an application, but it enables you to run several
incompatible versions of the same application on a single computer. Also, you can run App-V on RDS
Session Host computers.
Review of RDS
Key Points
RDS provides a form of virtualization known as presentation virtualization.
RDS, formerly known as Terminal Services, provides technologies that enable you to access session-based
desktops, virtual machine-based desktops, and remote applications that are running on centralized
servers. You can establish a secure connection from a local network or from the Internet. Clients connect
to an RDS server by using Remote Desktop Protocol (RDP). RDP 7.0 provides improved and new features,
such as Windows Media redirection, Aero Glass support, and true multimonitor support. To benefit from
the new and improved RDP features, you must use Remote Desktop Connection 7.0 client, which both
Windows 7 and Windows Server 2008 R2 include.
RDS consists of several services, including Remote Desktop (RD) Session Host, RD Licensing, RD
Connection Broker, RD Gateway, RD Web Access, and the RD Virtualization Host. All these services work
together to provide end users with an experience that is similar to running local applications on their
computers. Features such as device redirection, single sign-on (SSO), and RD Easy Print make it difficult to
distinguish between remote and local applications.
You can maintain control centrally of which users can access RDS servers, which RDS servers users can
access, and of additional configuration information, such as device redirection settings.
RDS is part of the Windows Server 2008 R2 operating system, and can be relatively easy to deploy. The most
common usage scenario for RDS is application consolidation and optimization of resource usage. If you
want to centralize application deployment only to application servers, and not to clients, then you can use
RDS services such as RemoteApp and RD Web Access to publish applications to clients. Also, some RDS
services, such as RD Gateway, provide unified access to RDP hosts from any location inside or outside the
company.
Key Points
User state is a general term that describes several categories that determine user environment, user data,
and settings. You do not identify a user state in one specific file or setting, but rather in a set of files and
settings known as User settings, User Registry, Application data, and User data.
If you virtualize the user state, you make a user's data and settings available on any computer to which
that user logs on. User state virtualization, unlike other technologies that this course details, is more
conceptual virtualization than technical virtualization. To provide user state virtualization, you can use
technologies in Windows Server 2008, including folder redirection, roaming profiles, and offline files.
To implement any of these technologies as a support for user state virtualization, you must understand
the benefits and drawbacks of each. When you utilize user state virtualization with these technologies, you
receive the following benefits and features:
Access to data and settings from any computer that is a domain member.
A unified user environment on every computer.
A centralized location for users' data and settings.
Access to files from network shares, even when a computer is offline.
You do not need additional software to deploy user state virtualization. You can configure most of these
features by using Group Policy in Windows Server. However, you must decide which technology you will
apply and where you want to store user data.
You typically would deploy user state virtualization in environments where user data centralization is
critical. You also would implement this virtualization in scenarios where users frequently change the
computer on which they work, or if a company has several users that work offsite, but who still need
access to company data.
Additionally, you typically would combine technologies that are part of user state virtualization with other
virtualization technologies, such as RDS and VDI.
Review of VDI
Key Points
VDI is an alternative model for desktop delivery that enables users to access desktops that are running in
a data center. When you use VDI, each user has access to a personal virtual desktop from any device that
you authorize, which improves desktop flexibility.
VDI provides an architecture for desktop delivery that enables you to centralize the storage, execution,
and management of a data center's Windows desktops, and it enables you to run Windows 7, Windows
Vista, and other desktop environments, and then manage them in virtual machines on a centralized
server. Users can connect to a virtual desktop with Remote Desktop Client (RDC), and can initiate a
connection from a preconfigured .rdp file or from their Start Menu or a Web page.
VDI supports two key deployment scenarios: personal virtual machines and pooled virtual machines.
Personal virtual machines have a one-to-one linking for virtual machines and users, which means that you
assign each user a dedicated virtual machine, which that user can personalize and customize. This
preserves any changes that the user makes. You provide the greatest flexibility to end users by deploying
personal virtual desktops.
Pooled virtual machines replicate a single image, and you can store user state information through
profiles and folder redirection. However, the virtual machine does not retain the user state after the user
logs off. This feature can free up system resources, and it enables you to separate user data from virtual
machines.
Key Points
The table provided on the slide compares the different desktop virtualization technologies that this course
covered.
While you can implement each technology and treat it separately, you also can combine many of them
together to achieve better results and increased functionality. However, to implement the technology that
is most suitable for your needs, you should identify the usage scenario and expected results before you
start the planning and deployment of these technologies.
Also, you should consider licensing requirements since they vary with each technology. Some of the
technologies are free, such as Windows Virtual PC, some of them are part of packages such as MDOP,
while certain technologies such as RDS require you to buy a license. You also should evaluate each
technology before making a final decision. Your hands-on experience can greatly help you in choosing a
proper technology. Additionally, Microsoft provides appropriate evaluation resources for each technology
on the TechNet and MSDN Web sites.
Lesson 2
Real-World Usage Scenarios
Based on your organization's requirements and usage needs, you can deploy the virtualization technology
that provides the optimal solution. This lesson covers some of the predefined and real-world scenarios for
desktop virtualization.
Key Points
Contoso, Ltd is a large multinational company that has several offices around the world. The company has
5,000 users with approximately 5,000 workstations in several offices in the United States and Europe, and
its core infrastructure is on Windows Server 2008 AD DS. All domain controllers run on Windows Server
2008, while some member servers run on Windows Server 2003. Client computers run various versions of
the Windows operating system. Approximately 50 percent are running Windows XP Professional, while 20
percent are running Windows Vista SP2 Enterprise, and 30 percent are running Windows 7 Enterprise.
Contoso, Ltd uses approximately 40 applications for business and testing, and approximately 10 percent
of those are core business applications that are installed on nearly all computers. The other applications
mostly are used for testing in the development department and for the support of the systems of
various vendors. Deployment of these applications is becoming more and more difficult. First, not all
applications are compatible with all of the operating systems deployed at Contoso, Ltd. During the next
12 months, Contoso, Ltd plans to upgrade most computers to Windows 7, which could cause an issue
because some core business applications are not compatible with Windows 7. Additionally, very few
application specialists are available, so end users sometimes must wait too long for an application to
deploy to their computers. Lastly, providing support for these applications can be complex because there
is no unified method by which the organization can update applications. Applications that the
development department uses must run in an isolated environment, and therefore, these applications
should access the internal network only after testing is complete.
Some users at Contoso, Ltd work from home. Currently, they access the corporate network through a
VPN, but they have problems with some applications that do not work through a VPN connection.
You are a consultant for Contoso, Ltd, and you need to propose a solution that will address most, if not
all, of their problems with application deployment and support.
To enable fast and secure deployment of core business applications. Additionally, you must deploy
up-to-date applications.
To provide remote access to core business applications in a secure, user-friendly way.
Question: What will you recommend to address issues with core business applications at Contoso, Ltd?
Question: What will you recommend for maintaining those applications that the organization uses for
testing and development?
Question: What are the options for users that are working from home?
Key Points
Northwind Traders is a company in the United States that has five branch offices, with 1,000 users and
approximately 700 workstations. All users and computers are deployed in a single domain. Domain
controllers run Windows Server 2008 R2. Recently, the company bought several servers to use for
virtualization. These servers run Windows Server 2008 R2 with Hyper-V.
Workstations at Northwind Traders are heterogeneous, which means that they run various versions of the
Windows operating systems, from Windows 2000 to Windows 7. Not all users have their own workstation,
so some of them share the same workstation. Since some users do not have dedicated workstations, if
they save data on one workstation, it is sometimes hard to access it from another workstation, and it also
can cause version conflicts on documents. Additionally, some users have older computers that are not
capable of running new applications. The organization uses various platforms, so administrators are
having a hard time unifying desktop environments.
Each year, the company employs temporary workers that work outside the company. They use computers
occasionally, when they are in the company office, and then mostly for checking e-mail and information
on the company's intranet portal or for writing work reports. These employees do not need dedicated
workstations, but must be able to use a computer when necessary and save their reports.
You are a consultant at Northwind Traders, which is considering desktop virtualization technologies as a
solution. However, the IT department is not sure which technology will address the company's needs.
Question: What solution would you recommend to unify desktop environments for existing users?
Key Points
In this topic, you should discuss your environment with the rest of the class. During preparation for this
discussion, you should answer the following questions:
1. Do you need any virtualization in your environment?
2. Do you have to support legacy applications?
3. Do you plan to upgrade to Windows 7 in the near future?
4. Do you often face application compatibility issues in your environment?
5. Do you have a need to unify user desktop platforms?
6. Do you have problems with backing up user data that is on desktops?
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential, and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.
Lab: Planning Desktop Virtualization Scenarios L1-1
Note: You will need to fill in the information in the spreadsheet twice, once for each user group.
6. No
7. Unanswered
8. No
Business Requirements:
9. No
10. No
11. No
12. No
What is the suggested scenario?
Office Worker
11. No
12. No
4. The recommended products and technologies for each type of user group are listed in the following table:
Results: At the end of this exercise, you will have identified the user groups that may require virtualization at
Contoso, identified virtualization solutions that the organization could implement to address its business
requirements, and developed a prioritized list of projects to implement application and desktop virtualization.
Note: If Auto Publish is not enabled, you have to turn off the virtual machine, enable this option, and
then turn on the virtual machine.
3. Switch to Windows XP Mode. Open Windows Explorer, and then browse to the C drive on NYC-
CL2.
4. Open folder Labfiles\Office, and double-click the Setup file.
5. Click OK.
6. Type Admin for the Name and Contoso for the Organization, and then click OK eight times.
7. Click Complete/Custom on the Microsoft Office 4.3 Professional Setup page.
8. In the options list, remove all check marks except for the one next to Microsoft Access, and then
click Continue.
Lab: Implementing Windows Virtual PC and Windows XP Mode L2-3
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Lab: Implementing MED-V L3-1
Task 2: Configure an IIS Web server for the MED-V image repository
1. On NYC-DC1, click Start, expand Administrative Tools, and then click Internet Information
Services (IIS) Manager.
2. Expand NYC-DC1 (Contoso\Administrator), expand Sites, right-click Default Web Site, and then
select Add Virtual Directory.
3. In Alias type vimages, and in the Physical path, point to C:\MED-V Server Images, and then click
OK.
4. Verify that in the Navigation pane, the vimages virtual directory is selected, and in Features View,
double-click BITS Upload.
5. On the BITS Upload page, select the Allow clients to upload files check box. Verify Use default
settings from parent is selected, and then click Apply.
6. Click vimages in the Navigation pane, and in Features View, double-click MIME Types.
7. In the Actions pane, click Add, and in the File name extension box, enter .ckm, enter
application/octet-stream as MIME type, and then click OK.
8. In the Actions pane, click Add, enter .index in the File name extension box, enter
application/octet-stream as MIME type, and then click OK.
9. Close the IIS Manager.
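The virtual directory and MIME type settings from steps 2, 3, 7 and 8 can also be applied and checked from PowerShell. The script below is an added example, not part of the course lab files; it assumes the WebAdministration module that ships with IIS on Windows Server 2008 R2, and it leaves the BITS Upload setting from step 5 to IIS Manager.

```powershell
# Added example: scripted setup of the MED-V image repository virtual directory.
# Assumption: run in an elevated PowerShell session on the IIS server (NYC-DC1 in the lab).
Import-Module WebAdministration

$site   = 'Default Web Site'
$alias  = 'vimages'
$path   = 'C:\MED-V Server Images'
$psPath = "IIS:\Sites\$site\$alias"
$exts   = @('.ckm', '.index')

# The physical folder must exist before IIS can serve it.
if (-not (Test-Path $path)) {
    New-Item -ItemType Directory -Path $path | Out-Null
}

# Create the virtual directory only if it is not already defined (safe to re-run).
if (-not (Get-WebVirtualDirectory -Site $site -Name $alias)) {
    New-WebVirtualDirectory -Site $site -Name $alias -PhysicalPath $path | Out-Null
}

# IIS refuses to serve extensions that have no MIME mapping, so the MED-V
# image (.ckm) and index (.index) files each need an explicit entry.
foreach ($ext in $exts) {
    $filter   = "system.webServer/staticContent/mimeMap[@fileExtension='$ext']"
    $existing = Get-WebConfiguration -PSPath $psPath -Filter $filter
    if (-not $existing) {
        Add-WebConfigurationProperty -PSPath $psPath `
            -Filter 'system.webServer/staticContent' -Name '.' `
            -Value @{ fileExtension = $ext; mimeType = 'application/octet-stream' }
    }
}

# Report what the vimages directory now maps, so the result can be reviewed.
Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/staticContent/mimeMap' |
    Where-Object { $exts -contains $_.fileExtension } |
    Select-Object fileExtension, mimeType
```

Because step 5 lets clients upload files into this directory, review the NTFS permissions on C:\MED-V Server Images after the setup so that only the accounts that manage images can write to it.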
11. Review the configuration file, confirm that all settings from MED-V Server Configuration Manager are
stored there, and then close Notepad.
Task 2: Verify connectivity to the MED-V Management Server, and create a MED-V
deployment package
1. On the desktop of the NYC-CL1 computer, double-click MED-V Management.
2. Enter Contoso\medv-admin as User name, enter Pa$$w0rd as Password, and then click OK.
3. In the MED-V Management Console, on the Tools menu, select Packaging Wizard.
4. On the Deployment Package page, click Next.
5. On the Workspace Image page, click Next.
6. On the MED-V Installation Settings page, for MED-V installation file, point to
E:\Labfiles\Mod03\MED-V_1.0.105.msi. Verify that nyc-dc1 is entered as the Server address, and
then click Next.
7. On the Additional Installations page, select the Include installation of Virtual PC QFE check box,
and then clear the Include installation of Microsoft .NET Framework 2.0 check box. For
virtualization software, point to E:\Labfiles\Mod03\VPC 2007 SP1 x86.exe, and for installation of
Virtual PC QFE, point to E:\Labfiles\Mod03\KB974918 x86.msp, and then click Next.
8. On the Finalize page, in the Package destination, enter E:\Labfiles\MED-V Client, and then click Finish.
9. After the deployment package has been created, click No in the MED-V Management window.
10. Close the MED-V Management Console, and then explore the contents of the E:\Labfiles\MED-V
client folder in Windows Explorer.
2. In Control Panel, open Sounds and Audio Devices, and on the Sounds tab verify that Windows
Logon and Windows Logoff have no sounds assigned.
3. Open the Services console and verify that the Security Center, Task Scheduler, and System Restore
Service services startup type is set to Manual. Those are just some of the Windows XP services that
were set to Manual by the VM Prerequisites Tool.
5. Shut down the XP virtual machine and then close the Virtual PC Console. All of your changes are
saved into the XP virtual machine.
2. In the Start Workspace window, enter contoso\medv-user as User name, Pa$$w0rd as password,
and then click OK. The Medv-user has already been created as a member of the MED-V Users group.
4. Wait while the Starting Workspace window shows progress. You can click the Details >> button to
review details of the progress.
5. In the Windows Security Alert window, click Allow Access for all of the networks to allow Virtual PC
2007 SP1 to communicate.
6. When Starting Workspace disappears, on the Start menu of the NYC-CL1 computer, click All
Programs, click MED-V Programs, and then verify that published programs from the MED-V virtual
image are listed. Click XP Notepad.
7. Verify that there is a red line around the Untitled Notepad window.
Lab: Configuring and Deploying MED-V Images L4-3
8. In the Untitled Notepad window, select Help, and then click About Notepad. The About Notepad
window opens, with a red line around it. It shows that Notepad is running on Windows XP and that
the virtual machine has 256 megabytes (MB) of memory available. Click OK and close Notepad.
9. On the Start menu of the NYC-CL1 computer, click All Programs, click MED-V Programs, and then
click XP Remote Desktop.
10. On the Remote Desktop Connection menu, click Help. In Remote Desktop Connection Help, select
some text, right-click on it, and select Copy.
11. On the NYC-CL1 computer, open Notepad, right-click on the Notepad window, and then select
Paste. Verify that the copied text from the published application (Remote Desktop Connection help)
is pasted. This shows that you can copy and paste between published MED-V applications and locally
installed applications.
12. Close Notepad and don't save changes. Close Remote Desktop Connection; Remote Desktop
Connection Help closes automatically.
13. On the Start menu of the NYC-CL1 computer, in the Search field, enter xp. Verify that published
programs from the MED-V virtual image are listed. Click XP Command Prompt.
14. In the command prompt window, enter time, and press ENTER twice. Verify that time is synchronized
between NYC-CL1 and the MED-V virtual machine.
15. Use the dir c:\ command to compare the content of the C:\ drive in the MED-V virtual machine and the c:\ drive
on the NYC-CL1 computer.
16. Close the command prompt window.
17. On the notification area of the NYC-CL1 computer, click Show hidden icons, right-click on MED-V
icon, and then select Stop Workspace.
18. Click Yes in the MED-V dialog box and wait until the Workspace is stopped.
Note: The XP_0 virtual machine is the saved image from the previous exercise. You should select the
XP virtual machine for this exercise.
3. Open Windows Explorer in the XP virtual machine, and point it to C:\ drive.
4. Open Windows Explorer on NYC-CL1 and drag and drop the XmlNotepad.msi and WindowsXP-
KB956802-x86-ENU.exe files from E:\LabFiles\Mod04 to the C:\ drive of the XP virtual machine.
5. In the XP virtual machine, in Windows Explorer, double-click c:\XmlNotepad.msi.
6. On the XML Notepad 2007 Setup page, click Next. Accept the terms in the license agreement, click
Next twice, click Install, and after the program is installed, click Finish.
7. In the XP virtual machine, close the Internet Explorer window that shows the Welcome to XML Notepad 2007 page. On
the Start menu, click All Programs, and then verify that a folder for XML Notepad 2007 is added.
8. In the XP virtual machine, in Windows Explorer, double-click c:\WindowsXP-KB956802-x86-
ENU.exe. Click Next.
9. On the License Agreement page, select I Agree, and then click Next.
10. On the Completing the Security Update page, select Do not restart now, and then click Finish.
11. On the Start menu, click Control Panel, and then double-click Add or Remove Programs.
12. Select Show updates and verify that Security Update for Windows XP (KB956802) is listed under
Windows XP Software Updates.
13. On the Start menu of the XP virtual machine, click Shut Down, click OK, and then wait until the XP
virtual machine shuts down. Close Virtual PC Console.
3. In the Complete XP-Updated uploaded successfully to the server window, click OK.
4. In the Packaged Images on the Server section in MED-V Management console, verify that XP-
Updated is listed.
5. Switch to the NYC-DC1 server and verify that .ckm and .index files are available in C:\MED-V Server
Images folder. They were uploaded by using Background Intelligent Transfer Service (BITS) in this
task.
deployment tools and documentation from the Deploy.cab cabinet file from Windows XP CD. The
whole folder is automatically deleted after Sysprep.exe tool is used.
5. In the Sysprep folder, double click setupmgr.exe. Setup Manager opens.
6. On the Welcome to Setup Manager page, click Next.
7. On the New or Existing Answer File page, verify that the Create new option is selected and click
Next.
8. On the Type of Setup page, select Sysprep setup option and click Next.
9. On the Product page, verify that Windows XP Professional is selected and click Next.
10. On the License Agreement page, select Yes, fully automate the installation and click Next.
11. On the Name and Organization page, enter MED-V user as Name, Contoso as Organization and
click Next.
12. On the Display Settings, accept default values and click Next.
13. On the Time Zone page, select your Time zone and click Next.
14. On the Product Key page, enter the following product key: 11111-11111-11111-11111-11111 and
click Next. Don't forget that the virtual image must be based on a volume licensing product, and in a real
environment you would enter a valid volume licensing key. After you use the Sysprep tool, the entire
folder, including the answer file, will be automatically deleted.
15. On the Computer Name page, select Automatically generate computer name and click Next. You
will use MED-V Policy for deploying the image and the computer name will be set there.
16. On the Administrator Password page, enter and confirm Pa$$word as Password. Enable the option
When a destination computer starts, automatically log on as Administrator and set it to value
10. This option will be defined by MED-V Policy when you deploy virtual image.
17. Accept default values for other questions. In Setup Manager, select File menu and click Save.
18. Accept default path and file name of C:\Sysprep\sysprep.inf and click OK.
19. In Setup Manager, select File menu and click Exit.
20. In Windows Explorer, verify that sysprep.inf file was created in the C:\Sysprep folder and that it
contains all the answers you provided through Setup Manager.
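The answer file that Setup Manager saves holds the Administrator password, the automatic logon count, and the product key from steps 14 and 16, so any copy kept outside C:\Sysprep deserves a check before the image is distributed. The script below is an added example, not part of the course lab files: it parses a sysprep.inf and reports the credential-related settings. The embedded file is a constructed sample that reuses the lab values; the TimeZone value, the workgroup name, and the assumption that password encryption was not selected are illustrative.

```powershell
# Added example: audit a Windows XP sysprep.inf for embedded secrets.
# Constructed sample answer file (lab values; TimeZone and JoinWorkgroup are placeholders).
$sample = @'
;SetupMgrTag
[Unattended]
    OemSkipEula=Yes

[GuiUnattended]
    AdminPassword="Pa$$word"
    EncryptedAdminPassword=NO
    AutoLogon=Yes
    AutoLogonCount=10
    TimeZone=85

[UserData]
    ProductKey=11111-11111-11111-11111-11111
    FullName="MED-V user"
    OrgName="Contoso"
    ComputerName=*

[Identification]
    JoinWorkgroup=WORKGROUP
'@

# Parse INI text into a hashtable of sections, each a hashtable of key/value pairs.
function ConvertFrom-AnswerFile {
    param([string]$Text)
    $sections = @{}
    $current  = $null
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank line or comment
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1].ToLower()
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @{} }
            continue
        }
        if ($current -and $line -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim().ToLower()] = $Matches[2].Trim().Trim('"')
        }
    }
    return $sections
}

# Return one finding per credential-related setting; secret values are never echoed.
function Test-AnswerFile {
    param([hashtable]$Ini)
    $findings = @()
    $gui = $Ini['guiunattended']
    if ($gui) {
        $pw = $gui['adminpassword']
        if ($pw -eq '*') {
            $findings += 'GuiUnattended: Administrator password is blank'
        } elseif ($pw -and $gui['encryptedadminpassword'] -ne 'yes') {
            $findings += 'GuiUnattended: AdminPassword is stored in clear text'
        }
        if ($gui['autologon'] -eq 'yes') {
            $findings += "GuiUnattended: automatic Administrator logon for $($gui['autologoncount']) logon(s)"
        }
    }
    $id = $Ini['identification']
    if ($id -and $id['domainadminpassword']) {
        $findings += "Identification: domain join password stored for account $($id['domainadmin'])"
    }
    $user = $Ini['userdata']
    if ($user -and $user['productkey']) {
        $findings += 'UserData: product key is embedded in the file'
    }
    return $findings
}

# To audit a real file instead of the sample:
#   $text = [IO.File]::ReadAllText('C:\Sysprep\sysprep.inf')
$ini = ConvertFrom-AnswerFile -Text $sample
Test-AnswerFile -Ini $ini | ForEach-Object { Write-Output "FINDING: $_" }
```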
XP Notepad c:\windows\system32\notepad.exe
8. In the Published Menus section, click Add, enter Published as the Display Name, and Games as
Folder in Workspace.
9. In the Start menu shortcut folder field, type MED-V Published Apps.
10. Click the Web tab, and then select Browse the list of URLs defined in the following table and
Browse all other URLs.
11. Click Add, leave Domain as the Type, and then enter contoso.com as the Value.
12. Review the settings on the VM Setup tab, but do not select any options. Most of these options are
available when you use a persistent workspace and you configure revertible workspaces.
13. Review the settings on the Network tab, but do not select any options.
14. Click the Performance tab, and assign 160 if host has Above 550 MB and assign 200 if host has
Above 1100 MB. Click Add, and then assign 256 MB VM Memory, if host has Above 1400 MB.
15. Verify the Policy Version in the title bar of MED-V Management Console.
16. In the Policy menu, select Commit or click Save Changes in the Toolbar.
17. Confirm that the Policy Version has increased, and then minimize the MED-V Management Console.
Task 2: Explore the published programs, and manually update the MED-V policy
1. On NYC-CL1, click Start, click All Programs, click MED-V Published Apps, and then verify that the
four published applications and the Published subfolder are listed.
2. Click the Published subfolder, and verify that it includes XP games from the workspace.
3. Click Start, point to the Search field, and then enter xp. Verify that the published applications are
listed.
4. Click XP XML Notepad, and verify that the application has a pink frame around the window. Drag
the window around, like the window of the locally installed application. Confirm that the window
content is shown while you drag the window. Click Exit to close the application.
5. Restore the MED-V Management Console. Verify that Legacy Workspace is selected, that you are in
Policy module, and the Applications tab is selected. In the Published Menus section, uncheck
Published, and verify the policy version in the title bar of the tool.
6. Click Save changes, and confirm that policy version has increased. Minimize MED-V Management.
7. On NYC-CL1, in the notification area, right-click the MED-V icon, point to Help, and then click MED-
V Diagnostics. The Diagnostics window opens.
8. In the Policy section, determine the last time that the policy was updated, and then confirm that the
previous version of the policy was used. Click Update policy.
Lab: Managing a MED-V Deployment L5-3
9. A notification window displays that indicates that the policy updated successfully. Verify that the
policy version and update time are updated, and then click Close.
10. On NYC-CL1, click Start, click All Programs, click MED-V Published Apps, and then verify that four
published applications are still listed, but the Published subfolder no longer is present.
Event ID after the Category header. You can reorder the report's columns by dragging column
headers to different positions.
10. Click the Status tab. On the Reports menu, select Export to Excel, select Desktop as destination,
and then click Save. You can export MED-V reports to an Excel .xls format.
11. Minimize the MED-V Management Console.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Lab: Implementing Application Virtualization L6-1
Answer: You can use a Group Policy object (GPO) for the users who are connecting through a local area
network (LAN). For the field engineers, you can use manual deployment via DVD or USB flash drive. You
also can use other options, such as a third-party software distribution system.
Answer: You can deploy an App-V management server with the management Web services. Deploy or
use an existing Microsoft SQL Server to host the data store. Configure licensing and usage metering
policies.
Question: How would you distribute virtual applications to the branch office?
Answer: Deploy the App-V streaming server to the local file server, and then configure the App-V client
to stream from the local server. Branch office clients will receive publishing information from the head
office's management server, but will stream applications from the local server.
Question: How would you distribute virtual applications to the field engineers?
Answer: Create an MSI file during the sequencing process. Deploy the App-V client in standalone mode,
and then distribute the Windows Installer (MSI) file by using DVD or USB flash drives that the field
engineers can install on their laptops.
Other options could involve HTTP streaming via the Internet.
7. In the Allowed Programs dialog box, click OK and then close Windows Firewall.
Note: You are performing this step because the SQL Server is running on the same computer. The
App-V Management service is dependent on the start of the SQL service and occasionally times out if
the SQL service is slow to start.
Task 2: Use the Sftmime utility to load the package into the client cache
1. Click Start and then click All Programs. Notice there is no icon for Microsoft Office Word Viewer
2003.
2. In the Search box, type cmd, and then press ENTER.
3. In the Command Prompt, type the following command and press ENTER:
Note: The UNC path in the command requires three backslashes at the beginning of the path.
Task 2: Examine the properties of the package file and the data locations
1. Click Start, click Control Panel, click System and Security, click Administrative Tools, and then
double-click Application Virtualization Client.
2. Click Applications, and in the details pane, double-click Microsoft Office Word Viewer 2003.
L7-2 Lab A: Deploying the App-V Client in Stand-Alone Mode
3. Click the Package tab, and then observe the Current Statistics:
Question: What is the Package Size?
Answer: 39 megabytes (MB)
Question: What is the Size in Cache?
Answer: 39 MB
Question: What is the Launch Data Size?
Answer: 9 MB
4. Click Cancel.
5. Close the Microsoft Application Virtualization Client and Control Panel.
6. Click Start, and then click Computer.
7. Click the Organize drop-down arrow on the toolbar, and then click Folder and search options. Click
the View tab, click Show hidden files, folders, and drives, and then click OK.
8. Navigate to the global data location at
C:\ProgramData\Microsoft\Application Virtualization Client\SoftGrid Client, and then examine the contents:
Question: What is the size of the sftfs.fsd file?
Answer: The file will be approximately 44 MB.
9. Navigate to the user specific data location at
C:\Users\Administrator.CONTOSO\AppData\Roaming\SoftGrid Client, and then notice the
shortcut_ex.dat file and the userinfo.dat file. These files maintain per-user shortcut and identity
information.
10. Close all open windows on NYC-CL2.
Task 2: Configure the DC Refresh settings, and then refresh the client manually
1. On NYC-CL1, select the Publishing Servers node, right-click the Contoso App-V Management
server entry in the details pane, and then click Properties. Click the Refresh tab.
2. Select the Refresh publishing every: check box, set the time interval to be 2 hours, and then click
Apply.
3. Click Refresh to force the immediate refresh to the server manually, and then click OK.
Note: You may have to refresh the view to see the application listed.
2. Right-click the Microsoft Word Viewer application, and then click Properties. Inspect the properties.
3. In the Microsoft Word Viewer Properties dialog box, click the Package tab. Answer the following
questions.
Question: What is the Package Size?
Answer: 6 MB
Question: What is the Launch Data in Cache?
Answer: 0 MB
Question: What is the Launch Data Size?
Answer: 0 MB
4. Click Load and then click OK. Notice the Package Status changes to Loading. Press F5 to refresh the
console view.
5. Access the Properties of the application again and click the Package tab.
Question: What is the Launch Data in Cache?
Answer: 2 MB
Question: What is the Launch Data Size?
Answer: 2 MB
Exercise 4: Installing and Configuring Settings by Using the Group Policy App-V
Template
Task 1: Install the App-V Group Policy template
1. On NYC-DC1, open Windows Explorer, browse to E:\Labfiles\Mod07, and then double-click
AppVADMTemplate.msi.
2. Accept the license agreement, and then click Next.
3. On the Select Installation Folder page, click Next.
4. On the Confirm Installation page, click Next. After installation completes, click Close. Close
Windows Explorer.
Task 2: Add the template to the Group Policy Object Editor of the Default Domain Policy
1. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.
2. Expand Forest, expand Domains, and then expand Contoso.com.
3. Right-click Default Domain Policy, and then click Edit.
4. Expand Default Domain Policy, expand Computer Configuration, expand Policies, right-click
Administrative Templates, and then click Add/Remove Templates.
5. In the Add/Remove Templates dialog box, click Add.
6. In the Policy Templates dialog box, navigate to C:\AppVADMTemplate, click AppVirt.adm, click
Open, and then click Close.
Task 2: Configure the default content path and the duration for database usage
1. Right-click NYC-SVR2, and then click System Options.
2. On the General tab of the System Options dialog box, ensure that the Universal Naming Convention
(UNC) path \\NYC-SVR2\Content is specified.
3. Click the Database tab.
4. In the Usage History section, set the Keep Usage For (Months) field to be 12 months, and then
click OK.
2. Navigate to C:\Content\Word03, click the Wordviewer03.sprj file, and then click Open.
3. In the New Application Wizard, on the General Information page, observe the settings, and then
click Next.
4. On the Published Shortcuts page, select the Publish to User's Desktop check box, and then click
Next.
5. On the File Associations page, click Next.
6. On the Access Permissions page, click Add.
7. Type Domain Users; AppVUsers in the Select Groups dialog box, click OK, and then click Next.
8. Click Finish to complete the import.
Task 4: Move the Microsoft Office Viewer applications into the Application Group
1. In the Applications node, right-click the Microsoft Office Word Viewer 2003 application, and then
click Move.
2. In the Select Target dialog box, expand Applications, click Microsoft Office Viewers, and then
click OK.
3. Repeat the procedure to move the Microsoft Word Viewer into the Microsoft Office Viewers group.
2. On the Provider Policy Properties page, type Licensed in the Policy Name field, and then click
Next.
3. On the Group Assignment page, click Add.
4. Type AppVUsers, click OK, and then click Next.
5. On the Provider Pipeline page, click the Licensing check box, and then select Enforce License
Policies from the drop-down list.
6. Click Finish.
7. Click OK in the information dialog box.
Task 3: Modify the Excel .osd file to use the new provider policy
1. On NYC-SVR2, open Windows Explorer, and then navigate to C:\Content\Excel.
2. Use Notepad.exe to open the Microsoft Office Excel Viewer 12.0.6219.1000.osd file.
3. Modify the hypertext reference (HREF) tag line by inserting the ?Customer=Licensed text so that the
HREF tag now reads:
HREF="RTSP://NYC-SVR2:554/Excel/Excel.sft?Customer=Licensed"
9. Navigate to C:\Word Viewer 2003, and then double-click the Wdviewer.exe file.
10. Accept the license agreement, and then click Next.
11. Click Browse, navigate to the Q:\Word03 folder, and then click OK.
12. Click Install.
13. On the Microsoft Office Word Viewer 2003 Setup has Completed dialog box, click OK.
14. Close the Word Viewer 2003 window, and return to the App-V Sequencer.
15. Click Stop Monitoring, and then click Next.
16. On the Configure Applications page, in the right pane, click the Microsoft Office 2003
component, and then click Remove. Click OK in the message box, and then click Next.
17. On the Launch Applications page, click Launch All. You are establishing feature block 1.
18. After the application launches, close the application, and then click Next.
19. On the Sequence Package page, click Finish.
20. In the Wordviewer03 dialog box, take note of the Launch Size and the Package Size values, and
then click the Deployment tab.
21. Click the drop-down arrow below Protocol, and then select RTSP.
22. In the Hostname field, type NYC-SVR2.
23. Ensure that the port is 554.
24. In the Path field, type Word03. This is the relative path in the content folder.
25. On the Menu bar, click Package, and then click Save.
26. In the Documents folder, right-click, point to New, and then click Folder.
27. Name the new folder Word03.
28. Save the WordViewer03.sprj file into the Word03 folder.
29. Close the sequencer, and then close all open windows.
5. On the Published Shortcuts page, select the Publish to User's Desktop check box, and then click
Next.
6. On the File Associations page, click Next.
7. On the Access Permissions page, click Add.
8. In the Select Groups dialog box, type AppVUsers, click OK, and then click Next.
9. Click Finish.
18. On the Menu bar, click Package, and then click Save.
19. Close the sequencer.
Task 2: Add the Remote Desktop Service role to the NYC-SVR1 server
1. On the Start menu of the NYC-SVR1 server, point to Administrative Tools, and then click Server
Manager. The Server Manager window opens.
2. In Server Manager, right-click Roles, and then select Add Roles.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, select Remote Desktop Services, and then click Next twice.
5. On the Select Role Services page, select Remote Desktop Session Host, Remote Desktop
Connection Broker, and Remote Desktop Web Access.
6. In the Add Roles Wizard dialog box, click Add Required Role Services, and then click Next twice.
7. On the Specify Authentication Method for Remote Desktop Session Host page, click Require
Network Level Authentication, and then click Next.
8. Click Next five more times, and then click Install.
9. Wait until installation finishes. On the Installation Results page, click Close. In the Add Roles Wizard
dialog box, click Yes to restart the computer.
10. Wait until the server restarts. Log on to NYC-SVR1 as Contoso\Administrator with Pa$$w0rd as
password.
11. After you log on to NYC-SVR1, Server Manager opens. Wait until the Resume Configuration Wizard
finishes. On the Installation Results page, click Close, and then minimize Server Manager.
L10-2 Lab: Configuring RDS and RemoteApp Programs
Task 3: Configure Remote Desktop Web Access to use Remote Desktop Connection
Broker
1. In this task, you will configure Remote Desktop Web Access to provide a list of all RemoteApp
programs that are available on two RD Session Host servers. On the Start menu of the NYC-SVR1
server, point to Administrative Tools, point to Remote Desktop Services, and then click Remote
Desktop Web Access Configuration. The Internet Explorer window opens.
2. Click Continue to this website (not recommended). This error occurs because the Web site
certificate is issued to NYC-SVR1.contoso.msft, and you are connecting to localhost.
3. Enter contoso\administrator as the Domain\username and Pa$$w0rd as Password, and then click
Sign in.
4. Select the An RD Connection Broker server radio button, enter NYC-SVR1.contoso.com in Source
name, and then click OK. The Enterprise Remote Access setting configures the Remote Desktop
Web Access page to retrieve the aggregated list of RemoteApp programs from the RD Connection
Broker computer.
5. Verify that all four RemoteApp published applications are displayed on the Enterprise Remote
Access Web page.
3. Switch to NYC-CL1, and refresh the page in Internet Explorer. As ruser no longer has permissions for
the WordPad RemoteApp program, the WordPad icon no longer is available, and there are only three
RemoteApp programs available on the Enterprise Remote Access Web page.
4. You also can remove the RemoteApp program icon from the RD Web Access Web page for all users.
To test this feature, on NYC-DC1 server, switch to RemoteApp Manager, right-click Paint in
RemoteApp Programs, and then click Hide in RD Web Access.
5. Switch to NYC-CL1, and refresh the page in Internet Explorer. The Paint icon no longer is available,
and there are only two RemoteApp programs available on the Enterprise Remote Access Web page.
3. On NYC-CL1, switch to Internet Explorer, where you have the Enterprise Remote Access page open,
and then click Notepad. In the RemoteApp dialog box, click the NYC-SVR1.contoso.com link.
4. In the Certificate window, click the Details tab, scroll down, and then click the Thumbprint field.
Highlight the thumbprint numbers in the details box, copy them by pressing CTRL+C, click OK, and
then click Cancel in the RemoteApp dialog box.
Note: Do not highlight the leading or ending space in the thumbprint box!
5. Switch to the Specify SHA1 thumbprints of certificates representing trusted .rdp publishers window,
right-click in the Comma-separated list of SHA1 trusted certificate thumbprints entry box, and
then select Paste. Click OK, and then minimize Local Group Policy Editor.
6. In Internet Explorer, on the Enterprise Remote Access page, click Notepad. Verify that the Notepad
RemoteApp program opens without any prompt. With this configuration, users can start RemoteApp
programs in the same way as locally installed programs. Close Notepad.
L11-2 Lab: Implementing User State Virtualization
Question: Do the Desktop personalization options appear as you configured them, including the
desktop shortcut?
Answer: Yes.
Question: Is the shortcut to drive C retained on Desktop?
Answer: Yes.
28. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select (examples) box, type Production, and then click Check Names.
29. Click OK, and in the Permissions for Production$ dialog box, click Production, select the Full
Control check box under Allow, and then click OK.
30. In the Advanced Sharing dialog box, click OK.
31. In the Production Properties dialog box, click Close.
32. Right-click Marketing, and then click Properties.
33. Click the Security tab.
34. Click Advanced.
35. Click Change Permissions.
36. Clear the Include inheritable permissions from this object's parent check box.
37. In the Windows Security dialog box, click Add.
38. In the Advanced Security Settings for Marketing dialog box, click OK, and then click OK again.
39. In the Marketing Properties dialog box, click Edit.
40. In the Permissions for Marketing dialog box, click Add.
41. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select (examples) box, type Marketing, click Check Names, and then click OK.
42. In the Permissions for Marketing dialog box, click OK.
43. In the Marketing Properties dialog box, click Advanced, and then click Change Permissions.
44. In the Permissions entries list, click Marketing (CONTOSO\Marketing), and then click Edit.
45. In the Permission Entry for Marketing dialog box, in the Apply to list, click This folder only, in the
Permissions list select the Create folders / append data check box under Allow column, and then
click OK.
46. Click OK three times to close all dialog boxes.
47. Right-click Production, and then click Properties.
48. Click the Security tab.
49. Click Advanced.
50. Click Change Permissions.
51. Clear the Include inheritable permissions from this object's parent check box.
52. In the Windows Security dialog box, click Add.
53. In the Advanced Security Settings for Production dialog box, click OK, and then click OK again.
54. In the Production Properties dialog box, click Edit.
55. In the Permissions for Production dialog box, click Add.
56. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select (examples) box, type Production, click Check Names, and then click OK.
57. In the Permissions for Production dialog box, click OK.
58. In the Production Properties dialog box, click Advanced, and then click Change Permissions.
59. In the Permissions entries list, click Production (CONTOSO\Production), and then click Edit.
60. In the Permission Entry for Production dialog box, in the Apply to list, click This folder only, in
the Permissions list, select the Create folders / append data check box under Allow column, and
then click OK four times.
61. Click Start, point to Administrative Tools, and then click Group Policy Management.
62. In Group Policy Management, expand Forest: Contoso.com.
63. Expand Domains, right-click Contoso.com, and then click Create a GPO in this domain, and Link it
here.
64. In the New GPO dialog box, type Redirection in Name box, and then click OK.
65. Right-click Redirection, and then click Edit.
66. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand
Windows Settings, and then expand Folder Redirection.
67. Right-click Documents, and then click Properties.
68. In the Documents Properties dialog box, in the Setting list, click Advanced - Specify locations for
various user groups.
69. Click Add, and in the Specify Group and Location dialog box, in the Security Group Membership
box, type Marketing.
70. In the Target Folder Location list, click Create a folder for each user under the root path.
71. In the Root Path box, type \\NYC-DC1\marketing$ and then click OK.
72. Click Add, and in the Specify Group and Location dialog box, in the Security Group Membership
box, type Production.
73. In the Target Folder Location list, click Create a folder for each user under the root path.
74. In the Root Path box, type \\NYC-DC1\Production$, and then click OK.
75. In the Documents Properties dialog box, click the Settings tab.
76. Under Policy Removal, click Redirect the folder back to the local userprofile location when
policy is removed, and then click OK.
77. In the Warning dialog box, click Yes.
78. In the Group Policy Management Editor, in the tree, right-click Pictures, and then click Properties.
79. On the Target tab, in the Setting list, click Follow the Documents folder, and then click OK.
80. In the Warning dialog box, click Yes.
81. Repeat steps 78-80 for the Music and Videos folders.
82. Close the Group Policy Management Editor.
83. Close Group Policy Management.
84. Switch to the NYC-CL1 virtual machine.
85. Log on to the NYC-CL1 virtual machine as Contoso\Administrator using the password Pa$$w0rd.
86. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
87. At the command prompt, type gpupdate /force, and then press ENTER.
88. Read the message at the command prompt, type Y, and then press ENTER.
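The NTFS settings from steps 32-60 (inheritance removed, the group entry limited to This folder only with Create folders / append data) can be checked from the security descriptor instead of the dialog boxes. The following is an added example, not part of the courseware: the function names, the group SID, and both SDDL strings are constructed for illustration, and the "excess rights" list is an assumption about what counts as a deviation from the lab's configuration.

```powershell
# Added example. The group SID and both SDDL strings are constructed sample data.
function Test-RedirectionRootAcl {
    param(
        [Parameter(Mandatory)][System.Security.AccessControl.DirectorySecurity]$Acl,
        [Parameter(Mandatory)][string]$GroupSid
    )
    # "Create folders / append data" is FileSystemRights.AppendData.
    $append = [int][System.Security.AccessControl.FileSystemRights]::AppendData
    # Rights the lab does not grant to the group on the root folder (assumed deviation list).
    $excess = [int][System.Security.AccessControl.FileSystemRights]'WriteData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $findings = New-Object System.Collections.Generic.List[string]

    # Steps 36 and 51 clear inheritance, which sets the "protected" flag on the DACL.
    if (-not $Acl.AreAccessRulesProtected) {
        $findings.Add('Inheritance from the parent folder is still enabled.')
    }

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = @($Acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $GroupSid -and $_.AccessControlType -eq 'Allow'
    })
    if ($rules.Count -eq 0) { $findings.Add('No Allow entry for the group.') }

    $canCreate = $false
    foreach ($rule in $rules) {
        $rights = [int]$rule.FileSystemRights
        if ($rule.InheritanceFlags -ne 'None') {
            $findings.Add("Entry applies to child objects ($($rule.InheritanceFlags)); the lab uses This folder only.")
        }
        if ($rights -band $append) { $canCreate = $true }
        $extra = $rights -band $excess
        if ($extra -ne 0) {
            $findings.Add("Entry grants more than the lab configures: $([System.Security.AccessControl.FileSystemRights]$extra).")
        }
    }
    if ($rules.Count -gt 0 -and -not $canCreate) {
        $findings.Add('Group cannot create folders, so redirection cannot create the per-user folder.')
    }
    $findings
}

function New-AclFromSddl([string]$Sddl) {
    # Builds an in-memory descriptor so the check runs without touching the file system.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetSecurityDescriptorSddlForm($Sddl)
    $acl
}

$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed SID
$samples = [ordered]@{
    # Protected DACL; group has Read & execute plus append, this folder only.
    'as configured in the lab'    = "D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;;0x1200ad;;;$groupSid)"
    # Inheritance left on; group has Modify on the folder and everything below it.
    'inherited, group has Modify' = "D:AI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;$groupSid)"
}
foreach ($name in $samples.Keys) {
    $acl = New-AclFromSddl $samples[$name]
    $findings = @(Test-RedirectionRootAcl -Acl $acl -GroupSid $groupSid)
    '{0}: {1} finding(s)' -f $name, $findings.Count
    $findings | ForEach-Object { "  - $_" }
}
```

To check a live folder, pass the result of Get-Acl for the root folder as -Acl and the group's SID string as -GroupSid.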
Task 2: Verify that folders are redirected and not stored in the profile
1. Log on to the NYC-CL1 virtual machine as Contoso\Adam using the password Pa$$w0rd.
2. Click Start, click Adam Carter, and then double-click My Documents.
3. In My Documents, click the Address bar, and make sure that the path
\\NYC-DC1\marketing$\adam\Documents is revealed.
4. In Documents, right-click some free space in the window, point to New, and click Text Document.
5. Press ENTER to confirm the filename.
6. Double-click the file.
7. Type Updated, and in File menu, click Save.
8. Close the file.
9. Log off of NYC-CL1.
10. Log on to the NYC-CL1 virtual machine as Contoso\Bart using the password Pa$$w0rd.
11. Click Start, click Bart Duncan and then double-click My Documents.
12. In My Documents, click the Address bar.
Question: What path is revealed?
Answer: \\NYC-DC1\production$\Bart\Documents
13. Click Start, click Computer, and then double-click Local Disk (C:).
14. Double-click the Users folder, and then double-click the folder named Bart.
15. Make sure that the folders Documents, Pictures and Videos are not present in Bart's local folder.
16. Log off of NYC-CL1.
17. Switch to the NYC-DC1 virtual machine.
18. In Windows Explorer, locate C:\Redirected Folders\Production.
Question: Can you see the Bart folder?
Answer: Yes.
19. Close all open windows.
10. In the Permissions for CorpData dialog box, click Everyone, click Remove, and then click Add.
11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select (examples) box, type Authenticated Users, and then click Check Names.
12. Click OK, and in the Permissions for CorpData dialog box, click Authenticated Users, under Allow,
select the Full Control check box, and then click OK.
13. In the Advanced Sharing dialog box, click Caching.
14. In the Offline Settings dialog box, ensure that Only the files and programs that users specify will
be available offline is selected, and then click OK.
15. In the Advanced Sharing dialog box, click OK.
16. In the CorpData Properties dialog box, click the Security tab.
17. Click Advanced.
18. Click Change Permissions.
19. Clear the Include inheritable permissions from this object's parent check box.
20. In the Windows Security dialog box, click Add.
21. In the Advanced Security Settings for CorpData dialog box, click OK, and then click OK again.
22. In the CorpData Properties dialog box, click Edit.
23. In the Permissions for CorpData dialog box, click Add.
24. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select (examples) box, type Authenticated Users, click Check Names, and then click OK.
25. In the Permissions for CorpData dialog box, in the Group or user names list, click Authenticated
Users, and then in the Permissions for Authenticated Users list, under Allow, select the Full
control check box.
26. In the Permissions for CorpData dialog box, click OK.
27. In the CorpData Properties dialog box, click Close.
3. Enter Contoso\administrator as Domain\username, Pa$$w0rd as Password, and then click Sign in.
4. Select An RD Connection Broker server, enter NYC-SVR1.contoso.com in Source name, and then
click OK. The Enterprise Remote Access Web page is displayed, but it is empty, as there are no
published RemoteApp programs or virtual desktops available yet.
5. On NYC-SVR1, close Internet Explorer.
2. In the Actions pane of Remote Desktop Connection Manager, click Configure Virtual Desktops.
3. On the Before You Begin page, click Next.
4. On the Specify an RD Virtualization Host Server page, in the Server name box, type the name of your
physical host server, click Add, and then click Next.
5. On the Configure Redirection Settings page, in the Server name box, type
NYC-SVR1.contoso.com, and then click Next.
6. On the Specify an RD Web Access Server page, in the Server name box, type
NYC-SVR1.contoso.com, and then click Next.
7. On the Confirm Changes page, click Apply.
8. On the Summary Information page, verify that the Assign personal virtual desktop check box
is selected, and then click Finish.
9. On the Assign Personal Virtual Desktop page, click Select User.
10. In the Enter the object name to select box, type Contoso\ruser, and then click OK.
11. In the Virtual machine box, select NYC-CL2.contoso.com, and then click Next.
12. Confirm that the User name and Virtual machine boxes are correct, and then click Assign.
13. Clear the Assign another virtual machine to another user check box, and then click Finish.
You can verify which virtual machine is assigned to the user in Active Directory Users and
Computers, on the Personal Virtual Page tab of ruser properties.
Task 2: Configure digital signing of .rdp files, single sign-on, and trusted .rdp publisher
When you want to connect to a virtual desktop, by default, you get a security prompt because the .rdp file
is not digitally signed. You then must provide user credentials for logging on to the virtual desktop. You
can avoid those prompts by configuring digital signing of .rdp files, adding a trusted .rdp publisher, and
configuring single sign-on. For this lab, we will use local Group Policy to configure those settings, but in
real life you would configure them by using domain Group Policy.
1. On NYC-SVR1, in Remote Desktop Connection Manager, click RD Virtualization Host Servers,
right-click RD Virtualization Host Servers, and then click Properties.
2. In Virtual Desktops Properties, select the Digital Signature tab, and then select the check box next
to Sign with a digital certificate. Click Select, select NYC-SVR1.contoso.com, and then click OK.
3. In Virtual Desktops Properties, click OK, and minimize Remote Desktop Connection Manager.
4. From the Hyper-V Manager console, connect to NYC-CL1, and log on as Contoso\ruser with the
password Pa$$w0rd.
5. On NYC-CL1, on the Start menu, in the Search field, enter gpedit.msc. In the Programs list,
right-click gpedit.msc, and then click Run as administrator.
6. In the User Account Control prompt, enter contoso\administrator as the user name, Pa$$w0rd as the
password, and then click Yes. The Local Group Policy Editor opens.
7. In the Local Group Policy Editor, expand Computer Configuration, expand Administrative
Templates, expand System, and then click Credentials Delegation.
8. In the details pane, double-click Allow Delegating Default Credentials, select Enabled, click Show,
and enter TERMSRV/* as the Value. This allows credentials delegation to any RD
Session Host server. Click OK twice, and then minimize the Local Group Policy Editor window.
9. On NYC-CL1, open Internet Explorer, and navigate to the
https://NYC-SVR1.contoso.com/RDWeb page.
Lab: Configuring Virtual Desktop Infrastructure L12-5
10. Right-click on the information bar, and then select Run Add-on to allow the Microsoft Remote
Desktop Service Web Access add-on to run on the computer. Click Run in the Internet Explorer -
Security Warning dialog box.
11. Enter contoso\ruser as Domain\username, Pa$$w0rd as Password, and select This is a private
computer, and then click Sign in.
12. Verify that there is a My Desktop icon on the Enterprise Remote Access Web page. Click the My
Desktop icon.
13. In the Remote Desktop Connection dialog box, click
NYC-SVR1.contoso.com Publisher name.
14. In the Certificate window, click the Details tab, scroll down, and then select Thumbprint. Select the
thumbprint numbers in the details box, copy them by pressing CTRL+C, click OK in the Certificate
window, and then click Cancel in the Remote Desktop Connection dialog.
Important: Do not select the leading space at the front of the thumbprint.
15. On NYC-CL1, switch to Local Group Policy Editor, expand Computer Configuration, expand
Administrative Templates, expand Windows Components, expand Remote Desktop Services,
and then click Remote Desktop Connection Client.
16. In the details pane, double-click Specify SHA1 thumbprints of certificates representing trusted
.rdp publishers, and then select Enabled.
17. Right-click in the Comma-separated list of SHA1 trusted certificate thumbprints entry box, and then
select Paste. Click OK, and then close Local Group Policy Editor.
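Both thumbprint procedures (the RemoteApp lab and steps 14-17 here) warn against copying a leading or trailing space with the thumbprint, because a stray character keeps the pasted value from matching the publisher certificate. The following added example, which is not part of the courseware, reports what surrounds a copied value and builds the comma-separated list from cleaned entries. The function names are hypothetical, the thumbprint is constructed, and the invisible U+200E in the sample is an assumption about what the clipboard may carry.

```powershell
# Added example; the thumbprint is constructed sample data, not the lab certificate's.
function Get-ThumbprintReport {
    param([Parameter(Mandatory)][string]$Copied)

    # Characters before the first hex digit and after the last one are what the
    # lab warns about. List them by code point because some are invisible.
    $lead  = [regex]::Match($Copied, '^[^0-9A-Fa-f]+').Value
    $trail = [regex]::Match($Copied, '[^0-9A-Fa-f]+$').Value
    $describe = {
        param([string]$s)
        @($s.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
    }

    # Canonical form: 40 hex digits, no separators.
    $hex = ($Copied -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    [pscustomobject]@{
        Thumbprint    = $hex
        IsSha1Length  = ($hex.Length -eq 40)
        LeadingStray  = & $describe $lead
        TrailingStray = & $describe $trail
    }
}

function ConvertTo-TrustedPublisherList {
    param([Parameter(Mandatory)][string[]]$Copied)

    $clean = foreach ($item in $Copied) {
        $report = Get-ThumbprintReport -Copied $item
        if (-not $report.IsSha1Length) {
            # Refuse to build a policy value from something that is not a SHA1 hash.
            throw "Not a SHA1 thumbprint ($($report.Thumbprint.Length) hex digits): '$item'"
        }
        $report.Thumbprint
    }
    $clean -join ','
}

# Constructed clipboard content: invisible U+200E, a space, 20 byte pairs, trailing space.
$copied = "$([char]0x200E) 0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d "

Get-ThumbprintReport -Copied $copied | Format-List
ConvertTo-TrustedPublisherList -Copied $copied
```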
Exercise 4: Configuring and Testing User State Virtualization and the Virtual
Desktop Pool
Task 1: Configure a roaming profile and folder redirection
1. On NYC-DC1, switch to Server Manager, expand Roles, expand Active Directory Domain Services,
expand Active Directory Users and Computers, and expand Contoso.com, and then click the RDS
Users organizational unit.
2. Right-click the VDI user, select Properties, and then click the Profile tab. Enter
\\NYC-DC1.contoso.com\Profiles\%username% as the Profile path, and then click OK.
3. In Server Manager, expand Features, expand Group Policy Management, expand
Forest:contoso.com, expand Domains, expand contoso.com, and then click RDS Users. Right-click
the RDS Users organizational unit, and then select Create a GPO in this domain, and Link it here.
4. In the New GPO window, enter Folder Redirection as Name, and then click OK.
5. In the Server Manager, expand RDS Users organizational unit, right-click on Folder Redirection, and
then select Edit. The Group Policy Management Editor opens.
6. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand
Windows Settings, and then expand Folder Redirection. Right-click the Desktop node, and then
select Properties.
7. In the Desktop Properties window, select the Basic - Redirect everyone's folder to the same location
setting, enter \\NYC-SVR1.contoso.com\desktops as the Root Path, and then click OK. In the
Warning window, click Yes, because there are no Windows XP or older computers in the environment.
8. Close Group Policy Management Editor, and then minimize Server Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. For the NYC-CL2 and NYC-CL3 virtual machines, you will need to delete the RDV_Rollback snapshots
first, and then revert to the first snapshot.