MED-V v1

Contents

1 Introduction to Microsoft Enterprise Desktop Virtualization (MED-V)
  1.1 Terminology
  1.2 Key Capabilities
2 High-level Architecture
  2.1 System Requirements for MED-V v1
3 Virtual Image Overview
  3.1 Managing a virtual machine
4 The MED-V Client
  4.1 Authentication and Policy Enforcement
  4.2 Virtual Machine Operation
  4.3 Virtual Image Encryption
  4.4 Offline Mode
  4.5 Published Applications and Menus: Single Desktop User Experience
  4.6 Web Browser Redirection
  4.7 Printing
  4.8 File Transfer
  4.9 Copy and Paste Control
5 MED-V Client Deployment
  5.1 Client Deployment and Image Delivery Methods
  5.2 Customized, First-time Setup
6 MED-V Image Delivery and Update
  6.1 MED-V Trim Transfer Technology
7 MED-V Management Server
  7.1 Workspace Policy
  7.2 Events Database and the MED-V Dashboard
8 MED-V Enterprise Architecture
  8.1 Scalability and Multi-Locations
  8.2 High Availability

1 Introduction to Microsoft Enterprise Desktop Virtualization (MED-V)

Microsoft Enterprise Desktop Virtualization (MED-V), a core component of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance, enables deployment and management of Microsoft Virtual PC Windows desktops to enable key enterprise scenarios. Primarily, MED-V helps enterprises upgrade to the latest version of Windows even when some applications are not yet functional or supported. MED-V builds on top of Virtual PC to run two operating systems on one device, adding virtual image delivery, policy-based provisioning, and centralized management. With MED-V, you can easily create, deliver and manage corporate Virtual PC images on any Windows-based desktop.

Enable legacy applications and accelerate upgrades to new operating systems

Incompatibility of applications with newer versions of Microsoft Windows can delay enterprise operating system (OS) upgrades. Testing and migrating applications can be time-consuming, and meanwhile users are unable to take advantage of the new capabilities and enhancements offered by the new OS. By delivering applications in a Virtual PC that runs a previous version of the OS (e.g., Windows XP or Windows 2000), MED-V removes the barriers to operating system upgrades and allows administrators to complete testing and to deal with incompatible applications after the upgrade. From the user's perspective, these applications are accessible from the standard desktop Start menu and appear side-by-side with native applications, so there is minimal change to the user experience.

1.1 Terminology

- Host: The operating system instance installed on the end-user's physical device.
- Virtual PC / Machine: An additional instance of an operating system running concurrently with the host on the same physical device using virtualization software (such as Microsoft Virtual PC).
- Guest: The operating system installed on a virtual machine.
- Virtual image: A file that represents the file system of a virtual machine and can be delivered to multiple endpoints independent of their hardware or software.

1.2 Key Capabilities

MED-V adds the following additional layers to Microsoft Virtual PC to enable enterprise deployment of desktop virtualization:

Virtual images repository and delivery

MED-V provides the following mechanisms for simplifying the process of creating, testing, delivering, and maintaining virtual images from a central location:

- Administrator console for virtual image creation and testing.
- Centralized virtual images repository for image storage, versioning, and delivery, based on Microsoft IIS web servers.
- A client component (standard MSI installation) that automatically retrieves virtual images from the centralized repository.
- Auto-installation package for self-deployment of the client component and the virtual images via removable media (such as DVD) or from a website.
- An efficient, bandwidth-conserving Trim Transfer mechanism for delivering and updating virtual images over the network.
- Support for image delivery through standard enterprise content distribution systems.

Centralized management and monitoring

MED-V helps administrators manage the entire lifecycle of virtual machines deployed on desktops throughout the enterprise. The centralized management and monitoring capabilities MED-V provides include:

- A central management server that controls all deployed virtual machines.
- Integration with Microsoft Active Directory Domain Services to enable provisioning of virtual images based on group membership or user identity.
- User authentication prior to accessing the virtual image (whether the host is online or offline).

- A mechanism for automating the first-time setup of virtual machines at the endpoint, including assignment of a unique computer name, performing initial network setup, and joining the virtual machine to a corporate domain.
- Support for deployment throughout a heterogeneous environment, adjusting memory allocation for the virtual PC according to the available RAM of the endpoint, and changing network settings according to the local network.
- A central database of client activity and events facilitating monitoring and remote troubleshooting.

Usage policy and data transfer control

The MED-V client enforces the following user or group usage policies, access permissions to virtual images, and data transfer permissions:

- Virtual image protection that prevents unauthorized execution.
- A configurable expiration for the virtual image or a time limit for offline use (to force the user to reauthorize before continuing to work offline).
- The ability to allow or block data transfer between the virtual machine and the endpoint via copy and paste, file transfer, or printing.
- Web browser redirection of administrator-defined domains (such as the corporate intranet or sites that require an older version of the browser) from the endpoint browser to a browser within the virtual machine.

Seamless end-user experience

The following can be configured in MED-V to provide a seamless experience, making users unaware of the virtual machines running in the background. This reduces the training required for deploying virtualization to non-technical users:

- Invisible virtual machine: A simplified work process for operating virtual machines through a user-friendly tray menu. The user is not required to learn the principles of virtualization or view an additional desktop, as is usually required when running a virtual PC.
- Published applications: Applications installed on the virtual machine are available through the standard desktop Start menu. These applications run in Virtual PC, but are seamlessly integrated into the user desktop and appear side-by-side with native applications.
- Power user mode: Technical users and administrators can view the virtual machine loading processes and desktop if required.

2 High-level Architecture

The MED-V solution comprises the following elements:

- Administrator-defined virtual machine: Encapsulates a full desktop environment, including an operating system, applications, and optional management and security tools.
- Image repository: Stores all virtual images on a standard IIS server and enables virtual image version management, client-authenticated image retrieval, and efficient download (of a new image or updates) via Trim Transfer technology.
- Management server: Associates virtual images from the image repository, along with administrator usage policies, with Active Directory users or groups. The management server also aggregates clients' events and stores them in an external database (Microsoft SQL Server) for monitoring and reporting purposes.
- Management console: Enables administrators to control the management server and the image repository.

- End-user client:
  1. Virtual image life-cycle: Authentication, image retrieval, enforcement of usage policies.
  2. Virtual machine session management: Start, stop, lock the virtual machine.
  3. Single desktop experience: Applications installed in the virtual machine are seamlessly available through the standard desktop Start menu and integrated with other applications on the user desktop.

All communication between the client and the servers (management server and image repository) is carried on top of a standard HTTP or HTTPS channel.

2.1 System Requirements for MED-V v1

Management Server
- Operating system: Windows Server 2008 Standard/Enterprise Edition, x86 and 64-bit
- Recommended hardware: Dual Processor (2.8 GHz), 4 GB RAM
- Active Directory: The management server should be joined to a domain
- Scale: The setup above was tested with 5000 concurrent active clients. Other setups can scale to support a larger number of users.

Additional Server Components
- Image repository: Web server(s) based on Microsoft IIS
- Reporting database (optional): Microsoft SQL Server 2005 SP2 Enterprise Edition or Microsoft SQL Server 2008 Express/Standard/Enterprise editions

Client
- Operating system:
  - Windows Vista SP1 (Enterprise, Home Basic, Home Premium, Business, Ultimate) 32-bit (2 GB RAM recommended)
  - Windows XP SP2 or SP3 (Professional, Home) 32-bit (1 GB RAM recommended)
- Languages: The user interface is only available in English. Support is available for a localized Western-European operating system.
- Virtual PC: Microsoft Virtual PC 2007 SP1 with KB958162 (or newer) is required

Note: MED-V v1 is supported on managed desktops only. It is recommended to install the end-user client within IT-managed desktop environments, on desktops that are members of a Microsoft Active Directory domain.

Guest Operating System
- Windows XP SP2 or SP3 32-bit
- Windows 2000 SP4 32-bit

3 Virtual Image Overview

The following describes the typical process of creating, deploying, and utilizing a MED-V virtual image:

- Create a virtual image within Microsoft Virtual PC.
- Define a MED-V workspace:
  - Create a list of applications installed in the virtual image which are to be made available to end users through their standard desktop Start menu.
  - Define Web sites that should be viewed inside or outside the virtual machine browser and that are redirected to the appropriate location by the MED-V client.
- Provision the MED-V workspace to Active Directory users and groups. Set usage policy (such as expiration, permission to work offline) and data transfer permissions (such as file transfer, copy and paste, and printing) for the various users and groups.
- Test the image through the MED-V management console, and load it to the MED-V image repository.
- Deploy the MED-V client via one of the following methods:
  - Enterprise software distribution tools: The MED-V client and Virtual PC software can be deployed as standard Windows Installer files.
  - Self-install package: Deliver a MED-V installation package, which includes the MED-V client installation and Virtual PC software, using one of the following:
    - A self-service Web site.
    - Removable media (for example, CD or DVD).
  The installation process is automated, silent and easy for end users.

- Deliver the virtual image:
  - Over the network: After the MED-V client is installed, the virtual image can be retrieved over the network using a standard HTTP or HTTPS tunnel. Trim Transfer technology will accelerate download speed and reduce the required bandwidth, as described in a following section.
  - Using enterprise distribution mechanisms: Administrators may choose to deliver packaged Virtual PC images (created by the MED-V management console) by using existing systems. The MED-V client will look for the package in a pre-defined path and extract the image.
  - Via removable media (for example, DVD): When delivering removable media to the end user, it is possible to add the virtual image to the self-install package. As part of the installation, the virtual image is copied to the local drive.
- End users start working: Users authenticate against the MED-V management server and are then ready to work within the virtual machine. After the first online authentication, offline work is also supported, if permitted by the administrator.
- Manage and update the MED-V workspace: The management console enables administrators to easily update usage policies, provision MED-V workspaces to additional users, deprovision existing users, and update the virtual images. All updates are automatically distributed to the relevant users when they work online.
- Monitoring clients: The MED-V management console presents an up-to-date report of all the users. It provides detailed information on all client events, and when an error occurs it can help the administrator understand the source of the problem remotely and instruct the user on how to solve it. The MED-V diagnostic tool runs automatically when client installation fails, and can be executed manually in other cases of malfunction. The report can assist Microsoft support in understanding the cause of the problem and advising the administrator on how to fix it.

3.1 Managing a virtual machine

After the first version of a virtual image is deployed, it becomes a desktop operating system that requires corporate IT management. This includes delivering new applications, patching, updating security definitions and policies, and more. Administrators can choose one of the following two methods of virtual machine management:

- Domain-managed virtual machine: Manage virtual machines just like physical corporate devices. MED-V provides a first-time customization process for every deployed virtual image, in which the administrator can choose to join the virtual machine to an Active Directory domain. This way, administrators can patch, update, deliver applications, and apply policies using existing tools.
- Self-cleaning (revertible) virtual machine: MED-V offers a unique method for managing an easy-to-support virtual desktop environment. It takes advantage of the hardware independence enabled by virtualization, and maintains the exact same image across multiple endpoints. All user changes to applications or the OS are discarded once the virtual PC session ends, and the virtual machine reverts to the original image, as packaged and delivered by the administrator. This can significantly simplify management, support, and troubleshooting for virtual machines. Updates, patches, new applications, and settings changes are applied to the master virtual image, tested by the administrator, and uploaded as a new version of the virtual image to the MED-V image repository. The new version is delivered to all endpoints using Trim Transfer technology, removing the need to update each endpoint separately. This method is applicable only where no user data or settings need to be kept in the virtual image (for instance, when all user data and settings are stored on a network location). Also, when using the revertible method, the virtual machine should not be part of an Active Directory domain.

4 The MED-V Client

4.1 Authentication and Policy Enforcement

The MED-V client requires authentication to ensure that only authorized users access the MED-V virtual images. This verification is performed against the management server, which queries Active Directory for user and group information. Therefore, the management server must be part of the domain to which the user is trying to authenticate.

MED-V leverages Active Directory security policies. When an account is disabled or locked in Active Directory (for instance, if the user typed a wrong password three times), the user is not allowed to start the MED-V workspace. In addition, if the password is about to expire, the user is offered the chance to change the password before completing the MED-V authentication.

Once the authentication process is complete, the MED-V client queries the MED-V management server for the most recent policies and settings. This action ensures that the endpoint is using the most up-to-date MED-V workspaces and allows administrators to control and monitor active users, as described in following sections.

The domain credentials used for authenticating the MED-V client are also used to log in to the Windows instance inside the virtual machine, so that the user is not required to type the domain credentials twice. The user may choose to save the credentials for future sessions of the same user, so that they are automatically used by the MED-V client the next time the user attempts to start a MED-V workspace. Note that the user is required to authenticate to the MED-V client even if the host and the guest operating system use the same credentials.

When the virtual machine is running in a MED-V session, it is locked after a predefined idle time or when the physical device enters hibernation or sleep mode. The authenticated user is required to type their password to unlock the virtual machine and continue working.

MED-V v1 only supports authentication based on Active Directory domain credentials (username and password). Future releases may include two-factor authentication (such as smart card certificates).

4.2 Virtual Machine Operation

MED-V uses Microsoft Virtual PC to run a virtual machine locally on the endpoint. The MED-V client controls all aspects of virtual machine management, including retrieving or updating a virtual image, customizing the virtual machine for the specific user or device, initiating, suspending or terminating a virtual machine session, and monitoring the virtualization engine for malfunctions (watchdog). End users remain unaware that a virtual machine is running in the background.

The MED-V client can be configured to take a snapshot of the virtual machine (similar to a laptop sleep mode) at the end of each work session or when the user logs off the host workstation. This reduces the time required for re-initiating the virtual machine. When a virtual machine is suspended and a different, authorized user attempts to use it, the virtual machine shuts down first (pending user confirmation). The existing session is lost, similar to Windows behavior when an authorized user attempts to access a locked device.

4.3 Virtual Image Encryption

Virtual images are encrypted by the management console when packaged for distribution (over the network or on media) to protect the virtual image from unauthorized use (such as by unauthenticated users, or by users not complying with the administrator-defined usage policies). For each image, encryption keys are generated on the server and are securely transferred to clients authorized to work with the specific image. The virtual images remain encrypted on the endpoint local drive, and decryption is performed on the fly while the virtual machine is running. Any new data is saved encrypted.

4.4 Offline Mode

If users are authorized to work with the virtual machine offline, the policy files and encryption keys are cached locally after a first successful online authentication. If there are multiple authentication failures, further attempts will be delayed (similar to Windows login). Additionally, if the user account is disabled, locked, or expired in Active Directory, or if the account password has changed, the MED-V client deletes the locally cached credentials when connecting to the management server. Offline work permissions may be limited by the administrator to a predefined period of time, after which the user must reconnect to the management server and re-authenticate. This ensures users are kept up to date with the most recent policy and permissions, and enforces expiration and de-provisioning settings on end users.

4.5 Published Applications and Menus: Single Desktop User Experience

Administrators may publish applications or submenus installed on the virtual machine, making them available to end users through the host Start menu. The applications launch from the Start menu or desktop shortcuts and appear side-by-side with native applications on the user desktop, optionally differentiated by a colored frame. The virtual machine desktop is not visible, simplifying the user experience and avoiding changes to user workflows.

The single desktop mode simplifies training and work processes and is therefore recommended for most users. However, administrators can set the virtual machine to work in a full desktop mode when advanced users prefer to view the whole virtual machine. In this mode users have to manually toggle between their physical desktop and the virtual machine desktop.

4.6 Web Browser Redirection

For Web applications, administrators can define a set of Web sites (based on allow or deny lists of domain suffixes or IP prefixes) to be launched in a browser running on the virtual machine. Corporate Web sites or incompatible Web applications can start in the virtual machine, while all other sites still work normally in the host browser. The MED-V client manages the browser redirection automatically, providing a seamless browsing experience for the end user.

4.7 Printing

When a MED-V policy allows printing from MED-V workspace applications (in the guest operating system) to locally installed printers, no driver needs to be installed inside the virtual machine for locally attached or network printers.

4.8 File Transfer

Files can be transferred between the virtual machine and the endpoint, or vice versa, according to administrator-defined permissions. File transfers are subject to centrally defined filters that allow inbound and outbound transfer of specific file types, and may be held pending anti-virus scanning at their destination.

4.9 Copy and Paste Control

Copy and paste operations between a MED-V workspace and native applications can be allowed or denied based on administrator policies. All copy and paste operations inside the virtual machine (between guest applications), and between endpoint host applications, are always allowed; the MED-V client does not interfere with existing copy and paste behavior.

5 MED-V Client Deployment

5.1 Client Deployment and Image Delivery Methods

MED-V can be deployed in the following ways:

- Software distribution system: The MED-V client installation is based on a standard Windows .msi package. Therefore, when deploying MED-V, administrators can use any existing software distribution system. The MED-V .msi package does not include the Virtual PC software, which should be deployed separately to all endpoints. When installing MED-V through a distribution system, administrators may choose to let the MED-V client retrieve the virtual image from the image repository according to the user policy, or deliver the virtual image package by other methods to a pre-defined location, so that the MED-V client will use it rather than download it from the repository.
- MED-V deployment package: Administrators can provide end users with an installation package that includes the MED-V client, Microsoft Virtual PC, and optionally the virtual image. The process requires almost no user intervention, and automatically installs everything required for MED-V operation on the local drive. The package can be delivered on removable media (such as CD or DVD), or downloaded by the end user from a self-service Web server.

5.2 Customized, First-time Setup

MED-V allows administrators to customize every deployment of a virtual image. This procedure can include allocating a unique computer name for the virtual image (according to user name, endpoint parameters, or a random ID) so that, for instance, administrators can assign the virtual machine an identifier that is based on the host computer name, and therefore easily identify this virtual machine in software management systems. Other customizations include running Sysprep to allocate a unique SID for the virtual machine, joining the virtual machine to the corporate Active Directory domain, or running an administrator script.

The MED-V client handles first-time setup automatically and transparently for the end user, including repeating failed steps or the whole process, and reporting back to the management server in case troubleshooting is required.

6 MED-V Image Delivery and Update

The MED-V image repository contains all available virtual machine images. The MED-V management console provides an easy way to create, manage, update or delete images in the MED-V image repository. Whenever administrators provision a new virtual machine or update an existing one, the MED-V management server detects the change in the image repository and notifies MED-V clients on their next policy query, referring them to the most recent virtual machine in the respective image repository. Delivery is implemented using MED-V Trim Transfer technology over the network. Alternatively, virtual machines can be delivered via removable media (such as DVDs) or by other preferred methods of network delivery.

The image repository is based on Microsoft IIS Web servers. Therefore, when using Trim Transfer delivery, organizations may leverage standard Web scalability and high availability infrastructure. To improve download performance, organizations can create image repository replicas at branch offices or remote geographic locations. Administrators can choose whether the download is done over a standard HTTP or HTTPS session.

6.1 MED-V Trim Transfer Technology

The MED-V advanced Trim Transfer de-duplication technology accelerates the download of initial and updated virtual machine images over the LAN or WAN, thereby reducing the network bandwidth needed to transport a MED-V workspace virtual machine to multiple end users. This technology uses existing local data to build the virtual machine image, leveraging the fact that in many cases much of the virtual machine (for example, system and application files) already exists on the end user's disk. For example, if a virtual machine containing Windows XP is delivered to a client running a local copy of Windows XP, MED-V will automatically remove the redundant Windows XP elements from the transfer.

To ensure a valid and functional workspace, the MED-V client cryptographically verifies the integrity of local data before it is utilized, guaranteeing that the local blocks of data are bit-by-bit identical to those in the desired virtual machine image. Blocks that do not match are not used. The process is bandwidth-efficient and transparent, and transfers run in the background, utilizing unused network and CPU resources.

When updating to a new image version (for example, when administrators want to distribute a new application or patch), only the elements that have changed ("deltas") are downloaded, and not the entire virtual machine, significantly reducing the required network bandwidth and delivery time.
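The block-level reuse and verification described above, as an added illustration that is not MED-V's own code: an image version is described by a manifest of per-block SHA-256 hashes, blocks already on the endpoint are reused only when their hash matches exactly, and everything else (including a later version's "deltas") is downloaded and verified before it lands in the image. The 8-byte block size, the manifest format and the sample image contents are constructed for the example; the overview does not document the real Trim Transfer wire format.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// blockSize is the chunk size used in this constructed example; the overview
// does not state the real Trim Transfer block size.
const blockSize = 8

// Manifest describes one virtual image version as an ordered list of SHA-256
// block hashes. The repository publishes it; the client downloads it first.
type Manifest struct {
	Hashes []string
}

func hashBlock(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// splitBlocks cuts data into fixed-size blocks; the last block may be short.
func splitBlocks(data []byte) [][]byte {
	var blocks [][]byte
	for i := 0; i < len(data); i += blockSize {
		end := i + blockSize
		if end > len(data) {
			end = len(data)
		}
		blocks = append(blocks, data[i:end])
	}
	return blocks
}

// BuildManifest is the repository-side step: hash every block of the image.
func BuildManifest(image []byte) Manifest {
	var m Manifest
	for _, b := range splitBlocks(image) {
		m.Hashes = append(m.Hashes, hashBlock(b))
	}
	return m
}

// IndexLocal hashes data already present on the endpoint (host OS files, a
// previously delivered image version) into a content-addressed table. Because
// the key is the hash of the stored bytes, a local block that differs by even
// one bit from the wanted block never matches and is never reused.
func IndexLocal(sources ...[]byte) map[string][]byte {
	idx := make(map[string][]byte)
	for _, src := range sources {
		for _, b := range splitBlocks(src) {
			idx[hashBlock(b)] = b
		}
	}
	return idx
}

// Result reports how the image was assembled.
type Result struct {
	Image      []byte
	Reused     int // blocks satisfied from local data
	Downloaded int // blocks fetched from the repository
}

// Assemble rebuilds the image described by m. fetch stands in for the HTTP or
// HTTPS download of block i. Downloaded blocks are verified against the
// manifest too, so a corrupt or tampered response cannot land in the image;
// on mismatch the whole assembly fails instead of silently continuing.
func Assemble(m Manifest, local map[string][]byte, fetch func(i int) []byte) (Result, error) {
	var out bytes.Buffer
	var res Result
	for i, want := range m.Hashes {
		if b, ok := local[want]; ok {
			out.Write(b)
			res.Reused++
			continue
		}
		b := fetch(i)
		if hashBlock(b) != want {
			return Result{}, fmt.Errorf("block %d: downloaded data does not match manifest", i)
		}
		out.Write(b)
		res.Downloaded++
	}
	res.Image = out.Bytes()
	return res, nil
}

func main() {
	// Constructed sample data: a tiny "image" whose first two blocks also exist
	// on the host disk, and a second version that changes only the last block.
	v1 := []byte("XPKERNELXPSHELL_APP_V1.0")
	host := []byte("XPKERNELXPSHELL_APP_V1.X") // last block is nearly, not exactly, the same
	res, err := Assemble(BuildManifest(v1), IndexLocal(host), func(i int) []byte { return splitBlocks(v1)[i] })
	fmt.Printf("initial delivery: reused=%d downloaded=%d err=%v\n", res.Reused, res.Downloaded, err)

	v2 := []byte("XPKERNELXPSHELL_APP_V2.0")
	res, err = Assemble(BuildManifest(v2), IndexLocal(host, v1), func(i int) []byte { return splitBlocks(v2)[i] })
	fmt.Printf("update to v2: reused=%d downloaded=%d err=%v\n", res.Reused, res.Downloaded, err)
}
```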

7 MED-V Management Server

The MED-V management server stores and manages all MED-V configurations, including user policies. It can be installed on top of Microsoft Windows Server (see system requirements). All server functionality can be controlled from the MED-V management console, which is a standalone client application. All MED-V clients connect to the MED-V management server, authenticate, and retrieve the most recent policy. All sessions (from MED-V clients or management consoles) are carried over HTTP or HTTPS (according to server configuration).

7.1 Workspace Policy

Using the MED-V management console, administrators can create a new policy or change existing policies stored on the MED-V management server. Any change is automatically detected and applied by all online clients. Offline clients are updated once they connect. All policies are signed by a private key generated upon server installation; the MED-V client verifies the authenticity and integrity of every policy it retrieves using a public key it obtains in its first communication with the server.

7.2 Events Database and the MED-V Dashboard

The MED-V management server aggregates events from all MED-V clients. The events include system notifications and MED-V workspace monitoring (workspace started, stopped, failed to start due to lack of memory, etc.). All events are stored in an external Microsoft SQL Server (see system requirements) that can be installed on the same server or separately. The MED-V management console provides a report generator that filters events according to date and users. In addition, a dashboard status report enables monitoring of all installed clients, including machine name, user name, offline/online indication, client version, image name, image version, etc. The client status enables administrators to monitor virtual image downloads or update progress in real time.
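The policy-signing scheme in section 7.1 (a private key generated at server installation, a public key handed to the client on first contact, every policy verified before use) is shown below as an added example; it is not MED-V's implementation, and Ed25519 is an assumed choice of algorithm, since the page does not name one. The example also makes explicit the property a defender cares about in a "public key retrieved on first communication" design: the client pins the key it first received, so a later response carrying a different key, or a policy whose signature does not verify under the pinned key, is refused rather than silently adopted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server holds the policy-signing key pair created when the server is
// installed (constructed model of the behaviour described in section 7.1).
type Server struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewServer() (*Server, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv, pub: pub}, nil
}

// PublicKey is what the client receives in its first communication.
func (s *Server) PublicKey() ed25519.PublicKey { return s.pub }

// SignedPolicy is the unit a client retrieves: policy bytes plus signature.
type SignedPolicy struct {
	Policy    []byte
	Signature []byte
}

// Publish signs a policy with the server's private key.
func (s *Server) Publish(policy []byte) SignedPolicy {
	return SignedPolicy{Policy: policy, Signature: ed25519.Sign(s.priv, policy)}
}

var (
	ErrKeyChanged   = errors.New("server public key differs from the pinned key")
	ErrBadSignature = errors.New("policy signature does not verify")
	ErrNotEnrolled  = errors.New("client has no pinned server key")
)

// Client pins the server key on first contact and verifies every policy.
type Client struct {
	pinned ed25519.PublicKey
}

// Enroll records the key from the first communication. On later contacts a
// different key is an error, not a reason to re-pin.
func (c *Client) Enroll(pub ed25519.PublicKey) error {
	if c.pinned != nil && !c.pinned.Equal(pub) {
		return ErrKeyChanged
	}
	c.pinned = pub
	return nil
}

// Accept verifies authenticity and integrity of a retrieved policy before it
// is applied.
func (c *Client) Accept(sp SignedPolicy) error {
	if c.pinned == nil {
		return ErrNotEnrolled
	}
	if !ed25519.Verify(c.pinned, sp.Policy, sp.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	srv, err := NewServer()
	if err != nil {
		panic(err)
	}
	var c Client
	_ = c.Enroll(srv.PublicKey())
	sp := srv.Publish([]byte("workspace: allow-usb=false")) // constructed policy text
	fmt.Println("genuine policy accepted:", c.Accept(sp) == nil)
	sp.Policy = []byte("workspace: allow-usb=true")
	fmt.Println("tampered policy rejected:", c.Accept(sp) == ErrBadSignature)
}
```

The first-contact key exchange is the weak point of any trust-on-first-use design, which is why the page's recommendation of HTTPS for client sessions matters most for that initial request; after pinning, the signature check protects every subsequent policy regardless of transport.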

8 MED-V Enterprise Architecture

8.1 Scalability and Multi-Locations

A typical MED-V management server can support thousands of users, depending on its hardware. The client-server communication is lightweight. Clients are normally configured to poll the server for a policy every 15 minutes and for image updates every 4 hours. If the policy polling interval is increased, the server should be able to scale further. The only heavy-duty client-server operation occurs when a new image is available and multiple clients retrieve hundreds of megabytes from the images repository. Since the images repository is a standard Microsoft IIS Web server, it is possible to scale the image delivery based on IIS capabilities. To improve the download rate, use bandwidth efficiently, and further balance the load, the image delivery servers can be placed in multiple geographic locations. DNS resolution can be used to direct the MED-V client to the best available location. Alternatively, a separate distribution mechanism can be used to deliver the virtual images to the endpoints; the MED-V client then looks for the image in a pre-defined location, which removes the need for image download and for the MED-V image delivery Web infrastructure.

8.2 High Availability

The MED-V client operates independently of MED-V servers. If the management server is malfunctioning or has stopped responding, all clients already running a MED-V workspace may continue working. New attempts to start a MED-V workspace will run in offline mode. Only online authentication, policy changes, and image updates are unavailable, and client events are aggregated on the client side until the server is available again. However, to ensure fast recovery from a server failure, MED-V supports a failover structure in which two identical management servers are placed behind a third-party high-availability cluster: one is active, the other is passive. Once the active server fails, the cluster automatically shifts to the passive server.

In this setup, all server resources (policy files, settings, virtual machine images, and the reports database) are separated from the management servers onto an external, highly available, clustered file system.
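The client-side behaviour section 8.2 describes when the management server is unreachable (continue on the last known policy in offline mode, and hold events locally until the server returns) is shown below as an added example. It is a constructed model, not MED-V's client code: the `Event` shape, the `fetch` and `send` callbacks standing in for the HTTP session, and the error values are all assumptions. The two details worth noticing are that a client with no cached policy at all cannot fall back and must report that, and that a flush that fails part-way keeps the undelivered tail so the next flush neither loses nor duplicates events.

```go
package main

import (
	"errors"
	"fmt"
)

// Event is a client-side notification awaiting delivery to the management
// server. The shape is assumed; the page only lists the kinds of events.
type Event struct {
	Kind    string // e.g. "workspace_started", "workspace_failed_no_memory"
	Machine string
}

// Client keeps the last accepted policy and spools events while offline.
type Client struct {
	policy  []byte  // last policy accepted from the server (nil until first success)
	pending []Event // events not yet delivered to the server
}

var ErrNoPolicy = errors.New("server unreachable and no cached policy; workspace cannot start")

// RefreshPolicy asks the server for the current policy via fetch. If the
// server is unreachable the client falls back to its cached copy and reports
// offline mode; with nothing cached there is no safe fallback.
func (c *Client) RefreshPolicy(fetch func() ([]byte, error)) ([]byte, bool, error) {
	p, err := fetch()
	if err == nil {
		c.policy = p
		return p, false, nil
	}
	if c.policy == nil {
		return nil, true, ErrNoPolicy
	}
	return c.policy, true, nil
}

// Record queues an event locally regardless of server availability.
func (c *Client) Record(e Event) { c.pending = append(c.pending, e) }

// Flush delivers spooled events in order and stops at the first failure, so
// the undelivered tail is retried later without resending what succeeded.
func (c *Client) Flush(send func(Event) error) (int, error) {
	sent := 0
	for len(c.pending) > 0 {
		if err := send(c.pending[0]); err != nil {
			return sent, err
		}
		c.pending = c.pending[1:]
		sent++
	}
	return sent, nil
}

// Pending reports how many events are still held on the client.
func (c *Client) Pending() int { return len(c.pending) }

func main() {
	var c Client
	down := func() ([]byte, error) { return nil, errors.New("connection refused") }
	up := func() ([]byte, error) { return []byte("policy-v1"), nil }

	_, offline, err := c.RefreshPolicy(down)
	fmt.Println("first start while server down:", offline, err)
	p, offline, _ := c.RefreshPolicy(up)
	fmt.Println("server up:", string(p), "offline:", offline)
	p, offline, _ = c.RefreshPolicy(down)
	fmt.Println("server down again, cached policy:", string(p), "offline:", offline)

	c.Record(Event{Kind: "workspace_started", Machine: "PC-01"}) // constructed events
	c.Record(Event{Kind: "workspace_stopped", Machine: "PC-01"})
	n, err := c.Flush(func(Event) error { return errors.New("timeout") })
	fmt.Println("flush while down: sent", n, "pending", c.Pending(), err)
	n, _ = c.Flush(func(Event) error { return nil })
	fmt.Println("flush after recovery: sent", n, "pending", c.Pending())
}
```

The same pattern also explains why the failover design in the text keeps policy files and the events database on shared storage: a client that reconnects to the passive server after a switch-over expects the same policy and the same place to deliver its spooled events.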

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista, Active Directory, Microsoft SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.