Lots of enterprises want VDI and desktop as a service (DaaS) without the burden of running their own infrastructure, says Microsoft 365 corporate vice president Brad Anderson. “They’re saying ‘hey, we want out of the business of having to build this infrastructure, we want to do it all from cloud’. And they would prefer to do it from Microsoft’s Cloud because then they have the builder of the operating system, the builder of the tool, the builder of the cloud all in one stack and it’s just far more simple for them. I want to move to the cloud, Office is the most commonly virtualized app on the planet, I’m already using Microsoft management, and I’m increasingly using Microsoft security. This is the best integrated solution for me.”
That simplicity is more than having only one organization to go to with support problems. Microsoft’s Windows Virtual Desktop (WVD) service, now generally available, comes with some obvious advantages: the usage rights are already part of Windows E3 and Office 365 ProPlus licences, and it is the only multi-user cloud VDI where you don’t have to pay for hardware dedicated to your clients. You also get three free years of extended security updates for Windows 7, if you’re not going to have your migration done by January 2020.
Performance and security
Microsoft knows quite a lot about running Windows, not just inside the company itself, which isn’t like any enterprise outside Redmond, but for the customers who pay it to run Windows and PCs via Microsoft 365. “Because Windows Virtual Desktop is a first-class citizen in Microsoft 365, all of our management security that we build applies to it — the manageability and the security, and unique ways that we’re using data there, Windows Virtual Desktop inherits all of that,” says Anderson.
WVD takes advantage of optimisations already in Office, like the way Teams allows clients to negotiate peer-to-peer connectivity and stream AV directly between two devices to avoid latency and problems with echo cancellation on video calls. That latency would be even worse with WVD, points out Scott Manchester, the principal engineering lead for WVD.
“There’s two hops: you’re talking to your machine on one end of the call and going up to the Azure VM hosting your workload, and then from that VM to the other endpoint for the call. That’s a poor experience when people are trying to communicate and waiting for a pause to talk, and it just gets awkward. As part of the Windows Virtual Desktop architecture, we can overlay the AV stream that’s happening locally over the top of the remote window. Your local machine is negotiating the call between the caller on the other side, and the AV stream is being sent directly between those two endpoints and we’re overlaying it over the top of the window. You have the Teams apps hosted in Azure, but the video stream is coming directly from the other user.”
WVD also gets some performance benefits that come from changes in Office and Windows, and by adding support for FSLogix. Microsoft didn’t limit the existing FSLogix technology to WVD when it bought the company, so you can use it to speed up Office in any VDI setup, but having the developers in the same company lets Microsoft do deeper integration with Office. “We’ve done work in the Office Pro apps to optimise them for Windows Virtual Desktop, and that provides a far better experience than any other configuration. Once we got Randy [Cook] and the team inside of Microsoft, we were able to have engineer-to-engineer conversations at a much deeper level. Their technology drove change inside of Office that just gives this wonderful user experience,” Anderson says.
Non-Office apps get benefits, too. To avoid users having to sit through a lot of configuration and setup on their cloud desktop each time, WVD attaches the user profile, and the apps assigned to the user, to whatever VM they end up using each day, in the same way it attaches the virtual disk for their user profile. That avoids the complexity of sequencing apps for virtual deployment and the overhead of streaming them into a VM. This new App Attach feature relies on changes made in Windows to support dynamic delivery of MSIX packages, Microsoft’s new app installer technology.
Customers have been using PowerShell to deploy and manage WVD during the preview, but the team is working on an Azure Portal user interface. “We prioritised having a rich set of REST APIs and PowerShell because we know that’s what enterprise customers will ultimately use when they deploy the service,” Manchester told TechRepublic. The portal will simplify testing: “We know sometimes customers want an easy ability to build out a test deployment — just click a couple buttons and get something up and running,” Manchester said.
The portal will also make it easy to manage apps for App Attach. “In the portal, you’ll be able to point to where apps are, and say ‘allow these apps to be part of this app group’ — and we already have a model where you can assign users to app groups,” Manchester explained. “It’s just that app groups can now be composed of physically installed apps on the machine or MSIX apps that get mounted at the time the user logs into the machine. You just build your MSIX, as you normally do; you don’t have to modify it or touch it. You post that on a share somewhere, and then, using our GUI, you can assign that app to that user.”
More modern Windows management
If they prefer, enterprises can also use System Center Configuration Manager to work with WVD. Microsoft will demo that at the Ignite conference, Anderson told TechRepublic. “We’re doing the integration, first with Config Manager, and then we’ll do it with Intune, to where WVD just becomes another application type inside of the management tool that IT professionals use to deploy apps for their users.”
WVD also changes the security implications of accessing virtualised resources, Manchester said, by using the Azure Active Directory authentication methods built for Microsoft 365, which let IT teams set policies for which devices are trusted to get access.
“The typical virtualization model is that you initiate a connection from your endpoint into your environment — and those inbound connections are always security holes. If you have to open any kind of a port into your network to allow connectivity from the outside world, you’ve created a security hole. With WVD, it’s a negotiated connection — we call it a ‘reverse connect’ — where the connection is actually established as an outbound connection from those VMs that are managing and hosting your apps and desktops and the gateway that’s between that connection, and your endpoint is Azure AD. Which means you can set all those policies like conditional access policies: you can require that all the endpoints connecting to the service are fully managed and meet all the security requirements, and you can restrict access by IP addresses or time of day. And you know that there is no backdoor because all the connectivity is as an outbound SSL connection from the customer’s environment.”
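The “reverse connect” pattern Manchester describes, as an added illustration that is not part of the original article and not Microsoft’s code: a loopback simulation in which the session host only ever dials out to a gateway, the gateway admits a client only after a token check (a constructed stand-in for the Azure AD conditional-access decision), and then relays traffic between the two. The token value and message formats are constructed for the demo.

```python
import socket
import threading

# Constructed placeholder: stands in for the identity and device checks that
# Azure AD conditional access would apply before a session is brokered.
TRUSTED_TOKENS = {"managed-device-token"}

def _gateway(gw: socket.socket) -> None:
    # First arrival is the session host dialling OUT to the gateway.
    host, _ = gw.accept()
    host.recv(4)  # b"HOST" banner
    # Second arrival is the user's endpoint; it must present a token first.
    client, _ = gw.accept()
    token = client.recv(64).decode()
    if token not in TRUSTED_TOKENS:
        client.sendall(b"DENY")
    else:
        client.sendall(b"OK")
        host.sendall(client.recv(64))    # relay the request to the host
        client.sendall(host.recv(64))    # relay the host's reply back
    client.close(); host.close(); gw.close()

def _session_host(port: int, connected: threading.Event) -> None:
    # The host never calls listen(): it opens one outbound connection and waits.
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(b"HOST")
        connected.set()
        req = s.recv(64)
        if req:  # empty read means the gateway closed us (client was denied)
            s.sendall(b"host-echo:" + req)

def reverse_connect_session(token: str, request: bytes) -> bytes:
    """Broker one client request through the gateway; return the client's reply."""
    gw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    gw.bind(("127.0.0.1", 0))            # only the gateway listens
    gw.listen(2)
    port = gw.getsockname()[1]
    threading.Thread(target=_gateway, args=(gw,), daemon=True).start()
    connected = threading.Event()
    threading.Thread(target=_session_host, args=(port, connected), daemon=True).start()
    connected.wait(5)                    # host is queued at the gateway before the client connects
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(token.encode())
        verdict = c.recv(4)
        if verdict != b"OK":
            return verdict
        c.sendall(request)
        return c.recv(64)
```

A denied endpoint never reaches the host: the gateway closes the host's outbound connection without forwarding anything.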
Manchester had been surprised by how many customers were ready to use Azure AD this way, and to move on from the ubiquitous System Center Configuration Manager to Intune. “They didn’t want to take forward their dependencies on AD into the cloud, and they wanted to be able to leverage Intune,” he said.
Microsoft was also surprised by how global the need for VDI was. The original plan was to launch in the US first and wait for customer interest in other parts of the world, but enterprises want to use VDI for employees in many different countries. WVD is now a worldwide service: it’s a ‘ring one’ service rather than one of the ‘ring zero’ services that are in every Azure data centre. However, Microsoft monitors demand and has already deployed extra resources in European data centres to improve performance and reduce latencies for WVD users in those areas.
Taking VDI to new ways of working
The other advantage of WVD is that it’s much cheaper than your own virtual desktop infrastructure — so much cheaper that enterprises will do it alongside their own infrastructure even if that means using two management tools, says Manchester. “They’re saying ‘I can reduce my cost significantly, because WVD is something I’m already entitled to, so I’m going to move whatever use case scenarios and whatever users I can up into WVD. And then for any workloads that I can’t move to the cloud, I’ll continue to use my on-prem solution’ — whether that’s Citrix or VMware or other solutions.”
To simplify that, WVD has the same broad partner ecosystem as Remote Desktop Services, where customers can use the Microsoft service or turn to partners either for extra features or just to avoid retraining IT staff. “Citrix managed desktops, Citrix virtual apps and desktops, and the Citrix Essentials products all support WVD worldwide on day one,” Manchester points out, and the VMware partnership announced in April also applies to WVD. “VMware is adapting their VMware Horizon product to be able to run on top of Windows Virtual Desktop, so they have a new flavour of that called VMware Horizon on Azure that will also sit on top of the web platform.” That will be in preview around the end of 2019, with the launch planned for Q1 2020.
Other partners can add their own features to WVD. “Value-added partners are the folks like Liquidware, Lakeside or Thinprint that provide layering solutions or app management solutions or alternative GUIs,” Manchester explains. “There are thousands of these partners out there today and we worked with the whole ecosystem to allow them to get exposure of the service offerings, so customers can go into the Azure Marketplace, type in Windows Virtual Desktop, and discover all these solutions.”
This is where partners can integrate App Attach, Manchester says. “Take a solution provider like Liquidware, who provide a variety of different layering solutions. They now will be able to take an App-V package, an MSIX package or their layers and through a single portal allow customers to choose which option they want to make those apps available to end users in their web environment.” Citrix is integrating App Attach into Unidesk and its other app layering technologies and VMware is doing the same with its app volumes technologies.
The point of WVD isn’t just to be another way of doing VDI, or even just a cheaper way of doing VDI. “Our overall intention was not to simply shift one user from one solution to the other, but to actually extend the reach of virtualization,” Manchester explains. “Any time you can reduce the IT overhead for building, managing and deploying Windows, you’re increasing the total market.”
“Today VDI is used in financial services as a security boundary, in M&A activities to quickly onboard new users into the environment of the acquiring company, and then for seasonal employees where it’s easy to onboard and offboard [people].” Making VDI cheaper, simpler and faster can take it beyond those known niche workloads, Manchester suggests.
Customers are already starting to move high-end graphics workloads to the cloud, Manchester notes. “They can take a designer that’s typically been chained to the desk where they had the high-end graphics machine, and get them out into the field, working with different people across the company or in remote areas closer to where their customers are and make them productive even when they’re not in the office.”
Ironically, it even means custom hardware for WVD. Specific hardware for virtual desktops isn’t the oxymoron it sounds, Manchester explains. “There are some vertical markets that use thin-client devices as dedicated endpoints that are tamper proof or highly protected devices that can be used in industrial environments.” Building custom endpoints for WVD will put Windows applications in places you’d never put even a rugged PC.