Using Application Virtualization (App-V) and Microsoft Enterprise Desktop Virtualization (MED-V) to Enhance Your Windows 7 Deployment

Today in the world of IT, much of the focus is on Windows 7 as well as virtualization. Adopting a new operating system in any organization is never a simple undertaking; however, the Windows 7 operating system along with the Microsoft Desktop Optimization Pack for Software Assurance (MDOP) provides technologies to enhance the deployment experience.

You might consider a traditional desktop and management strategy, but it might be time to look into the virtualization offerings for the desktop.

There are some main topics that should be of interest when looking at desktop virtualization technologies. Let’s discuss three topics and how they relate to enhancing your deployment of Windows 7.

Desktop virtualization helps IT more efficiently deploy and support Windows 7:

  • App-V reduces the cost of deploying and maintaining applications on Windows 7.
  • MED-V provides a solution for supporting incompatible applications in Windows 7.

Breaking the Traditional Desktop Model

The traditional desktop model is one in which the operating system, applications, and user data are all connected or bonded to each other. This model has served well over many years, but has some large drawbacks when implemented across an organization. For instance, the installation of an application might break another application or cause instability in the operating system. Deploying a new operating system may leave users with critical data or settings from their original machines missing.

Desktop Virtualization

Using virtualization technologies, these components can be separated from each other and operate independently, providing benefits to support and management costs as well as allowing IT to react more quickly to changing business requirements. The following is a brief description of each desktop virtualization technology with links to more information:

Reduce Support and Management Costs

At the user data and settings layer, Microsoft provides a set of technologies to virtualize the user state.

Roaming Profiles are a namespace of user-specific folders isolated for user and application data.

Folder Redirection is a client-side technology that provides the ability to change the target location of predetermined folders found within the user profile and is seamless to the user.

At the application layer, Microsoft provides a set of technologies to virtualize applications or the presentation of applications. 

App-V enables the transformation of applications into centrally managed virtual services to reduce the cost of application deployment, eliminate application conflicts and reboots, simplify your base image footprint to expedite PC provisioning, and increase user productivity.

RemoteApp programs are programs that are accessed remotely through Terminal Services and appear as if they are running on the end user's local computer.

Enable quick reaction to changing business requirements

At the OS layer, Microsoft provides technologies to virtualize the user’s desktop environment.

Virtual PC lets you create separate virtual machines on your Windows desktop, each of which virtualizes the hardware of a complete physical computer, and switch between them as easily as switching applications, with a mouse click. Windows XP Mode is a new benefit of Windows 7 Professional and Windows 7 Ultimate and provides additional application compatibility. Windows XP Mode was designed for the small and medium business user who doesn’t have a lot of resources to spend on IT or on revamping important software. Windows XP Mode extends the lifecycle of many older Windows XP applications to continue providing business value.

MED-V enables deployment and management of Microsoft Virtual PC Windows desktops to address key enterprise scenarios, typically upgrading to the latest version of Windows when some applications are not functional or supported.

Remote Desktop Services makes it possible to run an application or an entire desktop in one location, but have it be controlled in another.

Microsoft VDI is an alternative desktop delivery model that allows users to access desktops running in the datacenter.  Unlike Terminal Services, in VDI each user gets access to a personal desktop from any authorized device, thereby improving desktop flexibility. IT departments can take advantage of all the benefits of centralization, including centralized management of desktop workloads and improved business continuity.

With desktop virtualization technologies, some of the challenges with traditional desktops can be eliminated:

  • Often users require access to specific applications and user data no matter where they log on from. This can be achieved with App-V and User-State Virtualization.
  • Recovery from a lost or stolen mobile computer is possible with user-state virtualization and App-V.
  • Accelerating deployment of Windows 7 before all applications have been tested and remediated can be accomplished with MED-V.
  • Rapid deployment of a desktop computing environment for temporary workers is possible using Microsoft VDI or Remote Desktop Services.

Why you should use App-V in your Windows 7 deployment

Let’s focus now on App-V as part of a Windows 7 deployment. Planning and testing an operating system deployment is a large project. Applications need to be inventoried, analyzed, tested, and remediated before they are installed on Windows 7, in addition to developing a deployment strategy, creating images, and testing from the operating system perspective. Microsoft App-V should be considered in any operating system deployment for both short-term and long-term benefits in terms of cost and management. Planning a deployment to Windows 7 is the perfect time to stop installing software in the traditional way, which places files, registry entries, and other settings on the operating system and makes it more difficult to support.

Using App-V, applications do not need to be installed again on an operating system. App-V allows applications to be separated from the operating system and provides many benefits while reducing the long-term costs of managing and maintaining applications. Virtual applications are prepared and then deployed to clients using the various methods described below. The virtual applications run on the user’s desktop and are even available if the user is offline. However, the application is not installed in the traditional way, which means that no registry modifications or files are placed on the operating system.

Simplify application delivery – for IT and for users

Virtual applications can drastically reduce the number of images required for deployment and provide a long-term reduction in support costs. This is realized because multiple images do not need to be configured with base software for different departments and organizations within an enterprise. Virtual applications are delivered on demand to users, and a fresh Windows 7 image can be production ready for users in a fraction of the time when compared with traditional software deployment. Users will receive software when they need it and can be productive more quickly.

Application Management Benefits

Using App-V with Windows 7 not only helps with application conflicts but also greatly reduces the time you spend on application management after deployment of Windows 7, including application updating and deployment. Updating traditionally installed applications requires extensive testing and lengthy roll-outs. With App-V, an application can be updated and introduced to the infrastructure. Then, the next time a user opens the application, the updated version is automatically brought to the machine on demand, with no waiting for installation and no reboots.

Additionally, when virtual applications are no longer needed they can be easily removed, as they were never installed on the operating system. Depending on the deployment option, the procedures to remove virtual applications will differ, but the end result is an operating system without any lingering files or settings from the removed application, a benefit in long-term support of computers.

Deployment Options with App-V

App-V offers flexible deployment options that meet varying business needs. App-V provides management infrastructure in the box at no additional cost.  App-V is fully integrated with System Center Configuration Manager, App-V can be integrated with 3rd party PC Management solutions, and App-V can function without any infrastructure at all.  Identify your business requirements and YOU DECIDE which App-V option is right for your business.  With flexibility built-in, every organization can find the right solution when deploying applications with App-V, especially in Windows 7.

Application-to-Application Compatibility Benefits

App-V helps with application-to-application compatibility issues or application conflicts.

  • Enable multiple versions of the same application to run simultaneously. Allow users to have multiple versions of Microsoft Office on the same machine without conflict.
  • Enable applications that are known to conflict with one another to run without conflict by isolating the application’s files and registry from the operating system and other applications.
  • Reduce the amount of time associated with application compatibility testing as conflicts are eliminated. Eliminate regression testing that is both costly and time-consuming.

For additional technical information on App-V please visit:  https://technet.microsoft.com/en-us/appvirtualization/default.aspx

What’s new in App-V 4.5 SP1 for Windows 7

Moving to Windows 7 will require users to gain additional knowledge of the new operating system to allow them to be productive.  Using Windows 7 and Microsoft Application Virtualization together provides a seamless experience for users and simple management with increased control of the desktop for IT.  App-V strives to create a seamless user experience to ensure that the user is not confused by launching a physical or virtual application.  App-V also capitalizes on additional benefits of Windows 7 by taking advantage of new features of the operating system.  There are several new features in App-V 4.5 SP1 that further improve the experience of using App-V to enhance a Windows 7 deployment. 

Seamless User Experience

A new feature of App-V 4.5 SP1 is the integration with the Windows 7 user interface. Users are able to pin applications to the taskbar and use Jump Lists to navigate between applications. The result is that users will not be able to distinguish between traditionally installed applications and virtual applications. This means that no additional training is required for users beyond the new features of Windows 7.

AppLocker Integration

IT departments strive to have the greatest control over the desktop experience for users to control costs associated with support and management. Windows 7 introduces a new feature called AppLocker, which enforces compliance of applications with group policies. App-V integrates with AppLocker to allow IT professionals the greatest level of control over running applications regardless of how they are delivered or the type of application (traditional or virtual) they are.

For additional technical information on AppLocker please visit:  https://technet.microsoft.com/en-us/library/dd723686(WS.10).aspx

For more information watch videos on App-V with AppLocker:  https://technet.microsoft.com/en-us/windows/dd421892.aspx

Scenario 1

An organization has decided to use AppLocker to control where application executables can be launched from. AppLocker policies have been configured to only allow applications to run from the following paths: C:\program files and C:\windows, to ensure that no unapproved software can be executed. App-V applications execute from the Q:\ drive by default, so they would be restricted from running based on the current policy. This scenario assumes that virtual applications are being delivered to the machine and the goal is to allow all or some virtual applications to be available to all users of the computer or just to specific users of the computer. Using group policies and AppLocker, an administrator can configure the specific application path (Q:\) to allow virtual applications to execute, or specifically name individual applications by their full path. This would allow for complete control over which applications will launch for specific computers or users.

The settings for AppLocker are available using the Group Policy Editor under the following path: Computer or User Configuration|Windows Settings|Security Settings|Application Control Policies|AppLocker.

Figure 1: AppLocker Executable Rules
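
The Scenario 1 path rule written as AppLocker policy XML, merged into the local policy and checked before and after, as an added example that is not part of the original article. The rule Id is a constructed GUID, the rule name and file name are illustrative, and the script assumes it runs elevated in a session that can read Q:\.

```powershell
# Added example (not from the original article).
# Goal: keep the existing C:\Program Files / C:\Windows allow-list and
# additionally allow executables on the App-V virtual drive (Q:\).
Import-Module AppLocker

# Constructed rule: the Id is a made-up GUID, S-1-1-0 is the Everyone SID.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="11111111-2222-3333-4444-555555555555"
                  Name="Allow App-V virtual applications on Q:"
                  Description="Constructed example rule"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="Q:\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'AppV-QDrive-Rule.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Summarize how the local AppLocker policy treats every .exe found on Q:\.
function Get-QDriveDecision {
    $paths = @(Get-ChildItem -Path 'Q:\' -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
               ForEach-Object { $_.FullName })
    if ($paths.Count -eq 0) {
        Write-Warning 'No executables found under Q:\; nothing to evaluate.'
        return
    }
    Get-AppLockerPolicy -Local |
        Test-AppLockerPolicy -Path $paths -User Everyone |
        Group-Object -Property PolicyDecision |
        Select-Object -Property Name, Count
}

'Before merge:'; Get-QDriveDecision

# -Merge adds the rule to the existing local policy instead of replacing it.
# Use -Ldap with a GPO path to target a domain GPO rather than the local one.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

'After merge:'; Get-QDriveDecision
```

A path rule trusts everything under the path it names, so the alternative the article mentions, naming individual applications by their full path, gives a narrower allow-list than `Q:\*`.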

Scenario 2

Another option available with AppLocker addresses concerns about users installing applications, either traditional or virtual, without IT approval. In this scenario the IT department has restricted all unknown MSIs from running. An organization may want to distribute App-V applications on removable media like a USB flash drive or USB hard drive. Using AppLocker policies, users could be allowed to run certain MSI-based App-V installers to install their virtual applications. This would allow great control over what software could be installed from removable media in both traditional and virtual situations.
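
One way to build the Scenario 2 allow-list from the approved packages themselves, as an added example that is not part of the original article. The share path, output file name and USB path are hypothetical; publisher and hash rules are used here because they follow the file rather than its location, which matters when the drive letter of removable media is not known in advance.

```powershell
# Added example (not from the original article).
Import-Module AppLocker

# Hypothetical folder holding the App-V MSI packages that IT has approved.
$approvedDir = '\\fileserver\AppV-Approved'
$reviewFile  = Join-Path $env:TEMP 'AppV-Approved-MSI.xml'

# Collect publisher and hash information for every approved MSI.
$fileInfo = Get-AppLockerFileInformation -Directory $approvedDir -Recurse `
                -FileType WindowsInstaller
if (-not $fileInfo) { throw "No MSI files found under $approvedDir" }

# Publisher rule when the MSI is signed, hash rule as the fallback.
# -Xml returns the policy as text so it can be reviewed before it is applied.
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Approved App-V MSI' -Xml |
    Set-Content -Path $reviewFile -Encoding UTF8

# After review, merge the rules into the existing policy (local GPO here).
Set-AppLockerPolicy -XmlPolicy $reviewFile -Merge

# Check a copy of an approved package on removable media (hypothetical path).
$usbCopy = 'E:\Packages\ExampleApp.msi'
if (Test-Path -Path $usbCopy) {
    Get-AppLockerPolicy -Local |
        Test-AppLockerPolicy -Path $usbCopy -User Everyone |
        Select-Object -Property FilePath, PolicyDecision, MatchingRule
}
```

An MSI that is not in the approved folder matches none of the generated rules, so it stays blocked by the existing restriction on unknown MSIs.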

BranchCache to make users productive anywhere and save on IT infrastructure

BranchCache can be used with App-V to reduce infrastructure and management costs and also give users better access to virtual applications. With BranchCache, virtual applications can be downloaded to a remote office only once and made available to Windows 7 machines for subsequent downloads. That means that after the first user loads the application over the slower WAN link, all subsequent requests for the virtual application are made to the local BranchCache on the fast LAN that they are connected to for regular operations. Prior to Windows 7, App-V had many different delivery options, but they all relied on having a server at each branch office to achieve the best performance for application delivery. This required additional management to configure replication to ensure all virtual applications are present at each branch location.

For additional information on BranchCache please visit:  https://go.microsoft.com/fwlink/?LinkID=149834

BitLocker ToGo Secures Application Delivery

IT administrators can confidently and securely deliver virtual applications on a USB drive, as the associated licenses are protected against unauthorized use. Only authorized users have access to the applications, including remote users who may not have connectivity to the corporate network. In Scenario 2 above, about AppLocker, the applications being delivered to users via a USB drive could also have been enabled for BitLocker ToGo. This would ensure that only secure USB drives could be accessed for virtual application delivery by members of the organization's IT management services.

For more information on BitLocker ToGo please visit:  https://technet.microsoft.com/en-us/windows/dd408739.aspx

Integrate with 3rd party LDAP directories

App-V can reduce administrative overhead for customers who maintain their user accounts in a 3rd party LDAP directory, enabling Kerberos via Active Directory trust. This means that Active Directory isn’t the only way to authenticate users when using App-V. This allows organizations that invest in other directory service technologies to still have the benefits of App-V.

What if applications aren’t compatible with Windows 7

When facing an upgrade to a new version of Windows, IT is required to map and test all its line of business applications on the new operating system. While Microsoft offers a variety of methods and tools to address applications that are not working properly, in every organization there will be a subset of applications that are not yet officially supported by their vendor, or might not work at all despite all efforts. 

If you cannot get a version of the application to run natively on Windows 7 or mitigation is deemed too costly or time-intensive, there are new desktop virtualization tools to allow you to transition from older versions of Windows to Windows 7.

Windows 7 enables users to seamlessly run a virtual Windows XP environment through Windows Virtual PC. Older applications can operate in their supported operating system, removing the barriers to OS upgrade. Microsoft Enterprise Desktop Virtualization (MED-V) adds the capabilities required for IT-managed deployments of virtual PCs, including virtual image delivery, policy-based provisioning, and centralized management and monitoring.

With MED-V, you can maintain and manage an older version of the operating system where the applications are already known to work properly. Because every application does not have to be tested and made fully functional on the new operating system, you can greatly accelerate the time to deployment of a new operating system and provide more immediate returns on investment. After deploying the new operating system along with a MED-V managed down-level operating system with applications, the rest of the applications can be analyzed, tested, and mitigated, whether it is a new version of the application, a fix, a SHIM, or just a new application.

How is MED-V different from XP Mode?

As part of Windows 7 Professional and above, Microsoft now offers Windows XP Mode, a preconfigured Windows XP in a virtual PC image. No additional license is required, and the user can run applications that are not working on Windows 7. The user experience is seamless: applications from the virtual machine are readily available in the Windows 7 Start menu, and once launched, they appear as part of the Windows 7 desktop.

However, Windows XP Mode is designed for a single user or a small business where it’s OK to configure each machine separately. When IT needs to deploy incompatible applications at scale, they need a way to deliver those virtual machines, configure and control them, and finally update and support them. MED-V can be used to develop an infrastructure to create virtual PC images, apply usage policies for the virtual machines on a per-user or per-group basis, and deliver the image to the user.

Images can be delivered

Once delivered, MED-V takes care of joining the machine to the domain according to the settings the administrator configured, configuring the Virtual PC settings and network configuration, and adjusting the Virtual PC memory allocation based on available RAM on the host, so that the Virtual PC does not take significant resources from the user. From here on, the virtual Windows XP images can be managed, patched, updated and maintained with any tools that are used for any desktop in your environment.

You can also control how the two operating systems behave with one another, and you can even pre-define which websites or web-based line-of-business (LOB) applications need to be automatically invoked in the virtual machine’s web browser (Internet Explorer 6 by default).

What’s available for MED-V today?

Currently MED-V v1 is available running on Windows XP and Windows Vista.

MED-V v1 SP1 with support for Windows 7 will be available in the first quarter of CY 2010.

It will support Windows 7 hosts (32bit and 64bit) and will use Virtual PC 2007 to enable virtual machines that mainly run Windows XP SP3, but also Windows XP SP2 and Windows 2000 SP4 when necessary.
It will not require hardware assisted virtualization (such as Intel VT or AMD-V).

Watch for MED-V v1 SP1 Beta at https://www.microsoft.com/med-v

Get Started with MED-V

Begin testing and working with MED-V today as part of your Windows 7 deployment strategy.  Use the following link to download the Quick Start Guide and Evaluation Guide as well as other supporting documentation and information about MED-V at:  https://www.microsoft.com/medv

Conclusion

Adopting new operating systems is always a challenging task, but with Windows 7 and the Microsoft Desktop Optimization Pack you can enhance and accelerate the deployment of Windows 7.  In this document we discussed the general reasons behind desktop virtualization and how each of the Microsoft technologies fits into the equation as well as how both App-V and MED-V can enhance a Windows 7 deployment.

When looking to reduce costs, the features of App-V can provide immediate and long-term return on investment when deploying Windows 7. Eliminating application conflicts and regression testing has an immediate impact in the organization. You can find more information on how App-V can help reduce costs at the App-V Cost Reduction Study.

If the solution required is to increase business flexibility, such as deploying Windows 7 before spending lengthy time doing application compatibility testing, MED-V is the technology of choice.  Make sure you get more information on MED-V at https://www.microsoft.com/medv.

Remember when looking at additional solutions for your desktop optimization strategy, get started at: www.microsoft.com/mdop and read more about Microsoft virtualization at:  https://www.microsoft.com/virtualization/en/products-desktop.aspx.