
© 2006 Altiris Inc. All rights reserved.

Virtualize Your Business Desktop Deployment A White Paper by Danielle Ruest and Nelson Ruest

July 26, 2006

ABOUT ALTIRIS

Altiris, Inc. is a pioneer of IT lifecycle management software that allows IT organizations to easily manage desktops, notebooks, thin clients, handhelds, industry-standard servers, and heterogeneous software including Windows, Linux, and UNIX. Altiris automates and simplifies IT projects throughout the life of an asset to reduce the cost and complexity of management. Altiris client and mobile, server, and asset management solutions natively integrate via a common Web-based console and repository. For more information, visit www.altiris.com.

NOTICE

The content in this document represents the current view of Altiris as of the date of publication. Because Altiris responds continually to changing market conditions, this document should not be interpreted as a commitment on the part of Altiris. Altiris cannot guarantee the accuracy of any information presented after the date of publication.

Copyright © 2006, Altiris, Inc. All rights reserved.

Altiris, Inc. 588 West 400 South Lindon, UT 84042 Phone: (801) 226-8500 Fax: (801) 226-8506

BootWorks U.S. Patent No. 5,764,593. RapiDeploy U.S. Patent No. 6,144,992. Altiris, BootWorks, Inventory Solution, PC Transplant, RapiDeploy, and RapidInstall are registered trademarks of Altiris, Inc. in the United States. Carbon Copy is a registered trademark licensed to Altiris, Inc. in the United States and a registered trademark of Altiris, Inc. in other countries. Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other company names or products mentioned are or may be trademarks of their respective owners. Information in this document is subject to change without notice. For the latest documentation, visit www.altiris.com.

Page 3: Virtualize Your Business Desktop Deployment · 2019-09-26 · 4 < Virtualize your Business Desktop Deployment In addition, Microsoft has been putting additional features into the

Abstract......................................................................................... 2 About the Authors 2

Migration Project Truisms ............................................................ 1 The Benefits of Software Virtualization ........................................ 3

Dealing with Application Conflicts 4 In Comes Software Virtualization 5 Begin with Baby Steps 7

Migrate to SVS .............................................................................. 9 Best Practices for SVS in Migration Projects ............................. 13

CONTENTS

ABSTRACT

One of the most demanding aspects of distributed systems management is software asset management: the science of tagging, packaging, deploying and maintaining software assets in your organization. In comes software virtualization, or the ability to completely isolate software running on Windows PCs from both the operating system and from other applications which may cause system conflicts. In and of itself, software virtualization offers many benefits and may warrant an immediate implementation; but because of its nature, it requires redeployment of all of the software you run in order to take advantage of its virtualization capabilities. This white paper discusses where it is best to use software virtualization immediately as well as how to fully implement software virtualization when you perform your next operating system upgrade, hardware refresh or deployment project.

About the Authors

Danielle Ruest and Nelson Ruest are IT professionals specializing in systems administration, migration planning, software management and architecture design. They are authors of multiple books, notably two books published by McGraw-Hill Osborne: Windows Server 2003: Best Practices for Enterprise Deployments, ISBN 0-07-222343-X and Windows Server 2003 Pocket Administrator, ISBN 0-07-222977-2 as well as Preparing for .NET Enterprise Technologies, published by Addison Wesley, ISBN 0-201-73487-7. They have extensive experience in software packaging and managing large packaging projects. They are working on their fourth book, Enterprise Software Packaging: Patterns and Practices, to be released in late 2006.

MIGRATION PROJECT TRUISMS

One of the most demanding aspects of distributed systems management is software asset management: the science of tagging, packaging, deploying and maintaining software assets in your organization. In comes software virtualization, or the ability to completely isolate software running on Windows PCs from both the operating system and from other applications that may cause system conflicts. In and of itself, software virtualization offers many benefits and may warrant an immediate implementation. However, because of its nature, it requires redeployment of all of the software you run in order to take advantage of its virtualization capabilities. This means replacing the applications already running; that is, uninstalling the application and then redeploying it as a virtual application. Of course, uninstalling may leave behind traces of the application, leaving the operating system in a potentially unstable state, so the ideal time to do this is when deploying a brand new, “clean” PC.

Depending on your organization size, you may have from a dozen to several hundred applications in operation in your network. If it is only a dozen, you can take advantage of software virtualization immediately. Organizations that have hundreds of applications in operation won’t be able to completely adopt software virtualization unless they are willing to engage in a significant project that looks at each application and runs it through a new packaging[1] service to adapt it to this new technology. Large-scale projects of this type often only occur during an operating system upgrade project. This is why the best time to implement software virtualization may be during a migration to Microsoft Windows XP SP2 or even better, Windows Vista, or gradually as new PCs are added or older PCs are refreshed.

That’s because these deployment projects include a lot of activities, one of which is the evaluation of the compatibility of each application or software that is currently in use with the newly updated operating system to ensure that it will function properly. It is usually at this time that organizations implement several additional processes:

• Application Categorization. Identify the type each application falls into. Usually there will be three or four types, such as Windows Installer native commercial applications, legacy commercial applications, Windows Installer native corporate applications and legacy corporate applications. Finally, some organizations may further subdivide these categories into Win32 or .NET applications. Categorization is a process that will greatly assist in facilitating the packaging activity.

• Application Rationalization. Rationalization is also an important aspect of deployment projects. It consists of reducing the number of applications in the network through a series of evaluation processes. The easiest of these processes looks for multiple versions of the same application and reduces them to a single version. Next, if several applications offer similar feature sets, they can be reduced to a single application. Rationalization ensures that application sponsors exist for each application in the network. These sponsors are responsible for several activities during the migration project.

• System Construction Model. This is also an ideal time to implement a system construction model, one that divides the construction of a system into layers so that you can create a layer for all users, one for specific teams of users working in the same function and one for users who require individual applications that cannot really be assigned to groups.

• Standardized Systems Management. Migration projects are often the ideal time to review and update your systems management practices to streamline activities and reduce overall operating costs[2].

• Standardize Deployments. Finally, one of the most important aspects of any deployment, especially an operating system deployment, is the implementation of a standardized approach to desktop deployment. Microsoft now provides some guidance and a set of tools for this through the Solution Accelerator for Business Desktop Deployment (BDD)[3]. BDD provides both guidance and tools that allow organizations both small and large to more easily deploy both Windows XP SP2 and Windows Vista.

Since each of these processes will help reduce operational costs and decrease the size of the overall project, and since this type of project requires a look at each one of the applications in the network, this may be the ideal time to consider software virtualization.

[1] Packaging is the activity of preparing an application with customized settings that meet corporate standards so that it will install automatically without any feedback or interaction from end users.

[2] Additional information on Standardized Systems Management is available at http://www.altiris.com/upload/wp-standardized_systems_management_v1.3.pdf.

[3] More information on the BDD is available at http://www.microsoft.com/technet/desktopdeployment/bddoverview.mspx.

Application Sponsors

Application sponsors are responsible for several activities, which include:

• Subject matter expertise for the application

• Acceptance testing for the application package

• Application monitoring or watching for new versions or patches

• Rationalization justifications or justifying why the application should be in the overall software portfolio

THE BENEFITS OF SOFTWARE VIRTUALIZATION

It is the very nature of Windows that causes the problem when it comes to software. Microsoft designed Windows as the heart and soul of the computer. This means that Windows provides a set of core services that other applications can rely on, services such as a graphical interface, printing, communications, and other device interfaces. Because Windows provides the interaction with all hardware devices, application developers can concentrate on providing added functionality through their application. To do this, they must rely on the dynamic link libraries (DLLs) built into Windows. A major problem occurs when developers decide to include core operating system DLLs with their application because they know that their application works with this particular version. The application installation then replaces an existing DLL, breaking some other component in Windows. This is “DLL hell”—conflicts arise in your operating system when applications using conflicting DLLs try to cohabitate on a system.

Microsoft has done a lot of work to make Windows able to deal with these conflicts. The most important of these is the release of the Windows Installer service (WIS) which, along with providing one single interface for the installation of applications within the Windows environment, also provides the ability to manage application conflicts to some degree. WIS now provides extensive support for the software lifecycle (see Figure 1).

Figure 1. Windows Installer support for the Software Lifecycle

In addition, Microsoft has been putting additional features into the operating system to provide support for multiple versions of the same DLL operating simultaneously. In Windows NT, Microsoft began by creating the NTFS file system, which adds access control to all files and folders. In Windows 2000, where Microsoft integrated WIS for the first time, they restricted the way applications and users interact with the operating system, moving all user data access to a personal profile. In Windows XP, Microsoft added support for side-by-side DLLs operating in memory at the same time and introduced Windows System File Protection—a watchdog service that automatically repairs core system files in the event that an application installation overwrites them. In Windows Vista, Microsoft is providing further support for isolation through User Access Protection (UAP), a technology that forces even administrative users to acknowledge each time they need to perform an administrative or high-privilege action on their system.

Dealing with Application Conflicts

Despite all these improvements, application conflicts still exist because of the way organizations operate. This is partly due to the sheer number of applications organizations must run in order to support their operations. While small organizations may get away with running small numbers of applications to operate, medium to large firms often find themselves running hundreds of different applications with a wide range of functionalities and features, each one requiring some particular component to run properly within Windows.

It is true that migration projects such as the deployment of a new version of Windows will allow organizations to both reduce the number of running applications and upgrade some of them to versions that take full advantage of new operating system features. However, because of the number of applications they run, organizations simply can’t afford to upgrade each and every one of them. This leaves organizations with a mix of updated and outdated applications. In fact, organizations often find themselves running four or five categories of software:

• Newly-released commercial applications. These take full advantage of new OS features.

• Legacy commercial applications. These often cause the most conflicts.

• Updated or new custom applications. Applications that are developed in-house to take advantage of new OS features.

• Legacy custom applications. Applications that the organization is not willing or can’t afford to upgrade.

• Custom commercial applications. Applications that cannot be upgraded because an upgrade simply does not exist. A good example of this type of application can be found in manufacturing, where applications are designed to run special equipment providing mission-critical services to the organization.

This mix of applications makes the management of application conflicts one of the most important and challenging responsibilities of system administrators today.

Ironically, it is the level of effort Microsoft is investing in making Windows more stable that requires organizations to spend so much time testing application compatibility during each and every OS deployment project.

In Comes Software Virtualization

According to Wikipedia.com, virtualization is “…the process of presenting a logical grouping of computing resources so that they can be accessed in ways that give benefits over the original configuration.” This is exactly what Altiris® Software Virtualization Solution™ does—present groupings of file system and registry objects in a way that is completely transparent to the applications that require them as well as to the operating system itself. In fact, Altiris’ goal is to eventually virtualize nearly every component of the local desktop. Applications continue to be deployed locally, but instead of deploying application installations, you deploy applications as files only—files that require activation once they are located on the target system.

The first step in preparing an application for virtualization is the process of capturing the installed state of the application and storing it in a Virtual Software Package (VSP). Next, the application is delivered to the target system. Then it is imported and activated. Users run the application normally because the SVS filter driver, running at about 170 KB, manages all application interaction with the file system and registry. Since the application is captured in its installed state, users or administrators can reset it to its installed version in the event that an untoward incident occurs. When it is time to retire the application, simply deactivate it and delete it from the system (see Figure 2).

Figure 2. Working with Virtual Software Packages


In addition to supporting the activation and deactivation of applications, SVS also provides complete isolation of an application’s resources, allowing formerly incompatible applications to cohabitate happily on the same system. In fact, applications continue to interact with each other and with the operating system in a normal way; only the application's resources are isolated. This approach offers the benefits of virtualization while still allowing the application to execute normally and the virtualization to be invisible to the end user.

For example, corporations running Access 97 or 2000 applications can now have them cohabitate with Access 2003 on the same system without a worry that they might cause system incompatibilities. This is because SVS uses a filter driver (FSLX.SYS) to protect the operating system and present it with the requirements of the application (see Figure 3). Users can even cut and paste information from one version of Access to another because the operating system interprets both applications as behaving normally.

Figure 3. SVS Basics

SVS applications are stored in layer files that contain both read-only and read-write sections. The read-only section is what makes it possible to reset an application to its pristine state, while the read-write section provides the ability to store custom modifications created during application usage. In addition, Data Layers support the ability to preserve user data[4].

What is most important is that SVS is designed to interact directly with the Windows Installer service because the captured VSP can include a copy of the original MSI file used to install the software in the first place. If the application being virtualized is a legacy application that does not include an MSI, then SVS simply captures its running state and keeps the operating system pristine by preventing the application from making any permanent changes to the OS (see Figure 4).

Figure 4. The Software Virtualization Advantage

While traditional applications interact deeply and actually change the operating system and sometimes other applications during installation, Virtual Software Packages only interact with the SVS filter driver, keeping the operating system and other applications completely pristine.
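The package lifecycle and layer behaviour described above (import, activate, use, reset, deactivate, delete), as a conceptual model added here for illustration; it is not Altiris code and does not describe how FSLX.SYS is implemented. The class names, the sample paths and values, and the lookup order (an application's own layer first, then the base system) are assumptions.

```python
import hashlib


class Layer:
    """One imported package: captured (read-only) state plus a read-write section."""

    def __init__(self, name, captured):
        self.name = name
        self._read_only = dict(captured)  # installed state as captured; never modified
        self._read_write = {}             # changes made during application usage
        self.active = False

    def lookup(self, path):
        # Read-write entries shadow the captured ones.
        if path in self._read_write:
            return self._read_write[path]
        return self._read_only.get(path)

    def store(self, path, data):
        self._read_write[path] = data

    def reset(self):
        # Dropping the read-write section leaves only the captured state.
        self._read_write.clear()


class Desktop:
    """Base OS objects plus imported layers; stands in for the filtered view."""

    def __init__(self, base):
        self._base = dict(base)
        self._layers = {}

    def import_layer(self, layer):
        self._layers[layer.name] = layer

    def activate(self, name):
        self._layers[name].active = True

    def deactivate(self, name):
        self._layers[name].active = False

    def reset(self, name):
        self._layers[name].reset()

    def delete(self, name):
        if self._layers[name].active:
            raise RuntimeError("deactivate the layer before deleting it")
        del self._layers[name]

    def _active_layer(self, app):
        layer = self._layers.get(app)
        if layer is None or not layer.active:
            raise LookupError(f"{app} is not an active layer")
        return layer

    def read(self, path, app=None):
        # ASSUMPTION: a virtualized application is answered from its own layer
        # first and falls through to the base system for everything else.
        if app is not None:
            hit = self._active_layer(app).lookup(path)
            if hit is not None:
                return hit
        return self._base.get(path)

    def write(self, path, data, app):
        # Writes from a virtualized application never reach the base system.
        self._active_layer(app).store(path, data)

    def base_digest(self):
        h = hashlib.sha256()
        for path in sorted(self._base):
            h.update(path.encode() + b"\0" + self._base[path] + b"\0")
        return h.hexdigest()


# Constructed sample data: hypothetical paths and values, not taken from any real system.
DLL = r"C:\Windows\System32\shared.dll"
BASE = {DLL: b"dll-v3", r"HKLM\Software\Example\Setting": b"os-default"}


def run_lifecycle():
    desktop = Desktop(BASE)
    before = desktop.base_digest()
    desktop.import_layer(Layer("legacy-app", {DLL: b"dll-v1"}))
    desktop.import_layer(Layer("current-app", {r"C:\Program Files\Current\app.exe": b"bin"}))
    desktop.activate("legacy-app")
    desktop.activate("current-app")

    out = {
        "legacy_sees": desktop.read(DLL, app="legacy-app"),
        "current_sees": desktop.read(DLL, app="current-app"),
        "os_sees": desktop.read(DLL),
    }
    desktop.write(DLL, b"dll-changed-in-use", app="legacy-app")
    out["legacy_after_write"] = desktop.read(DLL, app="legacy-app")
    out["os_after_write"] = desktop.read(DLL)

    desktop.reset("legacy-app")
    out["legacy_after_reset"] = desktop.read(DLL, app="legacy-app")

    desktop.deactivate("legacy-app")
    try:
        desktop.read(DLL, app="legacy-app")
        out["readable_when_deactivated"] = True
    except LookupError:
        out["readable_when_deactivated"] = False
    desktop.delete("legacy-app")

    # The integrity check: the base system is byte-for-byte what it was.
    out["base_unchanged"] = desktop.base_digest() == before
    return out
```
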

Begin with Baby Steps

As mentioned previously, while SVS provides an incredible advantage to organizations that constantly face operational application issues, it still requires the repackaging and deployment of each application to fully profit from the advantages SVS offers. This is why it may be best to wait for a project such as an operating system upgrade to fully deploy SVS in the organization.

[4] For a more detailed overview of the operation of SVS, see Altiris Software Virtualization Solution at http://www.altiris.com/upload/wp_svs.pdf.


But this does not mean that you can’t use SVS in the meantime. Even if you decide to wait for an OS deployment to convert every application to SVS, you can still take advantage of its isolation features to support your most problematic applications immediately. Good examples abound.

• Access applications. Most organizations cannot afford to upgrade the multitude of Microsoft Access applications their user community has developed. Properly converting these applications to a client-server structure using back-end databases and front-end screens that can operate through the Access runtime is the best way to deal with this issue, but if you haven’t taken this step, then virtualize them! This will completely isolate them from the latest version of Access you need to deploy[5].

• Custom in-house applications. If you have custom applications that just won’t cohabitate with any other, you can virtualize them and have them finally cohabitate with any other on any system.

• Custom industrial applications. If you have custom industrial applications, for example, manufacturing applications, that require different settings for each manufacturing plant you run, you can now easily convert them to Virtual Software Packages and run them all on the same system.

Perform spot virtualizations by identifying the most problematic applications and virtualizing them immediately, then wait until your next OS deployment or hardware refresh project to virtualize the rest. This allows you to familiarize yourself with SVS and learn what advantages it brings to application management.

[5] More information on running and managing Access applications in-house is available at http://www.reso-net.com/articles.asp?m=8 under Decentralized Development Strategies.

MIGRATE TO SVS

When you’re ready to move all of your applications to SVS, then you can begin to create a Virtual Software Package for each application. This means that if you integrate it with an operating system deployment, you might change the way you perform this deployment. For example, using SVS might change the way you create your machine build. Before, organizations tended to create a massive system “kernel” that included all of the most common applications and utilities found within the organization (see Figure 5). This kernel was difficult to build and even more difficult to test because it required the integration of vast numbers of components. With SVS, this level of integration is reduced.

Figure 5. The PASS[6] System Construction Model includes a core System Kernel

Now, you can focus on installing the core operating system along with any required updates, adding core utilities such as antivirus, anti-spyware, firewalls, management agents, and the virtualization filter driver, and then virtualize all other components. You can still create a single core image that will include everything that is common to all desktops, but now, you can focus on the proper construction of your core operating system and expect it to maintain its pristine state for the duration of its existence within your organization. Just imagine the benefits!

[6] For more information on the PASS System Construction Model, see “Enterprise Software Packaging: Practices, Benefits and Strategic Advantages” at http://www.altiris.com/upload/wps_esp_whitepaper.pdf.

If you rely on a system construction model like PASS, then you can begin to see how SVS changes the structure and interaction of its components (see Figure 6). Several layers of this model are impacted by SVS both within and without the kernel.

Figure 6. SVS Interacts with PASS at Several Layers

The image you capture for deployment will include an installed operating system and installed utilities that cannot be virtualized at this stage, but everything else can be contained within a Virtual Software Package. This makes the construction of a kernel image much easier than before. You simply install the operating system and core utilities, and then import and activate the required VSPs. Finish by capturing the image for deployment.

Reference computers are now much easier to construct. In addition, if you use Microsoft’s new file-based Windows Imaging format (WIM) which will be delivered with Windows Vista[7], you will be able to service images by mounting them as files and injecting new components to them. With Virtual Software Packages, you can update an OS image simply by updating the VSP and recopying it into the image—you build a reference computer only once in the project. Another way to facilitate this process is to use an existing Windows Installer (MSI) package, create a new layer through the virtualization filter and install it into an isolated environment. This allows you to use existing packages while benefiting from virtualization.

[7] For more information on WIM, see Ximage and WIM Image Format at http://www.microsoft.com/technet/windowsvista/expert/ximage.mspx.

In addition, because of the very nature of VSPs, it will be much easier to work with the presentation layer of your system images. One of the toughest activities today in desktop construction and system imaging is to properly create and update both the Default User Profile and the custom user profile. Because VSPs can include presentation layer changes such as the positioning of icons within the Quick Launch Area of the desktop Start Menu, you don’t need to modify these settings ever again. Simply make sure they are captured within the VSP and they will show up automatically when the VSP is activated.

In addition, your packaging and testing process will be modified. You still need to package, but you won’t need to worry about clean machine images so much anymore. That is because after each application capture, you can simply deactivate the software you just installed to return the system to its clean state, saving hours of work (see Figure 7).

Figure 7. The Packaging Process for Virtual Software Packages


Finally, with the use of a system construction model such as PASS, you’ll find that role-based application groupings are now much easier to deploy. With installed applications, you need to create conditional installation sequences that require complex logic to make sure that applications are not installed out of sequence. With VSPs, you just need to bundle all of the applications in a group within the same VSP or, if you prefer, create an independent VSP for each tool and then copy all of them to target computers.

SVS also interacts completely with deployment tools such as Microsoft Systems Management Server or Altiris® Client Management Suite™, so you don’t need to change your existing management infrastructure or your existing deployment strategies. Only core system imaging and packaging strategies need to change.

You’ll still need to be concerned about proper deployment strategies and proper deployment project structures, but using SVS to capture all of your application installations will greatly simplify the deployment preparation steps and the operation of the desktops once deployed[8].

[8] For more information on proper migration project strategies, see “Six Steps to Successful Hardware Refresh” at http://www.managefusion.com/upload/managing_hardware_refresh.pdf.

BEST PRACTICES FOR SVS IN MIGRATION PROJECTS

Integrating SVS into an operating system migration or hardware refresh project will help you put an end to application management difficulties. So, when you do move to your next version of Windows, make sure you take advantage of the following best practices.

• Rationalize all applications. There is no reason to have more than one version of an application in your network or any reason to have multiple applications that offer the same feature set.

• Use application sponsors. Make sure that each and every application in your network has a named sponsor and that sponsors know and understand the responsibilities of this role.

• Categorize your applications. Properly categorizing your applications will help you identify problematic applications more quickly. It will also smooth the deployment preparation process.

• Use a system construction model. Using a model like PASS can help reduce desktop and server management costs.

• Implement standardized systems management. Streamline your management practices to help reduce operational costs and decrease your administrators’ workload.

• Standardize your deployments. Make use of best practices such as the Business Desktop Deployment Solution Accelerator to reduce desktop deployment costs.

• Move to software virtualization. Virtualize applications wherever possible to deal with application conflicts. Meanwhile, you can perform “spot” virtualizations, repackaging the most problematic applications you own. This allows you to reap immediate benefits from software virtualization while you perform your global move.

• Focus on the new kernel. With software virtualization, you can now concentrate on the operating system with proper updates and core utilities as your system kernel. Everything else is virtualized and isolated from the base OS. This means the kernel stays pristine throughout its lifetime in your organization.

• Change your reference computer habits. With SVS, you can build one reference computer and always keep it clean by deactivating virtual software packages once they are captured.

• Integrate the presentation layer. Make sure that your VSPs include interface components that are activated with the VSP. This way, you are automatically dealing with the presentation layer for both new and current users.

• When you think migration, think SVS. Make sure you take full advantage of SVS during your next deployment project. You will quickly see the advantages.