Windows 10 S – Putting Your Desktops on Lockdown.

Rory Monaghan

App-V, Application Virtualization, Windows 10


In previous blog posts, I touched on application delivery options when migrating to Windows 10. In this post, I’ll delve into hosted applications, application virtualization, and Windows 10 S.

You can also get your hands on a video I created showing how to run Win32 applications on this locked-down operating system through Citrix XenApp, and a few other alternatives. There’s also a useful two-page Windows 10 S data sheet available.

VIDEO & DATASHEET
If you just want the video and data sheet you can skip down to the bottom of the article.

Just what IS an application virtualization product?

Products like Citrix XenApp and VMware Horizon Apps are labeled as application virtualization products. Products like Microsoft’s App-V and VMware ThinApp are also labeled as application virtualization products. The technologies at play here are vastly different.

Citrix XenApp, VMware Horizon Apps, Parallels Remote Application Server, etc. extend Microsoft’s Remote Desktop Session Hosts, allowing you to put your application on a server and publish a shortcut to your users. When they launch the application, it presents and runs on their device as though it’s installed on their desktop. In reality, it’s being run on the shared server and presented on your user’s device.

App-V and ThinApp are application-level virtualization products, which isolate the application and can deliver it and run it directly on any Windows system.

Why Use Application Virtualization?

If you have worked with Citrix XenApp, Microsoft Remote Desktop Services, VMware Horizon Apps or Parallels Remote Application Server AND you elected to install your applications into your image(s), you have most likely run into application conflicts. A common and now very outdated way of dealing with this is to silo applications.

When you run into an application conflict, you need to determine which applications are conflicting. If Applications X and Y aren’t working well together, you ensure they are hosted on different servers. This could mean creating an extra image or possibly having different condition-based server builds. You will also need to clearly document which servers are used for which apps; you may also need to expand your naming scheme.

With application virtualization, using products like Microsoft App-V or Numecent Cloudpaging, your applications can run isolated. When the application is run it launches with visibility of its own dedicated virtual file system. This ensures applications will look within their isolated virtual environment so applications running on your shared session host will not conflict.

No more need to silo, no need to introduce complexity, and no need to introduce additional cost in extra OS licensing, storage, compute, etc.

Think about when you’re running into conflicts with traditionally installed apps in your image or build.

If App A conflicts with App B, and App A is used by everybody in the company and App B is used by half of the company, you could end up with a lot of extra servers just to deal with two apps that conflict.

Now, imagine if you have hundreds of apps and multiple apps conflict! Fuhgettaboutit!

Application Virtualization Options

You have many choices in application virtualization products. Pretty much every product on the market will work with any vendor’s application hosting platform and virtual desktop infrastructure. Most can also run on physical laptops and desktops functioning both when the machine is online and offline.

When deciding which product to use, it may be pretty obvious based on the stack you work with. For example, if you use Parallels RAS on top of your RDS, the obvious choices are App-V, which is built into Windows Server 2016 as a feature, or Turbo.net containers which natively integrate into the product.

If you use just straight up RDS on Server 2016, App-V may be an obvious choice. If you are a small shop without enterprise level agreements with Microsoft and run Server 2012 R2, App-V is not as accessible so Numecent Cloudpaging or another alternative might be best.

Again, you can combine application virtualization and hosting together. For a comprehensive breakdown of the different products on the market, check out the Application Virtualization Smackdown and accompanying discussion of Smackdown Winners.

For the purpose of this article, I’ll focus on the two most widely used products in their respective fields – Microsoft App-V and Citrix XenApp.

You may be asking why I’m choosing to focus on hosted applications; it’s a technology which has been around for decades. Surely this should be about virtual desktops and application virtualization!

Published Hosted Applications vs. VDI

Brian Madden published a book several years ago called the VDI Delusion. I won’t give away the content of the book, but you can figure out the sentiment of the book by its title. Part of the equation of the delusion at the time of publishing was the cost factor.

Cost is now less of a factor than it was then and many who agreed back then and claimed VDI was not a viable solution have since somewhat walked back their claims. Indeed, Citrix and VMware have largely improved their VDI offerings BUT, and there is a “but” in my opinion, VDI is already quickly becoming obsolete. In fact, for the majority, it could be a case of never was.

I have worked in many different industries including Healthcare, Finance, Retail, Technology, Construction, Law, etc. and a common theme across all of this is that the majority of core users who bring in the money tend to use only a handful of applications. Most don’t require a full desktop; they only care about the applications themselves.

IT teams and businesses have created a dependence on desktops by providing mapped network drives and by enabling users to rely heavily on favorites in Windows Explorer and to store their life’s work in their Desktop and Documents folders (which might or might not be redirected and backed up).

Centralizing and simplifying things by providing published hosted applications not only reduces the cost of running beefy physical workstations, laptops or virtual desktops, but also enables your IT team to manage the environment, users and customer data in a more robust and secure manner.

More than this, today it’s estimated that for every one desktop application, an organization runs twelve web applications. With the adoption of the cloud, more and more vendors are moving their products to a Software as a Service subscription model. The most obvious of these being Microsoft Office 365 (which is awesome by the way!).

This shift will further reduce dependency on a full desktop. In my opinion, provide desktops to those who need them, such as IT workers and developers, and deliver published apps to those who don’t – which is pretty much everyone else.

Why Should I Use App-V with XenApp?

App-V has native integration with XenApp, BUT I opt to not use the built-in integration. I will explain why a little later in this article.

If you’re large enough to afford Citrix products, you likely have a Microsoft EA. If that’s the case, App-V is now in Server 2016 as a feature and is by far the most widely used application virtualization product on the market. If you’re using Citrix App Layering in your environment, App-V is the perfect companion to allow you to work around some of the limitations of layering and of course, you reap all the benefits of application virtualization.

Deploying App-V applications in XenApp.

No matter if you use Machine Creation Services (MCS) or Provisioning Services (PVS), you’ll want to ensure your servers are non-persistent. That way, you can perform rolling reboots which reset the servers to a clean state, reducing the possibility of issues popping up over time from stale sessions, stuck processes, broken services, etc.

App-V boasts a feature called Shared Content Store (SCS) mode which is perfect for this kind of environment. SCS doesn’t commit anything to local disk. Your virtual application files are not fully cached onto the servers. Small stub or sparse files are stored on the server in the App-V package store, and the application is loaded into memory.

The native integration with App-V provides two built-in methods for deploying your virtual applications to your hosts.

You can choose to “Add Microsoft Server” which prompts you to input the URL of one of your App-V publishing servers. This has to be just one of your publishing servers, not a VIP to multiple. If you’re wondering what the heck an App-V publishing server is, with App-V you have the option to set up what’s called the App-V Full Infrastructure, which contains Management Server(s), Publishing Server(s), a database and an optional Reporting Server.

It’s not a very good way to deploy App-V, and I go into that in more detail in my post about App-V Scalability.

The other option is to select “Add Packages” which allows you to add App-V packages right from your App-V file share. No extra infrastructure is required, just a file share for your apps. This is much better than doing it with the Microsoft Server option, BUT I still find it very limiting. There’s not a whole lot you can do other than add and remove the packages, add to Delivery Groups and Application Groups, etc. I have also had issues with application shortcuts getting messed up.

My favorite delivery tool for a XenApp environment is App-V Scheduler.

 

In addition to enabling the App-V feature in my PVS image using the PowerShell cmdlet Enable-AppV, I also installed the App-V Scheduler agent and configured the above settings.

I provided a path to my App-V content share where I will put all the app packages I want to be deployed to my XenApp hosts.

With these settings all applications are globally published, meaning they are targeted to the machine and not to the user.

The App-V cache is cleared every time a machine starts up, ensuring applications are brought in fresh on each reboot.

What makes this one of the best ways to deploy App-V is the fact that applications can be mounted or cached on a per-app basis when determined by your Citrix team. By default, an application will run in Shared Content Store mode which, as stated, means that when the application is launched it runs in memory and doesn’t commit anything to the local disk on the server.

Some applications may need to be mounted if they’re large as they may not perform well streaming on demand. This product gives an easy way to handle all applications optimally.

The Scheduler is configured for PVS private mode. When we open an image for updates, it won’t bring in App-V applications – ensuring apps are only delivered when running in Standard mode. This is another benefit of using App-V and App-V Scheduler. Some other appvirt products don’t have this flexibility, which in some cases could mean putting those appvirt packages into your image, which negates a lot of the reason for using appvirt in the first place.

Any application cache and sparse files get stored in the App-V package store under E:\App-V. Thanks to defaulting to SCS, this drive can be pretty small.
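
As an added illustration (not from the original post, and not App-V Scheduler's own code), the settings described above can be approximated at machine startup with the in-box App-V client cmdlets. The content share path and the list of packages to mount fully are hypothetical; E:\App-V is the package store named in the post.

```powershell
#Requires -RunAsAdministrator
# Added example: approximates the described settings with native AppvClient cmdlets.
# Hypothetical values: $ContentShare and $MountFully. 'E:\App-V' comes from the post.
$ContentShare = '\\fileserver\AppVContent'   # hypothetical UNC path to the App-V content share
$MountFully   = @('LargeCadApp')             # hypothetical package names that stream poorly

# Turn on the App-V client that ships as a feature in Server 2016.
Enable-Appv

# Clear whatever is left in the client so every boot starts from a clean state.
Get-AppvClientPackage -All | Remove-AppvClientPackage

# Shared Content Store mode: stream from the share, keep only sparse files locally.
Set-AppvClientConfiguration -SharedContentStoreMode 1 -PackageInstallationRoot 'E:\App-V'

# Add every package on the share and publish it to the machine (global), not per user.
Get-ChildItem -Path $ContentShare -Filter '*.appv' -Recurse | ForEach-Object {
    $pkg = Add-AppvClientPackage -Path $_.FullName
    $pkg | Publish-AppvClientPackage -Global | Out-Null

    # Selectively cache the packages that should not rely on on-demand streaming.
    if ($MountFully -contains $pkg.Name) {
        $pkg | Mount-AppvClientPackage | Out-Null
    }
}

# Report what ended up published and how much of each package is cached locally.
Get-AppvClientPackage -All |
    Select-Object Name, Version, IsPublishedGlobally, PercentLoaded
```

Because every package found on the share is published machine-wide, write access to that share should be limited to the team that maintains the packages, with session hosts and users given read-only access.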

App-V scheduler central view

App-V Scheduler offers much more than Studio when it comes to deploying App-V applications. As stated, you can mount\cache applications selectively. You can also selectively choose if an app is published globally or based on the user.

You can one-click deploy all applications in the content share to all servers or a group of servers. You can browse to a single server and remove an application, multiple applications or even all applications very easily without going on the server. You can easily create connection groups to allow multiple applications to work together, similar to isolation groups in Studio.

App-V Scheduler is awesome. I can rest assured when my servers reboot, that the apps all come back pretty quickly and if I want to deploy an application to hundreds of servers, I can do it with a single click.

Numecent Cloudpaging

App-V sure isn’t the only game in town. One of the biggest complaints from techies is that you can’t sequence ALL applications with App-V. In the Citrix world, you can now deploy those apps which won’t work with App-V as application layers instead, but application layers in Citrix App Layering currently limit you to deploying your app layer to machines with the same image as the one you used when creating the layer.

If you have multiple images for maybe Server 2008 R2, 2012 R2, 2016, Windows 10, Windows 7 and even 32-bit and 64-bit, that could mean creating an app layer for each of those OS types. If you have multiple variations of your image, it means even more.

Citrix App Layering elastic layers don’t work for all apps; some need to be put into your published layered image, and even when they do work, you might prefer to run the app isolated.

If you want another appvirt product with a higher rate of application compatibility, look no further than Numecent Cloudpaging. You can virtualize applications with drivers, low-level system components, etc. This is thanks to the ability to run an application as ‘locally installed’, meaning the isolation is essentially turned off. You can get close to a 99% success rate thanks to granularity in isolation options.

Read more about how awesome Cloudpaging is.

Windows 10 S

Windows 10 S DOESN’T support Win32 applications. It only supports Universal Windows Platform (UWP) apps. The problem with this is that Microsoft has stripped away OS components such as services, .NET dll’s and a bunch of other things. There is a converter for developers to convert their existing Win32 apps to UWP but it only wraps the app so it can be deployed via the Store. It doesn’t help with compatibility, and so most Win32 apps just won’t work on Windows 10 S.

The other facet to this is the fact that UWP apps can run on ARM processors. The U stands for Universal so apps will be able to run on mobile devices natively and since the Receiver is a UWP app, so too can the Citrix published apps.

The big play for Citrix is that with the Receiver available, people can just use their Win32 apps through XenApp. In my opinion, the current UWP version of the Receiver is not without its flaws: the display for the published app doesn’t scale to the size of the app, and the experience is a little clunky. But it’s still in its infancy and shows promise. This type of approach is already popular in academia on Chromebooks, and some organizations are looking at Windows 10 S for security reasons.

Windows 10 S running Win32 apps using Citrix Receiver

Since it’s so lightweight and the apps are less integrated into the system, patching doesn’t have the same management overhead, and there’s a reduced attack surface since the holes hackers use today shouldn’t be there.

Not every peripheral will work. There is a list of compatible printers and devices, but if you have other third-party devices, you should consult with the vendor to ensure they are compatible. If additional software is required for the device to work, odds are it will not work right now. You can still deploy Windows 10 S to workstations which do not require these peripherals and deploy Windows 10 Enterprise to the others.

Video: How to run Win32 applications on Windows 10 S

 

Conclusion

The direction things are going seems to be that the desktop will become less and less relevant. If Windows 10 S becomes popular thanks to its reduced attack surface, with attacks quickly becoming the number one concern for organizations, you should initially see an increased demand for hosted published application products like Citrix XenApp, VMware Horizon Apps, Microsoft RDS, Parallels RAS and Software2 AppsAnywhere.

Win32 applications aren’t going to go away quietly, and as I’ve said, for these shared session hosts running many different applications for tens of users, App-V and Cloudpaging are crucially important for cutting costs through increased user\server\app ratio.

Win 10 S datasheet


ABOUT THE AUTHOR

Rory Monaghan

Rory is Algiz Technology’s CTO Americas.  A man of many talents, he’s a Microsoft Windows IT Pro MVP, international speaker and contributes to the online App-V community via his blog www.rorymon.com.
