Getting Started with WDAC

Windows Defender Application Control (WDAC) is the native Windows 10 feature for controlling which files are allowed to execute on the desktop. In Windows 10 version 1903, Microsoft added support for file path rules as a basis for whitelisting. Before this, implementing a WDAC policy for the desktop in production was very difficult, almost impractical: every binary had to be identified in advance by hash or by signer. File path rules allow applications in the Windows and Program Files folders to run without first enumerating what they are, on the basis that standard users cannot write to those locations. This is one of a series of posts about how to create and implement a WDAC policy for the desktop with file path rules, using Intune to deliver it.
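As an added example (it is not code from this post or from the series it introduces), the PowerShell below builds a path-based WDAC policy of the kind described: allow rules for the Windows and Program Files folders, audit mode so nothing is blocked while the policy is tuned, and compilation to the binary form that Intune delivers. It needs the ConfigCI module on Windows 10 1903 or later and an elevated shell. The folder C:\WDAC and the policy name DesktopPathPolicy are assumptions for the example.

```powershell
# Added example, not from the original post. Builds a WDAC policy whose allow
# rules are file path rules for the Windows and Program Files folders, starts
# it in audit mode, and compiles it to the binary the kernel loads.
# Requires the ConfigCI module (Windows 10 1903+) and an elevated prompt.
# $PolicyDir and the policy name are assumptions for this example.

$PolicyDir = "C:\WDAC"
$PolicyXml = Join-Path $PolicyDir "DesktopPathPolicy.xml"
$PolicyBin = Join-Path $PolicyDir "DesktopPathPolicy.cip"
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# Path rules. Each must point at a location that standard users cannot write
# to: WDAC re-checks the folder's DACL at runtime and ignores a path rule for
# a user-writable location, so a rule for a user's profile would be useless.
# %OSDRIVE% is a WDAC path macro for the drive Windows is installed on.
$rules = @()
$rules += New-CIPolicyRule -FilePathRule "%OSDRIVE%\Windows\*"
$rules += New-CIPolicyRule -FilePathRule "%OSDRIVE%\Program Files\*"
$rules += New-CIPolicyRule -FilePathRule "%OSDRIVE%\Program Files (x86)\*"

# Build the policy from the explicit rule set only. -UserPEs makes the policy
# apply to user-mode code rather than kernel drivers alone; -MultiplePolicyFormat
# produces the 1903-style policy that supplemental policies can extend later.
New-CIPolicy -Rules $rules -FilePath $PolicyXml -UserPEs -MultiplePolicyFormat

# Rule options: 3 = Enabled:Audit Mode, so executions that would be blocked are
# only logged (Microsoft-Windows-CodeIntegrity/Operational, event 3076);
# 6 = Enabled:Unsigned System Integrity Policy, so the policy can be deployed
# while it is being tuned without a signing certificate.
Set-RuleOption -FilePath $PolicyXml -Option 3
Set-RuleOption -FilePath $PolicyXml -Option 6

# Give the policy its own name and a fresh GUID; the binary must be named
# after that GUID when it is placed in the Active policy folder.
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName "DesktopPathPolicy" -ResetPolicyID

# Compile to the binary form that Intune (or a manual copy into
# %windir%\System32\CodeIntegrity\CiPolicies\Active\<PolicyId>.cip) delivers.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Write-Host "Audit-mode policy written to $PolicyBin"
```

Two points a practitioner would want before switching off audit mode (remove option 3 with `Set-RuleOption -Delete`): first, the runtime writability check is what makes path rules safe, and rule option 18 (Disabled:Runtime FilePath Rule Protection) turns it off, so leave that option unset unless you have a very specific reason; second, a policy built only from these three path rules says nothing about files outside those folders, so the audit log is where you discover what else the estate actually runs before enforcement.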


Windows 10 Licensing on Cloud

You probably know that, until recently, the Microsoft license did not permit you to run a Windows Client OS on cloud infrastructure. This has now changed. The exact license terms are difficult to find, and the cases where the changes could make a difference are limited. Here is a summary.

The clause that restricts you is the one that permits you to run a virtualised copy of Windows only "on (a) device(s) dedicated to Customer’s use". Here is the relevant document: Licensing Windows Desktop OS for Virtual Machines.

The key parts of this are:

  • Virtual Device Access (VDA) Rights are what you need to access a virtual copy of the Windows client OS. "VDA Rights" are not the same as "VDA Subscription". VDA Rights are what you acquire either with Software Assurance to run a copy of Windows, or a VDA Subscription if you are running something else.
  • VDA Rights are subject to the restriction above, to run only on dedicated hardware.

To state the obvious, this means no Windows 10 in Azure or AWS running on shared infrastructure. Under these terms, for example, you cannot use Azure to provide a DR facility for enterprise desktops.

In May 2016 a Microsoft blog said that Windows 10 would be coming to Azure through a partnership with Citrix, using XenDesktop: Microsoft and Citrix Partner to Help Customers Move to the Cloud. This was picked up widely in the press. The Citrix offer was announced in April 2017: Citrix XenDesktop Essentials for Azure.

On the face of it this is a significant change. Yes, it has a minimum requirement of 25 users, but still it is:

  • a monthly subscription, not a long term contract
  • pay for capacity if you use it, and not if you don’t.

The curious thing about this is that there is no corresponding announcement from Microsoft, and no apparent change in Windows 10 licensing. So what exactly has changed?

  • The Citrix offer requires the customer to have an "Enterprise Agreement"
  • This EA will cover all users and devices in the organisation, already permitting them to access virtual Windows 10 Enterprise through VDA Rights (although restricted to dedicated hardware).

So the change is that, provided you have an Enterprise Agreement, and use XenDesktop Essentials with a minimum of 25 accounts, you do not need to use explicitly dedicated hardware.

Separately, in May 2017 Microsoft introduced a new offer: Azure Hybrid Use Benefit for Windows Server and Windows Client. This is not explicitly related to the Citrix XenDesktop Essentials offer. It allows customers to upload a Windows 10 Enterprise image to Azure, but "Only Enterprise customers with Windows 10 Enterprise E3/E5 per user or Windows VDA per user… are eligible".

You can already run a Windows desktop in Amazon Web Services (AWS). Here the licensing terms are more straightforward:

  • For a regular Windows "desktop experience" you get a licensed copy of Windows Server Datacenter Edition. Desktop Experience is a feature of Windows Server that adds some of the features of a Windows client. Datacenter Edition is the license that allows you to run multiple virtual copies of the OS on one host.
  • For a minimum of 200 machines per month, you can Bring Your Own License (BYOL), provided you have VDA Rights (see above).
  • This puts a value of $4 per month on the license component of each VM, but with a 200-desktop minimum.

So in summary:

  1. You can already run a virtual desktop (a real dedicated desktop, not a session) using a Windows Server OS on Azure or AWS without restriction
  2. You can already run a virtual desktop using your own Windows client licenses on any dedicated hardware, if you have VDA Rights through Software Assurance or a VDA Subscription.
  3. As a special case of 2) above, you can already do this on AWS with a minimum of 200 desktops
  4. You can now (2017) run a virtual desktop with your own Windows client licenses in Azure, if you have a Microsoft Enterprise agreement.

To use a virtual desktop on any scale you will still need the surrounding infrastructure: a machine composer; a broker; and a client. XenDesktop Essentials provides a way of obtaining these on a monthly rental, compared to the normal annual subscription or perpetual license.

Windows 10 Performance on AWS

Amazon Web Services (AWS) offers a range of Windows 10 virtual desktops, called WorkSpaces. Let’s see how they perform.

The summary is that:

  1. A Standard Windows 10 WorkSpace performs similarly to a top of the range Dell laptop
  2. A Graphics Windows 10 WorkSpace performs similarly to a high performance Dell workstation.

That’s useful to know. If you want to give people access to a good all-round machine, then the Standard WorkSpace will do it. And if you want to give them access to a high performance machine occasionally, then a Graphics WorkSpace will do it. Meanwhile they can carry around a tablet like the Surface Pro for everyday convenience, and still have access to the whole range of Office 365 applications.

The costings are a bit of a surprise, but that will have to follow in another post.

First, the definition of the WorkSpaces. AWS offers four levels of performance for Windows 10:

Value        1 vCPU, 2 GiB memory, 10 GB user storage
Standard     2 vCPU, 4 GiB memory, 50 GB user storage
Performance  2 vCPU, 7.5 GiB memory, 100 GB user storage
Graphics     8 vCPU, 15 GiB memory, 1 GPU with 4 GiB video memory, 100 GB user storage

The Windows 10 WorkSpaces run a copy of Windows Server 2016, using one Datacenter Edition license for all copies running on the same host. So it is not quite accurate to call it a Windows 10 desktop. AWS describe it as: " a Windows 10 desktop experience, powered by Windows Server 2016." It makes no practical difference to the functionality, or the benchmarking.

An AWS WorkSpace is a virtual machine with a rudimentary system for brokering the machines to different users, and a remote access client. This, again, makes no difference to functionality or performance, but it explains why we have these categories (Value, Standard etc.) rather than the usual mix of EC2 instance types.

The software I use for benchmarking is PassMark PerformanceTest. I have been using it for some time. It is a good product, and I have my own benchmarks from different types of machines to compare with. The methodology is very simple: start the machine; install the software; run the benchmark. Ideally you might do several runs, but I have not found that to be necessary.

Let’s get to the results. First the benchmarks for the different WorkSpaces.

Computer            Value    Standard  Performance  Graphics
CPU Mark            1774.9   3527.4    2450.8       7879.3
2D Graphics Mark    297.9    513.2     344.3        460.8
Memory Mark         742.3    1494.8    1647.9       1869.7
Disk Mark           801.2    805.8     880.9        1252.2
3D Graphics Mark    N/A      N/A       N/A          3988.4
PassMark Rating     751.5    1223.2    1010.6       2652.2

The Performance WorkSpace is a surprise. It is configured with the same 2 vCPU as the Standard, and with more memory, but its results are lower than the Standard's. I checked this twice, and I ran the test again on the following day to confirm. The figures here are the best obtained. A possible reason is that it is configured with only one physical core, with hyperthreading enabled, whereas the Standard is two physical cores, with hyperthreading disabled. Whatever the reason, it is obviously not worth paying more for the Performance WorkSpace, unless you need the additional memory. It could really be called a "Memory" WorkSpace.

Here is the comparison with other machines. First the Standard WorkSpace compared with a Dell Latitude E7240, a good quality laptop.

Computer            Standard  E7240
CPU Mark            3527.4    3495.3
2D Graphics Mark    513.2     563.6
Memory Mark         1494.8    1166.1
Disk Mark           805.8     2186.2
3D Graphics Mark    N/A       457.4
PassMark Rating     1223.2    1719.6

The Standard WorkSpace is comparable to a top of the range laptop like the E7240 (although that model is a bit old now). The CPU benchmark is comparable, although the SSD in the physical laptop is much faster than the virtualised SSD on the WorkSpace. The WorkSpace CPU presents two logical processors from an Intel Xeon E5-2676, while the laptop CPU presents four from an Intel Core i5-4210U (two cores with Hyper-Threading).

Here is the Graphics WorkSpace compared with a Dell Precision M6700 mobile workstation (again, a bit old now):

Computer            Graphics  M6700
CPU Mark            7879.3    9520.0
2D Graphics Mark    460.8     754.0
Memory Mark         1869.7    2232.1
Disk Mark           1252.2    589.5
3D Graphics Mark    3988.4    956.0
PassMark Rating     2652.2    2075.0

We can see that:

  • CPU is comparable: 8 logical processors on an Intel Xeon E5-2670 against 8 on an Intel Core i7-3940XM (four cores with Hyper-Threading)
  • Disk is better than the Standard WorkSpace; not as good as the Dell laptop's SSD, but better than the Dell workstation's SATA drive
  • The 3D graphics result is outstanding

My overall impression is that I would be happy with the Standard WorkSpace as a substitute for a laptop, and very happy with the Graphics WorkSpace as a substitute for a workstation.

Cloud Cuckoo

Cloud is a great marketing concept. It creates an impression of something new and better. But is it really new and better, or is it for the birds, up there in Cloud Cuckoo Land?

There’s no need to define Cloud services. It has been done by the National Institute of Standards and Technology (NIST) in their Cloud Computing Definition (NIST SP 800-145). You could write a PhD thesis on the abuse of the term in advertising. Let’s assume for the moment that it is something like buying your IT as a service. What is new about that?

  • Running your IT in a third party data center is not new
  • Paying someone else to run it is not new
  • Financing your IT assets over a payment term is not new
  • Buying specific services, like payroll, on a subscription is not new

What is better about it?

  • Having your IT remote rather than local is no faster or cheaper than it was
  • Paying someone else to run it is not better or cheaper than it was
  • The cost of financing assets is not lower
  • Running specific services, like e-mail, on a subscription has not become better or cheaper than it used to be

Of course it has always made sense to run some of your IT remotely, like a public website. Nothing has changed in the arguments for and against, so we don’t need to repeat them.

Nothing has changed, either, in the basic economics. Remote data is still more expensive, by roughly the same factor as before. Having someone else do something for you is still generally more expensive than doing it yourself, or not doing it at all. Yes, there are economies of scale in data centers, but there always have been.

So what’s up?

The significant change has been Virtualisation, or time-slicing of computing resources. Virtualisation is done by a tiny piece of software (maybe 300MB) that separates different workloads and their use of resources like CPU and memory. It is a kind of extended BIOS, nothing more. If the operating system allowed complete separation of workloads you would not need it.

Time-slicing enables the units of computing resource to be rented out. Up to now, the unit of resource has been physical. No matter how you finance a server, someone has to buy it and allocate it to a workload. With time-slicing the resource can be taken from a pool and put back when not used. You pay for the amount of resource used, and the level of guaranteed availability of the resource.

Of course you still have to have software to make use of the computing resource. It would be difficult if you had to buy the software as an asset, even if you were renting the CPU cycles. The Microsoft Service Provider Licensing Agreement (SPLA) allows a service provider to charge for usage rather than sell the license.

If we take something like Exchange, there are now three models for obtaining the service:

  1. Buy the hardware and software
  2. Subscribe to seats in a shared Exchange system
  3. Rent the hardware and software.

It does not really matter where you run it (on premise or at a third party data center) or who runs it (yourself or subcontracted). There is nothing new about those options. Of the three models above, only the last is new.

So why would you want to rent the hardware and software to run your own system, rather than buy it outright or subscribe to a service instead? You would need to want a custom dedicated service (otherwise subscribe) as well as flexibility to scale resources up and down inside a three year period (otherwise buy).

What rental achieves, which is quite valuable, is to remove the capital expenditure aspect of the decision making. With the physical server model it was easy. You had to buy a number of boxes and do some sizing. With the Virtualisation model the decisions are more complex. You need to create a virtualisation infrastructure as well as the traditional server infrastructure.

Services like Dropbox, iCloud, Google Apps, Office 365 are not technological innovations. Services like Windows Azure and Amazon S3 are technological innovations, because they enable you to rent computing resources rather than buy, using Virtualisation.

So is it Cloud, or Cloud Cuckoo Land? I think the question you need to ask as a CIO is "can we rent it?". That is what’s new about Cloud.