Getting Started with WDAC

Windows Defender Application Control (WDAC) is the native Windows 10 security feature that controls which files can be executed on the desktop. In Windows 10 version 1903, Microsoft added support for file path rules as a basis for whitelisting. Before this, implementing a WDAC policy for the desktop in production was very difficult, almost impractical. File path rules allow applications in the Windows and Program Files folders to run without first specifying what they are. This is one of a series of posts about how to create and implement a WDAC policy for the desktop, with file path rules, and using Intune to deliver it.
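As an added example (not code from this post or its series), this is how the file path rule approach can be assembled with the ConfigCI cmdlets built into Windows 10 1903 or later; the output directory is a placeholder, and the policy starts in audit mode so it can be evaluated before enforcement.

```powershell
# Added example, not code from the post. Assumes an elevated PowerShell on
# Windows 10 1903 or later; the ConfigCI module ships with Windows.
# $OutDir is a placeholder location chosen for this example.
$OutDir    = "C:\WDAC"
$PolicyXml = Join-Path $OutDir "FilePathPolicy.xml"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# File path rules: allow anything under the standard install locations
# instead of enumerating every binary by hash or signer.
# WDAC only honours a path rule for directories that standard users cannot
# write to, so user-writable locations do not belong in this list.
$rules  = New-CIPolicyRule -FilePathRule "C:\Windows\*"
$rules += New-CIPolicyRule -FilePathRule "C:\Program Files\*"
$rules += New-CIPolicyRule -FilePathRule "C:\Program Files (x86)\*"

# Build the policy directly from the rules; -UserPEs covers user-mode code
# and -MultiplePolicyFormat produces the 1903+ format that Intune expects.
New-CIPolicy -FilePath $PolicyXml -Rules $rules -UserPEs -MultiplePolicyFormat

# Rule option 3 = Enabled:Audit Mode. Would-be blocks are logged to the
# Microsoft-Windows-CodeIntegrity/Operational event log instead of enforced.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Compile to the binary .cip that the Code Integrity engine (and Intune) consume;
# the file is named after the policy's own GUID.
$policyId = ([xml](Get-Content $PolicyXml)).SiPolicy.PolicyID
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath (Join-Path $OutDir "$policyId.cip")
```

Review the audit events over a representative period before switching off option 3; anything that would have been blocked shows up there first.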


Windows 10 Licensing on Cloud

You probably know that, until recently, the Microsoft license did not permit you to run a Windows Client OS on cloud infrastructure. This has now changed. The exact license terms are difficult to find, and the cases where the changes could make a difference are limited. Here is a summary.

The clause that restricts you is the one that permits you to run a virtualised copy of Windows only "on (a) device(s) dedicated to Customer’s use". Here is the relevant document: Licensing Windows Desktop OS for Virtual Machines.

The key parts of this are:

  • Virtual Device Access (VDA) Rights are what you need to access a virtual copy of the Windows client OS. "VDA Rights" are not the same as "VDA Subscription". VDA Rights are what you acquire either with Software Assurance to run a copy of Windows, or a VDA Subscription if you are running something else.
  • VDA Rights are subject to the restriction above, to run only on dedicated hardware.

To state the obvious, this means no Windows 10 in Azure or AWS running on shared infrastructure. Under these terms, for example, you cannot use Azure to provide a DR facility for enterprise desktops.

In May 2016 a Microsoft blog said that Windows 10 would be coming to Azure through a partnership with Citrix, using XenDesktop: Microsoft and Citrix Partner to Help Customers Move to the Cloud. This was picked up widely in the press. The Citrix offer was announced in April 2017: Citrix XenDesktop Essentials for Azure.

On the face of it this is a significant change. Yes, it has a minimum requirement of 25 users, but still it is:

  • a monthly subscription, not a long term contract
  • pay for capacity if you use it, and not if you don’t.

The curious thing about this is that there is no corresponding announcement from Microsoft, and no apparent change in Windows 10 licensing. So what exactly has changed?

  • The Citrix offer requires the customer to have an "Enterprise Agreement"
  • This EA will cover all users and devices in the organisation, already permitting them to access virtual Windows 10 Enterprise through VDA Rights (although restricted to dedicated hardware).

So the change is that, provided you have an Enterprise Agreement, and use XenDesktop Essentials with a minimum of 25 accounts, you do not need to use explicitly dedicated hardware.

Separately, in May 2017 Microsoft introduced a new offer: Azure Hybrid Use Benefit for Windows Server and Windows Client. This is not explicitly related to the Citrix XenDesktop Essentials offer. It allows customers to upload a Windows 10 Enterprise image to Azure, but "Only Enterprise customers with Windows 10 Enterprise E3/E5 per user or Windows VDA per user… are eligible".

You can already run a Windows desktop in Amazon Web Services (AWS). Here the licensing terms are more straightforward:

  • For a regular Windows "desktop experience" you get a licensed copy of Windows Server Datacenter Edition. Desktop Experience is a feature of Windows Server that adds some of the features of a Windows client. Datacenter Edition is the license that allows you to run multiple virtual copies of the OS on one host.
  • For a minimum of 200 machines per month, you can Bring Your Own License (BYOL), provided you have VDA Rights (see above).
  • This puts a value on the license part of the VM of $4 per month, but with a 200 minimum.

So in summary:

  1. You can already run a virtual desktop (a real dedicated desktop, not a session) using a Windows Server OS on Azure or AWS without restriction
  2. You can already run a virtual desktop using your own Windows client licenses on any dedicated hardware, if you have VDA Rights through Software Assurance or a VDA Subscription.
  3. As a special case of 2) above, you can already do this on AWS with a minimum of 200 desktops
  4. You can now (2017) run a virtual desktop with your own Windows client licenses in Azure, if you have a Microsoft Enterprise agreement.

To use a virtual desktop on any scale you will still need the surrounding infrastructure: a machine composer; a broker; and a client. XenDesktop Essentials provides a way of obtaining these on a monthly rental, compared to the normal annual subscription or perpetual license.

Windows 10 Performance on AWS

Amazon Web Services (AWS) offers a range of Windows 10 virtual desktops, called WorkSpaces. Let’s see how they perform.

The summary is that:

  1. A Standard Windows 10 WorkSpace performs similarly to a top of the range Dell laptop
  2. A Graphics Windows 10 WorkSpace performs similarly to a high performance Dell workstation.

That’s useful to know. If you want to give people access to a good all-round machine, then the Standard WorkSpace will do it. And if you want to give them access to a high performance machine occasionally, then a Graphics WorkSpace will do it. Meanwhile they can carry around a tablet like the Surface Pro for everyday convenience, and still have access to the whole range of Office 365 applications.

The costings are a bit of a surprise, but that will have to follow in another post.

First, the definition of the WorkSpaces. AWS offers four levels of performance for Windows 10:

WorkSpace     vCPU   Memory     GPU                   User Storage
Value         1      2 GiB      -                     10 GB
Standard      2      4 GiB      -                     50 GB
Performance   2      7.5 GiB    -                     100 GB
Graphics      8      15 GiB     1 GPU, 4 GiB video    100 GB

The Windows 10 WorkSpaces run a copy of Windows Server 2016, using one Datacenter Edition license for all copies running on the same host. So it is not quite accurate to call it a Windows 10 desktop. AWS describe it as "a Windows 10 desktop experience, powered by Windows Server 2016." It makes no practical difference to the functionality, or to the benchmarking.

An AWS WorkSpace is a virtual machine with a rudimentary system for brokering the machines to different users, and a remote access client. This, again, makes no difference to functionality or performance, but it explains why we have these categories (Value, Standard etc.) rather than the usual mix of EC2 virtual machine types.

The software I use for benchmarking is PassMark PerformanceTest. I have been using it for some time. It is a good product, and I have my own benchmarks from different types of machines to compare with. The methodology is very simple: start the machine; install the software; run the benchmark. Ideally you might do several runs, but I have not found that to be necessary.

Let’s get to the results. First the benchmarks for the different WorkSpaces.

Computer             Value     Standard   Performance   Graphics
CPU Mark             1774.9    3527.4     2450.8        7879.3
2D Graphics Mark     297.9     513.2      344.3         460.8
Memory Mark          742.3     1494.8     1647.9        1869.7
Disk Mark            801.2     805.8      880.9         1252.2
3D Graphics Mark     N/A       N/A        N/A           3988.4
PassMark Rating      751.5     1223.2     1010.6        2652.2

The Performance WorkSpace is a surprise. This is configured with the same 2 vCPU as the Standard, and with more memory. But the results are lower than for the Standard. I checked this twice, and I ran the test again on the following day to confirm. The figures here are the best obtained. A possible reason is that this is configured with only one physical core, with hyperthreading enabled, whereas the Standard is two physical cores, with hyperthreading disabled. Whatever the reason, it is obviously not worth paying more for the Performance WorkSpace, unless you need the additional memory. It could really be called a "Memory" WorkSpace.

Here is the comparison with other machines. First the Standard WorkSpace compared with a Dell Latitude E7240, a good quality laptop.

Computer             Standard   E7240
CPU Mark             3527.4     3495.3
2D Graphics Mark     513.2      563.6
Memory Mark          1494.8     1166.1
Disk Mark            805.8      2186.2
3D Graphics Mark     N/A        457.4
PassMark Rating      1223.2     1719.6

The Standard WorkSpace is comparable to a top of the range laptop like the E7240 (although that model is a bit old now). The CPU benchmark is comparable, although the SSD on the physical laptop is much faster than the virtualised SSD on the WorkSpace. The WorkSpace CPU is two cores on an Intel Xeon E5-2676, while the laptop CPU was 4 cores on an Intel Core i5-4210U.

Here is the Graphics WorkSpace compared with a Dell Precision M6700 mobile workstation (again, a bit old now):

Computer             Graphics   M6700
CPU Mark             7879.3     9520.0
2D Graphics Mark     460.8      754.0
Memory Mark          1869.7     2232.1
Disk Mark            1252.2     589.5
3D Graphics Mark     3988.4     956.0
PassMark Rating      2652.2     2075.0

We can see that:

  • CPU is comparable – 8 cores on an Intel Xeon E5-2670 against 8 cores on an Intel Core i7-3940XM
  • Disk is better than the Standard, not as good as the Dell laptop SSD, but better than the Dell workstation SATA
  • The graphics are outstanding

My overall impression is that I would be happy with the Standard WorkSpace as a substitute for a laptop, and very happy with the Graphics WorkSpace as a substitute for a workstation.

Cloud Cuckoo

Cloud is a great marketing concept. It creates an impression of something new and better. But is it really new and better, or is it for the birds, up there in Cloud Cuckoo Land?

There’s no need to define Cloud services. It has been done by the National Institute of Standards and Technology (NIST) in their Cloud Computing Definition. You could write a PhD thesis on the abuse of the term in advertising. Let’s assume for the moment that it is something like buying your IT as a service. What is new about that?

  • Running your IT in a third party data center is not new
  • Paying someone else to run it is not new
  • Financing your IT assets over a payment term is not new
  • Buying specific services, like payroll, on a subscription is not new

What is better about it?

  • Having your IT remote rather than local is no faster or cheaper than it was
  • Paying someone else to run it is not better or cheaper than it was
  • The cost of financing assets is not lower
  • Running specific services, like e-mail, on a subscription has not become better or cheaper than it used to be

Of course it has always made sense to run some of your IT remotely, like a public website. Nothing has changed in the arguments for and against, so we don’t need to repeat them.

Nothing has changed, either, in the basic economics. Remote data is still more expensive, by roughly the same factor as before. Having someone else do something for you is still generally more expensive than doing it yourself, or not doing it at all. Yes, there are economies of scale in data centers, but there always have been.

So what’s up?

The significant change has been Virtualisation, or time-slicing of computing resources. Virtualisation is done by a tiny piece of software (maybe 300MB) that separates different workloads and their use of resources like CPU and memory. It is a kind of extended BIOS, nothing more. If the operating system allowed complete separation of workloads you would not need it.

Time-slicing enables the units of computing resource to be rented out. Up to now, the unit of resource has been physical. No matter how you finance a server, someone has to buy it and allocate it to a workload. With time-slicing the resource can be taken from a pool and put back when not used. You pay for the amount of resource used, and the level of guaranteed availability of the resource.

Of course you still have to have software to make use of the computing resource. It would be difficult if you had to buy the software as an asset, even if you were renting the CPU cycles. The Microsoft Service Provider Licensing Agreement (SPLA) allows a service provider to charge for usage rather than sell the license.

If we take something like Exchange, there are now three models for obtaining the service:

  1. Buy the hardware and software
  2. Subscribe to seats in a shared Exchange system
  3. Rent the hardware and software.

It does not really matter where you run it (on premise or at a third party data center) or who runs it (yourself or subcontracted). There is nothing new about those options. Of the three models above, only the last is new.

So why would you want to rent the hardware and software to run your own system, rather than buy it outright or subscribe to a service instead? You would need to want a custom dedicated service (otherwise subscribe) as well as flexibility to scale resources up and down inside a three year period (otherwise buy).

What rental achieves, which is quite valuable, is to remove the capital expenditure aspect of the decision making. With the physical server model it was easy. You had to buy a number of boxes and do some sizing. With the Virtualisation model the decisions are more complex. You need to create a virtualisation infrastructure as well as the traditional server infrastructure.

Services like Dropbox, iCloud, Google Apps, Office 365 are not technological innovations. Services like Windows Azure and Amazon S3 are technological innovations, because they enable you to rent computing resources rather than buy, using Virtualisation.

So is it Cloud, or Cloud Cuckoo Land? I think the question you need to ask as a CIO is "can we rent it?". That is what’s new about Cloud.

Cloud and Windows 365

The idea of a Cloud Desktop is appealing, but can it exist?

Microsoft does not allow service provider licensing for Windows 7. You can have a monthly subscription for a remote desktop on Terminal Services running on Windows Server, but not for Windows 7. This has been clarified recently in a note from Microsoft: Delivery of Desktop-like Functionality through Outsourcer Arrangements and Service Provider License Agreements.

Terminal Services mean that the user shares the resources of the server with other users. To be reliable it needs to be very tightly controlled. The user cannot be an admin and cannot install software. The user cannot access high quality graphics, video and audio because they do not have direct, exclusive, access to the hardware.

Note that “The hosting hardware must be dedicated to, and for the benefit of the customer, and may not be shared by or with any other customers of that partner”. This is very curious. It means that you can buy a Windows 7 remote desktop running on a PC blade in a datacenter, but not on a VM (unless that also runs on dedicated hardware), even though Microsoft receive exactly the same license fee in both cases.

This is obviously an artificial restriction. One possible reason for this could be that Microsoft will soon introduce their own Windows 365 online desktop. A Windows 365 online desktop makes a lot of sense when used with Office 365, because all the data is then highly connected. You really can connect from nearly anywhere, with nearly any type of device.

At the moment with Office 365 that is not the case. Microsoft say that: “Because this infrastructure is located online, you can access it virtually anywhere from a desktop, laptop, or mobile phone”. You can access it, certainly, but you can use it properly only if the PC or Mac has Office installed locally.

Cloud and Office 365

Cloud is a brilliant marketing concept, but it can be difficult sometimes to pin down exactly what it means. This post looks at what Microsoft is offering in Office 365.

Office 365 is Microsoft’s version of cloud services for office applications. It provides "secure anywhere access to professional email, shared calendars, IM, video conferencing, and document collaboration". It is also a business (or multi-user) version of Windows Live, and a replacement for the earlier incarnation Business Productivity Online Services (BPOS).

My focus in this blog is what Office 365 delivers for a medium sized business. There are plenty of resources giving you the details of Office 365 features. The aim here is to show what it is, and discuss how you might use it.

Here is the admin portal. You can administer users, services and subscriptions here.

Office365 Admin Portal

Here is the user portal. This gives you access to Outlook, the SharePoint Team Site and Lync instant messaging.

Office365 Portal

SharePoint Team Site portal

Office365 SharePoint Home

Working with documents, either in the browser or by opening the application on the desktop.

Office365 Documents

Using Word Web App. If you are thinking of using Web Apps instead of Office, you need to do a feature comparison to understand what you may be missing. For example:

  • In Word, no headers and footers, no section breaks
  • In Excel, no data sorting.

Of course there are far more differences than these, and you need to decide for yourself if they are relevant, but I mention these to show that it is not an academic comparison of features you never use.

Office365 Word

Using Outlook Web Access (OWA)

Office365 Outlook

Outlook options

Office365 Outlook Options

Outlook attachment, from the PC not SharePoint. You can map a drive to a SharePoint library in order to have direct access to the shared files from Outlook.

Office365 Outlook Attachment

Exchange mailbox administration

Office365 Mailbox

Exchange options

Office365 Exchange Phone and Voice

Forefront protection

Office365 Forefront for Exchange

Office 365 is a service operated by Microsoft, and of course pricing is set by Microsoft. Here is the UK pricing. Key points to note about the pricing plans:

All the pricing plans come with Exchange. Office 365 is essentially an online Exchange service plus other things on top.

The Small Business pricing plan adds Office Web Apps, somewhere to store files online (SharePoint) and an Instant messaging service (Lync).

The Midsize and Enterprise plans add SharePoint and Lync to Exchange. They have scaled up capacity and integrate with your own Active Directory. Different plans (E1 to E4) successively add features:

  • E1: Web Apps are view-only. You will need something else (Office on the desktop) to create files.
  • E2: Adds full Web Apps
  • E3: Adds Office Professional on the desktop
  • E4: Adds an on-premises Lync server for PBX

There are more feature differences that I have not mentioned, but they also add progressively through the plans.

There are also two Kiosk plans. These are like E1 and E2 but have cut-down versions of Exchange and SharePoint.

Features and pricing are changing all the time, so you will need to review features carefully before selecting a plan. However you can change plans at any time for any user, so you are not locked in to the wrong plan.

So what, really, is Office 365?

  1. It is subscription licensing, per user per month with the ability to scale down as well as up
  2. It is an online Exchange service operated by Microsoft
  3. It is an online file server or collaboration service, using SharePoint
  4. Being an online service, naturally, you can access it from anywhere
  5. You don’t need to run your own mail server, file server, mail filtering, archiving, backup server, intranet server, remote access. But you still need to run a print server, directory server, application server, management server.
  6. If you want to use the features of Microsoft Office (Word, Excel, PowerPoint, Outlook etc.) then you still need a PC or a Mac. You can’t do it from an iPad or Android tablet, or from a thin client. Office 365 is not a web-based version of Office. The exception to this is if the heavily cut down Web Apps version is sufficient.

Secure authentication for remote access

Being an online service you don’t have to provide remote access to your LAN. Your data is equally available from anywhere, so it works well for a distributed organisation. You also don’t have to provide backup and DR. But there is a curious anomaly: no two-factor authentication. Remote access creates a vulnerability to impersonation, since you cannot know who is entering the user’s credentials. Login details can easily be obtained if a user logs in from an insecure device or, for example, if the user loses a device that is configured for access, or just by guessing.

Two-factor authentication using a hardware or software token protects against this. Office 365 does not provide two-factor authentication. In this sense it is like opening your firewall to allow access to your servers: you just wouldn’t do it.

Office 365 uses Active Directory Federation Services (ADFS) to link your own directory of users with Microsoft. In your main premises the user is actually authenticating to your own AD. Remotely the user authenticates using your ADFS Proxy accessible from the Internet. The ADFS Proxy can require a more secure authentication for external access. Security vendors like RSA SecurID can integrate their two-factor authentication with your ADFS Proxy, and so enforce strong authentication in Office 365 for remote access.

Integration with other services

Being online and operated by Microsoft, there is the problem of how to integrate with other third party services. RIM have recently introduced Blackberry Business Cloud Services to integrate Office 365 with the Blackberry service. Microsoft Dynamics CRM Online will also be integrated. SharePoint Online allows you to use your own SharePoint intranet applications. As far as integrating with non-Microsoft services, that seems unlikely. I can’t at the moment see how you would integrate with EMC Documentum or Autonomy WorkSite.

You can still obtain Hosted Exchange, SharePoint and CRM separately, if the server-side features of Office 365 are not sufficient. These are multi-tenant versions of the servers run by third parties. These also use subscription licensing. And of course you can still outsource the operation of dedicated services to run in a data center somewhere else.

Remoteness

When you change from using existing infrastructure on the LAN to using Office 365 on the Internet you need to provide additional Internet bandwidth to reach it. Arguably e-mail does not need fast connections because it is asynchronous, but SharePoint as the library of shared documents will.

If you use WAN acceleration devices like Cisco WAAS or Blue Coat PacketShaper at remote sites, compression will no longer work because it requires a device at both ends, so you will need additional bandwidth at remote sites too.

Mix and match

The plans themselves are pretty much for marketing purposes. You can mix and match E (Midsize and Enterprise) and K (Kiosk) plans in the same organisation, and indeed you can simply add or remove components for any number of users. This means that, in effect, each component has a unique price that you can evaluate, and can be assigned to each user depending on their needs.

Costs and Benefits

So, the big question: if you are a 1,000 person organisation, is Office 365 a reasonable alternative to doing it yourself?

Exchange is going to cost from £16k per annum (kiosk), £31k (basic) and £52k (full). Archiving adds £23k. You will have to compare that with your own costs of running Exchange Server for 1000 users.

Office Pro Plus will cost £100 per user per annum. You can make a direct comparison of what it would cost to buy through Office 365 or through Volume Licensing. There is no difference in the end result: Office on the desktop and Web Apps online with both.

Web Apps will cost £47 per user per annum, as an alternative to the installed version of Office. You need to have SharePoint as well, to be able to use Web Apps. It can be SharePoint online or on-premises. There is no other way to obtain Web Apps as an alternative to Office installed on the desktop.

You also need to add the cost of additional bandwidth to get to Office 365 over the Internet. Your additional costs will depend on circumstances, but will be substantial.

To use Office Pro Plus you still need to run a full desktop service on Windows or Mac, or on terminal services. You will still need to run servers for:

  • Active Directory
  • DHCP and DNS
  • Print server
  • Other business applications like the finance system
  • Management of the PCs: anti-virus, software distribution, patching, image deployment
  • Probably file server and backup server for data that is not in SharePoint. For example, SharePoint has an upload/download paradigm. I would expect a lot of people to hold data on the PC. Normally this would be redirected to a file server. So would a user roaming profile.

To run these servers, of course, you still need a computer room and IT staff. Therefore the cost-saving with Exchange Online and SharePoint Online is the incremental cost of running these on-premise in addition to the existing on-premise servers.

The mix and match aspect is important. Most of the organisations I know have Office, Exchange and SharePoint users ranging from expert to not at all. Although you can provide different editions of Office, that’s it. Office 365 Kiosk allows you to identify a body of users who only ever have light usage, and to license them at a significantly lower cost while still being integrated in the same infrastructure (the corporate directory, calendars, intranet).

If you have no existing infrastructure then there is a strategic choice to make between online and on-premise. But that is a rare situation. Most businesses already have an infrastructure of IT services. They can choose to migrate services to Office 365 over time. For example, an upgrade to Exchange would be a good time to consider it. You really have to want to outsource Exchange and/or SharePoint for Office 365 to make sense.

Personally I don’t buy the argument about "allowing your valuable IT staff to concentrate on strategic matters". It either makes economic sense or it doesn’t. However I do think that if you remove routine tasks from IT staff then it is easier to focus on managing the remainder. The difficulty with managing IT is complexity, and so the less complexity the better.

You can obtain a trial of the Office 365 Enterprise Plan E3 here. You can also obtain a trial of the Kiosk Plan K2 here, if you are interested to see how it could work in a mix and match environment.

If you would like to contact Airdesk we can work through a cost-benefits analysis of online vs on-premise with you.

The Cloud is not a disruptive technology. It is a pricing plan.