Monthly Archives: November 2010

You are browsing the site archives by month.

Citrix Fixes the Provisioning Services - KMS Problem!

This is big news for anyone who wants to use XenDesktop to facilitate a Windows 7 migration. Here’s why: It only takes a moment’s thought to realize that if your desktop virtualization project simply trades inexpensive desktop SATA storage for expensive data center SAN storage, it’s not going to do good things for your ROI. So provisioning your virtual desktops from a shared Standard Image is a must. And that’s what Provisioning Services (“PVS”) allows you to do. If your standard Windows 7 OS image is, say, 15 Gb, you only need one instance of it on your SAN regardless of how many virtual PCs you’re provisioning from it. Then, using the Citrix Profile Management tool in conjunction with standard Group Policy folder redirection techniques, you can merge user personalization at logon time.

There was only one problem…turning a Win7 vDisk into a Standard Image broke the Microsoft license key. The only way around that was to use Key Management Services (KMS) to auto-activate systems as they were provisioned, but there were problems in using KMS with PVS, as we’ve documented in earlier posts.

I am happy to report that the problem has been addressed in PVS v5.6, SP1, which is now available for download at the Citrix download site. Not only that, but PVS v5.6, SP1, also works with a Multiple Activation Key (MAK) for smaller environments where KMS is not justified. Here’s the difference between the two activation methods:

KMS is a service that runs on a server in your own network. It supports Windows Server 2008 and 2008 R2, Vista, Win7, and Office 2010. However, it requires a minimum number of systems checking in for activation before any systems will be activated. That threshold is 8 systems for server activation, and 25 systems for workstation activation. Prior to SP1, systems provisioned from a Standard Image looked to the KMS server like the same system checking in again and again, so the threshold counter didn’t increment. SP1 fixes that. Please note, however, that you must be running KMS on a 2008 R2 server if you want virtual machines to increment the threshold counter.

With an MAK, the activation server is hosted at Microsoft. The MAK is a reusable key that’s good for a predefined number of activations. With SP1, PVS will cache the activation confirmation code for each system, so they will automatically reactivate on subsequent reboots.

Here is the configuration process, straight from Citrix. First of all, the Imaging Wizard allows you to choose which activation method you’re going to use:

PVS Imaging Wizard

Choosing the Activation Method

Once you’ve chosen either KMS or MAK, here are the next steps:

KMS Activation

  • Reset the activation status on the vDisk image:
    • Boot the master target device from vDisk in Private Image mode
    • Run slmgr.vbs -rearm in console on master target device
    • Shut-down master target device
  • Put disk in Standard Image mode and stream. Target devices will automatically register with KMS server, and activate (provided there are at least 25 systems checking in).

MAK Activation

  • Put disk in Standard Image mode and stream.
  • Use “Manage MAK Activations” to remotely activate streamed target devices. This is done only once per group of devices.
  • Provisioning Services will cache activation confirmation code for each device so that devices will automatically reactivate on subsequent reboots.

Kudos to the Citrix PVS development team for getting this done and out the door. Great job!

Windows 7 and Security

Volume 9 of the Microsoft Security Intelligence Report is out, and it makes for some pretty interesting reading. Among other things, it talks extensively about botnets - the various “families” of botnets, how they are used, how they work, and how access to them is sold and traded on the black market. Why? Because (quoting from the report), “When we look at that intelligence as a whole, it’s clear that botnets pose one of the most significant threats to system, organizational, and personal security.”

One of the things you’ll find in the report is a discussion of the infection rates of different versions of the Windows Operating System. You may have noticed that every now and then, as part of the critical patches and updates that Microsoft pushes to your PC, there’s something included called the “Malicious Software Removal Tool,” or “MSRT.” Microsoft keeps track of how often the MSRT actually finds malicious software when it runs, and that information is presented here as the number of computers cleaned of bot-related malware per 1,000 executions of the MSRT. Take a look at the following graph, which covers just Q2 of 2010 (click to view larger image):

Infection rate found per 1,000 executions of MSRT

I would like to particularly direct your attention to the fact that the infection rate for Windows XP SP3 is four times the infection rate for Windows 7, and the rate for Windows XP SP2 is five times the Win7 rate.

I understand that, for some people, the issue of upgrading from Windows XP to something else borders on being a religious discussion. But, honestly, if Windows 7 is that much more secure - which it clearly is - isn’t it getting a bit difficult to justify the “you can have my Windows XP when you pry it from my cold, dead fingers” position?

Of course, larger enterprises have some challenges to overcome. As we discussed in our September post about the cost of a Windows 7 migration, Gartner recently reported that, since most organizations weren’t planning to begin their Win7 migrations until 4Q2010, and with PC hardware replacement cycles typically running at four to five years at present, most organizations simply will not be able to complete a Windows 7 migration through the normal PC replacement cycle before Microsoft ends support for XP SP3. There just isn’t enough time left.

But even if there was enough time - why would you not want to move to an Operating System that’s four times more secure as quickly as you possibly can?

As Gartner pointed out, one alternative is to move some users to a “hosted virtual desktop” instead of a new PC. Translation: Making VDI part of your migration strategy can help get you out from behind the eight ball. It can also boost the overall security of your organization. Doesn’t that make it a conversation worth having?

Wyse Xenith - 5 Minutes to Xen

In our interview with the “Wyse guys,” they talked about the Xenith “zero client” terminal. To clarify, “zero client” doesn’t mean that there’s no local operating system in the device. It means that you - or better yet, your end user - can literally take one out of the box, plug it in, turn it on, and have it up and running with absolutely no need to do anything to configure it. Wyse says you can have it out of the box and running in five minutes. It took us about three…and we weren’t particularly hurrying.

The one thing you do have to do is to configure a DHCP option that will provide a pointer to your config.xml file. When you turn the Xenith on, it will query your DHCP server, and along with the basic stuff like the IP address, subnet mask, default gateway, and DNS settings, the DHCP server will, through the option you configure, provide the Xenith with the URL of your Citrix Web Interface server and the path to the config.xml file. The Xenith boots so fast that by the time your monitor wakes up and syncs to the video signal, you’re looking at a login prompt.

In this video, Steve Parlee of Moose Logic and Dave Jolley of Wyse walk you through the process of configuring the necessary DHCP option, and then demonstrate how easy it is to take a new Xenith out of the box and be up and running with a virtual desktop.