The shortcomings of virtual desktops

I have never been one to shy away from controversy.  There are a number of things that make virtual desktops great!  Personally, we use virtual desktops internally to keep all our internal documents private and secure while providing a great desktop experience to our company.  It works for us.  We eat our own dog food to make sure that any issues we run into are solved before our customers run into them.  With that in mind, here are the biggest issues with VDI:

1. Users

This couldn’t be an honest document if I didn’t first address the elephant in the room.  Users cause a majority of the problems, right?  Well, that’s sort of true and also so far from the truth.  Users, when not trained on how to use a technology, will get creative.  Creativity when not directed will lead to problems.

Example: user says, “I couldn’t log in all day so I didn’t get anything done.”

Thank God for logs!  Otherwise this would have got me in trouble a long time ago.  This really happened!  A user decided to blame VDI for not being productive and getting something done.  The worst of it was the supervisor believed him/her and it almost led to the end of a VDI pilot that otherwise was very successful.  You need to train the users.  Additionally, having a good tool to evaluate user login times and application launch times will help you identify a performance issue before a single help desk ticket is opened.
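The kind of log check that settles a claim like this one, as an added example that is not from the original post: it rebuilds one user's sessions from connection events and totals connected time and failed logons. The event names and log layout are constructed assumptions, not the format of any specific VDI product.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, event). The layout is an
# assumption for illustration, not the output of any particular broker.
SAMPLE_LOG = """\
2024-03-04T08:02:11 jdoe LOGON_FAILED
2024-03-04T08:02:40 jdoe LOGON
2024-03-04T11:58:03 jdoe DISCONNECT
2024-03-04T12:47:19 jdoe LOGON
2024-03-04T16:31:55 jdoe DISCONNECT
2024-03-04T08:15:00 asmith LOGON
"""

def summarize_sessions(log_text, user, day_end):
    """Return (connected_time, failed_logons, sessions) for one user."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != user:
            continue  # skip malformed lines and other users
        events.append((datetime.fromisoformat(parts[0]), parts[2]))

    failed, sessions, start = 0, [], None
    for ts, event in sorted(events):  # logs are not always in time order
        if event == "LOGON_FAILED":
            failed += 1
        elif event == "LOGON" and start is None:
            start = ts
        elif event == "DISCONNECT" and start is not None:
            sessions.append((start, ts))
            start = None
    if start is not None:
        # Session never closed in the log: count it up to the end of the day.
        sessions.append((start, day_end))

    total = sum((end - begin for begin, end in sessions), timedelta())
    return total, failed, sessions

if __name__ == "__main__":
    total, failed, sessions = summarize_sessions(
        SAMPLE_LOG, "jdoe", datetime(2024, 3, 4, 17, 0))
    print(f"jdoe: connected {total}, failed logons {failed}, sessions {len(sessions)}")
```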

2. Data Forensics

You’re wondering why I even brought this up, aren’t you?  Well, here’s the problem: data forensics for a non-persistent virtual desktop is a huge problem.  If a network was breached by malicious intent or a user opening some bad link in an email, we need to track it and figure out what happened.  The problem is that these issues are often discovered hours or days later.  In a physical desktop environment, this isn’t a big deal.  You can remotely connect to their computer and pull down the logs or you can image their PC with something like FTK to include a binary dump of their hard drive and RAM contents and do the analysis.  You can’t do that on non-persistent VDI.  Or can you???  Yeah, it took a while to really solve this issue, I’m not giving it away in a blog post but I will be more than happy to have a discussion with any customers that have a concern.

To piggyback on the forensics issue, we had a customer that had a user download some terrible illegal pornography.  Yes, it happened at a government site!  NCIS showed up and asked to take the computer.  Well, I am all for complying with military policy but after explaining to a military police officer that a zero client is literally zero and would provide them with none of the things they were looking for, what do you do?  See the cliffhanger….  You have to contact me for the answer.  And no, I won’t tell you who the customer is.

3. The Network

This one is too easy!  If you’re the server guy/gal, it’s always the network.  If you’re the network guy it’s always the server.  Well, the truth of the matter is that if you don’t have a solid network then you won’t have a solid VDI.  Customer environment: the virtual desktops are all down for everyone on the west coast.  Server guy talks to network guy, “Are there any network changes? No?” *hears keyboard typing*  – He walks back to his desk…  Everything works again!  Let’s be clear, it was the network and the network team changed something in the middle of the day and now it’s working.  This happens all the time.  You have to realize that physical desktops can handle networking changes a little better.  You generally need connectivity, and while it can go slow for a brief period of the day, it’s likely that a user won’t open a ticket because their computer is going slow.  Those reboots the help desk tells you to do also just buy some more time for the solution to fix itself.  Now fast forward to VDI, slow network equals poor user experience.  The best part is, the VDI team will get blamed and not the network team.  It’s all VDI that causes the problem after all!

4. HBSS / Antivirus

It’s common knowledge that HBSS (Host Based Security Scanner) will kill any desktop experience, physical or virtual, if not implemented correctly. I have had my fair share of knock-down, drag-outs with the HBSS team for making a change in the middle of the day that was thought to be benign and harmless.  How does this have anything to do with VDI?  Well, HBSS is a suite of applications such as a host-based firewall and antivirus that is centrally managed.  The first concern is if a policy gets pushed to a virtual desktop and it kills the ports and protocols that are needed to connect then everyone will immediately get disconnected.  Yes, it’s happened…  No customer example necessary, that happened.  Additionally, antivirus policies that are typically deployed to physical environments want to scan everything opened, read, modified, closed, and do the same thing daily at a specific time.  In a physical desktop world with a thousand PCs you have a thousand hard disks.  In a virtual desktop environment, you could have 100 hard disks.  You have to treat those shared resources carefully or you can inadvertently cause a denial of service on your network by doing something like running an antivirus scan in the middle of the day.  True story, a government customer I worked for once thought they were being hacked on an anniversary of 9/11 (not saying who) because the previous day they implemented significant and untested HBSS changes that would check everything.  I was one of fifty people evaluating the hack and the only one who accurately identified it was the HBSS settings.  I should point out that every VDI deployment DH Technologies does comes with ports/protocols and network diagrams BEFORE an engineer comes onsite to eliminate these issues.  Also, we have this awesome document that explains how to solve the deployment of the HBSS agents for VDI while still provisioning the framework necessary.  All you have to do is contact us.
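One way to catch the "policy push disconnects everyone" failure before it ships, as an added example that is not from the original post or from DH Technologies: evaluate the candidate host firewall policy against the flows the desktops need and report which rule would drop them. The port list (PCoIP on 4172, RDP on 3389), the rule layout and the first-match, default-deny semantics are assumptions; substitute the ports/protocols document for your own deployment.

```python
# Flows a virtual desktop must accept for users to stay connected.
# Assumed values for illustration: PCoIP (4172 tcp/udp) and RDP (3389 tcp).
REQUIRED_FLOWS = [("tcp", 4172), ("udp", 4172), ("tcp", 3389)]

# Constructed candidate policy: ordered rules, first match wins, default deny.
CANDIDATE_POLICY = [
    {"action": "allow", "proto": "tcp", "ports": (4172, 4172)},
    {"action": "deny",  "proto": "udp", "ports": (1024, 65535)},
    {"action": "allow", "proto": "udp", "ports": (4172, 4172)},  # shadowed by rule 1
    {"action": "allow", "proto": "tcp", "ports": (3389, 3389)},
]

def decide(policy, proto, port):
    """Return (action, rule_index); rule_index None means the default deny applied."""
    for index, rule in enumerate(policy):
        low, high = rule["ports"]
        if rule["proto"] in (proto, "any") and low <= port <= high:
            return rule["action"], index
    return "deny", None

def blocked_flows(policy, required=REQUIRED_FLOWS):
    """List required flows the policy would drop, with the rule responsible."""
    problems = []
    for proto, port in required:
        action, index = decide(policy, proto, port)
        if action != "allow":
            problems.append((proto, port, index))
    return problems

if __name__ == "__main__":
    for proto, port, index in blocked_flows(CANDIDATE_POLICY):
        where = "default deny" if index is None else f"rule {index}"
        print(f"BLOCKED {proto}/{port} by {where}: do not push this policy")
```

The shadowed rule is the case worth noticing: the policy contains an explicit allow for udp/4172, yet a broader deny placed above it still cuts the session, which a review of individual rules would miss.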

5. User Persona

User persona is unique to virtual desktops.  User persona is essentially anything that you changed or created on a desktop.  It’s basically your profile but it’s also registry keys and Outlook email signatures, printers, etc.  When a user persona isn’t set up correctly or a small blip occurs in Active Directory that causes the persona to not process correctly, users get logged in with none of their data or settings.  This generally causes panic and users think all their data is gone.  After all, that’s exactly what had to happen on a physical desktop for them to see that kind of scenario.  This is probably one of the most common issues that I see regularly.  It happens in our corporate environment from time to time.  It’s usually caused by not properly checking a patched master image to see if it still processes the user persona policy properly or an Active Directory GPO conflict.  Easily fixed.

6. Printers

Printers in my opinion are what’s wrong with the world.  It’s kryptonite.  What happens when your virtual desktop is in a data center 400 miles away and you want to print to a printer that’s sitting in the same room as you?  The print job has to spool to a print server that’s hopefully in the data center and then all the way back to the printer that was sitting right next to you.  Well this can cause it to go slower and it will definitely create some additional network bandwidth that you would never see in physical desktops.  Let’s not get too freaked out.  There’s lots of different ways to solve this issue.  To be honest this was more of an issue three years ago. Solutions: ThinPrint, Uniprint, direct USB printing, location-based printing and more…

7. Slow Login Times

This is by far my favorite complaint with VDI.  The reason why is because I can already tell you what caused it and I know literally nothing about your environment.  First off, remember these virtual desktops are not physical desktops so stop treating them like they are.  Every time a user logs into a non-persistent virtual desktop, it’s like the first time they have ever logged on.  They get to walk through the out-of-box experience, profile setup, etc.  GPOs have to process (almost always set up incorrectly) and lots of other first-time things.  The VDI industry has solved this issue slowly but steadily.  Additionally, Liquidware Labs provides an awesome tool that will actually break down the login process to tell you exactly how much time it takes to find a domain controller, process GPOs, etc. to determine the exact cause of slow login times.  Did you know the most common login time killers??  GPOs, CA certificates (for smart card logins only), and printers.  Yes, printers also kill the login times.

Top 7 VDI Shortcomings

  1. Users
  2. Data Forensics
  3. The Network
  4. HBSS / Antivirus
  5. User Persona
  6. Printers
  7. Slow Login Times