Virtual Desktops and Federal Desktop Core Configuration (FDCC)
A few years ago the United States Federal Government (specifically the U.S. Office of Management and Budget) created a PC standard for the entire government to follow. They provided over 300 settings for Windows XP and Windows Vista in order to create a standard for all computers. This is what is now known as the Federal Desktop Core Configuration (FDCC). There are a ton of resources on the Internet, mostly on the .gov sites, that provide guidance on what these settings are and how to audit those settings using publicly available tools.
As with any IT Department, defining the policy is one major leap. But to some degree, that’s the easy part. Now you must deploy that configuration and ensure it stays enforced, not to mention audited and reported on. With the U.S. Government, having a mandate from the OMB is pretty powerful, thus making this problem space even more critical.
The FDCC is a perfect fit for Virtual Desktops from a deployment and management perspective. Virtual Desktops are all about OS and Application standardization and consistency. Think of having a pool of available OS instances, just waiting for a user to log in from a remote device, which could be a hardened thin-client or legacy PC. All of those OS instances are based on a “Master Image” that has been fully configured with the FDCC policies. When a user logs in, all of their applications are delivered via “Application Virtualization” (e.g. Microsoft App-V or Citrix XenApp), which is still abstracted from the underlying “Master Image”, thus keeping the desktop within FDCC standards. All of the users’ data and application data is stored on a centralized store (e.g. SAN), which again keeps the “Master Image” clean of user data and provides additional benefits for the user and IT (e.g. daily backups of all user data).
So what about those users that go on the road? Well, this is where Virtual Desktop is still in play. Using Microsoft MED-V or Citrix XenDesktop, a user can still take their FDCC approved image and applications on the road with them. The bonus about Virtual Desktop deployments is that the same process and image-based deployments can be done directly on a physical machine as well. You just take that master image, settings, and even application virtualization and deploy it directly on a laptop. Something like Microsoft System Center Configuration Manager and the Microsoft Deployment Toolkit (a solution accelerator) delivers this type of deployment scenario for both virtual and physical deployments.
Just like in any Virtual Desktop deployment, it’s not like Server Virtualization! Managing the deployment and operations for a Virtual Desktop Infrastructure (VDI) is extremely different and requires lots of up-front planning. Not to say that Server Virtualization doesn’t, but when you consider the number of different users actually logging onto those Virtual Desktops, there are lots of end user scenarios you have to think through. Even with the guidance of the OMB for FDCC (see, here comes the acronym soup), you may still define additional policies for given user roles, which could include access to applications via a variety of delivery models (e.g. web applications, application virtualization, etc.).