Virtualization: Microsoft Enterprise Desktop Virtualization (MED-V) A-Z Deployment

Microsoft Enterprise Desktop Virtualization, or MED-V, is Microsoft’s solution to resolving compatibility issues with Windows 7 in the enterprise environment.

MED-V extends enterprise-level control and configuration to the Windows Virtual PC (i.e. XP Mode) feature built-in to Windows 7. In short, administrators create an image, apply policies & applications to that image, and then publish the image to a MED-V server. Client PCs can then install the MED-V client, connect to that image, and download it to run legacy applications. The server therefore does little more than distribute the image to clients the first time and any time a change is made to the master image file.

The whole process is pretty slick from the end user’s perspective, as they are presented with a list of published legacy apps, not the actual Windows XP virtual PC. They can even pin the apps to their taskbar and run them as if they were any other application. For the end-user, it’s like running any other application.

Administratively though, it takes a bit to get to that point, which is the purpose of this article.

The Microsoft Library naturally has quite a few articles on designing, deploying, and configuring a MED-V environment, but as usual they are a bit convoluted and don’t do a very good job of illustrating the exact process and administrator needs to take. Still, I highly encourage any readers to thoroughly review the material available there. The MED-V Team Blog is another excellent resource for up-to-date information on MED-V and instructional videos.

Right up front you should know that MED-V is part of the Microsoft Desktop Optimization Pack, and that is only available if you have a Microsoft Software Assurance subscription (or its equivalent). Don’t bother looking for a DVD in your subscription pack either, you’ll have to download it from their Microsoft Volume Licensing Site (MVLS) (at least as of this writing).

Once you’ve obtained the ISO, you’ll want to launch the installer on your new MED-V deployment server. As with everything, I would highly recommend a dedicated server for this.

Streamlined Server Installation & Configuration

Microsoft’s documentation is littered with stuff, so this is a quick overview of what you need to set up and configure for a single server MED-V environment.

Assuming you want to stick with just one server, you’ll need to do the following. Note that these instructions are for Windows Server 2008 R2:

  1. Install the Background Intelligent Transfer Service (BITS) under Features in Server Manager.
  2. Install the Web Server under Roles in Server Manager. Make sure to check the boxes to include Basic Authentication, Windows Authentication, and Client Certificate Mapping Authentication
  3. Launch the MDOP CD, and then click on “Microsoft Enterprise Desktop Virtualization.”
  4. Now, under “Install the MED-V Server,” install either the 64-bit or 32-bit MED-V Server component. This will be the only component you install on the server.

At this point you have everything installed for the server to function, but you won’t be able to run reports until the SQL components are set up… more on that in a minute.

Reboot for good measure, and then launch the MED-V Server Configuration Manager, which will now be under your start menu.

It’s actually exceedingly easy to configure. There are four tabs; Connections, Images, Permissions, and Reports.

Your client PCs will connect to the server through either port 80 (the default) or port 443. Port 80 is enabled by default. I certainly recommend setting up an SSL connection and doing this securely, but as I have a philosophy of not overcomplicating things when you’re initially figuring them out, I’d keep it on port 80 for now and enable 443 once you have confirmed you have a working environment.

The VM’s directory is the directory on the server where the images will be stored. Make sure it is on a drive with plenty of space… especially if you intend on having multiple images/configurations. I use “DRIVE:\MED-V Server Images.”
The VM’s URL is how the client software will connect to the server (we’ll configure IIS in a bit). If they are just internal clients, you can use something simple like http://SERVERNAME/MEDVimages or whatever. Note that the client PCs won’t see this URL.

By default, the “Everyone” group has full access to the server. I highly recommend removing that and adding a more appropriate Active Directory security group. “Changes Allowed” simply means that the group specified can make configuration changes to the policies published to the server.

Assuming you have not yet installed the Microsoft SQL Server Management Objects collection, you will be presented with two links on this tab, one for SQL 2005 and the other for SQL 2008. Once these are installed, you’ll be able to configure the reporting options if desired.

Now you’re ready to configure IIS. This is actually pretty simple, and there really isn’t much too it.

  1. Create a Virtual Directory under the Default Web Site named “MEDVImages” (or whatever you used in your URL above). Point the physical path to “DRIVE:\MED-V Server Images” or whatever you used in the images section above.
  2. Click on your new Virtual Directory, and double-click on “BITS Uploads” (all the way at the bottom of the default “Features” view). Check the box to “Allow clients to upload files.”
  3. Now click on “Mime Types.” You’ll need to add two mime types, .ckm and .index, set both to: application/octet-stream
  4. Right-click on the Default Web Site and select “Edit Permissions.” Click on the Security tab and add the “Everyone” group, assigning them “List Folder Contents” and “Read” permissions. Note that you can use more specific security groups if you want. Do the same thing for the MEDVImages virtual directory.

Congratulations! Your server is ready to go… but that was the easy part ; )

Creating a new Virtual PC Image

I use Windows 7 exclusively, and when I read in Microsoft’s documentation that I would need to create my MED-V image with Virtual PC 2007, I assumed I would need to install XP or Vista. Not the case, even though it won’t run on Windows 7 if you download it from the web, it will if you install it from your MDOP DVD.

Caution: If you have enabled the Windows XP Mode feature under Windows 7, you will need to remove it or you risk causing yourself quite a few headaches. Personally, I recommend using a dedicated MED-V Management PC for the rest of these operations. Windows 7 works just fine, just no XP Mode.

Pop in your MDOP DVD, click on Microsoft Enterprise Desktop Virtualization again, and install the following:

  1. Virtual PC 2007 SP1
  2. Both Hotfixes for Virtual PC 2007 SP1

You are now ready to create yourself a new image. I won’t go into the specifics, but they can be found here.

In my environment, I created myself a new Windows XP box with a 20GB hard drive (the hard drive file will expand as space is consumed, so not all 20GB is taken up right away… my VHD file ended up at 4.7GB).

I did not join my XP box to the domain, I simply gave it a name and installed the software I needed (including our anti-virus solution). You can SysPrep it if you want, particularly if multiple MED-V images will be run on the same end users’ computer. Again, I did not, we were only using MED-V for a very small number of legacy apps. You should not use SysPrep to join it to the domain anyway in this scenario, that should be done under the MED-V join domain script (in the management console, we’ll get there).

Joining the VM to the domain is a matter of debate anyway. For me, it would just be one more AD object to manage, and we were only using them to run one application. The end user cannot get to the console (unless you want them to), so if the applications you are using do not require domain access, it may make sense to leave it as a bare bones box. I would suggest patching it up and installing anti-virus software though.

Once the box is ready, you’ll want to copy the MED-V_workspace_1.0.65.msi file off of the MDOP DVD and run it. Once installed, you’ll find the “VM Prerequisites Tool“ under Start – All Programs – MED-V. Run it, and follow the directions to set your image options.

Note that there are some options you cannot change. This is by design, think of it as Microsoft informing you what they are doing in advance (a rarity… be appreciative).

The options are discussed here, but for the most part the defaults are adequate.

You will also need to install the Microsoft Virtual Machine Additions. To install them, just go to Action – Install or Update Virtual Machine Additions on the VM’s console window.

If you want any other application to be available to your end users, now is the time to install them. Once that is done, shut down the Virtual PC.

You have now successfully created for Virtual PC base image! You still have a ton more to do though : )

Creating a MED-V Workspace

Remember that MDOP DVD, pop it in your MED-V management station again, time to install the management console.

Click on Microsoft Enterprise Desktop Virtualization (yet again), and do the following:

  1. Scroll down to Install the MED-V 1.0 SP1 Client and Management Console
  2. Click on “New install on Windows 7, …”

Make sure that you check the option to install the MED-V Management Console. During the installation routine, it will ask you to specify a server and port for your MED-V server. Type in the hostname (or IP) of the server you installed the MED-V Server component on (Microsoft pre-populates it with “MEDVServer”), specify the port (probably still 80), and click to continue.
Once installed, you’ll find a MED-V Management icon under the MED-V folder in your Start menu. Launch it, and we’re ready to create a policy by doing the following:

Click on the “Images” button at the top

  1. Under “Local Test Images” click new and specify the location of the base image file you created in Virtual PC 2007 and give the image a friendly name, such as WindowsXP.
  2. Click OK

Now click on the “Policy” button at the top.

  1. On the first tab, General, give your new “Workspace” a name, such as LegacyApps or IE6.
  2. Click on the Virtual Machine tab and click the “Refresh” button, then select your image from the “Assigned Image” drop down box.
  3. The Deployment tab is where you set all of your User/Group permissions. Notice that the settings under General, Data Transfer, and Device Control are all per user/group… so you can have individual settings for each one. Activating the clipboard and printing are popular options here.
  4. Under the “Applications” tab, you are going to specify the apps the users will have access to. Assuming you want to publish Internet Explorer 6, you would type “Internet Explorer 6” in the Display Name and Description fields, and then type “c:\program files\Internet Explorer\iexplore.exe” in the Command Line field (with quotes since there are spaces).
  5. The “Published Menus” area underneath allows you to publish an entire menu, such as Microsoft Office 2003, instead of typing out each and every application.
  6. Set the “Start-menu Shortcuts folder to whatever you want to name it. It’s a very end-user unfriendly name of MED-V Applications by default. I use “Windows XP Applications.”
  7. Click on the “Web” tab. This allows you to control web browsing behavior. Click on the “Browse the list of URL’s defined in the following table” check box, and then make sure “In the Workspace” is selected. Now, you can specify domains (such as that will always be browsed in the workspace. If someone types in the specified domain in IE8 under Windows 7, they will automatically be redirected to IE6 under Windows XP. Cool stuff.
  8. Now, under “Browse all other URLs” you can select “In the host.” This allows you to force all other web sites to be opened under the much more secure IE8 under Windows 7. Even if a user directly types a URL into the legacy IE6, they will be directed to IE8. You can also set it to direct “mailto” links to the host, so that their default email application will be activated. Cool stuff!

Don’t forget to click the “Commit” policy button (right under the big Policy button or underneath the Policy menu).

Certainly there are a lot of other policy settings you can choose. I recommend looking through each and deciding what works best for you.

Finally, it’s time to pack your new image. Click on the “Images” button again and do the following:

  1. Under “Local Packed Images,” click “New”
  2. Select your base image file again and give the image a name, just as you did in the Test Image screen.
  3. Click OK. The packing process will now be kicked off, combining the policy you just created with the image file. This takes a few minutes.

Now that we have the image all packed and ready to go, we have to get it up to the server for distribution. Highlight your new packed image, and click “Upload.” Depending on your network speed, this can take a very, very long time.

Once uploaded, launch MED-V on your PC and log in. It will prompt you to either “Use Test Image” or “Use Deployed Image.” You get this choice because you created the image on your PC. Choose “Use Deployed Image” and you’ll get the exact experience your end users can expect… which is basically waiting a very long time while the multi-gigabyte image downloads to their PC.

When it finally finishes downloading, you’ll notice that nothing happens… no XP screen. This is by design, as XP is just running in the background. If you look under your Start menu, you’ll notice the new shortcut folder you created earlier (Mine is named Windows XP Applications). Under there you will see the applications and menus you specified when creating your policy. Click on one, and it will launch the application as expected, surrounded by a red box to show clearly that it is running in the legacy XP mode.

MED-V is an exceptional solution to move your organization forward with Windows 7 while maintaining compatibility with legacy applications. While it takes some time to set up and configure, it is well worth the effort.


No comments yet... Be the first to leave a reply!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s