Building the Golden VDI Image
With Golden VDI images, multiple virtual desktops can be implemented based on one basic image. This configuration simplifies management, ensures that users have a consistent experience with every login, and ensures that all systems meet the company’s security and compliance requirements: All virtual desktops generated by the image are exactly the same and comply with the policy.
The vast majority of virtual desktops are delivered to users non-persistently. This means that every change (user profile, installed applications, configuration adjustments) disappears when the VDI is restarted. So make sure you have a good user profile solution. For machines that are delivered persistently (think of developers, for example), you can create a writable clone of the golden image, and from then on all changes (security updates, configuration changes, new applications) are made within that new branch.
What Goes into your golden Image?
A golden VDI image contains the Windows OS and patches. It also contains a minimum set of configurations, optimizations and applications. Configurations and optimizations that go into the golden image should only be those that are needed before the computer boots. All others can go into Group Policies. For included applications I prefer to focus on only the 10-15 most commonly used applications, otherwise you risk that the image becomes too big and slow to manage. Application virtualization can be used as a method for the other, less commonly used apps.
I install the following applications into my image:
- Windows OS (Obviously)
- .NET framework
- Visual C++ Redistributables (all of the supported versions, don’t install outdated versions as they can introduce security risks)
- Microsoft Silverlight if needed
- Broker agent (eg. Citrix Virtual Apps and Desktops or VMware Horizon View)
- Virus Scanner
- Any application that is used by 75%+ of the user community. In most cases that is
Other applications I would deliver with a virtualization tool like App-V, until MSIX becomes the new standard. Remember that with the Windows 10 Enterprise version, App-V is included.
How to build the Image?
Images can be managed using automation tools such as Microsoft Endpoint Manager (Formerly SCCM & Intune), Microsoft App-V, Ivanti Automation, Citrix App Layering, VMware App Volumes, custom scripts or … (God Forbid) completely manually.
Keep your users happy, test before you deploy.
It is important to know that, with any automation tool you use, every golden image update applies to ALL virtual desktops, so you must always test, test and test updated golden images before you assign them to production. Every implementation that I do has several phases, starting with the build. Next comes IT testing, where basic implementation testing is performed by IT personnel. Later, a subset of users is asked to perform user acceptance tests, where a small group of end users can test the functionality of the LOB applications. In each phase, the testers provide feedback and adjustments are made accordingly. Testing is vital for the success of a VDI project. I have seen all too often that a project is accelerated under time pressure, skipping testing phases, with disastrous consequences for users and the business.
Citrix App Layering
Citrix App Layering (formerly Unidesk) is a tool that helps you build your VDI image.
Benefits of Citrix App Layering
- With Citrix App Layering you can compose different images based on the layered applications. That way it is easy to build a Test, Acceptance and Production image.
- Some organizations maintain multiple golden images because they have to maintain multiple user profiles (e.g. Marketing apps differ from those at Accounting). It is recommended to limit the number of golden images to make them easier to manage. With Citrix App Layering you can use Elastic Layers. These contain applications that are added to the computer during logon, depending on Active Directory group membership. In case you don’t wish to use Elastic Layers (because they come at a performance cost and not all applications are compatible with Elastic Layers), with App Layering you can create image combinations easily, while only installing each application once (per layer).
- Citrix App Layering comes with a solution for the user profiles: User Layers. These layers, a VHDX file per user, are connected to the computer at logon, and disconnected at logoff. That way, users maintain their settings (and possibly installed applications) between sessions. From experience I noticed that it is generally faster than other (streaming) profile solutions like Remote Profiles, Citrix UPM, Ivanti Personalization server and others.
Improvements I would like to see
- One of the biggest downsides is that it’s very hard to call this an automation tool. Installations still happen mostly through the GUI. Using automation scripts is possible, but very complex, especially since the different layers are not part of the Domain during setup.
- It would be so beautiful if it were possible to create a new OS layer and (try to) link all the existing platform and application layers to it. In that way, it would be much easier to keep up with the fast pace of new Windows 10 versions. Currently, a new OS layer means repackaging all the apps.
- From my tests I see that App Layering has more impact on the logon performance than I would like. Maybe I missed something, some wrong configuration, but so far I can only conclude that a Layered golden Image needs more time to log on than the same setup without App Layering. And I’ve been looking at it together with Citrix Support for weeks now.
Below you can find my notes from the field on App Layering. Things I sometimes had to learn the hard way. 🙂
Setup and Configuration
The best possible online resource on setting up and configuring Citrix App Layering can be found on the page of Carl Stalhood. His page is always up to date and is a very detailed step-by-step guide:
One note: When you set up the App Layering appliance (Enterprise Layer Manager or ELM) and you connect to it for the first time, don’t be shocked. You’ll need Silverlight, and a browser that supports Silverlight (thus not Google Chrome).
Log File & Troubleshooting
Citrix App Layering Service Log file can be found here: C:\ProgramData\Unidesk\Logs\ulayersvc.log
Important to know here is that there is a request 1 and a request 2. According to Citrix:
“We return control to the login process at the end of Request 1. Request 2 is our system tray application checking in, and that app is started by explorer when you get your desktop showing. So request 2 starting is actually an indicator that the entire login process is complete.”
By default, ulayersvc.log only logs events INFO or higher. You may determine that you want more detailed logging. To turn on DEBUG logging, you need to edit a configuration file. The setting must be present before Ulayer.exe starts, which normally means it must be present before the machine boots. So you cannot set it from a GPO, for instance.
Update C:\Program Files\Unidesk\Layering Services\ulayer.exe.config.
Change INFO to DEBUG and save.
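A scripted version of the edit described above, meant to be run on the packaging machine so the setting is already in the image before boot. This is an added example, not code from the original post or from Citrix; it assumes the level appears in the file as the literal token INFO (as the text implies) and that the file is UTF-8, and the function name Set-ULayerLogLevel is hypothetical.

```powershell
# Added example: switch the ulayer log level inside the image or layer being built.
# Assumptions: the level is stored as the literal token INFO or DEBUG, and the
# file is UTF-8. Run from an elevated prompt (the file lives under Program Files).
function Set-ULayerLogLevel {
    param(
        [ValidateSet('INFO', 'DEBUG')]
        [string]$Level = 'DEBUG',
        [string]$Path = 'C:\Program Files\Unidesk\Layering Services\ulayer.exe.config'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Config file not found: $Path"
    }

    # The token to replace is whichever level we are not switching to.
    $old = if ($Level -eq 'DEBUG') { 'INFO' } else { 'DEBUG' }
    $text = [System.IO.File]::ReadAllText($Path)

    # Case-sensitive and word-bounded, so strings such as "Information" are left alone.
    $pattern = "\b$old\b"
    $count = [regex]::Matches($text, $pattern).Count
    if ($count -eq 0) {
        Write-Output "No '$old' level found in $Path; nothing changed."
        return
    }

    # Keep a timestamped copy so the original can be restored.
    $backup = '{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $Path -Destination $backup

    $updated = [regex]::Replace($text, $pattern, $Level)
    [System.IO.File]::WriteAllText($Path, $updated)

    Write-Output "Replaced $count occurrence(s) of $old with $Level. Backup: $backup"
}

Set-ULayerLogLevel -Level DEBUG
```

Calling `Set-ULayerLogLevel -Level INFO` switches the same file back to the default level.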
Updating the software in an OS, Platform, or App layer is easy. You add a version to the layer, install the upgrade or patch on the packaging machine and then finalize the layer.
Once updated, you deploy the new layer version with an updated image version to your provisioning tool.
- In case your provisioning tool is Citrix PVS, and you wish to use the built-in versioning of the image (on top of the App Layering versioning), then don’t make multiple layer versions of the Platform Layer. I experienced issues where Platform Layer versions created instability with PVS functionalities. I also read on other forums where people experienced network issues on Platform Layer versions.
PVS Write Cache
When using Elastic Layers in combination with PVS, make sure that you prepare for an XL write cache. Citrix PVS typically does its caching based on disk blocks, but App Layering with Elastic Layers enabled will do this on a file basis. This increases the RAM needs as well as the local disk size requirements.
Great Resources on Citrix App Layering
- Citrix Docs on App Layering: https://docs.citrix.com/en-us/citrix-app-layering/4.html
- Citrix Reference architecture on App Layering: https://docs.citrix.com/en-us/tech-zone/design/reference-architectures/app-layering.html
- Webinar and Q&A by Citrix on App Layering. A lot of questions are answered here: https://www.citrix.com/blogs/2020/03/02/citrix-tips-citrix-app-layering-webinar-qa/