Posts made by Francesco Provino
-
Azure AD and software restriction policies
Does anybody know how to push software restriction policies, AKA application whitelisting, in Windows 10 via Azure AD? We used those policies (and Windows Defender, also) to mitigate ransomware & co., and this approach has been very effective till now. No capital investment, very light on the machine… but what about an AAD-only scenario (no AD connector)?
-
RE: How do you image Windows 10 for deployment?
Thank you all, guys; I've already started my experiments (successful, till the last try) with Clonezilla & co.!
-
RE: How do you image Windows 10 for deployment?
@JaredBusch said in How do you image Windows 10 for deployment?:
@Francesco-Provino said in How do you image Windows 10 for deployment?:
Hi everybody, I'm about to deploy several HP workstations with Windows 10 and a bunch of software inside (ERP, Office, Dropbox, etc.) and I want to create a workflow for automated deployment/restore of a workstation in case of failure or software problems. Something like "take this USB drive: if something goes wrong, just plug it in, reboot and wait".
I've seen many supporters of imaging vs. bare-metal backup (like Veeam Endpoint) here in ML; I will really appreciate your hints; thanks in advance!
Veeam Endpoint is not an image, it is a backup. From bare metal, yes, but a backup.
Imaging means you have VL and the legal rights to make a single master image.
For the clients that have imaging rights, I create a clean install on their hypervisor of choice and install everything needed.
Then I shut down the VM and make a backup in order to change things later.
Boot back up and then open an admin command prompt:
cd sysprep
sysprep /oobe /shutdown /generalize
After the VM shuts down, I change it to boot to Clonezilla and make an image to the local NAS.
After the image is made, I can boot any device to a Clonezilla USB and pull down the image.
So, it isn't possible to create a master image with an OEM license? I suppose that the process should work anyway…?
-
How do you image Windows 10 for deployment?
Hi everybody, I'm about to deploy several HP workstations with Windows 10 and a bunch of software inside (ERP, Office, Dropbox, etc.) and I want to create a workflow for automated deployment/restore of a workstation in case of failure or software problems. Something like "take this USB drive: if something goes wrong, just plug it in, reboot and wait".
I've seen many supporters of imaging vs. bare-metal backup (like Veeam Endpoint) here in ML; I will really appreciate your hints; thanks in advance!
-
RE: From thin clients to desktops… not the other way!
@Dashrender said in From thin clients to desktops… not the other way!:
@Francesco-Provino said in From thin clients to desktops… not the other way!:
Maybe, just because the performance of a recent Core i5 with plenty of RAM and an SSD is REALLY high by any (desktop computing) standards, so it's hard to come close to that benchmark with a VDI.
Well you can't really compare 4 year old servers with HDDs to a new PC with an SSD, that's just not a fair test.
How long have you been doing VDI?
Test for you - try connecting to the VDI from a PC instead of your Zero Clients. When I ran thin clients back in 2000 they were horrible! This was with Terminal Services instead of VDI, but the concept was similar - shared resources and all. The thin clients would flash a white screen whenever the session was switching between pages on a Java or Flash website. This made Lotus Domino Web Access (don't recall real name) nearly unusable for the client.
When remoting into a Terminal Server (non Citrix) from a P2, 256 MB RAM XP machine was an awesome experience for the end user, but the thin client was nearly useless, as I said.
Hi @Dashrender, I've tried what you say, and there's no advantage in our configuration… we used Praim P9002 as zero clients, highly specialized devices with a Teradici processor. I think they deliver the best experience regarding VDI…
-
RE: From thin clients to desktops… not the other way!
@Dashrender said in From thin clients to desktops… not the other way!:
I was wondering where the bottle neck for the OP is? Is it RAM, disk IO, network bandwidth.
Not sure one can suggest that you bail on VDI if you don't know the reason your VDI is slow.
For example. If your switch is bad, over saturated, then new PCs won't help everything.
I don't think our network is that bad, we have Cisco SG500 and the bandwidth requirement for PCoIP is very low… maybe the storage can be the limiting resource, but sometimes… it just feels like the scheduler of the hypervisor has something better to do than serve our desktop VMs, and I haven't figured out how to obtain the performance of a real desktop. Maybe, just because the performance of a recent Core i5 with plenty of RAM and an SSD is REALLY high by any (desktop computing) standards, so it's hard to come close to that benchmark with a VDI.
-
RE: From thin clients to desktops… not the other way!
@Dashrender said in From thin clients to desktops… not the other way!:
It's not about reimaging broken machines to me. The storage space for backing up endpoints seems like a waste to me. Why not maintain an image to use for fast restores?
@Dashrender do you know of some easy and simple tutorial for doing an automated deployment of Windows 10, AKA imaging it?
My plan is to eventually reset the workstation in an automated way via AMT, something like "fire that script and forget".
-
RE: From thin clients to desktops… not the other way!
@Dashrender said in From thin clients to desktops… not the other way!:
@Francesco-Provino said in From thin clients to desktops… not the other way!:
@Dashrender Veeam backup includes domain join, machine name… I'm not that experienced with Windows imaging, I'm more a Linux sysadmin.
Well sure. It's a bare metal restore. I suppose if you have the storage for endpoint backups. But still seems like a large amount of capital spend (potentially) for something that will rarely be used.
Dedupe would greatly reduce the amount of storage for endpoint backups.
But you're looking to deploy Win 10... How are you planning to do that? Imaging would be the fastest way to deploy a unified type desktop.
Regarding the storage: yes, our NAS already has plenty of storage, Veeam deduplication will save a lot of space.
Windows 10 is already deployed in the VDI, the z240 will include it as OEM.
-
RE: From thin clients to desktops… not the other way!
@coliver said in From thin clients to desktops… not the other way!:
@Dashrender said in From thin clients to desktops… not the other way!:
@coliver said in From thin clients to desktops… not the other way!:
Good luck we've got about 100 virtual desktops deployed and are looking to do another 100 next summer. We've got a big IBM SAN and a half dozen hefty servers doing the processing.
How many compute nodes do you have? Coliver
Six right now. We're haven't gotten close to maxing then out yet. That being said these machines perform at the physical desktop level but they aren't persistent, yet, so every time someone logs in they get a new desktop.
@coliver do you use something like NVIDIA GRID to boost graphical performance? Do you have SSDs in your SAN? The price of the SSDs for our SAN frightens me (IBM), I can buy a lot more PCIe storage for my servers, enough to keep VMs replicated between two or maybe all three nodes. Intel enterprise PCIe SSD is now at 0,8€/Gb or less, and the performance is really top notch… not your usual two-way 8Gbit/s Fibre Channel!
-
RE: From thin clients to desktops… not the other way!
@Dashrender Veeam backup includes domain join, machine name… I'm not that experienced with Windows imaging, I'm more a Linux sysadmin.
-
RE: From thin clients to desktops… not the other way!
@Dashrender we have a three-node vSphere environment (x3550 M4, 64 Gb of RAM) that hosts ERP, fileserver etc. Mainly Windows VMs, some Linux. We got not-as-good-as-a-real-desktop performance on a gigabit network (Cat6, SG500 switches) with Praim zero clients, so after trying much tweaking on the connection server, I think that maybe it is a lot less complex and more cost-effective to migrate towards a fat client environment… the Core i5s of today are very capable (including integrated graphics) and the z240 is IMHO a very nice machine for office editing, ERP and other not-so-heavy tasks. In addition, the AMT capability is really nice when you want to provision or tweak a desktop in a remote fashion. We already have Veeam B&R in production, so the endpoint on the desktop seems like a very clean and effective choice to re-image a broken machine.
-
From thin clients to desktops… not the other way!
I'm about to start the migration of a VDI environment, back to… physical desktops! We aren't getting the performance that we need from a VMware Horizon VDI, which is backed by two servers providing 15 Windows 10 virtual desktops, and an FC SAN (I'm about to replace it with local NVMe SSDs, replicated).
My choice for desktops will be HP z240 with third-party SSDs (SATA or cheap NVMe). I will manage those workstations via AMT and I will use Veeam Endpoint for the backups (to our Veeam server, of course).
Do you think I will regret it? I like the flexibility of the VDI, but the performance isn't on par with even an 8-year-old desktop with a baseline local SSD… even on the LAN, everything graphics related is "not as good".
Have any of you had the experience of migrating back from VDI to desktops? (Oh, I'm also about to drop our centralized fileserver for something like Dropbox for Business or OneDrive… replicated on the local desktop SSD, of course.)
-
RE: Cloud-based RFID access control advice
A vendor submitted to us a "fat" solution based on this hardware and controlled by Polyedro software (from TeamSystem, I don't know if it exists outside Italy), but I think that this is just over-engineering… for 7k€!
-
RE: Cloud-based RFID access control advice
@thwr thanks for your question! In this project we want to use 13,56 MHz ISO 14443 smartcards.
-
Cloud-based RFID access control advice
Hi everybody, I'm searching for a self-contained physical access control device, something that uses cards for authentication, and… something that is cloud-based, so I just have to plug the ethernet, configure an online account and start managing the device without "fat clients" or whatever. Maybe something like that can suit my needs? Do you have any experience with systems like that? It will be an access control point for a production plant with more or less 40 employees.
-
RE: SMB resources on the move
@scottalanmiller I think that sometimes AWS or other public clouds are the way to go, because often the ERP or CRM are old-style Windows applications that are available only for on-premise deployments.
-
RE: SMB resources on the move
@scottalanmiller how is O365 comparable to Dropbox for Business? I'm very curious about that because I'm going to switch a company to D4B and I want to make a comprehensive evaluation of the alternatives…
About the VPN, I was thinking about the connection between the cloud provider and the LANs, nothing more!
-
RE: SMB resources on the move
This post is very interesting.
The scenario that you are drawing for a small business of 10-30 people is something like this: a file sync layer (like Dropbox for Business) that replicates everything locally, eventually on big'n'cheap SSDs (compared to costly enterprise storage), so remote offices wouldn't be a problem. This way, it is possible to leverage all the power of modern hardware (even a Core i3 of the latest gen has plenty of power), without the hassle and the big upfront investment of physical servers, thin clients, storage etc. Every other service that cannot be served in a SaaS way, of course, can be hosted in an IaaS (I'm thinking about the typical Windows-based ERP) and connected via a router to the local network.
So, the shopping cart to start a full-fledged IT infrastructure in an SMB should be composed of just switches, a router with VPN capabilities (EdgeRouter ER-8?), desktops with big SSDs (AMT - vPro) and a bunch of services like AWS, Office 365, Dropbox for Business etc.
Maybe 1000-1200€ per seat (every 4 years) plus 30-40€/month/user… not bad, considering that one of the SMBs in which I work bought upfront 70000€ of servers/storage/VMware/Windows Server tl… I'm afraid, with less performance and reliability.
-
Tutorial: XenServer 7 software RAID MDADM with mail alert on failure
I've recently started a blog, this is my first article in English… http://www.francescoprovino.com/2016/09/06/xenserver-7-software-raid-with-mail-alert/
I hope you enjoy it!
-
RE: XenServer: MD RAID or not?
So, here is my article on XenServer MDADM raid: http://www.francescoprovino.com/2016/09/06/xenserver-7-software-raid-with-mail-alert/ feel free to correct my English!