ra2 studio - Fotolia
VDI administrators might be tempted to put off testing for configuration drift because of all the work involved, but it's important for security and performance reasons that virtual desktops remain compliant with configuration requirements.
As an administrator, you work hard to fine-tune the base desktop image you use to create virtual desktops. You probably vet the image in every way you can think of. The problem is, eventually, the virtual desktops you created might no longer resemble the original master image. Operating system patching and application deployment can cause certain virtual desktops to change their configurations over time, which is known as configuration drift.
Some types of configuration drift are harmless. For example, if Microsoft releases a new patch to address a critical security vulnerability, it is perfectly okay for that patch to exist on your virtual desktops but not on the base image. Conversely, there are types of configuration drift that should never occur, such as an administrator manually disabling the Windows Firewall on any desktop.
Unfortunately, there is no standard way of checking for configuration drift; the method varies depending on the virtual desktops' OS and the VDI software. Since some types of configuration drift are normal and healthy while others are not, it's up to you to determine which tests and corrective actions to perform.
Two ways to handle configuration drift
There are two ways to test for virtual desktop configuration drift in a Windows environment. First, you can use Microsoft System Center Configuration Manager (SCCM) to create a configuration baseline. The exact method for doing this varies from one version of SCCM to another, but with SCCM 2012 you can either import configuration data from a file or use the graphical user interface (GUI) to create a configuration baseline.
Before using the SCCM GUI to define a configuration baseline, you first have to create a series of configuration items, which is essentially a collection of settings, such as registry values. Settings can also include compliance rules that define what it means for that setting to be complaint. For example, you might create a setting enabling the Windows Firewall and a compliance rule that tests to make sure the firewall is still up. Once the configuration items are in place, you can create a configuration baseline that contains groups of configuration items, and then apply the baseline to a deployment of virtual desktops via download.
It takes quite a bit of work to configure SCCM to check for configuration drift, but SCCM is the preferred method. If your organization doesn't have SCCM, you can use the Windows PowerShell Desired State Configuration tool.
With the Desired State Configuration tool, you use a script to define your desired virtual desktop configuration. Once you have built this script, run it to create an .MOF file, which you can use with the Start-DscConfiguration cmdlet to assess the compliance of the target systems. Using the Desired State Configuration tool can be a bit intimidating because it requires PowerShell scripting, but Microsoft provides a tutorial to get you started. Once you're up and running, you can use the tool to manage registry settings, files and folders, roles and features, processes and services, and even deploy new software.
Regardless of which method you use, testing for configuration drift requires a significant amount of work. Even so, for security and performance purposes it is important to monitor your virtual desktops and ensure that they continue to adhere to your intended configuration.
A desktop audit can help set configuration goals
How to configure and manage storage for VDI
Install and configure XenDesktop to include vGPUs