FROM: Jason Snyder, Chief Technology Officer, Commonwealth of Massachusetts
RE: Advisory Memorandum – VDI (Virtual Desktop Infrastructure)
The Commonwealth Chief Technology Officer is issuing this Advisory Memorandum in response
to questions raised about the use of “VDI” (Virtual Desktop Infrastructure) for
secretariat/agency deployment as an alternative to traditional PC desktop configurations.
VDI technology has matured to the point where it offers the Commonwealth many advantages, and
it fits well with the emerging security approaches being adopted by the Commonwealth Security
Group. With the continuing need to lower costs and create operational efficiencies, VDI's ability
to use inexpensive "thin client" hardware with longer refresh cycles in place of standard desktop
hardware can yield significant savings. VDI's efficiencies in desktop provisioning, OS versioning,
patching, and application distribution/integration can offer much to IT organizations in the
Commonwealth. As the growing use of remote access and the variety of end-user devices present
challenges to the Commonwealth, VDI offers secure ways to meet those challenges while boosting
productivity.
Based on preliminary testing, current industry practices, Commonwealth secretariat/agency
feedback, and business owner feedback, secretariats/agencies are advised to take the following
key points into consideration when evaluating whether or not to deploy VDI:
“Centralized model” methodology
After review by both the technology and security offices in ITD, it has been determined
that the recommended approach for using VDI in the Commonwealth is the “centralized
model,” in which the VDI solution is deployed on a centralized server or servers attached to
centralized data storage systems. The “hosted model,” in which virtual desktop services are
outsourced, is not yet mature enough to meet the complex security and integration challenges
the Commonwealth faces at this time. The untethered or “remote model,” in which the virtual
desktop runs on the endpoint itself, would be cost
prohibitive and inefficient when considering the majority of the Commonwealth’s work
Dynamic “non-persistent” mode
After review by both the technology and security offices in ITD, it has also been
determined that the recommended mode for using VDI in the Commonwealth is a solution
that uses “dynamic” or non-persistent mode. In dynamic mode, a master image of the desktop
is cloned for each user at session start and then combined with the user’s personal data
(which is stored separately from the desktop) and applications. Because every session starts
from the same master image, changes made during a session do not carry over, and the image
is patched and maintained once rather than once per user. Dynamic mode allows for
efficiencies and cost savings in the back-end infrastructure required to host a VDI solution,
while preserving the end-user experience from a variety of locations and device types. The
“static” or persistent mode is designed for a unique and diverse user base and maintains a
completely separate image per user. Static mode carries substantial resource overhead in
storage and bandwidth use and is not recommended. The TCO of dynamic mode is up to 11%
lower than the TCO of static mode.
Caveats and Concerns for VDI implementation:
Bandwidth and protocol use.
WAN link bandwidth utilization should be analyzed before VDI is considered for
supporting a large number of remote sites.
Many VDI solutions offer purpose-built display protocols such as PCoIP or ICA that
optimize the end-user desktop experience compared with RDP. These protocols should be
taken into account when evaluating network topology and “thin client” hardware
compatibility, since not every thin client supports every protocol.
High speed storage solutions are highly recommended for certain segments of VDI back-
end infrastructure to optimize overall performance and end-user experience.
Printing and USB device compatibility
Direct attach USB printers or “thumb drives” can be a challenge when trying to
While centralized security lockdown of USB ports can be an advantage to some
agencies, it may be a challenge to others.
Another consideration is that compatibility with certain encryption technologies for
“thumb drives” can be limited; encrypted thumb drives in particular should be tested over
the solution’s USB redirection before deployment.
Redundancy in each layer of the back-end infrastructure should be increased
considerably when moving from a pilot to a production environment. Dependence on
network connectivity and on a centralized back-end means a single failure can take every
desktop offline; such single points of failure need to be mitigated wherever possible.
ITD Security is conducting a risk analysis now and will need to integrate an Enterprise VPN
approach that segregates VDI sessions appropriately. This is more secure than today’s
approach and will likely allow more types of devices to be used in a secure manner.
Microsoft OS licensing can include additional per-device virtual desktop access fees when
an Enterprise license is not in place. Typically, the subscription fee is $100 per device per
year. If an Enterprise Agreement (EA) or “Software Assurance” is in place, this fee is waived
for covered PCs, but not for thin clients, which still require the subscription.
Initial cost of deployment for a VDI solution when done properly can be high and might
be prohibitive if the only motivation for a migration is TCO savings. According to
Gartner: “The TCO benefits of VDI, however, have been in doubt in the past, as
reductions in IT labor and end-user costs were often offset by the capital costs required
to build the required back-end infrastructure.” Other motivations such as operating
system upgrades, desktop/file-print server lease expirations, or business/operations
needs should be part of the equation when considering VDI deployment.
With Commonwealth IT consolidation, the decision was made for secretariats and
agencies to maintain their own file and print environments. As VDI can potentially blur
that line, questions remain in regards to how VDI might be architected for the
As with any technology deployment, we recommend secretariats/agencies conduct thorough
testing of their own internal critical systems with any VDI solution before considering
In summary, ITD recommends secretariats/agencies deploying VDI technologies use:
“Centralized Model” methodology.
Dynamic “non-persistent” mode.
A well architected solution and security approach that takes into account the many
factors involved in deploying VDI in the Commonwealth.
If any Secretariat or Agency wishes to pursue a VDI solution, they should contact the
Commonwealth Chief Technology Office as ITD would like to partner on any such
Concerns regarding this advisory can be sent to: email@example.com