Michigan Endpoint Management User Group

We are in the process of putting together our Windows 7 roll-out plans and have discovered a few applications that will not run in IE8. Because we don't want to go the route of running the virtualized IE6 on Windows 7, and because they will run in IE7 just fine, we are looking at the Microsoft provided XP Mode virtual machine option. Unfortunately taking this route will require us to then patch all these virtualized XP installs. Can Altiris handle this with patch management? Would we be required to up our license count for Altiris to cover the virtualized XP Mode systems as well as the host desktops?

 

 

Shannon DuBey

BrassCraft Mfg

but XP mode "feels" very simliar to a VMWare session. So, I suspect you'd have to put an agent on there to get the patches, and therefore need more licenses. I don't see any official support statement on it yet, either.

Just to clarify: you can virtualize IE6, IE7, and IE8 using Software Virtualization Solution in Altiris, and even specify which version of the browser a particular URL should use if a user tries to access it, but you'd rather create an entire Windows XP virtual machine for users?  It seems to me that it would be much easier to virtualize the browser than provide a separate VM (complete with costs).

That's not the answer I was hoping for. Our parent company is pushing for a Microsoft EA Agreement that will include licenses for CCMS and I am currently looking for concrete reasons why we should stay with Altiris versus moving to CCMS which I am certain will happen eventually. Microsoft states they can patch XP Mode the same way they patch the host OS ... Shannon

How exactly can I virtualize IE 7 on Windows 7 when it won't even install on the OS to build the virtual layer? Is there a "how-to" guide for getting this to work because that would certainly solve my issue!

 

Shannon

MS will try to scare you and tell you that it's illegal to virtualize IE and you must use SCCM and must use XP Mode, etc.

It is true that I imagine Altiris would see the XP Mode as a separate computer and require an additional license.  And so would any other company, except, perhaps, Microsoft itself.

A good start:
https://www-secure.symantec.com/connect/articles/virtualized-internet-explorer-6-windows-7

You can also go here:
https://www-secure.symantec.com/connect/endpoint-virtualization/articles

And then filter the Author: to karl_burnell.. topics will almost exclusively cover Internet Explorer virtualization in Altiris.

Another fascinating article is this one, which describes the Symantec Browser Selection Tool:
https://www-secure.symantec.com/connect/articles/introducing-symantec-browser-selection-tool

Essentially, if URL A is selected, open in IE6 with Java 6 Update 17, if URL D is selected, open in IE6.  Anything you don't specify is opened in the default browser.

Full disclosure: I haven't implemented this myself yet, but will be looking at doing so in the next few months.

and I was very impressed. I have to strongly agree that using a solution like this is better than deploying\controlling a new VM for everyone. I also have my reservations everytime I hear that SCCM is 'free'. There are some huge costs associated to it, including in my mind, the time it takes to plan and deploy the solution (and remove Altiris).

Saw it demoed as well.. it's very slick.  The entire room is sitting there thinking, "Does this man practice dark arts?"  Yes.  Yes he does.

I've seen most of those articles before but will take another look just to be sure I didn't miss something. Unfortunately they address the issue of virtualizing only IE 6 on windows 7, not IE 7 which is what I need.

I've heard time and again that endpoint-virtualization can do this but have yet to see the proof. When I have tried to get it workin on my own I keep hitting the Microsoft wall. If anyone has documentation, or has made this work in thier environment I would love to give it a shot, until then we'll have to move forward with the dreaded XP Mode and the nightmare of manually patching the dang thing for 400+ desktops until we can get the applications upgraded to run on IE 8.

 

Shannon

IE6 won't work?  In your first post, you said you didn't want to go the route of virtualizing IE6, but because IE7 will work fine, you were planning on Windows XP VMs.  I understood that to mean they would run fine in either IE6 or IE7, just not IE8.  Since you're now considering virtualizing IE, am I hearing you right that IE6 is not compatible with the apps, and IE8 is not compatible with the apps, including compatibility mode, but only IE7 is compatible?

We do not want to go the route of virtualizing IE 6 because we currently run IE 7 for everythign and they work (though they would probably work fine in IE 6 as well). Going back to IE 6 is a security risk, would be a setp backwards in functionality, and will certainly ruffle feathers of the user community. Currently we run 3 web based applications that will not function in IE 8, even in compatability mode, and will function in IE 7. If we can get that running without going the route of the XP Mode virtual machine that would make my life far easier than having to install and configure XP Mode on all systems just to run IE 7. Management will not go for the idea of virtualizing IE 6 on desktops no matter how we "spin" it.

 

So what I need is 1) a virtualized version of IE 7 on Windows 7 or 2) a reliable method to patch the XP Mode systems without giving our parent company the ammo that CCMS can do it natively for "free" (we all know nothing from Microsoft is ever free but these decisions are out of my hands).

 

Shannon

Those are very real concerns regarding IE6.  I haven't seen IE7 virtualized on Windows 7, but I have seen IE6 and IE7 virtualized in Windows XP.

I understand what it's like to know that management won't support a decision, not based on knowledge or facts, but opinion about a particular version, brand, or industry movement.  I do think, though, that because the BHO only opens your internal company apps in IE6 for compatibility, that there's no additional security risk because the users can't launch it.  If they go anywhere else from IE6, it'll open in the default browser.

You may have a valid point about the functionality.  I assumed that all that matters for internal apps is that they work, but users may be very used to features like tabbed browsing and throw a fit if those were to go missing.

This is usually where I blame the developers.  Have you tried blaming the developers yet? Okay, I'm only joking.

If you choose to patch XP Mode with Altiris, you will have an additional node count from everything I understand.  If that's ammo to management, I'm not sure what I can do to help.

This thread has obviously been hijacked, let's get back to the original question...

Are you aware of any customers virtualizing IE7 on Windows 7?  Or do you mean that the topic is patching XP Mode using Altiris?

Okay, the origional question(s) were

1) can Altiris Patch Management patch XP Mode running on windows 7? - We currently run CMS/SMS 6.x but will likely upgrade to either 7.0 or 7.1 soon (particularly if it will allow us to patch the XP Mode VM's)

2) What does it mean for a node license count, as in do we need an additional license for all the XP Mode VM,s or just one for the host?

 

The third question that has arrisen out of the previous discussions is the possibility of running IE 7 on Windows 7 using Symantec Virtualization software, in case anyone knows the answer to tha as well.

 

Shannon

XP Mode is just Virtual PC with Windows XP included for Windows 7.  Altiris can run on virtual platforms; 32-bit and 64-bit is supported for Altiris 6 R13, and certainly supported in 7.0 and later.

I'm installing XP Mode now on my own system to confirm that the agent and plug-ins can be installed.

I also suspect that you will need a license for each Windows installation, which means one for Windows 7 and one for Windows XP.  Altiris would see each as distinct, managed computers.  I'll confirm this as well after I install XP Mode.

Perhaps someone from Symantec can weigh in on the IE7 SVS on Windows 7 topic?

I have asked the Product Manager for our virtualization products to weigh in as soon as he can...

What I am being told is that there hasn't been a sufficient business case yet to produce an IE7 virtual layer for Windows 7 as the "Compatibility Mode" of IE8 seems to be working for most customers.  So, here is the question - have you found that the IE7 compatibility mode available in IE8 isn't sufficient for what you need?  The more details the better...:-)

Thanks!

Everything I have heard in regards to question #2 is that the XP mode is a virtual system and as such it would require licenses for items as if it were a separate system.

This isn't just for Altiris but for Antivirus, applications etc.

We have performed only basic testing in IE8 with "compatability mode" enabled and thus far have gotten mixed results. Our main issue is that the number one application, our JD Edwards ERP package is NOT SUPPORTED with IE 8 as the browser which means that for any issues that may arise on a daily basis (and there are many in any given week)if we call them in for support to JDE we will be told we are using an unsuported browser and no help will be given to resolve the issue, even if it is not browser related at all. For this reason alone, running IE8 is not a viable solution for us, even in "compatability mode". Our budget over the next two years simply does not support upgrading to a version of this application that would support IE 8 as it is a major upgrade of hardware and software resulting in hundreds of thousands of dollars spent. So, I've been tasked with finding a way to make it work.

I've experienced similar issues with vendor support in the past -and big names too. Even though technically there might be nothing wrong with execution in a more modern browser, support won't touch the call if the client config was 'left' the support matrix.

Very frustrating -especially when it's obvious that the issue is server side rather than at the client.

When the vendor solution is 'mission critical' and so ingrained in the institution it just has be worked around, and can present  quite a thorn in the desktop OS upgrade cycle....

I still say virtualize IE6.  If management has a problem, let them know it can be fixed for a several hundreds of thousands of dollars.  Because IE6 is only used for your applications (e.g. ERP) that need it, there are no security risks.  The users won't be using IE6 for anything else (e.g. Facebook) that would represent a security risk.  Your only drawback would be lack of tabbed browsing, but I would present this as a feature they could regain if they upgraded the ERP software.

Another option might be using Firefox for the ERP software, if they allow it.  I'm not sure if Symantec's BHO would let you send ERP URLs to Firefox, but it's worth a look.

If we go the route of virtualizing IE 6 for these three web applications, how do we "lock it down" so that nothing outside our internal network can be accessed with the virtualized browser? All of our desktop users have full admin authority on thier own desktops, a requirement for a different application, so they would not be prevented from reconfiguring any "fake" proxy settings we put into place. Is there another way to do this?

Hi Shannon,

Could you post this as a new question in the virtualisation forum? 

Kind Regards,
Ian./

In the last 2 days it hasn't gotten a single reply and quite honestly not more than one or two people besides myself have looked at it. Does anyone from Symantec monitor this forum and can weigh in on the topic?

Hi Shannon,

I've asked the virtualization team to take a look at your other post to see if we can get you some help.

Thanks everyone who has been so helpful here!

Cheryl

Hi.

Does your JD Edwards only support running in IE7? What about Opera or Firefox?

XP mode is Virtual PC built into Windows 7.

The application is then published to the Win7 desktop instead of the WinXP desktop. Something they call seamless mode where you don't see the guest OS that your app is actually running on.

 

From here: http://www.dabcc.com/article.aspx?id=6715

For those of you who are not familiar with the "Unity" feature then think of it like a "seamless virtual window" What I mean is that when you are running a virtual machine in "unity mode" then the "desktop" is removed and the applications (windows) are displayed on the host machine directly. For those of you who have experienced "Citrix seamless windows" then you will know exactly what I trying to explain.

 

and from here: http://www.brighthub.com/computing/smb-security/articles/47776.aspx

Seamless or Unity Mode: Both VMware and VirtualBox is offering seamless mode so your installed applications in the guest system will run without having to be inside a window. This feature is called “Unity Mode” in VMware. Virtual PC 2007 does not have this feature but Microsoft added this cool feature in the upcoming Windows Virtual PC for Windows 7 operating system with different hardware requirement than Virtual PC 2007.

So if this is the case, would we still be at risk for non-patched Windows XP mode VM's so long as the user does not actually start up the host? As in could we simply give them a shortcut to run our web apps inside IE7 installed on the XP Mode VM but remove the links to launch the full VM environment to avoid having to apply monthly patches on the VM? Or does launching the application actually launch enough of the VM host to provide some, though probably minimal security risk on the systems?

We are looking into the possibility of running a different browser but so far the direction has been to find a way to make IE 7 work. We would like to avoid introducing new interfaces and potential issues but it seems that simply going to Windows 7 will do this anyway so a new browser platform might be a possibility in the long run.

Troops rallied and making progress toward finding a working solution.