[UPDATE 05. January 2023] The Team around the Imager Fling has released version 2.1 of Imager with a couple of nice enhancements:
I quickly updated Imager and created a new Image, everything is still working smoothly and the experience is great. For the three new features you can see screenshots below:
Stay tuned for future updates!
[ORIGINAL POST] Every once in a while I’m having a customer asking for use cases, which can only be covered by virtual machines running locally on the Desktop. Reasons usually are offline use or when the VM needs to be closely tied to the physical machine. Another main use case is: I want to provide (cheap) VMs for Bring Your Own Device (BYOD) use cases or emergency cases, where employees need to make use of another device which is not their standard corporate PC but the environment is not allowing to run a VDI sourced out of the datacenter by e.g. VMware Horizon.
In the past, there were solutions like VMware Horizon Flex with Mirage to cover those use cases, however, Flex was send End of Life (General Support) on June 30th 2019. The reasoning behind it makes sense from a product perspective (use Workspace ONE UEM instead, the world is heading to the Cloud, it’s legacy technology), but there was never a real 1-1 replacement solution.
Some time ago a Beta of a solution called ‘ManagedVM’ was launched but did not make it to GA due to missing customer request, which left us with no solution covering the above use cases natively. But there’s some light at the end of the Tunnel: Earlier this year, some highly skilled VMware Engineers provided a Fling called ‘Imager’, which was already partially covering what we were getting from the ‘ManagedVM’ Beta. In November, there was a massive feature update of the Fling which can now be used to cover the basic requirements of providing a managed virtual machine running natively on a Windows PC. Further development and enhancements are planned for the future, but in this Blog post we are going to take a closer look at the Imager Fling in version 2.0.
Please note: By definition, a VMware Fling is a solution developed out of the VMware community and not supported through the VMware Global Support Services. It’s not a product as such, it’s a tool which may get productised if the acceptance rate out of the customer base is high enough.
Before we start, what’s the objective? Providing a Virtual Machine running on top of a Windows 10 or 11 client, which is/can be managed and protected by Workspace ONE UEM. In my case, I will use a SaaS version of Workspace ONE UEM, integrated with Azure Active Directory (AAD Only), a Windows 11 laptop as Host PC and for provisioning the VM (running the Imager Tool).
The engineers did a very good job in documenting the whole process from an end to end perspective in a PDF file. It is highly recommended to follow the documentation, which can be downloaded directly from the Imager Fling site. There’s also the option to provide feedback and comments, which usually get very quick replies from the team. A video explaining the process is uploaded as well:
STEP 1 – Prerequisites
But now let’s dive into it. There are a few prerequisites which should be done upfront on the PC/Server running the Imager Fling. The Fling requires some additional software, which in most cases can also be downloaded and installed during the process of building the image, but no reason why you shouldn’t do this first as it takes some time to install especially the ADKs. I downloaded and installed Microsoft Edge WebView2 Runtime, Windows Assessment and Deployment Kit (ADK) and Windows Assessment and Deployment Kit (ADK) Windows Preinstallation Environment (Windows PE) upfront. For building the image, of course you also need an .iso copy of Windows and the Imager Fling itself. I used Visual Studio to get a copy of Windows 11 incl. a test license key. Last but not least, download the Imager Fling itself. On the host where you want to run the ManagedVM, you also need a copy of VMware Workstation Player or Pro, which can be dowloaded from VMware CustomerConnect. In my tests I used Workstation Pro 16.2.5.
Another pre-req I would recommend is building your Provisioning Package using Workspace ONE UEM upfront with Drop Ship Provisioning (Offline). Dropship (offline) is being used to provision Windows devices with apps and out-of-the-box-settings out of the ‘factory’, or in our case for the Virtual Machine.
This is not mandatory and can be done as part of the Image-Builder Process as well, but as the objective is to have a VM managed and secured by Workspace ONE UEM, I would highly recommend this step. While I’m not going to outline all details around Dropship Provisioning, I have documented the steps to build your .ppkg and Unattend.xml file in the Gallery below. The process is also documented quite well [HERE].
STEP 2 – Install Imager
No rocket science in doing that, simply run the Imager.msi on your PC and follow the Setup Wizard.
STEP 3 – Build your Image
The Imager Setup created a Desktop Icon for the Imager-Tool. Simply double-click the icon to kick off the Imager Fling. When never run before on the machine, the Imager window will be empty, in case you have built already images, they’ll be shown in the window and can be continued in case the built-process was not finished or exported as ManagedVM package, what we are going to do later. The process of building your VM is straight forward and the tool guides you through the process, the main steps shortly explained (details in the Imager documentation):
- 1 Source Image: Provide your Windows .iso file and select the Windows edition
- 2 Plan: You can stop the image build process after each step and continue later if desired
- 3 Virtual Machine: Define the name and specs of the virtual machine
- 4 Operating System: Define the local admin name/password and skip OS updates (this step can be highly important if you use an older Windows image. Even with the H2-2022 image it took in my case approx. an hour to download and apply all OS updates as part of the image build process)
- 5 Software: Optionally you can add software to your base image. If you want to, the .ppkg file created as part of the Dropship Provisioning process from Workspace ONE UEM comes into play here.
- 6 Optimize: Optionally, you can optimize your base image using a custom template or the default template, which usually improves running VMs with common, best practice settings.
- 7 Sysprep: Here the second Dropship Provisioning (Offline) file gets relevant as you can optionally integrated your unattend.xml file from Workspace ONE UEM.
See the different steps in the below Gallery:
Once all is set, hit the ‘Build Image’ button and the process should start. The process will take a while to build the image, dependent to your defined settings (Windows updates!), apps through the UEM .ppkg, OS specifications and local hardware. In my case it approx. took 1.5 hours to build the base image.
Your Image is ready:
STEP 4 – Package your VM
Next you will package your VM to provide it to the Host where it should run using Workstation. A .zip file including the Image will be created and needs to be provided to the host via a network share, OneDrive or simply a USB Stick. Simply select the Image and Click on Export:
Another wizard starts and allows you to set options for your VM package. Especially important to apply security settings to e.g. add a virtual TPM (allowing Bitlocker encryption on Win11), lock the option to change VM settings and finally to digitally sign the package with your corporate certificate to prove its origin and validity. I skipped that step which is causing a warning during provisioning the ManagedVM.
Once done, you will find the .zip package of your image at the defined place of your machine:
STEP 5 – Provision your ManagedVM
Now is the step where you can distribute (Fileshare, OneDrive, USB-Stick) the .zip / VM to your client where it should run, called the Host. Ideally this is a separate PC running Windows 10 or 11 with VMware Workstation Pro or Player preinstalled. In my case, I used the same PC which was also used to package the VM. Technically there’s no reason why it wouldn’t work on the same machine.
Once the file is copied, extract it to your desired destination. You’ll get three objects in the folder where ‘InstallOnWindows.exe’ is the one which is initiating the provisioning process. From the documentation:
Important to note: Run the ‘InstallOnWindows.exe’ with admin privileges as it installs a small ManagedVM agent on the host PC – more information in the Imager documentation.
Don’t get confused about the warning for ‘Failed package verification’ – this comes up when not signing the package with a certificate. Once the Provision process is finished, it will automatically start Workstation and fire up the VM. A Desktop icon is going to be installed as well.
This should be the final outcome:
STEP 6 – First Start of your ManagedVM
Now comes the exciting step where you will see if all the pre-work was successful, the first start of your ManagedVM. The following steps will be different for every use case, dependent on the applied settings, used image and ‘OOBE’ options defined. In my test case I was also not (yet) able to finalize the full desired experience including an OOBE enrollment into Workspace ONE UEM, as I had some mismatching settings between WS1 UEM and Azure AD. Once this is fixed, I will update the screenshots below. However, you can still access the VM using a local account and kick off the Workspace ONE enrollment manually from the Intelligent Hub application, which was embedded into the .ppkg file (including Zoom and Chrome as sample apps in my case).
Here we go – Managed VM Online and running – managed by Workspace ONE UEM (as mentioned, Hub enrollment in this case).
Imager 2.0 is a massive step forward. It takes some time to run through the whole process, but provides a great tool to create and provide a secure Workspace ONE UEM managed virtual machine (VDI), which can be used offline as well. If this is now firing the ‘Year of [offline] VDI‘ is another question to discuss….
Please reach out to your VMware contact in case you are making use of the Imager Fling and if you are having real world production use cases. This helps in the process of lifting the Fling to a product one day.