What is Layering, and why does it matter?

We have been talking about layering now for the better part of a year, and while it's an interesting technology, it's sort of an ambiguous concept to a lot of people. There are a number of vendors out there with layering solutions--MokaFive, Wanova, and RingCube, to name a few. But what is layering, and why is it important?

What is Layering?

Conceptually, layering is a method of controlling a user environment by breaking Windows down into separate, manageable pieces called layers. Typically, the base layer is the corporate OS image, with maybe a few fundamental things like access control or antivirus apps. Then, on top of that, ride other layers, like corporate applications, user data, non-persistent data, user-installed applications, and so on. Layers can be managed independently and by different groups, giving very granular control over users' workspaces.

(from John Whaley's presentation at BriForum 2009 entitled: "Use of Layers in Desktop Virtualization Management")

In a way, layering is like silk screening a t-shirt. Each layer builds upon the one before it to ultimately produce what we all see. In this way, each layer is a separated-out component of the user's workspace, and can be anything from low-level executables and settings to a user's mouse pointer or background picture. All of these layers combined complete the picture and present a single unified workspace to the user.

Layering can offer many benefits, including:

  • Simplified image management.  A simple base image with multiple, small layers, rather than many large base images.
  • Backups and snapshots.  Layers can be backed up individually, making rollbacks easy.
  • Easy application provisioning and de-provisioning.  Application layers are either turned on or off. Conflicts can be resolved via policies.
  • User installed applications.  UIAs can exist in their own layer that can be turned on/off, or restored should something bad happen (which, since it's a UIA layer, will surely happen).

How is it done?

How it's done is a question without a single answer, unfortunately. How each vendor does its thing would take a much longer article, but each has its use cases in a relatively young marketplace. Still, I was once a consultant and should be able to weave together a general answer to that question :)  Here goes nothing:

There are quite a few techniques to layering, some of which have been around for as long as we have.  Fundamentally, things like roaming profiles and folder redirection can be considered a type of layering. Inserting users' configurations, files, and other information into a base OS is one of the key aspects of layering, so these certainly qualify. 

Of course, profiles and folder redirection have their drawbacks (none of which are new to anyone), so other methods have also been invented. Application virtualization products, of which there have to be a dozen now, have been adding applications on top of base images for many years. I remember my "I don't install apps" Softricity pin from a Swan & Dolphin iForum in 2002 or so, so it's been at least that long.  Of course, that became App-V, and we also have Citrix XenApp Streaming, ThinApp, InstallFree, XenoCode, Symantec Workspace Streaming, and many more.

Application Virtualization doesn't work in all environments or with all applications, though.  And even when it does, applications are typically isolated from one another, which means tweaking things to make them more usable.  That's left an opening for a new breed of workspace management that relies on the use of some of the tactics and methods brought on by the widespread use of virtualization.  This is where the ambiguity of the current layering philosophy begins to appear. There are several companies, MokaFive, RingCube, and Wanova to name a few, that have workspace management solutions that are based on some sort of layering, but each uses different methods to accomplish the same goal.

The general idea is that the layers are applied to a base OS image. Each layer is a piece of the whole workspace, where one layer might be the configuration for domain membership and unique machine identification information, another might contain kernel components, and still more layers that might each contain applications or other configurations.

Some vendors accomplish this with virtual machines on a client side hypervisor (Type 2, not Type 1) and multiple disk images, with each disk image representing a layer (MokaFive). Others have solutions that ride on top of the existing OS (no hypervisor needed) while still using disk images as layers (RingCube). Others stream the layers to the client, enabling more efficient backups and updates over the WAN and for remote users (Wanova). And while one may not work as well in your situation as another, they all present a new way of compartmentalizing the user environment into individually provisioned components that can be managed separately.  In fact, the separation of management alone might be a qualifying use case, given that it allows for a division of ownership with relation to the desktop (as I wrote about last month).

How does it fit into VDI?

Even though layering is pretty young, it's easy to see how it fits into VDI. Layering the user environment on top of a small base image is a pretty valuable method of workspace management. 

This is one of the reasons that both Symantec and VMware have OEM'd RTO Software's Virtual Profiles--it allows them to layer in the user's settings, data, and policies--to go along with their respective application virtualization solutions.  Sure, it's not layering in the "new" sense, but obviously the big players see the potential and want to make sure they have some sort of comparable workspace management solution.

The reason it's becoming so popular now is that VDI has become a hot topic. With SBC solutions, workspace management effort was spent trying to achieve a balance so that all your users could coexist on the same box. Since one of the attractions of VDI is removing (or at least dulling) that constraint, it opens the industry up for solutions to problems that we didn't really have before, or that weren't really identified as fixable problems. Application Virtualization is about as close as we got to layering in an SBC environment.

What's coming?

Layering should come into its own alongside the other client virtualization technologies over the next year or so. Virtual Computer and Neocleus already have client hypervisor products on the market, and with Citrix and VMware set to release theirs in the coming months, there should be more opportunities for layering solutions to grow in popularity. I wouldn't be surprised to see some layering vendors either teaming up with or being acquired by the big guys.

I also think that Microsoft could help the layering concept along. Currently, the layering vendors are more or less getting under the hood of Windows and rewiring it to do their bidding. This is why we have so many different methods and approaches. If Microsoft were to "layerize" Windows more, so that more development effort could be spent on the actual workspace management and less on rewiring Windows and working around any shortcomings, it would be a boon to the concept and allow it to grow much faster than it has been.

So, are you using or evaluating any layering solution now? Share your thoughts, please!

Join the conversation



Layering is awesome. Just see what is brought by OSI 7 layers and Internet 4 layers. It seems we start to sublayer the application layer now. We talk so much about virtualization here. One thing is sure: there come new technologies and products after Microsoft Windows, Client/Server and Web. They will change not only the way to provide IT services in the enterprise; there are sure to be new biz models. That's great news for all of us, as we also find new stuff to live on. :=)


Well I know Brian hates layers now after this comments yesterday on CitrixLive :-)

Anyway I see some key considerations. As Gabe points out, it's about doing things to Windows that Windows was never designed to do, So this brings up the question of app compat. Unless you can choose (a word that the XD team does not get with respect to implementation) I would be very nervous about an all or nothing approach. I'd have to go back to the vendors and look to see if any of them allow the option to choose.

Then there is the part about how changes are applied to a layer. For example, if I want to patch the OS, or patch the app layer, how are those changes merged back in a reliable manner? Does it require a reboot, etc.? I think the answer to these questions helps one figure out how usable these options are in a real production environment.

The next piece is how rich is the management of the layers? Can I have different permission levels for each layer. For example if a user installed app (a concept I HATE) requires the ability to change something in the OS layer and the user is not an admin, what happens? This whole area results in complexity and app compat limitations of any implementation.

When we consider this space, we should not forget Atlantis Computing or Unidesk that I bucket together as having something similar. Their approach is to do it outside the OS with I/O and disk tricks. No evaluation is complete without looking at these guys as well.

So clearly this is not a mature space, but do we really need to bother? Well I think that's an interesting conundrum. With respect to VDI this simply underscores to me why pooled desktops are just not possible in any environment at scale or complexity. Pooled desktops is just vendor FUD who are trying to convince us on cost of VDI. It will not work unless you are simply and very well managed in the first place. The technology is not there any time soon. Hence the only way to realize the benefits of VDI at scale today is persistent desktops. For that brokers that suck, don't scale etc are complexity added for no reason when existing tools can manage desktops in a data center to enable business agility. Hence a brokerless option is something the XD, View and Quest teams are sleeping at the wheel at, Bravo Ericom for Blaze that I still haven't tested so looking for a cheat option if anybody has and would care to share results in this forum,

Client hypervisors, as Gabe points out, are an emerging reality. Startup or big vendor, it's unclear how the layers concept will apply to both hosted virtual desktop (data center desktops) and clients and pull it all together with something simple to use. I can see this being a mess for a while.

Layers is a future management concept that would need to overcome implementation and app compat hurdles to be real and apply to both hosted desktops and client desktop to reduce complexity. Until then persistent desktops is the only way to implement VDI at scale where there is variance in an environment. If you want cheap pooled today that works, simply use XA it works in 99% of use cases, just don't believe stupid people who don't know how and are lazy to only work with a full Desktop OS which is not needed for these task worker types. The only investment I would be making right now is decouple users from OSs and Apps as much as possible as I move beyond XP. That means invest in App Virt for sure where you can, use Win 7 as a stimulus, perhaps take the approach must virtualize and MSI the exceptions only.

So in conclusion, layers is needed to enable pooled in time, but not happening any time soon. Understand why VDI, it's not cost unless simple use cases, in which case XA is the cheapest way to do it. The vendors need to wake up and offer brokerless options to let people implement persistent desktops today, period. All the rest of the value in a broker is just BS designed to lock you into vendor A or B. BTW Gabe, great topic to write a lot more detail in. Perhaps we the community can help define the problem and help flush out the issues.


IMHO, fundamentally, we need to be thinking of layering in 2D rather than 1D.  VDI will drive the maturing of the available technologies to evolve to a better model (whatever it might be called), but I'm not sure anyone really knows what that is yet. (Which is why I think Brian is optimistic about VDI going mainstream in 2010).

Everyone draws a layer diagram like the one in this article, with horizontal layers of things added on top of each other.  But we also layer vertically some with application virtualization (for example).  Here we often segment the OS, from Application and Application-related-data. The app and a-r-d need to travel as a pair for a given user when needed, creating a vertical segmented slice.

Maybe it is a checkerboard model rather than a layer-cake model?  Anyway, while it is confusing that every vendor is doing things in slightly different ways, in the long run we all will learn through experimentation what works and what isn't needed.  Eventually, (I hope!) the winners will evolve to the stuff that works in a nice clean and easy to understand model.


Great point, Tim!  I mentioned that I think Microsoft can help with this by making Windows more compartmentalized, but I hadn't really put much thought into what that really meant.  That's it!  Pigeon-hole the damned thing, and then give us (well, these layering vendors anyway) a way to address each hole so stuff can be moved around, turned on/off, and so on.

You know...if they do that, actually go that far, might it be possible that this would work on TS solutions, too?


Pigeon-hole:  I like it!  At least until the ASPCA gets wind of it.

But yeah, it's a windows problem and a great VDI solution is a great TS solution also.


Shows why TS will always be cheaper. Fix/enable better isolation in TS plus layers and VDI is a corner case for hosted environments. Clients will come for local execution ability minus all the benefits of session mobility.....


I now know appdetective is one of 356 people ;)


@appdetective - << Fix/enable better isolation in TS plus layers and VDI is a corner case for hosted environments >>

Isn't this the very case that was being made for Parallels Containers over the last couple of months? It's the best compromise between two extremes: VDI and TS.


@edgeseeker Parallels does not address app compat. Crazy smart Russians, but there is just no way I see them getting traction. If they did I'd rather do with RingCube who go deeper to solve a lot of app compat.

Shawn or I am one of 356 sessions with multiple people listening :-)


@appdetective - DOH!

@all - Since it wasn't already mentioned in this article let me just say "cloud computing" and "fungible".  There I've said it.  Carry on.


I am currently in the process of getting together an ILIO / Atlantis installation. I will report back my experience when I have some, since right now I really don’t think my opinion (key word) is much different than the other posts.

@Shawn "fungible" - LOL I dislike that word just as much as appdetective hates "brokers"


This is indeed an interesting topic, but it (IMHO) needs to be cut in chewable and better put together pieces as main articles instead of insightful, yet highly compacted comments.

Anyone agree? Or is it only my yap-yap?

Layers, layers…Layers of abstraction are the very fundament of computing, but as of now it’s pretty dim to see where the abstraction and the layering all intermingle.

We need to put in some clarity on what is what instead of silently watching the shifting of terms, the shifting of meaning.

Who’s up for the task?

In other topics:


Could you please do a write-up explaining the broker/broker less issue. I’m only second guessing what you’re aiming at, and that’s not good for me, or anyone.

And yes, I think it would be absolutely marvelous for you to have a column of your own. Make it happen!


@appdetective - What app compatibility issues do you think Parallels have? It's a fully isolated environment in which each container is a 64-bit Windows VM. Unlike TS, there's no lack of isolation that often gives rise to compatibility problems. No traction? I suggest you do your homework.


@edgeseeker. I've done my homework honey. I had Parallels in a number of times over the years. Every time I ask them a basic question like how the F do you keep up with patching when a zero day event happens. BLANK. Ask them if you can install any kernel mode driver in the container and have variance across containers with other drivers (just like TS) BLANK. (Ringcube can do some of this) Try installing XA for fun on a Parallels container BLANK. As for stability of the product BLAAAAAAAH. It can't address developers so what does it really offer over TS that is worth the risk and effort? If you want full isolation, a full OS to yourself, either 1-1 XA on local cheap storage or $$$$$$$$ XD with crap infra plus VECD is the only way to go. Parallels is a hack of the Windows operating system, which MS does not put $$$ behind to support. When they do then real environments can think about running on it IMO. MS pushed RDS all the way for desktops so it's a naive person to bet against them and expect to maintain any service level. Sure Parallels has a few naive customers who are all gaga about saving a few capital dollars not understanding the s h i t storm they are creating. Of course those people exist, they are also the ones that buy the PCoIP hype and think View is so great because it locks you into a single hypervisor.

@Kimmo Think XA blackhole problem and similar and the impact that can have on groups of users, despite zones, failover etc. Think also XA scalability limitations on HUGE farms. Now ask yourself a question, do you want to introduce that service level for your desktops. I.e. crappy broker does something bad (software does have bugs) all of a sudden MANY users are taken out, not because of a Desktop problem, but because of a layer of complexity in the middle that is not needed for persistent desktops. If that is not a concern for you, by all means increase the unreliability of your desktop environment,.....it all depends on your business. In my case network outages which are shared are accepted and we have no choice, but mass desktop outages will not be accepted especially when there is an option to avoid all this mess. Imagine if every time you hit CTRL-ALT-DEL on your fat PC, you had to depend on a broker to get you there? What purpose is the broker serving, NONE!


Beginning to seriously wonder if I'm blacking out during the day and making posts under an alter-ego named AppDetective. LOL. Couldn't agree more on everything said above. In fact, I've discussed much of this with a Citrix person on a concall today. What I really wonder on the OS Partitioning front is what Microsoft's plans are in this area. They came out about 3 years ago saying they were going to do OS Virtualization (which became Hyper-V), they said they were going to do Application Virtualization (which became Softgrid/App-V), they said they were going to do OS Partition (which became ummm, I've got nothin')



@Appdetective - Quit with that "honey" thing! I belong on the other team!

Would love to see the look on your face if and when Parallels gets acquired. You too, Shawn!


@edgeseeker, So they haven't told you about their plans to IPO? Perhaps MS will buy them and you will be right, which is fine with me, until then just a bunch of crazy guys begging for a VDI with others like Quest hoping to get in on the action. Blaaaaaaah my darling :-)



Unquestionably I encouraged you, and so did we all.

You have that certain charisma with your knowledge and wit. Your foul language and outright rage combined with insight is most certainly the most common determinations of being in IT and being serious about it.

I cannot imagine anyone not sharing that.

Talking from my own experience, it’s a pretty thin line between expressing yourself and hurting people.

You, my friend, crossed that line today. Take that mark, clear up and return as the appdetective we all come to love.


@Kimmo, respectfully, when people imply that one hasn't done their homework and are posting whiny drivel, it warrants a response sometimes. Yes I agree my post to @edgeseeker may seem harsh looking back at it, but.... it doesn't matter. Back to bashing vendor product, crap product teams and figuring out WTF we should do about layers.


@appdetective - That's it! From here on out, you're AppDefective... In the head, that is!

Listen man, you really must have a loose screw somewhere inside your head, or you must be some sort of hate monger who works for Citrix, VMware, or one of those snobs. Do you really think Parallels is not a legitimate player in this industry? Just ask the hundreds of Service Providers and their countless customers who have been betting the farm on the Containers platform for several years. My company has been running on Containers for 2 years - Just 6 months ago, we kicked off a 700-user VDI pilot on Containers that's been running like a charm since. You talk about Zero Day events - Go ahead and give me one real-life example of a Zero Day event that you think would have brought a Parallels customer to their knees. Exactly!!! Blah blah blah yourself!!!

Listen, I've attended every briForum since the event's inception. If you want to have an arm-wrestling match, bring it on!  


Wow this thread went from mediocre to worse than mediocre in a hot minute...

Anyway, does anybody else read the title and say to themselves in their best "Aaaarnold" voice.

"Who is your daddy and what does he do"?

I know I do... carry on...


edgeseeker, since you've signed up three days ago to contribute, and gave crap to Shawn Bass for no reason as well who has been on these forums CONTRIBUTING for years, I guess this is your attempt to push your Parallels idea forward. I am sure you will add a lot to the forums with your great insight into why using a non desktop OS related technology offers a compelling difference over TS, is better than Ringcube that solves more app issues and has a desktop solution, casual dismissal over zero day security, BLIND love for ONE vendor and why a tiny implementation of a few hundred users makes this so compelling an industry event. Show me one large customer that uses them. Oh yeah that scale thing.....

It's ok to disagree, that's how we all earn. I look forward to your contribution. Happy to debate on merit, not willing to spoil this great blog trading barbs and I am sure nobody is interested in that either.


@appdefective - True, I did sign up a couple of days ago, but only because I was sick and tired of your antagonistic attitude towards others. Obviously, you're a RingCube fan, to say the least. Is this really how you "earn"? By disagreeing? Ha ha ha!!!


@edgeseeker. you are totally out of order here. You have not said a single smart thing. I read this blog often, and keep my mouth shut and learn from a lot of people here smarter than me. Now after reading your crap I had to sign up with an account and ask WTF is your problem? because I am smart enough to call out horse crap when I see it.

@appdetective, has posted a ton of opinion. I love the fact he/she is real, and says what he/she thinks with smart insight to back it up. I 100% agree with comments above from @Kimmo

"You have that certain charisma with your knowledge and wit. Your foul language and outright rage combined with insight is most certainly the most common determinations of being in IT and being serious about it.

I cannot imagine anyone not sharing that."

Kimmo is right. What I love about appdetective is that he/she pushes the thought process beyond a product or architecture, questioning assumptions and taking no prisoners. I don't see appdetective having love for any vendor or person based on his/her comments, it's all focused on pragmatic implementation.

Yes he/she may have pissed you off with a comment, but you started it with your do your homework comment. I also agree with appdetective's response where you make a stupid comment about Shawn Bass as well. So grow up, and stop whining and posting stupid crap all over the place. I will call you @honey since you have the maturity of a school girl. You have been given the opportunity to respond with a view, and I 100% agree with appdetective that disagreeing and debate are great ways to learn. It is exactly people like you focused on one way to do something that make IT a mess. Turning up to BriForum is no qualification, it just shows that you still don't get it given your responses. You have no right to dump your stupidity all over this blog to drive people away. If you disagree fine, express that, contribute something to the community not this crap. Are you married to Parallels or something? Come present your stuff at BriForum or get a session at Citrix Synergy if you are so confident. I know what I know, and I also know what I don't so. I like this blog, don't mess it up!

@Appdetective, keep up the good work, and don't worry about these cry babies.



Please delete all this negativity since it really doesn’t do any good and we certainly don’t need more iBangedYourMom or “I didn’t register until I read your crap” type posters. There are plenty of other boards for that nonsense.

The one thing that always brought me to BM.com was folks who shared experience and especially the hardcore enterprise level experience from guys like Claudio and Sean. Opinions are great, as long as everyone can leave it at that and trade them fairly.  Seriously bros, the only guy on here who gets paid for his opinions is Brian.

We need more comedy here too, and I don’t mean more office space references or Judd Apatow lines, I can get that just by walking around the office.

So anyway, has anyone implemented any form of layering and how did it impact your users / business?




Commenting is closed now. I'll look into deleting this - there's certainly very little contribution at this point. We don't have too many flame wars around here...