Posted May 8, 20204 yr Windows Virtual Desktop can be a good fit for organizations seeking to enable remote work scenarios. As a result, the new Windows Virtual Desktop Azure Resource Manager (ARM)-based model is now available as a public preview and available to all customers. In this article, I'd like to cover the deeper technical points that explain how to enroll Windows 10 Enterprise multi-session, including Office 365 ProPlus, via the new Windows Virtual Desktop ARM-based Azure portal—and outline some important things you should know before getting started. Note: The previous Windows Virtual Desktop functionality was non-ARM. With the new spring update, service functionality is now ARM-based in the Azure portal. As a result, pre-existing customer deployments will need to be migrated into the new console using tools that Microsoft will release shortly. Windows Virtual Desktop architecture The Microsoft-managed control plane is a completely redesigned infrastructure that leverages native Azure platform services to scale automatically. Think about the Azure front door as a global load-balancer for the remote desktop protocol (RDP) connection, Azure App Services in Azure for hosting the infrastructure services, and Azure SQL DB for hosting the RDS brokering databases. Leveraging these services is one of the chief reasons why this service is so cost-effective. New Azure portal dashboard The new landing page for Windows Virtual Desktop in the Azure portal (shown below) is clean and simple, and streamlines deployment and management steps. For example, you can now immediately start with the creation of your host pools. Previous steps such as consent and PowerShell creation of the tenant are gone! (I'll talk about this in more detail later in this article.) User session management With the new ARM-based release of Windows Virtual Desktop, there's also a new option to do greater user session troubleshooting directly from the Azure portal. The Users menu gives you the ability to search for users, see their active sessions, manage applications, and send their messages during maintenance work. As you can see from the sample screenshot below, you can easily see active user sessions and provide regular helpdesk tasks. These features allow help desk employees to do first-line support for Windows Virtual Desktop directly from the Azure portal. Custom RDP settings Previously in the non-ARM version of Windows Virtual Desktop, you had to activate RDP settings via PowerShell. In the new ARM-based model it's possible to turn for example clipboard or disk drive redirection to align with your company security baselines and perform this step directly from the Azure portal menu. New Azure PowerShell module As part of the spring release, Windows Virtual Desktop now integrates into the Azure PowerShell module. That means PowerShell commands now begin with a prefix, such as Get-AzWvdDesktop instead of Get-RDS. (Any existing tools or automation scripts would need to be modified to use the new module, available here.) As shown below, this change allows you to create all Windows Virtual Desktop components in a completely automated fashion via PowerShell. ARM templates for automating the Workspace (tenant), host pools and application group deployments are coming soon. Differences between non-ARM and ARM experience in Windows Virtual Desktop The new management portal integration is completely built on ARM, which means that permissions can be managed via role-based access control (RBAC). All deployment components of Windows Virtual Desktop (e.g. host pools, workspaces, etc.) are objects within your Azure subscription. This makes it easier to manage and automate your environment. The chart below outlines the most important differences between the previous, non-ARM-based implementation in Windows Virtual Desktop and the new ARM functionality. From a high-level component architecture, the differences are as follows: Note: The ARM-based version of Windows Virtual Desktop is being rolled out to U.S.-based tenants and will expand shortly to other areas, including Europe and Asia. This also applies for the metadata location. Azure portal enrollment process for Windows Virtual Desktop Now that I've walked you through the new dashboard experience and the differences in the new version, I'll explain how you enroll Windows Virtual Desktop from scratch with a customer-created Windows 10 Enterprise multi-session that includes Office 365 ProPlus. I'll also cover how to select a custom image, also known as golden image. Prerequisites for Windows Virtual Desktop In order to use Windows Virtual Desktop on Azure, you must meet the following requirements: A per-user license eligible to access Windows Virtual Desktop Azure subscription Azure Active Directory (Azure AD) setup Azure AD Connect [*]Admin permissions to enable resource providers on your Azure subscription and create virtual machines (VMs) [*]Optional: Custom image (Azure managed image and/or shared image gallery) [*]Windows Server Active Directory (AD) AD must be in sync with your Azure AD so users can be associated between the two. VMs must domain-join to Active Directory. Azure AD Domain Services (replacement for traditional domain controller) [*]Azure Virtual Network with a connection to the domain Network must route to a Windows Server AD. Check out all of information on the required ports and URLs, as well as endpoints/client access. Optional: Networking/on-premises connectivity – express route, VPN to make your environment hybrid for back-end connectivity. [*]Profile Containers network share on Azure Files or Azure NetApp Files (See here for our recommended Azure Managed options) Perform the Microsoft.DesktopVirtualization resource provider registration Open the Azure Subscriptions services menu. Open the Azure subscription where you are going to deploy your Windows Virtual Desktop environment. Select Resource providers. Search for the Microsoft.DesktopVirtualization provider and select Register. Confirm the registration. There must be a green checkbox next to the Microsoft.DesktopVirtualization provider as in the screenshot below. You are done with the prerequisite steps. You can now start with the enrollment process. Create your host pool You can now use our master image as the baseline of your deployment. A host pool is a collection of session hosts (right now based on Windows 10 Enterprise multi-session, however Windows 7 and Server 2012 R2 and above are supported as well). You can use them later to assign desktops and published apps too. Search for Windows Virtual Desktop in the Azure menu. Select Create a host pool. Choose your subscription, metadata location, and host pool properties. Select Next: Virtual Machines. (Are you using Windows 10 single session? Make sure to change the host pool type to Personal.) Select Yes to add virtual machines. Fill in the VM details, such as the size and image for your enrollment. This image could be one of our Microsoft pre-created images, such as Windows 10 Enterprise for Virtual Desktops, Version 1909 + Office 365 ProPlus. Note: You also have the option to click on Browse all Images and Disks and pre-select an custom image based on an Azure Managed image or one from the shared image gallery (SIG). Note: The name prefix of your session host cannot exceed 10 characters, this is because of the auto built-in count of VMs that comes as extra e.g. WVD-VM-1, WVD-VM-2. Note: For details on the maximum suggested number of users per virtual central processing unit (vCPU) and the minimum VM configuration for each workload, see our recommendations for multi-session, single session, and general VMs. This could be helpful to see your initial estimated VMs as part of your host pool. Provide the properties for your Azure Virtual Network (VNET) to which you'd like to join your session hosts. Make sure that the DNS servers of your Azure VNET are pointing to the domain controller’s DNS servers so that the fully qualified domain name (FQDN) can be resolved! Also make sure that all the URLs below are reachable from that VNET. You can also use the Azure Service Tag - WindowsVirtualDesktop FQDN as a filter to make this process easier. For more information, see Use Azure Firewall to protect Window Virtual Desktop deployments. Address Outbound TCP port Purpose Service Tag *.wvd.microsoft.com 443 Service traffic WindowsVirtualDesktop mrsglobalsteus2prod.blob.core.windows.net 443 Agent and SXS stack updates AzureCloud *.core.windows.net 443 Agent traffic AzureCloud *.servicebus.windows.net 443 Agent traffic AzureCloud prod.warmpath.msftcloudes.com 443 Agent traffic AzureCloud catalogartifact.azureedge.net 443 Azure Marketplace AzureCloud kms.core.windows.net 1688 Windows activation Internet wvdportalstorageblob.blob.core.windows.net 443 Azure portal support AzureCloud Enter in a service account to join your session hosts to your AD (Kerberos – ADDS) domain. Select Next: Workspace. Create the workspace. The workspace is the new name for a tenant. You can now create this directly in the Azure portal instead of using PowerShell! The workspace will be created in the same region as selected for the host pool. Select Yes and Create new. Provide a name for your Workspace (tenant). Select Ok. Select Review + Create. Review your settings and select Create to start the deployment. Create and assign remote applications (to groups) The process of publishing applications has become easier. First, you must create an application group using RemoteApp as type. You would then need to create two host pools if you want to use both desktops and remote apps as one specific user. Note: The Desktop Application Group (DAG) is automatically created through the Host Pool Wizard. This is for desktop sessions, the steps below are for Remote Apps. Select your Host pool and enter your resource group properties. Select Add Azure AD users or user groups. Select either a user or Azure AD group to make it more Dynamic. (Yes, you read that correctly, the updated version of Windows Virtual Desktop supports Azure AD groups!) Add your (remote) application from the start menu for the session host to publish. Select your Workspace. Note: You can also easily adjust existing host pools (RemoteApp) and add new applications on demand. Change the name of your workspace It can be helpful and more user-friendly to change the name of the Windows Virtual Desktop environment to "Windows Virtual Desktop" (as shown in the example below), or your organization name. To make this change, simply navigate to the properties for your workspace in the Azure portal and update the Friendly name. Change the name of your virtual desktops Just as it can be helpful to change the name of your Windows Virtual Desktop environment, the same is true for your virtual desktop names. You can change the name to something custom such as "Session Desktop" as shown in the example below. Simply navigate to the Application group in the Azure portal and open the properties, then update the Friendly name to whatever you like. Install the Windows Virtual Desktop Client for Windows To run your Windows Virtual Desktop (either the full desktop or remote apps) directly from the client and/or Start menu, you must first download and install the Windows Virtual Desktop Client. Launch the Windows Virtual Desktop Client Desktop app. Select Subscribe. Enter a username that has a desktop or apps applied. Select Next. Enter your sign-in credentials. Verify your identity through Azure multi-factor authentication (MFA), if activated. Your remote apps and desktops are ready! Use the HTML5 web portal Windows Virtual Desktop can be accessed without a client or agent directly from a web browser, which can be beneficial when you need to do some work and don't have your device with you. To access the RDWeb portal, visit https://aka.ms/wvdarmweb (short link) or https://rdweb.wvd.microsoft.com/arm/webclient/index.html (full length). Sign in with your credentials and verify your identity via Azure MFA, if enabled. (Azure MFA and Azure AD Conditional Access can be enabled via the Microsoft 365 Admin Center.) Once you have access, you’ll see all your desktops and remote apps! Your Windows Virtual Desktop environment is ready to use! If you run into issues during setup, be sure to check out our troubleshooting overview. You can also provide feedback, comments, and questions below. I also would like to recommend that you to join the Windows Virtual Desktop community on Tech Community to connect with the Windows Virtual Desktop Engineering team and your fellow public preview participants. Finally, for more information on tools that can help you empower end users to work securely in a remote work world, see Brad Anderson's post on the Microsoft 365 Blog. Continue reading...
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.