Monday, April 24, 2023

Azure Virtual Desktop lab blog

 

Azure Virtual Desktop

Azure Virtual Desktop (AVD) is a desktop virtualization service that gives remote and hybrid workers quick access to organizational Azure resources while keeping ExpressRoute (ER) or VPN gateway traffic to a minimum. Access to Azure file shares or databases can be far faster when AVD is hosted in the same Azure data center as the data. The user experience improves noticeably, especially for users opening 500 to 2000 PDFs, OCI files and similar documents.

Much like Citrix or VMware Horizon VDI infrastructure, an AVD deployment depends on the following infrastructure and cloud resources –

1)     Network resources, network logic and network resource access.

2)     Identity services and identity sync.

3)     Master image. A custom image, as in the traditional VDI process, or, for a small Azure deployment, a pre-built image from the gallery.

4)     File share access or caching of the user profile, especially for pooled desktops, where the user gets the same experience regardless of which VM in the pool they land on. Citrix uses a file share with a local cache that is written back to the share, so profile writes requested by applications are served immediately. AVD offers a similar cache option if the profile server is not in a co-located facility. This layer also includes cloud printer profile management such as Universal Print, PrinterLogic or other vendors' products.

5)     Creating the host pool and the scaling logic for pooled desktops. AVD uses breadth-first and depth-first load balancing, which we cover at length in the scaling section later.

6)     Monitoring and management (Insights, workbooks, KQL, GPO, Endpoint Manager (EPM), RDP properties etc.)

7)     Backup, failover and high availability.

 

1)     Network configuration and requirements for AVD

a)       Before building the network, assess the expected AVD experience with the AVD Experience Estimator.

b)      As with any Azure hybrid network, set up one or two VNets with the following subnets under the VNet:

GatewaySubnet

AzureFirewallSubnet (if traffic filtering and proper enterprise security are needed using Azure Firewall; not applicable if only NSGs are in use or an NVA is in place).

AzureBastionSubnet for secure RDP access to the session hosts for troubleshooting.

An AVD subnet for hosting the session hosts.

An identity or core subnet for hosting identity servers such as DCs, Azure AD Connect and federation servers.

c)       After the VNet and subnets are set up, configure the VPN gateway connection or ExpressRoute as needed for hybrid connectivity to the on-premises enterprise network. Set up hub-to-spoke VNet peering so traffic can flow from AVD to the identity services. Hub and spoke peering is required regardless of whether the identity services are hosted on premises or directly in the cloud.

d)      Add custom DNS servers in the Azure portal, or from the command line, so the company domain name resolves.

e)      Deploy a domain controller holding all FSMO roles (or multiple DCs as required), with the DNS role on the DC or on a member server.

f)        Point the VNet's primary DNS server at the IP of the domain controller running the DNS role. You can still leave the Azure-provided DNS as the secondary DNS server if you wish.

g)       RDP Shortpath (RDP Shortpath - Azure Virtual Desktop | Microsoft Learn)

Reverse connect has been in use since Server 2012 R2 with Remote Desktop Gateway and broker services. It is extremely dependable because it rides on TCP, but it is not as fast as UDP. RDP Shortpath uses UDP port 3390 to improve connectivity over VPN or ExpressRoute with direct line of sight, or over the public network. The link above describes in detail how STUN and TURN are used for RDP Shortpath.

RDP Shortpath provides better performance, reduced latency and improved round-trip time. On a managed network with line of sight, it enables QoS and network throttling through GPO.

If firewalls or other network devices block UDP traffic, the connection falls back to the TCP-based reverse connect transport.

The connection sequence in the Microsoft docs shows how the client decides on the shortest path, and where port 3478 comes in.



AVD network port requirements for NSG / firewall.

AVD requires the following outbound rules –

1)      Access to the Azure Virtual Desktop service on TCP port 443.

2)      Access to the AzureCloud service tag on TCP port 443, used for Azure monitoring, diagnostics, blob, service bus, queue and the artifact catalog on the Azure marketplace.

3)      Access to kms.core.windows.net on port 1688 for Windows KMS license activation.

4)      IP addresses 169.254.169.254 and 168.63.129.16 on port 80, for the Azure Instance Metadata Service endpoint and session host health monitoring, respectively.

5)      Additionally, for line of sight to the domain controllers (LDAP / Kerberos for authentication, SMB for SYSVOL and GPO access) we need to allow ports 53, 88, 389, 445, 464 and 636 plus the dynamic range 49152-65535, for both UDP and TCP, along with outbound TCP 135 and UDP 123. Matching inbound rules are needed on the identity services VNet or the on-premises appliance, whichever applies. SMB 445 is required both for SYSVOL and for access to Azure Files over SMB, which FSLogix will use later.

Inbound –

1)      Allow RDP from the Bastion subnet to the AVD subnet, so you can reach the session hosts for troubleshooting the master image VM or any other session host.
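The rule list above, turned into an NSG for the AVD subnet. This is an added example with Az.Network cmdlets, not code from the original post; the resource group, VNet, subnet names and address prefixes are assumptions for the lab. It adds one rule the post's list does not spell out (the AzureActiveDirectory tag on 443, which the session host agent needs to sign in and which is on Microsoft's "Required URLs" list linked at the end of the post) and closes with an explicit outbound deny so the default AllowInternetOutBound rule is no longer the fallback.

```powershell
# Added example (not from the original post): NSG for the AVD subnet that allows only
# the outbound flows listed above plus inbound RDP from the Bastion subnet, then denies
# everything else outbound. Resource names and prefixes below are assumptions.
$rg        = 'rg-avd-lab'        # assumption
$location  = 'eastus'            # assumption
$vnetName  = 'vnet-avd-lab'      # assumption
$avdSubnet = 'snet-avd'          # assumption: AVD subnet name
$avdPrefix = '10.0.3.0/24'       # assumption
$idPrefix  = '10.0.2.0/24'       # assumption: identity/core subnet (DCs, AAD Connect)
$bastion   = '10.0.1.0/26'       # assumption: AzureBastionSubnet prefix

# NSG rules take IPs or service tags, not FQDNs, so resolve the KMS host at deploy time.
$kmsIps = [System.Net.Dns]::GetHostAddresses('kms.core.windows.net') |
          ForEach-Object { $_.IPAddressToString }

function New-OutRule($Name, $Priority, $Protocol, $Dest, $Ports) {
    New-AzNetworkSecurityRuleConfig -Name $Name -Direction Outbound -Access Allow `
        -Protocol $Protocol -Priority $Priority -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix $Dest -DestinationPortRange $Ports
}

$rules = @(
    # 1) AVD control plane, by service tag rather than a wildcard destination
    (New-OutRule 'Allow-AVD-Service'   100 Tcp 'WindowsVirtualDesktop' 443),
    # Agent sign-in / token acquisition (on Microsoft's Required URLs list, not in the post's list)
    (New-OutRule 'Allow-AzureAD'       105 Tcp 'AzureActiveDirectory' 443),
    # 2) Monitoring, diagnostics, blob, service bus, queue, marketplace artifacts
    (New-OutRule 'Allow-AzureCloud'    110 Tcp 'AzureCloud' 443),
    # 3) KMS activation
    (New-OutRule 'Allow-KMS'           120 Tcp $kmsIps 1688),
    # 4) Instance metadata + session host health monitoring
    (New-OutRule 'Allow-IMDS-Health'   130 Tcp @('169.254.169.254', '168.63.129.16') 80),
    # 5) AD line of sight: DNS, Kerberos, LDAP(S), SMB, kpasswd, dynamic RPC (TCP and UDP)
    (New-OutRule 'Allow-AD-Core'       140 '*' $idPrefix @('53', '88', '389', '445', '464', '636', '49152-65535')),
    (New-OutRule 'Allow-AD-RPC-Mapper' 150 Tcp $idPrefix 135),
    (New-OutRule 'Allow-NTP'           160 Udp $idPrefix 123),
    # Explicit catch-all. Only enable this after checking Microsoft's full Required URLs
    # list (Windows Update, Defender, etc. are not covered by the rules above).
    (New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Outbound' -Direction Outbound -Access Deny `
        -Protocol '*' -Priority 4000 -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'),
    # Inbound: RDP only from Bastion; everything else inbound stays at the default deny.
    (New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Bastion' -Direction Inbound -Access Allow `
        -Protocol Tcp -Priority 100 -SourceAddressPrefix $bastion -SourcePortRange '*' `
        -DestinationAddressPrefix $avdPrefix -DestinationPortRange 3389)
)

$nsg  = New-AzNetworkSecurityGroup -Name 'nsg-avd' -ResourceGroupName $rg -Location $location -SecurityRules $rules
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $avdSubnet -AddressPrefix $avdPrefix `
    -NetworkSecurityGroup $nsg | Set-AzVirtualNetwork | Out-Null
```

The deny rule is what makes the allow list meaningful; without it the NSG's built-in AllowInternetOutBound rule lets every other flow through. If Azure Firewall is in place instead of plain NSGs (the AzureFirewallSubnet option above), the FQDN-based rules belong there and the KMS resolution step is unnecessary.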

2)     Identity services

After meeting the network requirements, let us jump to identity services, which comprise identity sync and security.

To synchronize identities from the domain controller to Azure AD we need Azure AD Connect. Azure AD Connect: Get started by using express settings - Microsoft Entra | Microsoft Learn

1)      Deploy a member server.

2)      Download and install Azure AD Connect.

3)      Deployment requires authenticating to Azure AD with a Global Administrator account and to the DC with a Domain Admin account.

4)      For an easy and quick deployment, choose express settings with password hash sync, which also provides SSO. Pass-through authentication (PTA) and federation, which enforce authentication on-premises, are covered in depth in AZ-104 and SC-300. Custom settings are useful for changing the UPN attribute and selecting OUs during the initial sync, among other things.

5)      After a successful deployment, user accounts and security groups in all selected OUs are synchronized to Azure AD and listed as synced (hybrid) identities. A new UPN or identity must first be created on the domain controller; it is then synchronized automatically every 30 minutes. A sync can be forced immediately with Start-ADSyncSyncCycle -PolicyType Delta, or by a scheduled script on the Azure AD Connect server.

6)      After synchronizing user identities, license requirements must be met for security and AVD access. Enforcing AVD security with Conditional Access requires Azure AD P1 or above; AVD access requires Microsoft 365 Business Premium or above, which includes the Azure AD P1 license. The other security products to consider are Microsoft Defender for Cloud and Defender for Endpoint.

 

AVD VM image creation process –

Shared Image Gallery

An image can be selected from the Azure marketplace if the default images in the gallery and marketplace suffice. However, if the organization needs a gold image with tailored applications, it is better to create a custom image: strip the machine identity with Sysprep for an OOBE experience, capture the image for deployment, and store it in a shared path or image gallery.

As when creating images in on-prem Hyper-V, VMware or Citrix XenApp, best practice is to take a VM snapshot at every step of image change, each application install and each reboot. In Azure this is a snapshot of the OS disk; keep the snapshot versions so you can roll back and restore from a snapshot if needed.

Optimizing the image for performance –

Run the image optimizer script.

Run application-specific optimizations. For example, to optimize and install Microsoft Teams for all users, follow this article to make the recommended registry change, install the WebSocket component and use PowerShell to deploy per machine: Use Microsoft Teams on Azure Virtual Desktop - Azure | Microsoft Learn

Install OneDrive on the VM: Install Office on a master VHD image - Azure | Microsoft Learn

Install Office on the gold image VM: Install Office on a master VHD image - Azure | Microsoft Learn

Allow users to choose their OS language: step 2 of Install language packs on Windows 10 VMs in Azure Virtual Desktop - Azure | Microsoft Learn

After the final change on the gold image VM, run Sysprep with the OOBE and Generalize options and choose Shutdown from the dropdown. Once Sysprep has cleared the VM's identity, switch back to the Azure portal, open the master VM blade and select Capture. During capture, select "Share image to Azure compute gallery". For the target VM image definition choose Create new, and create a resource group during the process so the image definition lives in its own RG.

For the version, use a semantic version, e.g. x.x.x.

Choose the replica count within a region or across regions based on organizational need and deployment volume. (Note: one replica per twenty concurrent VM deployments, and two hundred per region if an availability set is enabled, or four hundred without an availability set, per session host.)

Once the VM image is deployed and saved in the gallery, you can navigate to the gold image version at any time and start "Create VM" from it for a quick test deployment, to assess what the final VM deployment looks like.

Once deployed, verify the VM over RDP and make sure all applications work and the VM is optimized to organizational need. Once the VM state looks good, delete all the snapshots created during image preparation, and delete the VM too.
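The capture step above, done from PowerShell instead of the portal. This is an added example with Az.Compute cmdlets, not code from the original post; the resource group, gallery, image definition and VM names are assumptions, and it assumes Sysprep /generalize /oobe /shutdown has already been run inside the VM as described.

```powershell
# Added example (not from the original post): captures a generalized gold-image VM
# into an Azure Compute Gallery definition and version, mirroring the portal steps.
$rg       = 'rg-avd-images'       # assumption: dedicated RG for gallery and definition
$location = 'eastus'              # assumption
$vmRg     = 'rg-avd-lab'          # assumption: RG of the gold-image VM
$vmName   = 'vm-gold-w11'         # assumption
$gallery  = 'gal_avd_lab'         # assumption
$imageDef = 'win11-avd-office'    # assumption
$version  = '1.0.0'               # semantic version, as the post recommends

# Sysprep must already have shut the VM down; mark it generalized on the Azure side too.
Stop-AzVM -ResourceGroupName $vmRg -Name $vmName -Force
Set-AzVM  -ResourceGroupName $vmRg -Name $vmName -Generalized
$vm = Get-AzVM -ResourceGroupName $vmRg -Name $vmName

# Create the gallery and the image definition only if they do not exist yet.
if (-not (Get-AzGallery -ResourceGroupName $rg -Name $gallery -ErrorAction SilentlyContinue)) {
    New-AzGallery -ResourceGroupName $rg -Name $gallery -Location $location | Out-Null
}
if (-not (Get-AzGalleryImageDefinition -ResourceGroupName $rg -GalleryName $gallery -Name $imageDef -ErrorAction SilentlyContinue)) {
    New-AzGalleryImageDefinition -ResourceGroupName $rg -GalleryName $gallery -Name $imageDef `
        -Location $location -OsState Generalized -OsType Windows `
        -Publisher 'avd-lab' -Offer 'windows-11-avd' -Sku 'multisession-office' `
        -HyperVGeneration V2 | Out-Null
}

# Publish the VM as a new version. ReplicaCount follows the post's sizing note
# (one replica per twenty concurrent deployments); TargetRegion lists where copies live.
$ver = New-AzGalleryImageVersion -ResourceGroupName $rg -GalleryName $gallery `
    -GalleryImageDefinitionName $imageDef -Name $version -Location $location `
    -SourceImageId $vm.Id -ReplicaCount 1 -StorageAccountType Premium_LRS `
    -TargetRegion @(@{ Name = $location; ReplicaCount = 1 })
$ver.Id   # image version resource id, used when deploying session hosts from this image
```

Keeping the gallery in its own resource group, as the post suggests, also lets you scope RBAC so that whoever builds images cannot touch the running host pool, and vice versa.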

 

Deploying VMs into a host pool using the gold image from the gallery –

1)      Search for Azure Virtual Desktop in the Azure portal.

2)      Click the Host pools blade.

3)      Click Registration key to generate a new key for the host pool.

4)      Select Session hosts on the host pool blade.

5)      Click the "Add" button.

6)      On the Basics tab, fill in the host pool settings: name, RG and host pool type.

7)      On the Virtual machines tab, choose a name prefix, making sure the total length of prefix and suffix does not exceed eleven characters.

8)      Select availability zones or no infrastructure redundancy.

9)      Under the image section, select See all images, click "My images – Shared images" and pick the gold image we prepared.

10)   Enter the number of VMs to deploy. For storage, premium SSD is recommended for pooled desktops, with a SKU offering at least 4 vCPU and 16 GB RAM.

11)   Select AD join or Azure AD join. For AD join, enter a username with the UPN suffix and the password of an account privileged to join machines to the domain, and select the custom OU path where the new computer accounts should be created.

12)   Finally, provide the local admin username and password to be created on the new VMs.

13)   Enable diagnostics and send them to Log Analytics.

14)   The whole imaging process can be automated with Azure VM Image Builder. Its benefit is a scripted pipeline that keeps the image current with recent updates, generalizes it, creates a new version and redeploys it to the VMs as updates are released. It requires a managed identity and an automation account. Follow the docs Azure VM Image Builder overview - Azure Virtual Machines | Microsoft Learn, the repo Azure/azvmimagebuilder: Azure VM Image Builder Samples Repo (github.com) and Create a Windows VM by using Azure VM Image Builder - Azure Virtual Machines | Microsoft Learn. The Git repo includes the image optimizer, FSLogix deployment and deployment with a managed identity through an ARM template. For our own image, replace the image publisher with the ID of our own master image; the ARM deployment then publishes the image to the shared gallery.

 

File Share and FSLogix

FSLogix includes User Profile containers, Office containers, App Masking and Java version control.

Redirecting the user profile to an Azure file share is the common use case for FSLogix. The Office container only matters if a separate roaming profile is used for the user share, which is rare nowadays.

App Masking restricts application access to specific users or groups. For example, applications used by HR should not be accessible to other departments sharing a common pool.

Cloud Cache provides faster write operations for profile updates when the file share is remote. It resembles the technique Citrix used for profile-share writes: changes are written quickly to a temporary VHD and streamed to the remote file share later, or at log-off, avoiding write-back latency and preserving the user experience. Cloud Cache Overview - FSLogix | Microsoft Learn

License requirement – Microsoft 365 E3, E5, F1, F3, or A3, A5 for companies eligible for education licensing. Windows 10 Enterprise E3, E5 (or A3, A5 for the education sector) also qualifies.

Install FSLogix using this article if the image is not replicated from the Azure gallery – Install FSLogix Applications - FSLogix | Microsoft Learn

Here is a script on GitHub to domain-join the Azure storage account so NTFS permissions can be used on the file share: Releases · Azure-Samples/azure-files-samples (github.com)

Before configuring the FSLogix path on the session hosts, create the Azure file share with SMB authentication using the following article – Use Azure Active Directory Domain Services (Azure AD DS) to authorize user access to Azure Files over SMB | Microsoft Learn. Set the storage account's AD computer object so its password never expires, or apply the same through a GPO on the OU where the computer account lives, or run Update-AzStorageAccountADObjectPassword on a schedule before the password expires.

RBAC permission on the Azure file share

1)      For administrative purposes – file contributor privilege

2)      For user access – file contributor

NTFS permissions for AVD users – modify the NTFS permissions on the profile folder.
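The share permissions and the computer-account password handling from the two passages above, as one script. This is an added example, not code from the original post; storage account, share and group names are assumptions. It departs from the post's RBAC list in one place: the admin group gets the elevated variant of the SMB share contributor role, which is the role that permits changing NTFS ACLs, while users get the plain contributor role. The NTFS layout (users Modify on the root folder only, CREATOR OWNER Modify on what they create) is FSLogix's documented recommendation, so a user can create their own profile folder but cannot open other users' folders.

```powershell
# Added example (not from the original post): least-privilege RBAC on the profile share,
# FSLogix-style NTFS ACL on the profile root, and Kerberos key rotation for the storage
# account's AD computer object. All names below are assumptions.
$rg        = 'rg-avd-lab'            # assumption
$sa        = 'stavdprofiles01'       # assumption: storage account name
$share     = 'profiles'              # assumption: file share name
$usersGrp  = 'CONTOSO\AVD-Users'     # assumption: AD group, synced to Azure AD
$adminsGrp = 'CONTOSO\AVD-Admins'    # assumption

# --- RBAC scoped to the share, not the whole storage account ---
$saId     = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).Id
$scope    = "$saId/fileServices/default/fileshares/$share"
$usersId  = (Get-AzADGroup -DisplayName 'AVD-Users').Id    # Azure AD object of the synced group
$adminsId = (Get-AzADGroup -DisplayName 'AVD-Admins').Id
New-AzRoleAssignment -ObjectId $usersId  -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $scope
New-AzRoleAssignment -ObjectId $adminsId -RoleDefinitionName 'Storage File Data SMB Share Elevated Contributor' -Scope $scope

# --- NTFS ACL on the profile root (run on a domain-joined host as a member of the admin group) ---
$root = "\\$sa.file.core.windows.net\$share"
icacls $root /inheritance:r                                   # drop inherited ACEs, start clean
icacls $root /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(F)"
icacls $root /grant "${adminsGrp}:(OI)(CI)(F)"                 # admins: full control, inherited
icacls $root /grant "${usersGrp}:(M)"                          # users: Modify on this folder only
icacls $root /grant "CREATOR OWNER:(OI)(CI)(IO)(M)"            # owner: Modify on subfolders/files they create
icacls $root                                                   # print the resulting ACL for review

# --- Kerberos key rotation for the storage account's AD computer object ---
# Requires the AzFilesHybrid module and AD RSAT. Alternate kerb1/kerb2 on each run so
# existing sessions keep a valid key; schedule this before the domain's password-age limit.
Import-Module AzFilesHybrid
Update-AzStorageAccountADObjectPassword -RotateToKerbKey kerb2 -ResourceGroupName $rg -StorageAccountName $sa
```

Rotating the key on a schedule is preferable to exempting the computer object from password expiry, since the object then behaves like any other machine account under the domain's policy.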

Log in to a Windows session host and launch Registry Editor.

Under HKLM\SOFTWARE\FSLogix\Profiles, create a DWORD "Enabled" with value 1. Additionally, create a multi-string value "VHDLocations" whose data is the FQDN (UNC) path of the Azure share user profile location.

Configuring Cloud Cache – under HKLM\SOFTWARE\FSLogix\Profiles, add a new DWORD (32-bit) "Enabled" with value 1, and create a multi-string value "CCDLocations" whose data is the FQDN path of the Azure share user profile location, prefixed with "type=smb,connectionString=".
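The two registry configurations above as a script that sets one or the other. This is an added example, not code from the original post; the share path is an assumption. It handles the point the two paragraphs leave implicit: VHDLocations and CCDLocations are alternatives, and FSLogix ignores VHDLocations when CCDLocations is present, so the script removes whichever one is not in use rather than leaving both set.

```powershell
# Added example (not from the original post): configures the FSLogix profile container on a
# session host. Exactly one of the two location modes is written; the other is removed.
$key   = 'HKLM:\SOFTWARE\FSLogix\Profiles'
$share = '\\stavdprofiles01.file.core.windows.net\profiles'   # assumption: Azure Files UNC path
$useCloudCache = $false   # set to $true when the share is remote from the session hosts

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name 'Enabled' -Type DWord -Value 1

if ($useCloudCache) {
    # Cloud Cache: writes land on a local cache VHD and are streamed to the remote share.
    Set-ItemProperty -Path $key -Name 'CCDLocations' -Type MultiString -Value @("type=smb,connectionString=$share")
    Remove-ItemProperty -Path $key -Name 'VHDLocations' -ErrorAction SilentlyContinue
} else {
    # Direct attach: the profile VHD(X) lives on the share and is mounted at sign-in.
    Set-ItemProperty -Path $key -Name 'VHDLocations' -Type MultiString -Value @($share)
    Remove-ItemProperty -Path $key -Name 'CCDLocations' -ErrorAction SilentlyContinue
}

# Verification before users sign in: a share that is unreachable on SMB 445 means FSLogix
# falls back to a temporary local profile, which is the "profile loss" users report.
$fqdn = ($share -split '\\')[2]
Test-NetConnection -ComputerName $fqdn -Port 445 | Select-Object ComputerName, TcpTestSucceeded
Get-ItemProperty -Path $key | Select-Object Enabled, VHDLocations, CCDLocations
```

Because these are HKLM values, the same settings can be pushed through GPO preferences or Endpoint Manager rather than by hand on each host; baking them into the gold image is another option, as long as the share path is the same for every host pool that uses the image.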

Creating host pool and scaling

Azure Virtual Desktop (AVD) consists of three building blocks: Host Pools, App Groups and Workspaces. The service offers a secure, easy-to-use remote desktop solution with minimal setup and maintenance overhead.

A Host Pool is a collection of Azure virtual machines. Each session host VM in AVD is registered either to Azure AD or to Active Directory Domain Services. The session hosts are registered to the host pool and are readily available for end users to interact with. Azure currently offers two host pool types: Personal, for individual use, and Pooled, for shared usage by an authorized group of users. A load-balancing mechanism determines how sessions are distributed across the session hosts.

An App Group is a logical grouping of applications installed on a session host. A Workspace is a logical grouping of application groups in AVD. App groups are associated with a workspace to enable IAM access and to publish remote desktops and apps to users. RBAC assignment for access to an AVD desktop or application is done through the application group's access management.

Since application groups are linked to a workspace, we can create the workspace first from the AVD blade, or the host pool first.

Creating the workspace –

On the Basics tab of the AVD workspace, type the workspace name and description. Create a new RG or select an existing one as applicable. Select the location for the workspace; this should be the same region as the network resources, although the host pool metadata can live in a different region and resource group.

As we do not have an application group pre-staged, choose "No" on the "Register application group" tab.

Enable diagnostics for the workspace if you have a Log Analytics workspace set up to store its diagnostic logs, then review and create after completing the Tags tab.

Creating the host pool –

On the AVD blade select Create host pool.

On the first tab, type the host pool name, select or create a resource group and choose the location of the host pool metadata. The metadata location and RG are not tied to the other Azure resources, so they can be in any other region or a separate RG.

For the host pool type, select Pooled or Personal. Pooled desktops are multi-session desktops where the user's session and application state are redirected to and saved in an FSLogix profile on an SMB file share. Personal desktops are useful when each user needs a dedicated system. A personal desktop has automatic or direct assignment. Automatic is the default: a user account or group only needs access to the host pool, and each user is automatically assigned an available VM by the load balancer logic. Direct assignment requires access to the host pool and to the VM (session host) itself for the user. Azure Virtual Desktop personal desktop assignment type - Azure | Microsoft Learn

For pooled desktops we have the breadth-first and depth-first algorithms. The default is breadth-first, which spreads each new user session across the available VMs in the pool (picking one at random) before stacking sessions on a host that already has users. Depth-first does not spread sessions across the other available session hosts; it optimizes cost by directing most sessions to the first session host, and only once that host is at capacity are new user sessions directed to the next session host.

To avoid performance degradation when configuring depth-first load balancing, you must set a maximum session limit per session host in the host pool.

There is an option to mark the host pool as a validation environment, used for validating updates before they reach the production session hosts in the production pool.

On the Virtual machines tab for the host pool, select Add virtual machines.

Select the resource group and type a name prefix for the VMs. The VM name including the prefix must be under eleven characters.

Select an availability zone or set as required.

Set the security type as Standard. If the VMs must be hardened for PCI or other security requirements, a virtual TPM (the Trusted launch security type) can be applied, at additional cost and only on supported SKUs.

Select the image type as Gallery and choose a default image from the gallery or the custom image.

Select the size and SKU needed. For pooled desktops it is recommended to choose a SKU with at least 4 vCPU and 16 GB or more of memory, with premium SSD for storage performance on shared pool desktops.

Select the virtual network and security group that have direct line of sight to the identity services through VNet peering; for the lab, a subnet in the same VNet keeps it on the same network anyway.

Type the username and password of an account with the permissions to join machines to the domain (for AD join), or the equivalent RBAC if you are joining Azure AD instead. For AD-joined machines you can also specify a custom OU path so the VM lands somewhere other than the default Computers container.

Click Yes to register the desktop application group to the workspace we created earlier, so users will see this desktop and app group in their workspace when they sign in. Click Next, then Review + create after tag assignment, and click Create once validation passes.

During host pool creation a new application group is generated, named with the host pool name as prefix and the suffix DAG (Desktop application group). However, the application group must be created and named separately if the deployment is done with IaC or PowerShell commands.
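The PowerShell path the last paragraph refers to, where the application group and workspace have to be created explicitly. This is an added example with Az.DesktopVirtualization cmdlets, not code from the original post; resource group, location, names and the user group are assumptions. Two choices worth noting: the session limit is set up front so a later switch to depth-first does not run without one, and the registration token is issued with a two-hour lifetime rather than the maximum, since it only needs to outlive the deployment run.

```powershell
# Added example (not from the original post): host pool, desktop application group and
# workspace created with Az.DesktopVirtualization. Names and location are assumptions.
$rg       = 'rg-avd-lab'        # assumption
$location = 'eastus'            # assumption
$hpName   = 'hp-pooled-lab'     # assumption

# Pooled, breadth-first, with a per-host session cap. Depth-first requires the cap,
# so it is set here even though the pool starts in breadth-first mode.
$hp = New-AzWvdHostPool -ResourceGroupName $rg -Name $hpName -Location $location `
    -HostPoolType Pooled -LoadBalancerType BreadthFirst -PreferredAppGroupType Desktop `
    -MaxSessionLimit 10 -ValidationEnvironment:$false

# Registration token for the session host agent. The service accepts an expiry between
# one hour and 27 days; two hours is enough for a single deployment run.
$expiry = (Get-Date).ToUniversalTime().AddHours(2).ToString('yyyy-MM-ddTHH:mm:ssZ')
$reg = New-AzWvdRegistrationInfo -ResourceGroupName $rg -HostPoolName $hpName -ExpirationTime $expiry
# $reg.Token is the value the session host deployment / agent installer consumes.

# The portal would have named the group "<hostpool>-DAG"; here it is explicit.
$ag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name "$hpName-DAG" -Location $location `
    -HostPoolArmPath $hp.Id -ApplicationGroupType Desktop
$ws = New-AzWvdWorkspace -ResourceGroupName $rg -Name 'ws-lab' -Location $location `
    -ApplicationGroupReference $ag.Id

# Publish the desktop to a synced AD group rather than to individual users.
$grp = Get-AzADGroup -DisplayName 'AVD-Users'   # assumption: group synced by Azure AD Connect
New-AzRoleAssignment -ObjectId $grp.Id -RoleDefinitionName 'Desktop Virtualization User' -Scope $ag.Id

# Quick check that the pieces are linked as intended.
Get-AzWvdApplicationGroup -ResourceGroupName $rg -Name "$hpName-DAG" | Select-Object Name, HostPoolArmPath, WorkspaceArmPath
```

The role assignment on the application group is the RBAC step the post describes under "application group access management"; scoping it to the group, not the resource group, keeps a user of one desktop from implicitly seeing others.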

 

Host Pool configuration

On the host pool you can configure the scheduled agent update, which updates the agent on the session hosts during a scheduled maintenance window based on the time zone, instead of automatically updating whenever a release is available, to avoid session host degradation during production hours.

You can configure all RDP properties related to connection, session and display from the host pool or from GPO. Supported RDP properties with Azure Virtual Desktop - Azure Virtual Desktop | Microsoft Learn

Host pool scaling plan –

To scale a host pool, AVD requires a custom RBAC role at the Azure subscription level that allows read/write operations on the VMs and the host pool.

Once the custom role is defined, open the host pool's IAM blade, click Add role assignment, find the custom role and assign it to the "Windows Virtual Desktop" (now "Azure Virtual Desktop") service principal.

After the role assignment for the custom role is complete, create a scaling plan with a friendly name, resource group and location.
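The custom role and its assignment from the two steps above, scripted. This is an added example, not code from the original post; the role name and subscription id are assumptions. The action list is the one Microsoft's scaling-plan documentation gives for the custom role (compare it against the current doc before use). The point of the custom role over the Contributor role that the post's link list mentions as an alternative is that the AVD service principal then holds only the start/stop and session operations it needs, nothing else in the subscription.

```powershell
# Added example (not from the original post): least-privilege custom role for AVD scaling
# plans, assigned to the Azure Virtual Desktop service principal at subscription scope.
$subId    = '00000000-0000-0000-0000-000000000000'   # assumption: replace with your subscription id
$roleName = 'AVD Autoscale (custom)'                  # assumption

# Start from an existing definition object, then overwrite every field that matters.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id = $null
$role.Name = $roleName
$role.Description = 'Start/stop session hosts and manage user sessions for AVD scaling plans'
$role.IsCustom = $true
$role.Actions.Clear()
@(
  'Microsoft.Insights/eventtypes/values/read',
  'Microsoft.Compute/virtualMachines/deallocate/action',
  'Microsoft.Compute/virtualMachines/restart/action',
  'Microsoft.Compute/virtualMachines/powerOff/action',
  'Microsoft.Compute/virtualMachines/start/action',
  'Microsoft.Compute/virtualMachines/read',
  'Microsoft.DesktopVirtualization/hostpools/read',
  'Microsoft.DesktopVirtualization/hostpools/write',
  'Microsoft.DesktopVirtualization/hostpools/sessionhosts/read',
  'Microsoft.DesktopVirtualization/hostpools/sessionhosts/write',
  'Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete',
  'Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read',
  'Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action'
) | ForEach-Object { $role.Actions.Add($_) }
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subId")
New-AzRoleDefinition -Role $role | Out-Null

# The first-party app shows as "Azure Virtual Desktop" (formerly "Windows Virtual Desktop");
# looking it up by application id avoids matching the similarly named Client / ARM Provider apps.
$sp = Get-AzADServicePrincipal -ApplicationId '9cdead84-a844-4324-93f2-b2e6bb768d07'
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope "/subscriptions/$subId"

# Verify: the service principal should hold only this role at subscription scope.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope "/subscriptions/$subId" | Select-Object RoleDefinitionName, Scope
```

The same role, without the write actions, is what Start VM on Connect for personal pools needs; the post links the Microsoft article for that case further down.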

The schedule for the scaling plan walks through General, Ramp-up, Peak hours, Ramp-down and Off-peak hours.

For ramp-up it is recommended to use breadth-first load balancing, to avoid a boot storm on a single session host, and to keep the "capacity threshold" at 50-60% so inactive session hosts start automatically to absorb the morning user sessions. Once ramp-up is complete, the day or peak hours can be switched to depth-first load balancing, which directs the few additional user sessions to existing session hosts without bringing up more session hosts unless needed, keeping compute cost down during the day once user sessions are stable.

During ramp-down we can leave depth-first load balancing but increase the capacity threshold to keep sessions on the existing session hosts. Off-peak hours at night use a high capacity threshold to keep the number of session hosts to a minimum overnight or at weekends.

We could also use a VM SKU that supports ephemeral disks to create a non-persistent host pool if the workload needs no persistent data for user sessions.

A useful feature of personal desktop pools is Start VM on Connect, which can now be achieved with a custom role (or the power-on VM role) assigned at the subscription level to the WVD/AVD identity, as described in the article below.

Set up Start VM on Connect for Azure Virtual Desktop | Microsoft Learn

Before Start VM on Connect was supported through an IAM role, it needed scripting, shown in the training article by Travis Roberts, who has authored a number of Azure trainings including IaC and AVD.

Auto Start and Stop Session Hosts in Windows Virtual Desktop Spring Update (ARM) Edition with an Azure Function - Ciraltos

Group Policy for the AD-joined session hosts –

The GPO for network properties prevents users from changing the network location, name and icon. Internet Connection Sharing can also be disallowed with the Prohibit ICS policy on the session hosts.

Disabling BITS peer caching stops session hosts from sharing downloaded content with other session hosts.

Instead of GPO, Endpoint Manager (EPM) can be used to enforce policy on Azure AD-joined session hosts, with the following limitations: no Wi-Fi policy from EPM, no Autopilot reset from the EPM console for AVD, and no remote wipe for AVD.

AVD high availability / DR and backup –

For a pooled desktop, HA is achieved by selecting an availability set or availability zones. That way, if one fault domain or zone is down, user sessions are redirected to the available VMs in the set or zone. Connecting resources or moving data between VMs in different zones does incur egress cost for the data transfer.

For the Azure Virtual Desktop (AVD) Disaster Recovery (DR) plan there are a few options for replicating the required resources to a secondary region. One option is Azure Site Recovery (ASR), which replicates the virtual machines and other resources to the secondary region. ASR can be configured for both active-passive and active-active replication.

Another option is to replicate the profile storage across regions. This can be done with Azure Blob Storage or Azure Files, depending on the type of profile storage in use. With the profile storage replicated, you can quickly spin up new VMs in the secondary region and point them at the replicated profiles. This can be faster and simpler than using ASR to replicate the VMs themselves.

However, if you choose to replicate only the profile storage, all other required resources (Active Directory domain controllers, DNS servers and the necessary network connectivity) must also be available in the secondary region. Any changes the AVD deployment needs (such as updating DNS records and load balancer configuration) must also be made so the secondary region can act as the primary in a failover.

In summary, both ASR and cross-region replication of the profile storage are valid options for AVD DR, but each has its own considerations and requirements. Which to use depends on the specific needs of your organization and the resources available in the secondary region.

Important URLs for reading - 


Enable Start VM on connect to AVD service principal to an az subscription

Set up Start VM on Connect for Azure Virtual Desktop | Microsoft Learn

 

Give session hosts in a personal host pool a friendly name

Azure Virtual Desktop personal desktop assignment type - Azure | Microsoft Learn

 

Azure Virtual Desktop diagnostics log analytics - Azure | Microsoft Learn

 

How to resolve Azure Advisor recommendations for AVD

Azure Advisor Azure Virtual Desktop Walkthrough - Azure | Microsoft Learn

 

URL to allow for AVD from firewall /proxy services

Required URLs for Azure Virtual Desktop | Microsoft Learn

 

AVD workload recommendations -

Session host virtual machine sizing guidelines for Azure Virtual Desktop and Remote Desktop Services | Microsoft Learn

 

Autoscale for AVD using the default RBAC Contributor role -

Announcing General Availability of Autoscale for Pooled Host Pools on Azure Virtual Desktop - Microsoft Community Hub

AVD create RemoteApp application group -

Manage application groups for Azure Virtual Desktop portal - Azure | Microsoft Learn

 

Cloud Cache for remote users with intermittent profile loss, similar to PVS

Cloud Cache Overview - FSLogix | Microsoft Learn

 

Prepare and customize VHD image for AVD

Prepare and customize a VHD image of Azure Virtual Desktop - Azure | Microsoft Learn


AVD Accelerator lessons learned.

AVD Accelerator: Lessons learned | David Pazdera (pazdedav.blog)


MSIX app attach video reference by Dean

MSIX AppAttach Portal | Azure Virtual Desktop - YouTube


Automating AVD image AIB

Unlock The Secret of Image Builder Master Class - YouTube


AVD scaling plan configuration with the help of an Automation account, Run As account, Logic Apps and an execution schedule.

Set up scaling of session hosts using Azure Automation and Azure Logic Apps for Azure Virtual Desktop - Azure | Microsoft Learn



WVD Scaling script RDS-Templates/basicScale.ps1 at master · Azure/RDS-Templates (github.com)
