Sunday 29 December 2019

Deploy management tool for Windows Virtual Desktop host pools

I've been test driving Windows Virtual Desktop recently and I'm impressed with what I've seen. I've blogged about my experience here. I have noticed however that I can create a host pool in the Azure Portal but I can't see it or manage it afterwards in the portal. 



I can see the VMs but not the host pool. 



Try it yourself. Have a look at All Resources. You won't find anything related to Windows Virtual Desktop or host pools.

So how do we manage WVD? We have two options. We can manage the host pool using PowerShell (see here for a full list of cmdlets) or we can create our own management user interface. It's very easy. Microsoft have already provided a sample, which is an Azure Resource Manager template. Admins are encouraged to customize to suit their requirements. 

Here's how it works.

Navigate to the ARM template on GitHub



Scroll down and select Deploy to Azure. You'll need permissions to create resources in your Azure subscription.


Enter the parameters (subscription, resource group, admin account). Give the application a unique name.


The deployment is under way and you can see the resources being created.


The deployment has completed. Now we need to launch the tool.


First, ensure that Users can consent to apps accessing company data on their behalf.


Where do we get the URL for the tool? Have a look in All Resources and find the application that you have just created.


You'll find the URL on the top right corner. It's of the format https://yourappname.azurewebsites.net. Browse to the URL and sign in with the host pool owner.


Grant permission to access WVD.


Choose your Tenant Group from the drop-down arrow and you have access to the host pool.


You can now manage the host pool. See how you can add or drain a host and see details of user sessions.

I hope you find this useful. Until next time.





Tuesday 17 December 2019

Use FSLogix Containers for Windows Virtual Desktop profiles

Recently I published a blog post of my first experience with Windows Virtual Desktop. In this post we'll look at how to integrate with FSLogix containers for profile management. This is now the recommended profile management solution for WVD. The User Profile Disk (UPD) solution has been around for a long time (introduced in Windows Server 2012). However it is scheduled for deprecation. This was inevitable since Microsoft acquired FSLogix in 2018.

So what is FSLogix all about? 

Remember roaming profiles? I've always hated them. They grow in size and out of control. When a user logs in the entire profile is copied from a central location to the desktop. This can takes ages and provides a very poor user experience. I've always seen roaming profiles as nothing but trouble so have avoided implementing them at all costs to avoid the 9am madness. 

FSLogix is designed to provide "roaming-profile-like" functionality in remote computing environments, such as WVD. When a user logs into a VM in the host pool, the FSLogix container is dynamically attached using a natively supported Virtual Hard Disk (VHD) or a Hyper-V Virtual Hard Disk (VHDX). The user profile is immediately available and appears in the system exactly like a native user profile. No data is actually copied so the performance and user experience are first class (which is why FSLogix have been the industry leader in this space for quite some time).

How do I buy FSLogix?

FSLogix is not licensed independently (and doesn't actually require a license key to install). It is included with many Microsoft licensing bundles (e.g. Microsoft 365 E3/E5). You can find the full list here.

Storage option

Where do we begin? The first thing we must do is decide where the FSLogix containers will be stored. There are a number of options in Azure.

You can use any of the following technologies:
  • Azure Files
  • Azure NetApp files
  • Storage Spaces Direct
You can read about these technologies and the pros and cons of each in the official Microsoft documentation.

For my testing I've decided to keep it simple. I'll use a traditional fileshare. Obviously this fileshare cannot be on one of the host pool VMs so I'll need another VM for that.


I created a new Azure VM (WVDShare).


It was on the same virtual network as my host pool VMs. It had a public as well as private IP address so I would be able to connect remotely via RDP.


DNS was already configured on this virtual network (that's the IP address of my DC). The VM was joined to the Active Directory domain.


I created an AD group and added my test user.


Finally I created a share (\\WVDShare\FSLogix) on the VM and assigned full control to the AD group.

Install and configure FSLogix

Next FSLogix had to be installed on all the VMs in the host pool. I only had three so I did this manually. However you could use a management tool like ConfigMgr to automate the installation.

The host pool VMs were not configured with public IP addresses by default so the easiest way to connect was via WVDShare which was on same virtual network but had a public IP address.


The FSLogix software was downloaded using this link

https://go.microsoft.com/fwlink/?linkid=2084562


The files were extracted.


I was interested in x64. I launched the installer (FSLogixAppsSetup.exe).


Accepted the license terms for the various components and started the installation.


The installation was short......


….and finished successfully.


The FSLogix folder structure.


App could be seen in "Programs & Features". It could now be configured - which really meant some registry changes.

Ran RegEdit as an administrator. Navigated to HKLM\Software\FSLogix.

Created a key named Profiles.

Created the following values for the Profiles key:

Name: Enabled
Type: DWORD
Value: 1


Name: VHDLocations
Type: Multi-String Value
Value: \\WVDShare\FSLogix


This told FSLogix where to save the user profile.


Unfortunately this gave me an error, although it seemed to work:

Data of type REG_MULTI_SZ cannot contain empty strings. Registry editor will remove any empty strings found. 


I don't like messy so I re-created the value as a string value and didn't get the error. After all I only had a single value.

The registry settings should then be configured on the other host pool VMS. This can be done with a GPO but for simplicity I just exported the key and imported to the other VMs. 


See the local groups created by the installation. By default the Include group contains "Everyone" and the Exclude group contains the "Administrator" account.

Members of the Include group are subject to the FSLogix policy. Members of the Exclude group are not.

User Experience

All the configurations had been carried out so I just needed to log in to the host pool to see the profile management solution working. However it didn't work for me first time. I didn't see anything in the \\WVDShare\FSlogix folder.

I followed this procedure to configure logging.

HKLM\Software\FSLogix\Logging

Name: LoggingEnabled
Type: DWORD
Value: 2



This was the log file I needed.


There was my answer. 

"Local profile already exists. Do nothing".

I hadn't read anything in the docs about local profiles and the fact that they should not exist for the FSLogix solution to function. However when I looked further I found it in this troubleshooting doc.


I deleted the local profile and signed in again.


This looked a little better.


I created a file on the desktop of GH-2.


Signed out of the VM. Looks like the profile was being saved to the FSLogix container.

 

I signed in to the host pool again. This time I got GH-0 and there was my file on the desktop - cool.


Finally I could see content in the FSLogix share.


It's a VHD as expected.

I really like the integration of FSLogix and WVD. It's very effective and really easy to set up and configure. I hope this helps you to do the same.

Until next time.....

Thursday 28 November 2019

Test driving Windows Virtual Desktop

This week I've been working with Windows Virtual Desktop (WVD) for the first time. Microsoft announced General Availability in September and I'm just getting to it now. I think it's great. What's not to like? We can now deploy a Remote Desktop solution in Azure without having to worry about the underlying infrastructure (RD Gateway, an RD Connection Broker, and RD Web Access).

I've captured my experience in this blog post. It's pretty long so I've divided it into the following sections to make it easier to read.
  • What is Microsoft Windows Virtual Desktop?
  • Is it the same as Microsoft Managed Desktop?
  • Windows Virtual Desktop prerequisites
  • Setting up Windows Virtual Desktop
  • Working with Windows Virtual Desktop
  • Advanced configuration (with RemoteApp, FSLogix containers and MSIX App Attach)

What is Windows Virtual Desktop?

WVD allows you to deploy and scale virtualized Windows desktops and apps on Azure. It can be deployed in minutes and offers simplified management, multi-session Windows 10 and optimizations for Office 365 ProPlus. We can deploy VMs with Windows 10 or Windows Server 2016. We can also use our own custom Windows 7 images. As an added bonus this includes free extended support for Windows 7 (extended security updates for three years). That's a no-brainer.

Is this the same as Microsoft Managed Desktop?

No, Microsoft Managed Desktops is something different. This is also a cloud service but Microsoft will manage Windows 10 and Office 365 ProPlus on your hardware. Obviously Microsoft will only support this on a specific list of devices.

This service includes the management of:
  • hardware (once it's on the approved list and registered)
  • software updates
  • Office 365 ProPlus and LOB apps as appropriate
  • end user device deployment
  • security monitoring and response

OK, so back to WVD.

Windows Virtual Desktop Prerequisites

There are some requirements before you can get started.
  • Licenses - you should consult the official docs  but I have Microsoft 365 E3 for testing.
  • Obviously we need an Azure subscription - this will cost you money (but not too much).
  • User accounts - you'll need to nominate a WVD Tenant Creator and some test host pool users.
  • You need to decide what directory services you will use to support your infrastructure. You can use Azure AD, DC hosted in Azure or a DC hosted on premises with a VPN to Azure. The Azure VMs that you create can be AD-joined or hybrid AD-joined (not Azure AD-joined.
  • Azure network - you need to have a virtual network in Azure. Remember you don't configure DHCP in Azure virtual networks. IP addressing is dynamic based on the assigned subnet. 

  • I'm using a DC hosted in Azure so I configured a static DNS record for the DC in the properties of the virtual network. This way my VMs will be able to join the domain.
  • Download and install the Windows Virtual Desktop PowerShell module. Launch PowerShell as administrator and run:
         Install-Module -Name Microsoft.RDInfra.RDPowerShell
  •  Then import the module:
          Import-Module -Name Microsoft.RDInfra.RDPowerShell

Setting up Windows Virtual Desktop

Now let's get started setting up the environment. The first thing we need to do is to allow Windows Virtual Desktop services to access the Azure AD tenant. For this we'll need the tenant ID (also referred to as Directory ID).


We can get the Directory ID in the properties of Azure Active Directory. Copy it be clicking on the blue box to the right. You'll need this a couple of times during this process.


Now navigate to https://rdweb.wvd.microsoft.com (this is Windows Virtual Desktop services). Add your tenant ID and click Submit for the Server App.


Accept that you are granting permissions to WVD.


This was successful.


Repeat the process for the client app.


Accept the permissions.

Enjoy the success. Now that we've granted access to Azure AD we need to grant permissions to a user to create a Windows Virtual Desktop tenant. Essentially we'll assign the "TenantCreator" role to a user account.

We do this in the Azure Portal.


Navigate to Azure Active Directory and select Enterprise Applications.


Select Windows Virtual Desktop and choose Users and Groups.


Select Add User and add the lucky user who will create the WVD tenant. I've chosen Fred. See that he is now a TenantCreator.

Now we'll create the WVD tenant. Remember we copied the tenant ID earlier (aka Directory ID). We're going to need it again. We'll also need the Azure Subscription ID.


It's easy to find. Navigate to your Subscriptions using the search.


You'll find the subscription ID. Now's let's create the WVD tenant. We do that using PoSH. Sign in to Windows Virtual Desktop by using the TenantCreator user account with this cmdlet:

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

Create a new Windows Virtual Desktop tenant associated with the Azure Active Directory tenant (you'll choose a tenant name and replace the bracketed values with your tenant ID and subscription ID):

New-RdsTenant -Name <TenantName> -AadTenantId <DirectoryID> -AzureSubscriptionId <SubscriptionID>


The WVD tenant has been created. Now we'll deploy a host pool of virtual desktops. Sign into the Azure Portal and select Create a Resource.


Search for Windows Virtual Desktop and select Windows Virtual Desktop - Provision a host pool.


Choose to Create a host pool. There are four pages of details to configure.


The first page has some basics.
  • Choose the subscription that you want to use (there will be a cost).
  • Select a Resource Group. It needs to be empty so you'll probably create a new one here.
  • Select your region.
  • Enter a name for the host pool.
  • Choose the desktop type. Personal is where every user has a dedicated VM. I've chosen pooled.
  • Configure the users that will log into these VMs (comma-separated list). Note that you'll also need to enter the TenantCreator here if he will need access. It is not automatic.


The next page is for our expected usage. This determines how many VMs will be deployed. Click Change Size if you want to change any VM details. I'm conscious of cost in my lab so I've done that. Also enter a prefix for the names of the VMs


The third page allows you to configure the VMs. Choose the following:
  • Image Operating System - I've chosen Windows 10 Enterprise multi-session with Office 365 ProPlus.
  • Disk type - I've chosen Premium SSDs for performance.
  • Domain join account and password - the account must already be configured on the domain. This requires password complexity so be careful here.
  • Domain and domain OU - remember the VMs must be able to find the DC
  • Virtual network and subnet - make sure your DNS configuration is in place.

The final page asks for the WVD tenant details. Enter the tenant name and the owner account details. That's Fred, who created the tenant.


Finally you're asked to review your configuration and then Create the host pool.


The deployment is underway. You can see the detailed steps.

The deployment has completed.



The VMs have been created......



…..and joined to the domain.

Working with Windows Virtual Desktop

There are two ways to access the WVD pool from a desktop.
  • Remote Desktop client
  • Browser (HTML5 client)
I'm going with the full client option. You can download from here


It's an MSI installer so just run and install as normal.


On the first launch you have to Subscribe to WVD.


Sign in as a permitted user.


Looks like we're in business.


I can see my WVD host pool......


….and I've signed into one of my VMs.


I can now work normally. I can browse to fileshares on one of my servers hosted in Azure.

Advanced WVD configuration

So what's next? We can get lot more advanced with WVD and I will when I have more time.

Management Tool

You cannot manage WVD host pools in the Azure portal. You can manage the pool using PowerShell or you can create you own management UI.

http://gerryhampsoncm.blogspot.com/2019/12/deploy-management-tool-for-windows.html

RemoteApp


We can create a RemoteApp app group and publish individual Start menu apps.

FSLogix profile containers

The WVD service offers FSLogix profile containers as the recommended user profile solution. 

http://gerryhampsoncm.blogspot.com/2019/12/use-fslogix-containers-for-windows.html

MSIX App Attach

MSIX app attach is where the application (stored in MSIX format on a central location) is attached to the operating system. After attaching, applications look and feel as locally installed to the user as well as the operating system.

That's it for now. I've enjoyed test driving Windows Virtual desktop. You can get more information in the official docs

Until next time.......