Windows Virtual Desktop technical walkthrough, including other (un)known secrets you did not know

Copper Contributor

Windows Virtual Desktop technical walkthrough, including other (un)known secrets you did not know about the new Microsoft-Managed Azure Service

 

A lot of you know that Windows Virtual Desktop is now public preview. Lots of people wrote articles about it, and so did I. Most articles are covering information that is available everywhere, or just a subset of the service…

 

“If You Never Try, You'll Never Know”Ben Francia

 

With this article, I’d like to cover the things you might not have caught. Some are deep(er) technical points, while some are just not part of the public message but still way too important not to share. It’ll hopefully help you as consultant or architect to bring the technical (and functional) message around Windows Virtual Desktop to your customers :smiling_face_with_smiling_eyes:!

 

Continue reading…

 

Cloud learning

If you are learning on Azure right now and want to quickly increase your brains with awesome cloud-related knowledge, as part of Project Byte-Sized we are releasing a new community book – covering Cloud principles and best practices in June. After a period of 3 months, we received a total number of 145 submissions from all over the globe (19 countries). Altogether 140 people contributed resulting in 300+ pages, which we think is truly awesome.

 

Catch a sneak preview here, so you know what names you can expect. It can help you gain knowledge from the best people in the community!

 

The Desktop-As-a-Service market is growing

Garner and IDC expect a potential growth of 50% in the year 2019 of new DaaS customer choosing it over traditional VDI, pushing DaaS over 3 billion in revenue by the end of this year. The EUC/VDI community acknowledged this number. During our relatively small Byte-Sized Community survey, we asked almost 200 independent people if they already use Desktop-As-a-Service solutions and if they expect that Windows Virtual Desktop will have a major impact on DaaS going forward.

 

“Q1 - Are you considering Desktop-As-a-Service (DaaS) anytime soon?”

 

“Q2 - Once released, the Microsoft Windows Virtual Desktop #WVD will have a major impact on DaaS going forward“

 

 

What are the differences between traditional VDI and DaaS?

To help you understand how Desktop-As-a-Service (DaaS) and traditional VDI are different from each other, I’ve had made this comparison matrix:

 

 

Once more - What is Windows Virtual Desktop?

People that follow my blogs know that I explained the services and benefits earlier in this article. However, for the people who didn’t catch that yet, here is a short run-over.

 

 

Windows Virtual Desktop, or WVD in short - is a born in the cloud Desktop-As-a-Service platform service offering on top of the Microsoft Azure Cloud. All the infrastructure services, such as brokering, web access, load-balancing, management and monitoring is all setup for you as part of the control plane offering. It also gives you access to the new Windows 10 Multi-User (EVD) Operating System – which is completely optimized for the sake of Office 365 ProPlus services, such as Outlook, OneDrive Files on Demand (per-machine), Teams etc.“

 

The only responsibility in terms of management effort is the golden images on top of Azure

Infrastructure-As-a-Service (IaaS). The rest is all managed for you through the Azure service SLAs. Sounds pretty cool, right?

 

Let’s first start with the things you might not know about it

For the people who lived offline the past 2 months, here are some things you must know before you start reading this article!

 

  • Windows Virtual Desktop gives you the only multi-user Windows 10 experience, including compatibility with Microsoft Store and existing Windows line-of-business apps, while delivering cost advantages.
  • Allows you to virtualize both Full desktops and RemoteApps.
  • You can also use to for persistent Windows 10 – single user virtual desktops.
  • WVD will support Windows 7 virtual desktops and is the only way you can safely run Windows 7 after its End of Life on 14 January 2020. Windows 7 desktops on WVD will be the ONLY systems that receive free extended security updates.
  • Customers with the following license SKUs are entitled to use WVD with no additional charge apart from Azure compute, storage, and network usage billing:
    • To run Windows 10 multi-session, Windows 10, or Windows 7
      • Microsoft 365 F1, E3, E5, A3, A5, Business
      • Windows 10 Enterprise E3, E5
      • Windows 10 Education A3, A5
      • Windows 10 VDA per user
    • To run Windows Server 2012 R2, 2016, 2019
      • Remote Desktop Services (RDS) Client Access License (CAL) with active Software Assurance (SA)
  • Windows Virtual Desktop session host VMs are not exposed to the internet directly. They can run using a private IP address and run isolated from other workloads or even the internet. The reverse connect technology allows the VMs to be accessed
  • When a user connects to the WVD service, the use of Azure Active Directory (AAD) as the identity provider allows you to leverage additional security controls like multifactor authentication (MFA) or conditional access;
  • Deeply integrated with the security and management of Microsoft 365, such as Intune Modern Management
  • From a best practices point of view; Make sure all Azure resources are in the same region
  • All the Nvidia vGPU graphical enhanced n-series virtual machines on Azure are supported with Windows Virtual Desktop as well!
  • Citrix is adding their own Citrix Cloud stack as well to Windows Virtual Desktop, think about the Workspace experience and other services.
    • Expect updates around this during Synergy later this month!

 

RemoteApp (On Azure) is back

Azure RemoteApp was a great technology, but due to some problems it never took off and Microsoft decided to deprecate the service. Citrix Essentials was the replacement for certain use-cases in Azure IaaS as part of the Microsoft + Citrix increased partnership to emphasize the digital transformation to the Cloud.

 

Now, RemoteApp will be back in terms of functionality. The code is rewritten, and lessons learned from the past are used to improve the product. In case you were wondering about Windows 10 Multi-User, the answer is yes - you can use it with a RemoteApp solution.

One of the most interesting use-cases is consolidating your Win32 apps in Azure and place icons on the endpoint’s desktop - start menu and/or tiles in the start screen! The user doesn't see/know whether the app is locally installed or is running a RemoteApp in Azure. I personally think that this use-case will be very important for future Windows Virtual Desktop customers!

 

See below how fast and easy it works in conjunction with FSLogix/Microsoft Profile Containers as Profile Management solution!

 

 

The architecture behind it all

The first step that you must do is the create the master image, or golden image in Citrix terms. Most often, this will be based on the new Windows 10 Enterprise for Virtual Desktops (Multi-User) Operating System, which is now available from the Azure Marketplace. After enrolling the server, you can start installing the application on the machine. When you’re done, you must capture the machine as an image to use as a base for your Windows Virtual Desktop deployment.

 

The Microsoft-managed control-plane is a completely redesigned infrastructure which leverages native Azure platform services to scale automatically. Think about Azure traffic manager for managing the RDP connection, Azure App Services in Azure for hosting the infrastructure services, and Azure SQL DB for hosting the RDS Brokering databases. Leveraging these services is the main reasons why this service is so cost-effective, which is the purpose of the Cloud and what it’s built for!

 

 

WVD User connection Traffic Flow

To give you a better understanding of how Windows Virtual Desktop connections work, I’m sharing the traffic flow. This is also useful for troubleshooting purposes.

Connecting from your endpoint to your Host Pool (session hosts in Azure Infrastructure-As-a-Service) works differently with Windows Virtual Desktop. It uses Reverse Connect, which means that no inbound ports need to be opened on the VM to setup the RDP connection.

 

Once the connection flow proceeds, bidirectional communication between your session hosts/host pool will go over port https (443). This port is almost always open from the inside to the outside, so it’s perfect for a remote connection to Windows Virtual Desktop!

 

See below in more depth how the traffic flow works.

 

  • User launches RD client which connects to Azure AD, user signs in, and Azure AD returns token
  • RD client presents token to Web Access, Broker queries DB to determine resources authorized for user
  • User selects resource, RD client connects to Gateway
  • Broker orchestrates connection from host agent to Gateway

 

RDP traffic now flows between RD client and session host VM over connections 3 and 4

 

Note: Windows Virtual Desktop can be used as worldwide service depending on your location and the location of the VMs. The control-plane persists currently in the US – east US 2 to be specific, however, your host pool can exist everywhere. Just remember your performance using a host pool outside of the US might vary until the control plane is added to other regions. If you set up a host pool in a non-US location with the US control plane, you will automatically switch to the local control plane when it’s rolled out for your region.
 

 

Migrate existing machines to Windows Virtual Desktop

Migrating from your current Remote Desktop Solution – RDS environment to Windows Virtual Desktop is relatively easy. You could use Azure Site recovery to migrate your server infrastructure to Azure. Follow the next 5 steps after that and sessions can be launched via Windows Virtual Desktop.

 

Note: There are also ARM Templates available to automate the creation of the RDS Infrastructure components.

 

  1. Register / create host pool within Windows Virtual Desktop
  2. Install RD Agent on session host
  3. Agent registers with Windows Virtual Desktop
  4. Decommission your old environment
  5. Ready to launch your session!
As part of this article, I'm showing al the manual steps of deploying a custom Windows 10 Multi-User (EVD) image in Azure and connect them to the Broker. This is the same procedure that you've to follow when you are using an existing image prior to preparation for the usage as part of Windows Virtual Desktop. The steps are starting here.
 

 

Windows 10 Multi User - Sizing templates

Having the best end-user experience for your users is probably one of the most important goals when using Desktop-As-a-Service. Though the cloud takes over a lot of management tasks after a migration, you’ll still need to handle image management. The following matrix gives a good baseline on how your Windows 10 Enterprise for Virtual Desktops (CVAD) must be sized for 4 types of users. The amount of data in your profile is depending on your settings, think about Outlook retention slider settings for example. Due to the support of OneDrive Files On-Demand, the storage allocation for files sync should be minimal.

 

The Windows Virtual Desktop Host Pool enrollment of the Azure Marketplace also advises your which Virtual Machine SKU in Azure fits best for the number of users you need / going to use.

 

Microsoft Teams (and OneDrive) per-Machine is available for VDI!

Microsoft just released a new Per-Machine (Machine-Wide) version of Teams, and will place the Teams application back to the Program Files directory. Currently, this per-machine version is only available for RDS, Citrix or VMware VDI machines. The Windows Virtual Desktop - Windows 10 Multi-User OS will follow soon as well as the video and audio offloading agent. Though it's too important not to share, so that's why I included the release in this article. Follow up here. OneDrive Per-Machine is currently working as of today on Windows 10 Multi-User - the steps for doing this are listed here.
 
Note: Teams can be used in a VDI environment for chat and collaboration, but audio / video features are currently not supported. For admins who would like to deploy Teams for chat / collab only. Please follow up with this official Microsoft Docs article to disable Audio and Video from the Teams program with policies. 
 
New Per-Machine installation locations are:
 
Teams installation folder location – %ProgramFiles(x86)%\Microsoft\Teams\
OneDrive installation folder location – %ProgramFiles(x86)%\Microsoft OneDrive\
 

 

OneDrive per-Machine is (also) available

By default, the OneDrive sync client installs per user on Windows, meaning OneDrive.exe needs to be installed for each user account on the PC under the %localappdata% folder. With the new per-machine installation option, you can install OneDrive under the “Program Files (x86)” directory, meaning all profiles on the computer will use the same OneDrive.exe binary.

 

New Azure Portal - Management Console

Windows Virtual Desktop (WVD) is just released in Public Preview. What it also means is that the product will be improved before the GA release later this year.

 

Currently, there are some manual PowerShell tasks needed to assign Desktops and RemoteApps to your end-users or groups when you enroll in a WVD environment. Another thing that is missing in the public preview is a management console in the Azure Portal.

 

Both tasks will be simplified, and to give you a sneak preview – the following Azure Portal integration console will be part of the native solutions soon. It gives you the ability to manage and maintain desktop and RemoteApp assignments, check and change virtual machine status more.

 

Note: The new WVD management Portal below will be released after the GA date of Windows Virtual Desktop. 

 

Walkthrough Guidance: How to enroll Windows Virtual Desktop on Azure

In the next steps, I'll explain how you enroll Windows Virtual Desktop from scratch with a customer created Windows 10 Enterprise for Virtual Desktop (Multi-User) image among tips and tricks.

Pre-requisites for Windows Virtual Desktop

The following requirements are needed for the use of Windows Virtual Desktop on Azure.
  • Entitled for licensing
  • Azure Subscription
    • Azure Active Directory setup
    • Global Administrator rights
      • Granting consent to the WVD service / Azure AD Enterprise Applications
    • Azure AD Connect
    • ADFS (optional for the best SSO end-user experience)
  • Domain controller
    • This AD must be in sync with Azure AD so users can be associated between the two
    • VMs must domain-join this AD
    • Optional: Azure AD Domain Services (in replacement for domain controller)
  • Profile Containers network share (S2D cluster recommended)
  • Network must route to a Windows Server Active...Directory (AD)
    • Optional: Networking/on-prem connectivity – express route, VPN, etc.

Read the rest of the Windows Virtual Desktop walkthrough here:

https://www.christiaanbrinkhoff.com/2019/05/03/windows-virtual-desktop-technical-walkthrough-includi...

 

Hope to see you back soon – and feel free to leave a comment if you’ve any questions.
 
Thank you, Christiaan Brinkhoff
2 Replies

@Christiaan Brinkhoff 

Thank you for your technical walkthrough.

 

We should control traffics between the WVD hostpool VMs and Internet by Network Virtual Appliance(NVA) deployed on Azure.

After we applied user defined route 0.0.0.0(nexthop: NVA) to the WVD hostpool VMs subnet, the access to the WVD hostpool VMs were stopped.

 

Could the WVD Broker and Gateway access via NVA to control the WVD hostpool VMs?

 

Best regards,

do we need to install teams individually for all users in my WVD environment? As i have only one session-host and i installed teams into it but the other users are not able to see the application. can you please help out with this? @Christiaan Brinkhoff