avdupdate
57 Topics

Insider Preview: Single sign-on and passwordless authentication for Azure Virtual Desktop
Today we’re announcing the Insider preview for enabling an Azure AD-based single sign-on experience and support for passwordless authentication, using Windows Hello and security devices (like FIDO2 keys). With this preview, you can now:

- Enable a single sign-on experience to Azure AD-joined and Hybrid Azure AD-joined session hosts
- Use passwordless authentication to sign in to the host using Azure AD
- Use passwordless authentication inside the session
- Use third-party Identity Providers (IdP) that integrate with Azure AD to sign in to the host

Getting started

This new functionality is currently available in Insider builds of Windows 11 22H2, available in the Azure Gallery when deploying new session hosts in a host pool. Want a quick overview of the new functionality? Watch this intro video on Azure Academy!

To get started with single sign-on, follow the instructions to Configure single sign-on which will guide you in enabling the new authentication protocol. To start using Windows Hello and FIDO2 keys inside the session, follow the instructions for In-session passwordless authentication to use the new WebAuthn redirection functionality.

Learn more about the authentication methods supported by Azure Virtual Desktop, including single sign-on, on our Identities and authentication page.

Stay tuned for news about the upcoming public preview which will add support for Windows 10 and current Windows 11 hosts.

Collect and query Graphics Data for Azure Virtual Desktop connections – Now in Public Preview
Graphics data logs for Azure Virtual Desktop are in public preview! You can now set up the diagnostics table in Azure Log Analytics and collect graphics data for your Azure Virtual Desktop connections.

The graphics data table generates information whenever end-to-end delay and dropped frames percentages fall below a healthy threshold for Azure Virtual Desktop. This table helps administrators understand factors across the server, client, and network that could be contributing to slow or choppy experiences for a user.

Set up

To start collecting graphics data, you’ll need to ensure your Azure Virtual Desktop host pools have diagnostics enabled and that the Connection Graphics Data Logs Preview table is selected. You can check and modify these settings in the Azure Portal:

1. Visit your Azure Virtual Desktop Host Pools in the Azure Portal.
2. Select the host pool where you’d like to set up network data, then select Diagnostic settings.
3. Select Edit setting, or +add diagnostic setting if you don’t have a diagnostic setting already.
4. Select allLogs or the individual categories you would like to collect.
5. Confirm Connection Graphics Data Logs Preview is selected.
6. Select a destination (Log Analytics workspace for Azure Virtual Desktop Insights users)
7. Save and repeat for other host pools.

Sample queries

You can run these sample Kusto queries in the Log Analytics query editor. For each query, replace alias@domain, start_time, end_time, VmName, or HostPoolName with the information you would like to search for.

Search graphics data by a specific user or users

    // Query for a specific user or group of users
    let Users = datatable(User:string)
    [
        "alias@domain.com",
        "alias@domain.com"
    ];
    WVDConnectionGraphicsDataPreview
    // Add user, session host, protocol and gateway region from the connections table
    | join kind = leftouter (
        WVDConnections
        | extend Protocol = iff(UdpUse in ("<>", "0"), "TCP", "UDP")
        | extend GatewayRegion = iff(GatewayRegion in ("<>", ""), "Unknown", GatewayRegion)
        | summarize GatewayRegion = take_anyif(GatewayRegion, GatewayRegion != "Unknown") by CorrelationId, UserName, SessionHostName, Protocol
    ) on CorrelationId
    | where UserName in (Users)
    | project-away CorrelationId1
    | project-reorder TimeGenerated, UserName, Protocol, GatewayRegion, SessionHostName

Search graphics data in a specific time range

    // Query for a specific time range
    let start_time = todatetime('2022-09-01 00:00:00.0');
    let end_time = todatetime('2022-09-15 00:00:00.0');
    WVDConnectionGraphicsDataPreview
    | join kind = leftouter (
        WVDConnections
        | extend Protocol = iff(UdpUse in ("<>", "0"), "TCP", "UDP")
        | extend GatewayRegion = iff(GatewayRegion in ("<>", ""), "Unknown", GatewayRegion)
        | summarize GatewayRegion = take_anyif(GatewayRegion, GatewayRegion != "Unknown") by CorrelationId, UserName, SessionHostName, Protocol
    ) on CorrelationId
    | where TimeGenerated between (start_time .. end_time)
    | project-away CorrelationId1
    | project-reorder TimeGenerated, UserName, Protocol, GatewayRegion, SessionHostName

Search graphics data for a specific session host

    // Query for a specific Session Host
    let VmName = "";
    WVDConnectionGraphicsDataPreview
    | join kind = leftouter (
        WVDConnections
        | extend Protocol = iff(UdpUse in ("<>", "0"), "TCP", "UDP")
        | extend GatewayRegion = iff(GatewayRegion in ("<>", ""), "Unknown", GatewayRegion)
        | summarize GatewayRegion = take_anyif(GatewayRegion, GatewayRegion != "Unknown") by CorrelationId, UserName, SessionHostName, Protocol
    ) on CorrelationId
    | where SessionHostName == VmName
    | project-away CorrelationId1
    | project-reorder TimeGenerated, UserName, Protocol, GatewayRegion, SessionHostName

Search graphics data for a specific host pool

    // Query for a specific Host Pool
    let HostPoolName = "";
    WVDConnectionGraphicsDataPreview
    | join kind = leftouter (
        WVDConnections
        | extend Protocol = iff(UdpUse in ("<>", "0"), "TCP", "UDP")
        | extend GatewayRegion = iff(GatewayRegion in ("<>", ""), "Unknown", GatewayRegion)
        | summarize GatewayRegion = take_anyif(GatewayRegion, GatewayRegion != "Unknown") by CorrelationId, UserName, SessionHostName, Protocol
    ) on CorrelationId
    | where extract("/subscriptions/.*/resourcegroups/.*/providers/.*/hostpools/(.*)", 1, _ResourceId) == HostPoolName
    | project-away CorrelationId1
    | project-reorder TimeGenerated, UserName, Protocol, GatewayRegion, SessionHostName

Query all graphics data and correlate with username, protocol, gateway region, and session host name

    // Query all rows from graphics data table and add username, protocol,
    // gateway region, and session host name information from connections table
    WVDConnectionGraphicsDataPreview
    | join kind = leftouter (
        WVDConnections
        | extend Protocol = iff(UdpUse in ("<>", "0"), "TCP", "UDP")
        | extend GatewayRegion = iff(GatewayRegion in ("<>", ""), "Unknown", GatewayRegion)
        | summarize GatewayRegion = take_anyif(GatewayRegion, GatewayRegion != "Unknown") by CorrelationId, UserName, SessionHostName, Protocol
    ) on CorrelationId
    | project-away CorrelationId1
    | project-reorder TimeGenerated, UserName, Protocol, GatewayRegion, SessionHostName

Please feel free to submit feedback here or leave questions on this post! To learn more about the Connection Graphics Data Logs Preview and other connection quality resources, see Connection quality in Azure Virtual Desktop or our Network Data announcement from April.

PUBLIC PREVIEW: Announcing public preview of Azure AD joined VMs
We are excited to announce the public preview of Azure AD joined VMs support for Azure Virtual Desktop. This feature allows customers to easily deploy Azure AD joined session hosts from the Azure portal and access them from all clients. VMs can also be automatically enrolled in Intune for ease of management. Support for storing FSLogix profiles on Azure Files will be available in a future update.

Getting started:

The documentation to deploy Azure AD joined session hosts will guide you through the key steps needed to enable this functionality.

Collect and query Network Data for Azure Virtual Desktop connections
You can now collect network data for Azure Virtual Desktop connections using the NetworkData diagnostics table in Azure Log Analytics. The NetworkData table records round trip time and available bandwidth regularly throughout the connection (~ every 2 minutes). It has several benefits for Azure Virtual Desktop users over the RemoteFX network performance counters:

- Each record is connection-specific and includes the correlation ID of the Azure Virtual Desktop connection that can be tied back to the user
- The round trip time measured in this table is protocol-agnostic and will record the measured latency for TCP or UDP connections

Set up

The NetworkData table is only supported in commercial clouds. To start collecting network data, you’ll need to ensure your Azure Virtual Desktop host pools have diagnostics enabled and that the NetworkData table is selected. You can check and modify these settings in the Azure Portal:

1. Visit your Azure Virtual Desktop Host Pools in the Azure Portal.
2. Select the host pool where you’d like to set up network data, then select Diagnostic settings.
3. Select Edit setting, or +add diagnostic setting if you don’t have a diagnostic setting already.
4. Select allLogs* or the individual categories you would like to collect.
5. Confirm NetworkData is selected.
6. Select a destination (Log Analytics workspace for Azure Virtual Desktop Insights users)
7. Save and repeat for other host pools.

You can verify data is flowing by returning to the host pool page, selecting Logs, and running one of the sample queries below. Users must be connecting to generate data, and the data may take up to 15 minutes to show up in the Azure Portal.

Sample queries

You can run these sample Kusto queries in the Log Analytics query editor or find them using the QoE label. For each query, replace alias@domain with the alias of the user you want to look up.

Query average RTT and bandwidth:

    // 90th, 50th, 10th Percentile for RTT in 10 min increments
    WVDConnectionNetworkData
    | summarize RTTP90=percentile(EstRoundTripTimeInMs,90),RTTP50=percentile(EstRoundTripTimeInMs,50),RTTP10=percentile(EstRoundTripTimeInMs,10) by bin(TimeGenerated,10m)
    | render timechart

    // 90th, 50th, 10th Percentile for BW in 10 min increments
    WVDConnectionNetworkData
    | summarize BWP90=percentile(EstAvailableBandwidthKBps,90),BWP50=percentile(EstAvailableBandwidthKBps,50),BWP10=percentile(EstAvailableBandwidthKBps,10) by bin(TimeGenerated,10m)
    | render timechart

Query available bandwidth for a specific user:

    let user = "alias@domain";
    WVDConnectionNetworkData
    | join kind=leftouter (
        WVDConnections
        | distinct CorrelationId, UserName
    ) on CorrelationId
    | where UserName == user
    | project EstAvailableBandwidthKBps, TimeGenerated
    | render columnchart

Query available RTT for a specific user:

    let user = "alias@domain";
    WVDConnectionNetworkData
    | join kind=leftouter (
        WVDConnections
        | extend Protocol = iff(UdpUse in ("0","<>"),"TCP","UDP")
        | distinct CorrelationId, UserName, Protocol
    ) on CorrelationId
    | where UserName == user
    | project EstRoundTripTimeInMs, TimeGenerated, Protocol
    | render columnchart

Top 10 users with the highest RTT:

    WVDConnectionNetworkData
    | join kind=leftouter (
        WVDConnections
        | distinct CorrelationId, UserName
    ) on CorrelationId
    | summarize AvgRTT=avg(EstRoundTripTimeInMs),RTT_P95=percentile(EstRoundTripTimeInMs,95) by UserName
    | top 10 by AvgRTT desc

Top 10 users with the lowest available bandwidth:

    WVDConnectionNetworkData
    | join kind=leftouter (
        WVDConnections
        | distinct CorrelationId, UserName
    ) on CorrelationId
    | summarize AvgBW=avg(EstAvailableBandwidthKBps),BW_P95=percentile(EstAvailableBandwidthKBps,95) by UserName
    | top 10 by AvgBW asc

Glossary:

- Estimated available bandwidth (kilobytes per second): The average estimated available network bandwidth over the last connection time interval.
- Estimated round trip time (milliseconds): The average estimated time it takes for a network request to go from the end user device, over the network to the session host, and back to the end user device over the last connection time interval.
- Correlation ID: The activity ID of the Azure Virtual Desktop connection that can be correlated with other diagnostics from that connection.

Thank you, and please feel free to submit feedback here or leave questions on this post!

Signing in to Azure AD using smart cards now supported in Azure Virtual Desktop
For those of you who use smart cards to help increase the security of your environment, Azure Virtual Desktop now supports signing in to Azure AD with smart cards. While this isn't a new feature for Azure AD, configuring Active Directory Federation Services to sign in with smart cards is now supported in Azure Virtual Desktop. To get started, have a look at the newly updated Authentication page for Azure Virtual Desktop.

RDP Shortpath for managed networks is generally available!
Another day, another release! Today I'm thrilled to announce that RDP Shortpath for managed networks is now generally available. This feature enables the client and session host to establish a direct and secure connection using a high-performant and reliable UDP-based transport.

Key benefits of Shortpath for managed networks are:

- Reliability - RDP Shortpath transport uses highly efficient Universal Rate Control Protocol (URCP). URCP dynamically learns about network parameters and uses RDP-specific congestion control. URCP adds an enhanced error correction and flow control that is designed for networks that are known to experience sporadic and temporary losses, such as wireless networks or wide area networks with dynamic routing.
- Performance - URCP operates at low delay and loss levels as needed by Remote Desktop. URCP achieves the best performance by dynamically learning network parameters and providing the protocol with a rate control mechanism.
- RDP Shortpath establishes the direct connectivity between Remote Desktop client and Session Host. Direct connectivity reduces the dependency on the gateways, improves the connection's reliability, and increases the bandwidth available for each user session. The removal of additional relay reduces the round-trip time, which improves user experience with latency-sensitive applications and input methods.
- RDP Shortpath brings support for configuring Quality of Service (QoS) priority for RDP connections through Differentiated Services Code Point (DSCP) marks.
- RDP Shortpath transport allows limiting outbound network traffic by specifying a throttle rate for each session.

This release is part of a series of RDP transport improvements. Stay tuned for more previews and releases coming soon!

Next steps

Learn more in the networking section of Azure Virtual Desktop documentation:

- Understanding Azure Virtual Desktop network connectivity
- Azure Virtual Desktop RDP Shortpath for managed networks
- Implement Quality of Service (QoS) for Azure Virtual Desktop

Public Preview: Intune user configuration for Windows 11 multi-session VMs
Today we’re announcing the public preview for deploying Microsoft Intune user configuration from Microsoft Endpoint Manager admin center to Azure Virtual Desktop Windows 11 multi-session virtual machines (VMs). This is in addition to the recently announced general availability of device configuration for multi-session VMs. With this preview, you can now configure:

- User scope policies using the Settings catalog
- User certificates via Templates
- PowerShell scripts to run in the user context

Getting started

This new functionality is available in the Intune 2206 release and you must install the 2206 Cumulative Update for Windows 11 (KB5014697) on your session hosts.

Learn more about the recommended ways to manage your Azure Virtual Desktop session hosts on our management page. To get started, follow the instructions to use Azure Virtual Desktop multi-session with Intune which will guide you in creating new user configurations.

Stay tuned for news about the upcoming support for Intune user configuration on Windows 10 multi-session VMs.

A better printing experience for Azure Virtual Desktop with Universal Print
Both Azure Virtual Desktop and Universal Print offer solutions that allow organizations to simplify their IT infrastructure and lower their costs. They also allow users to access their organization’s resources virtually anywhere. The upcoming Windows 11 22H2 release will offer an improved printing experience that combines the benefits of Azure Virtual Desktop and Universal Print for Windows 11 multi-session users.

Experience improvements

There are three improvements that streamline the printing experience on virtualized shared desktops.

Printers are installed as part of the user profile

Instead of printers being installed as a machine-wide resource (i.e., all installed printers are visible to all users who sign into the session host), printers are installed per user, so people see only those printers.

Printers roam with user profiles

When user profiles are configured to roam (e.g., using FSLogix), printers installed in one session will be automatically installed in other sessions for that person across session hosts. This behavior also works when people remove printers from their profile.

Location-based printer search uses the local device location

Instead of finding printers close to the location of the session host where the person is signed in (e.g., a VM hosted in a data center), the admin can configure location services so that printer search will find printers based on the location of the device the person is connecting from.

Try it and share your feedback

Try these improvements today on Windows 11 multi-session builds available through the Windows Insider Program. To deploy an Insider image from the Azure Gallery, select the Windows 11 version 22H2 Enterprise [multi-session], (Preview) image when deploying a new session host in Azure Virtual Desktop.

For more information, please visit https://aka.ms/AVDwithUniversalPrint

You can share your feedback or ask for assistance at https://aka.ms/UniversalPrintDiscussions

SSO using AD FS is now generally available!
We're excited to announce that single sign-on (SSO) using Active Directory Federation Services (AD FS) for Azure Virtual Desktop is now generally available! This feature allows customers who use AD FS to configure their host pool to enable a single sign-on experience, removing the second credential prompt for the session host. This functionality is supported when using the Windows Desktop and web clients.

Getting started:

The documentation to configure AD FS single sign-on will guide you through the key steps needed to enable this functionality including:

- Configuring your certificate authority to issue certificates
- Configuring your AD FS server with a relying-party trust
- Configuring your Windows Virtual Desktop host pool to enable SSO

This functionality is available in the Azure Commercial cloud and will soon be available in other Azure clouds.