Windows IT Pro Blog

Getting started with Windows Virtual Desktop

PieterWigleven
Mar 29, 2019

Updated 12/20/2019

With Windows Virtual Desktop now generally available (GA), we wanted to provide a quick overview of the steps required to get your environment up and running.

Before I begin, however, I’d like to take a few moments to explain what Windows Virtual Desktop is and how it can help you deploy and scale Windows and Office on Azure in minutes, with built-in security and compliance.

Windows Virtual Desktop is a comprehensive desktop and app virtualization service that runs in the cloud. Here is a quick list of some of the key features and functionality:

  • Infrastructure services like gateway, brokering, licensing, diagnostics are provided as a service in Azure. There’s no need to deploy and maintain any on-premises infrastructure.
  • Windows Virtual Desktop can leverage Azure Active Directory (Azure AD) as the identity provider, allowing you to leverage additional security controls like multi-factor authentication (MFA) or conditional access.
  • Once a user is connected to Windows Virtual Desktop service, access to Active Directory joined virtual machines (VMs) will be provided using Azure AD identities. In environments where Active Directory Federation Services (AD FS) is implemented for single sign-on (SSO), the user won’t be prompted for credentials when connecting to the VM, providing a seamless sign-on experience.
  • Reverse connect technology means your destination VM doesn’t need any inbound ports to be opened. Even the default RDP port, TCP/3389, doesn’t have to be open. Instead, an agent creates an outbound connection using TCP/443 into the Windows Virtual Desktop management plane. Azure is your reverse proxy for RDP traffic.
  • Virtual machines in Windows Virtual Desktop are not exposed to the Internet directly. They can run using a private IP address and run isolated from other workloads or even the Internet. (The reverse connect technology allows the VMs to be accessed.)
  • Windows Virtual Desktop introduces Windows 10 multi-session, allowing you to offer a Windows 10 Enterprise experience where multiple users can log into the same Windows client VM simultaneously via RDP. (Multi-session was historically only possible on Windows Server operating systems.)
  • Access to FSLogix technology, making your Office experience in a non-persistent environment feel like you are using a traditional PC.
  • Windows Virtual Desktop supports full desktop, RemoteApp, and persistent or non-persistent, dedicated or multi-session experiences.
  • Organizations with “Windows 10 Enterprise E3 Per User” licenses or better (e.g. Windows 10 Enterprise E5 or Microsoft 365 E3, E5, F1, or Business) or RDS CALs can use Windows Virtual Desktop for no additional charge apart from Azure compute/storage and network usage billing. Reserved instances can be used to reduce Azure costs up to 80%.
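As an added example (not code from the original post), here is an Az PowerShell audit that lists network security group rules allowing inbound TCP/3389 from the Internet, which reverse connect makes unnecessary for session hosts; it assumes the Az.Network module is installed and you have signed in with Connect-AzAccount.

```powershell
# Added example (not from the original post): find NSG rules that would expose
# RDP (TCP/3389) to the Internet. With reverse connect, session hosts only need
# outbound TCP/443 to the management plane, so any hit here deserves a review.
# Assumes the Az.Network module is installed and Connect-AzAccount has been run.
function Get-InboundRdpExposure {
    param([string]$ResourceGroupName)   # optional: limit the audit to one resource group

    $nsgs = if ($ResourceGroupName) {
        Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzNetworkSecurityGroup
    }

    foreach ($nsg in $nsgs) {
        foreach ($rule in $nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }

            # DestinationPortRange and SourceAddressPrefix are lists; a single entry
            # may be a port, a range such as 3000-4000, or '*'.
            $ports = @($rule.DestinationPortRange) | Where-Object { $_ }
            $hitsRdp = $ports | Where-Object {
                $_ -eq '*' -or $_ -eq '3389' -or
                ($_ -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le 3389 -and [int]$Matches[2] -ge 3389)
            }
            if (-not $hitsRdp) { continue }

            $sources = @($rule.SourceAddressPrefix) | Where-Object { $_ }
            $fromInternet = $sources | Where-Object { $_ -in @('*', 'Internet', '0.0.0.0/0') }
            if (-not $fromInternet) { continue }

            [pscustomobject]@{
                ResourceGroup = $nsg.ResourceGroupName
                Nsg           = $nsg.Name
                Rule          = $rule.Name
                Priority      = $rule.Priority
                Source        = ($sources -join ',')
                Ports         = ($ports -join ',')
            }
        }
    }
}

# Lists every offending rule across the current subscription; an empty result is the goal.
Get-InboundRdpExposure | Format-Table -AutoSize
```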

Now let’s move on to the steps you need to take to get started.

Windows Virtual Desktop prerequisites

To set up Windows Virtual Desktop, you will need a few resources and to complete a few initial setup steps:

  • An Azure subscription with sufficient credit (needed to host resources).
  • Download and install the Windows Virtual Desktop cmdlets for Windows PowerShell on a device.
  • Make sure your virtual network in Azure is configured in such a way that new VMs have your Domain Controller or Azure AD Domain Services (Azure AD DS) set as the DNS server (otherwise the domain join step will likely fail). For guidance on how to configure DNS when using Azure AD DS, see Enable Azure Active Directory Domain Services. For guidance on using a Domain Controller, see Name resolution for resources in Azure virtual networks.
  • Make sure all Azure resources are in the same region.
  • If you require seamless SSO (HTML5 client excluded), you will need AD FS or users will have to authenticate when gaining access to the VM. (Steps on how to enable this with AD FS will follow at a later stage.)
  • An Active Directory to which you can join your VMs. For this, you have three options:

    Option 1: Use Azure AD DS.
      • Pros: Great for test or isolated environments that do not need connectivity to on-premises resources. Azure AD will be your leading source for identities.
      • Cons: AD DS will always be running, resulting in a fixed charge per month.

    Option 2: Spin up a DC in your Azure subscription.
      • Pros: Can sync with on-premises DCs if VPN or ExpressRoute is configured. All familiar AD Group Policies can be used. Virtual machines can be paused or stopped when needed to reduce costs.
      • Cons: Adds additional management of a VM and Active Directory in Azure.

    Option 3: Use VPN or ExpressRoute and make sure your on-premises DCs can be found in Azure.
      • Pros: No AD DS or Domain Controller required in Azure.
      • Cons: Latency could be increased, adding delays during user authentication to VMs. This assumes you have an on-premises environment, so it is not suitable for cloud-only tests.

In our test environment, we decided to spin up a new VM with Windows Server 2019 for our domain controller and install Azure AD Connect to sync identities to Azure AD.

Finally, you’ll also need to make sure you have the right credentials. Here’s an overview of the accounts being used throughout the deployment process:

Once the prerequisites have been met, you can move on to the initial setup of Windows Virtual Desktop. Once these steps have been completed, you will be ready to deploy your initial VMs:

  1. Allow the Windows Virtual Desktop service to access Azure AD.
  2. Assign the “TenantCreator” role to a user account.
  3. Create a Windows Virtual Desktop tenant.
  4. Deploy your first Windows Virtual Desktop host pool.
  5. Test if a user can access a full desktop session.

Allow the Windows Virtual Desktop service to access Azure AD

Before you can create a Windows Virtual Desktop tenant, you must allow Windows Virtual Desktop services to access your Azure AD tenant. The way Windows Virtual Desktop is designed requires explicit Azure AD consent. The process is much like how Azure requires you to enable non-standard resource providers before being able to use them.

  1. Navigate to https://rdweb.wvd.microsoft.com.
  2. Add your Azure AD tenant ID, also referred to as the Directory ID, and hit Submit. (Your Azure AD tenant ID can be found by visiting the Microsoft Azure Portal and navigating to Azure Active Directory > Properties > Directory ID, or by using whatismytenantid.com.)
  3. Wait a moment for the consent options to refresh, then change Consent Option to Client App and enter the same Azure AD tenant ID in the field for AAD Tenant GUID or Name. Click Submit to continue.

Assign the “TenantCreator” role to a user account

Once you have granted access to Azure AD, you will need to grant permissions for a user to create a Windows Virtual Desktop tenant as follows:

  1. Log in to the Microsoft Azure Portal.
  2. Navigate to Azure Active Directory from the left menu.
  3. Under Manage, click on Enterprise applications.
  4. Search for and select Windows Virtual Desktop.
  5. Under Manage, select Users and groups.
  6. Select Add user, select Users and groups, and search for the user to whom you want to grant permissions to perform the Windows Virtual Desktop tenant creation.
  7. Select the user and hit Select, followed by Assign.

Your user should now have the role of “TenantCreator.”

Create a Windows Virtual Desktop tenant

Now that you have a user with the right permissions to create a Windows Virtual Desktop tenant, let’s go ahead and create it. During this step, you will need two IDs:

  • Your Azure AD tenant ID (again).
  • Your Azure subscription ID, which can be found by visiting the Microsoft Azure Portal and doing a keyword search for “Subscriptions.” Select Subscriptions from the search results and your subscription ID, assuming you have an active subscription, will be displayed below.

Once you have these two IDs, you can create the Windows Virtual Desktop tenant.

Note: Before proceeding, make sure you import the Windows Virtual Desktop cmdlets for Windows PowerShell as described in the prerequisites section above. If you haven’t completed this step yet, see these instructions.

Create a new PowerShell script, modifying the bold variables to reflect your tenant ID and subscription ID, and execute the following commands. When prompted, sign in using the admin account that was assigned to the TenantCreator role.

#Install PowerShell modules
Install-Module -Name Microsoft.RDInfra.RDPowerShell
Import-Module -Name Microsoft.RDInfra.RDPowerShell
 
# Setting Deployment context
$brokerurl = "https://rdbroker.wvd.microsoft.com"
$aadTenantId = "<value from #1 above>"
$azureSubscriptionId = "<value from #2 above>"
Add-RdsAccount -DeploymentUrl $brokerurl

Next, use the following command to create the Windows Virtual Desktop tenant. Make sure to change the bold variable to a name of your choosing.

New-RdsTenant -Name Contoso -AadTenantId $aadTenantId -AzureSubscriptionId $azureSubscriptionId

For our example, these were the commands I used:

# Setting Deployment context
$brokerurl = "https://rdbroker.wvd.microsoft.com"
$aadTenantId = "f59f09fb-51fe-4e7f-a510-984671d28231"
$azureSubscriptionId = "d4092f2e-5cd5-4d7d-ae58-9c328523828b"
Add-RdsAccount -DeploymentUrl $brokerurl

New-RdsTenant -Name CSPieter -AadTenantId $aadTenantId -AzureSubscriptionId $azureSubscriptionId


Deploy your first Windows Virtual Desktop host pool

A host pool is a collection of VMs that offer a similar service, such as a full desktop experience. When users connect, they can access a virtual desktop session on any of the hosts in the pool.

Step 1: Configure basic settings

To get started, visit the Microsoft Azure Portal, select Create a Resource and search for Windows Virtual Desktop. Select Windows Virtual Desktop – Provision a host pool.

Select Windows Virtual Desktop – Provision a host pool and click Create. Enter details as follows:

  • Host Pool name - Choose something descriptive for the pool of hosts, e.g. “FullDesktop”
  • Desktop type: Pooled or Personal - Choose Pooled unless you are deploying a virtual desktop infrastructure (VDI) configuration wherein every user has their own dedicated VM.
  • Default desktop users - Add a comma separated list of users. (group support will follow later.) You can also use PowerShell to add users to this host pool at a later point.
  • Subscription – Select Microsoft Azure.
  • Resource group - Use an empty Resource Group or enter a name to create a new one.
  • Location - Enter the location where the resources, such as the VMs, will be created. This can be any existing Azure region of your choice.

Step 2: Configure the virtual machines

Next, you’ll enter the VM size details:

  • Select a Usage Profile that matches your environment: Light, Medium, Heavy, or Custom.
  • Enter the number of Total users that will be using this host pool.
  • If desired, change the Virtual machine size. For your test environment, which will likely have very few users, you could opt for a smaller size. You can use the Azure Calculator to get an idea of costs: find "Compute" and select "Windows Virtual Desktop".
  • Add a prefix for the VMs. Note: make sure your prefix is unique; don’t reuse your prefixes. Also, don't use underscores.

Step 3: Configure VM settings

To configure the VMs for Azure, you will need to:

  • Select a custom image from Blob storage, a Managed image in Azure, or one from the Gallery. Our recommendation would be to test “Windows 10 Enterprise multi-session with Office 365 ProPlus” from the Azure Gallery. Office 365 ProPlus has been preconfigured for the ideal state of Windows 10 multi-session.
  • Select the Image OS
  • Select the Disk Type. SSD is recommended.
  • Enter credentials that have permissions to join a VM to Active Directory.
    • Important: check out the username requirements; some usernames are not allowed (such as administrator/admin and more).
  • (Optional) Specify the domain and/or OU.
  • (Optional) Use managed disks.
  • Configure the virtual network and subnet. Pay close attention to this step, as this wizard will spin up virtual machines and join them to AD. This means the virtual machine must be able to locate the Domain Controller. Consequently, we recommend opening a separate tab in your browser and validating that:
    • The DNS server IP address that is assigned to the VM points to the DC or AD DS; this can be configured in multiple locations including on your virtual network.
    • The DC, VM, and network resources are in the same Azure region. (Otherwise, your deployment is likely to fail.)

Here is an example of what step 3 of the wizard could look like:

The main reasons a deployment fails are:

  • The VM is unable to locate the DC due to the networking configuration.
    • Troubleshoot this by connecting to your DC via RDP, then RDP from there to one of the hosts and check whether you can manually domain join the VM.
  • A blacklisted username is used to domain join the VM (see details here).
  • Wrong credentials are supplied.
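As an added example that is not part of the original post, here is a check script to run on a VM in the target virtual network before launching the wizard; it validates the DNS, domain controller reachability and outbound TCP/443 requirements described above. The domain name corp.contoso.local is a placeholder, and the broker host comes from the $brokerurl used earlier.

```powershell
# Added example (not from the original post): run on a VM in the target virtual
# network before provisioning the host pool. It checks what the wizard depends on:
# DNS points at the DC, the domain's DC SRV record resolves, the DC's Kerberos/LDAP/SMB
# ports answer, and outbound TCP/443 to the WVD broker works for reverse connect.
function Test-WvdSessionHostPrereqs {
    param(
        [Parameter(Mandatory)][string]$DomainName,          # e.g. corp.contoso.local (placeholder)
        [string]$BrokerHost = 'rdbroker.wvd.microsoft.com'  # host part of the post's $brokerurl
    )
    $results = @()

    $dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
    $results += [pscustomobject]@{ Check = 'DNS servers configured'; Ok = [bool]$dnsServers; Detail = ($dnsServers -join ',') }

    # Domain-joined clients locate DCs through this SRV record; the default Azure
    # resolver (168.63.129.16) does not serve it, so it fails when DNS is wrong.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    $results += [pscustomobject]@{ Check = 'DC SRV record resolves'; Ok = [bool]$srv; Detail = (@($srv.NameTarget) -join ',') }

    foreach ($dc in (@($srv.NameTarget) | Select-Object -Unique)) {
        foreach ($port in 88, 389, 445) {   # Kerberos, LDAP, SMB: all needed for a domain join
            $tcp = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            $results += [pscustomobject]@{ Check = "DC $dc TCP/$port"; Ok = $tcp.TcpTestSucceeded; Detail = $tcp.RemoteAddress }
        }
    }

    # Reverse connect: the agent only needs outbound 443 to the broker, never inbound 3389.
    $broker = Test-NetConnection -ComputerName $BrokerHost -Port 443 -WarningAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "Outbound $BrokerHost TCP/443"; Ok = $broker.TcpTestSucceeded; Detail = $broker.RemoteAddress }

    return $results
}

# Every row should show Ok = True before you click Create in the wizard.
Test-WvdSessionHostPrereqs -DomainName 'corp.contoso.local' | Format-Table -AutoSize
```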

Step 4: Enter authentication details

Once you have configured your VM settings, you will need to enter details about your Windows Virtual Desktop tenant and Azure AD tenant. Unless otherwise directed, leave the Windows Virtual Desktop tenant group name as “Default Tenant Group.” For the Windows Virtual Desktop tenant name, enter the name of the tenant you created earlier in this process.

Note: If you are unsure what your Windows Virtual Desktop tenant name is, use the PowerShell command “Get-RdsTenant” to obtain it.

Enter valid credentials for your Azure AD environment (UPN and password).

Step 5: Check the summary

Check the summary window to confirm that your setup passed validation, then click OK.

Step 6: Finalize the creation of your host pool

Hit Create, sit back, and relax. Wait for the deployment to finish. The process takes roughly 20 minutes.

Test if a user can access a full desktop session

Once you have created your Windows Virtual Desktop host pool, you can download the client for Android or Windows, or use the HTML5 client. Here’s how to test with Windows or the HTML5 client.

Test with the Windows client

Download the latest Windows Remote Desktop client and subscribe to the feed using the following URL: https://rdweb.wvd.microsoft.com. Once subscribed, you will find the virtualized apps and desktops in the Start menu. You’ll also notice that it’s possible to enable conditional access and/or MFA for users when subscribing to a feed.

Test with the HTML5 client

Launch a browser InPrivate or incognito mode and visit http://aka.ms/wvdweb to access the HTML5 client. Authenticate using the login information to which you assigned a full desktop session.

If you are successful, you should be able to view the desktop:

What’s next?

Once you have completed your setup of Windows Virtual Desktop, you can assign other users to your host pool using the following PowerShell command, replacing <WVDTENANTNAME> with the name of your tenant, <HOSTPOOLNAME> with the name of your host pool, and leveraging the appropriate user principal name:

Add-RdsAppGroupUser <WVDTENANTNAME> <HOSTPOOLNAME> "Desktop Application Group" -UserPrincipalName USER@TENANT.onmicrosoft.com

In our environment, this is what the command looks like:

Add-RdsAppGroupUser CSPieter FullDesktop "Desktop Application Group" -UserPrincipalName user2@cspieter.onmicrosoft.com
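As an added example that is not from the original post, this script uses the same Microsoft.RDInfra.RDPowerShell cmdlets to assign several users at once, skipping those already in the group, after checking that at least one session host reports Available; the tenant and host pool names are the ones used above, and any user beyond user2 is a placeholder.

```powershell
# Added example (not from the original post): bulk-assign users to the host pool's
# desktop app group, skipping users already assigned, after confirming that at
# least one session host is Available. Tenant/host pool names are the post's own;
# the user list is a placeholder.
Import-Module -Name Microsoft.RDInfra.RDPowerShell
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

$tenant   = 'CSPieter'                  # from the post
$hostPool = 'FullDesktop'               # from the post
$appGroup = 'Desktop Application Group' # default desktop app group name
$users    = @('user2@cspieter.onmicrosoft.com', 'user3@cspieter.onmicrosoft.com')  # placeholders

# Nobody can sign in until at least one host reports Available.
$sessionHosts = @(Get-RdsSessionHost -TenantName $tenant -HostPoolName $hostPool)
$available = @($sessionHosts | Where-Object { $_.Status -eq 'Available' })
if (-not $available) {
    $summary = ($sessionHosts | ForEach-Object { "$($_.SessionHostName)=$($_.Status)" }) -join ', '
    Write-Warning "No session host in $hostPool is Available yet. Hosts: $summary"
}

# Read the current membership once so re-running the script is harmless.
$assigned = @(Get-RdsAppGroupUser -TenantName $tenant -HostPoolName $hostPool -AppGroupName $appGroup |
    Select-Object -ExpandProperty UserPrincipalName)

foreach ($upn in $users) {
    if ($assigned -contains $upn) {
        Write-Host "Already assigned: $upn"
        continue
    }
    try {
        Add-RdsAppGroupUser -TenantName $tenant -HostPoolName $hostPool -AppGroupName $appGroup -UserPrincipalName $upn | Out-Null
        Write-Host "Assigned: $upn"
    } catch {
        # A typical cause is a UPN that has not been synced to Azure AD yet.
        Write-Warning "Failed to assign ${upn}: $($_.Exception.Message)"
    }
}
```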

You can also move on to more advanced tasks, such as:

  • Setting up a host pool dedicated for RemoteApps instead of full desktops.
  • Installing FSLogix profile containers so that you can benefit from the profile solution that makes Office 365 ProPlus work just like on a local PC and/or laptop.

To explore other scenarios and learn more about Windows Virtual Desktop, please see the Windows Virtual Desktop documentation on Docs and watch What is Windows Virtual Desktop? on Microsoft Mechanics. I also encourage you to join the Windows Virtual Desktop community on Tech Community to connect with the Windows Virtual Desktop team and your fellow public preview participants.

Updated Mar 18, 2020
Version 14.0