Microsoft’s VDI solution from Azure has been almost six months in public preview phase. I have completed several successful customer experiments and proof of concepts with it in EMEA area, while the whole publishing endpoints are still only in US region. Customer’s are waiting a lot of GA and the publishing endpoint availability to be launched in EMEA.

I will write couple of useful tips and tricks here that I have found during my testings and pilots. Feel free to comment and share this post!

Azure AD Domain Services

If you have only workstations in workgroup (hope not) or Azure AD joined workstations without any on-premises Active Directory and you would like to use Windows Virtual Desktop, you have to create the AD DS somehow. Windows Virtual Desktop is currently supporting only Active Directory Domain Services joined workstations and servers in a session host role. This means that if you don’t have AD DS, you have to create it for Windows Virtual Desktop.

If Windows Virtual Desktop is the only thing why you need AD DS, I encourage you to use Azure AD Domain Services. AAD DS has been available several years, but there hasn’t been so many use cases for it before Windows Virtual Desktop.

There are Pros and Cons when using Azure AD Domain Services. I have listed those below from my opinion.

Pros

  • You don’t have to maintain domain controllers
  • You get traditional group policies for management
  • Automatic user and group synchronization between Azure AD and Azure AD Domain Services
  • Easy to deploy and manage
  • High-Availability implemented by Microsoft

Cons

  • You can’t use some AD related services with Azure AD Domain Services for example PKI or NPS server
  • Problems of traditional AD DS
  • LDAP related challenges

For more information about the Azure AD Domain Service, please refer Microsoft’s documentation.

Azure AD Domain Services

FSLogix for profile management

When using virtualized end-user environments there are always user profiles that should roam through all pooled session hosts. If user’s profile is large, it will take a lot of time to copy files over the network for later on usage.

In the end of 2018 Microsoft acquired a company called FSLogix. FSLogix has several tools to help profile and application management especially in virtualized envrionments. In Windows Virtual Desktop context, the most valuable product from FSLogix is Profile Containers.

Profile Container packs user’s profile to VHD(X) file and stores it in a traditional File share. When user logs on to the session host, VHD(X) is mounted through the network for profile usage and de-mounted, when user logs off from the session.

FSLogix Profile Container mounted from file share

FSLogix provides also extended caching mechanism called Cloud Cache, to reduce network traffic by caching profile files to the local machine. It has also capabilities for multiple sessions at a time, which is the basic requirement for tool like this. What is the best of this, FSLogix is licensed through other bundels, so you don’t need extra licenses for that. When writing this (5.9.2019) you are allowed to use FSLogix components if you have one of next licenses:

  • Microsoft 365 E3/E5
  • Microsoft 365 A3/A5/ Student Use Benefits
  • Microsoft 365 F1
  • Microsoft 365 Business
  • Windows 10 Enterprise E3/E5
  • Windows 10 Education A3/A5
  • Windows 10 VDA per user
  • Remote Desktop Services (RDS) Client Access License (CAL)
  • Remote Desktop Services (RDS) Subscriber Access License (SAL)

Check the latest license requirements from Microsoft’s documentation.

Storing the FSLogix VHD(X)

There are couple of scenarios where you can store your FSLogix Container depending of your infrastructure. If you have Azure AD Domain Services, I encourage you to use Azure Files and if traditional Active Directory Domain Services, you have to use traditional file server, which is shame that Azure Files does not have yet support for Active Directory Domain Services. Maybe some day..

Either or, you need a folder to be shared over SMB and appropriate NTFS-permissions for it.

UserFolderPermissions
WVD UsersThis Folder OnlyModify
Creator / OwnerSubfolders and Files OnlyModify
AdministratorsThis Folder, Subfolders, and FilesFull Control

Azure AD Domain Services

When using Azure AD Domain Services, it’s the easiest to store VHD(X)-files in Azure Storage Account. How to configure the Azure Storage Account and Azure Files for FSLogix usage use the Microsoft’s documentation to complete the configuration. Remember the folder NTFS-permissions as described above!

FSLogix Profiles in storage account

Active Directory Domain Services

When using Active Directory Domain Services, you can’t integrate Azure Storage Account NTFS-permissions to it. Create a file server and share a folder with appropriate NTFS-permissions as described earlier for it. I suggest you to create the server to Azure so it would be really close session hosts.

Group Policy Templates

To configure requried settings for session hosts, documentation says to use specific registry keys. In stead of updating straight registry, I suggest to use Group Policy Templates which are included in the FSLogix installation zip-archive.

FSLogix Group Policy templates

Frxtray.exe

When you have installed FSLogix client to your session host, you find a nice tool called Frxtray.exe. Use this tool to see traffic lights about the profile status, logs for troubleshooting and much more. Frxtray.exe is located in C:\Program Files\FSLogix\Apps\frxtray.exe if you used the default installation location for FSLogix client.

Frxtray.exe in basic view

Provide Win32 applications for externals

One of the use cases for Windows Virtual Desktop is publish applications and desktops to external users. If you are using Windows 10 as a session host, you have to have licenses for external users also to use it (which normally does not have Windows licenses in your environment). If you use Server based SKU e.g. Windows Server 2016 for session host, you need only RDS Cal’s as normally. Less license costs for your external partners!

Session host with external GPU

As Windows Virtual Desktop is only a way to use Virtual Machines resources in Azure environment, you can use any size of them as a session host. One way is to use NV- or NC-series virtual machines which has an external graphic card for work loads that requires it (e.g. Video or CAD-rendering, editing and so on).

When you use virtual machine with a graphic card, it is not used in Remote Desktop Sessions automatically. To get graphic card working correctly in Remote Desktop Sessions, turn next Group Policy setting Enabled for those session hosts:

  • Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment
    • Use the hardware default graphics adapter for all Remote Desktop Services sessions = Enabled
3D Demo with NV-series Virtual Machine

More than one administrator

When there are more than one administrator for RDS tenant, you should give tenant owner permissions to them as easy way as possible. The best way to achieve this is that create a AAD Group e.g. WVDTenantOwners and give Owner role for that specific group.

#Get AzureAD Group
$group = Get-AzureADGroup -SearchString "WVDTenantOwners"

#Make the role assignment
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -GroupObjectId $group.ObjectId -TenantGroupName "MyWVDTenantGroup" -TenantName "MyWVDTenant"

Use cases

There are plenty of different use cases for Windows Virtual Desktop from external partners to field engineers. The coolest use case in my opinion is Samsung smart phone as the only device for end user. Samsung phone has own desktop experience called Samsung DeX. You can start it by connecting your device to the HDMI-monitor or Samsung DeX docking station (which has HDMI port to the separate monitor). Connect mouse, keyboard and bluetooth headset to your phone and you can start fully functional Windows 10 Enterprise to the external monitor from your phone. How cool is that!! You can even edit your videos or CAD drawings with your device just without high performance (and heavy) laptop or desktop.

Windows Virtual Desktop works also from Samsung S9+

Test and demo environment

When running test or demo environment you want to ramp down all extra costs and still stay as maintained as possible with your infrastructure. There are several things that I have in my demo environment to maintain the infrastructure automatically.

Azure Automation Update Management

I have one Azure Automation Account to manage Updates for my session hosts. That’s really powerful and free update management solution for single environment requirements.

Azure Automation Update Management for Windows Virtual Desktop

Auto Shutdown

I shut down my virtual machines when I don’t need those and VM’s are going to be also de-allocated, so only cost is the storage. If I don’t remember to shut down machines, those will be automatically turned off at midnight every day. Less expenses.

Auto shutdown for all machines.

Starting of demo environment

I want also to start my demo environment with a single button, so I’ve created a button to call Azure Automation script to turn on the demo environment. I use also schedule to turn them on once in a week for update management purposes.

Summary

Conclusion after several PoCs is clearly that this works as expected and Windows Virtual Desktop is enough for many use cases when using VDI- or virtualized application environments. The best thing is that the price point for this solution is really friendly and encourages to use it!


Markus Lintuala

I have worked most of my career on traditional infrastructure management side with enterprise architectures, workstation and server management. When Microsoft published the first IaaS-services on Azure I started my journey towards the cloud on productivity as well as on platform side. I like to work often with the newest technologies; currently specially in Microsoft 365 identity, security, device management and end-user experience area.

0 Comments

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.