Our company - as many others - decided to go fully remote in the coming days. It required some changes on our (IT) side, but not that many. We already supported this kind of work:
We’ve decided to launch Windows Virtual Desktop (WVD) as a backup access method for some of our employees. This way they can use a secure desktop that has access to our on-premises network through a site-to-site VPN (between us and Azure).
All seemed easy. Just follow Microsoft Mechanics (part1, part2 and part3).
I’ll have to admit that MS Docs for this topic are really good.
And RT*M if you’re stuck!
Most tutorials show a simple deployment within a demo tenant where you’re using Global Admin for everything. My case, and probably yours too, is a bit different.
In this post I’ll assume you already have configured:
In our case we’ve decided to deploy a VM in Azure that will be a Domain Controller - in addition to our on-premises ones. This is a Standard B2s (2 vCPUs, 4 GiB memory) VM, which doesn’t cost much!
Let me briefly describe the whole process:
AFAIK, as of today (18.03.2020), there is no way to:
There are scripts on Microsoft’s GitHub, but as the readme states:
This sample PowerShell script can be used as a starting point for developing a solution to automatically scale session host virtual machines in a Windows Virtual Desktop deployment.
It is nowhere near an ‘easy’ solution yet. Hopefully we will get more from the Dev Team soon.
Here are the Docs that will help you set up auto-scaling.
For now - if you’d like to scale out - you can go through the Azure Marketplace and deploy it again with a changed number of hosts. It won’t destroy the current solution; it will just add/remove VMs from the Host Pool. Then you can delete/deprovision those that are not needed.
For all this you will need the following variables:
Let’s start!
This is simply done by visiting the RDWeb site and providing your Tenant ID for both Consent Options - Server and Client.
To add RDS to your Azure tenant you will need the Tenant ID and the Subscription ID where it will be deployed.
You can either get them through the Azure GUI or with PowerShell. Use your Azure Global Admin account to connect to Azure:
Connect-AzAccount
# Select the subscription in which you want to deploy your WVD. This will also give you the Tenant ID
$Subscription = Get-AzSubscription | Out-GridView -PassThru
# Install and load the WVD (RDS) module, then sign in to the WVD broker
Install-Module Microsoft.RDInfra.RDPowerShell
Import-Module Microsoft.RDInfra.RDPowerShell
Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com
# Create the WVD tenant bound to your Azure AD tenant and subscription
$WVDTenantName = 'WVD Pool 1'
New-RdsTenant -Name $WVDTenantName -AadTenantId $Subscription.TenantId -AzureSubscriptionId $Subscription.Id
Now we need to create an Azure AD application and grant it permissions. For this we will use another PowerShell module, AzureAD:
Import-Module AzureAD
$AzureADAppDisplayName = 'Windows Virtual Desktop Svc Principal'
$aadContext = Connect-AzureAD
# Register the application and generate a client secret (password credential) for it
$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName $AzureADAppDisplayName
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId
$AzureADApplication = @{
    Name       = $AzureADAppDisplayName
    AppID      = $svcPrincipal.AppId
    Password   = $svcPrincipalCreds.Value
    TenantGuid = $aadContext.TenantId.Guid
}
# Output the information. If you have PowerShell logging enabled, the secret would end up in the logs - it is best to Export-Clixml it instead of printing it!
$AzureADApplication
I usually don’t do this for Azure AD Applications but…
Write down the password (in a Password Manager preferably)
You will need this identity every time you will want to redeploy the solution (scale out).
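Since that secret has to survive until the next scale-out, here is an added example (not code from the original post) of keeping it out of console and transcript logs by storing it DPAPI-protected, and of checking when the secret expires so it can be rotated before a redeployment fails. It assumes an active Connect-AzureAD session, the display name from the step above, and a storage path of my own choosing.

```powershell
# Added example, not the original post's code. Assumes an active Connect-AzureAD session.
$AzureADAppDisplayName = 'Windows Virtual Desktop Svc Principal'
$CredentialPath = Join-Path $env:USERPROFILE 'wvd-svcprincipal.xml'   # assumed path

# Look the application up again so nothing depends on variables from an earlier session
$app = Get-AzureADApplication -Filter "DisplayName eq '$AzureADAppDisplayName'"

function Save-WvdServicePrincipalSecret {
    param(
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [string] $Secret,
        [Parameter(Mandatory)] [string] $Path
    )
    # Export-Clixml serialises the SecureString inside a PSCredential with DPAPI (Windows),
    # bound to this user on this machine, so the plain-text value never hits disk or a transcript.
    $secure = ConvertTo-SecureString -String $Secret -AsPlainText -Force
    $cred   = [System.Management.Automation.PSCredential]::new($AppId, $secure)
    $cred | Export-Clixml -Path $Path
}

function Get-WvdServicePrincipalSecret {
    param([Parameter(Mandatory)] [string] $Path)
    # Returns a PSCredential: UserName is the AppId, GetNetworkCredential().Password the secret
    Import-Clixml -Path $Path
}

function Get-WvdSecretExpiry {
    param([Parameter(Mandatory)] [string] $ObjectId)
    # Lists every password credential on the app with the days left until it expires;
    # New-AzureADApplicationPasswordCredential defaults to a one-year lifetime.
    Get-AzureADApplicationPasswordCredential -ObjectId $ObjectId |
        Select-Object KeyId, StartDate, EndDate,
            @{ Name = 'DaysLeft'; Expression = { [int]($_.EndDate - (Get-Date)).TotalDays } }
}

# Store the freshly created secret ($svcPrincipalCreds.Value from the step above) ...
Save-WvdServicePrincipalSecret -AppId $app.AppId -Secret $svcPrincipalCreds.Value -Path $CredentialPath
# ... and later, before a redeployment, read it back and flag secrets expiring within 30 days
$cred = Get-WvdServicePrincipalSecret -Path $CredentialPath
Get-WvdSecretExpiry -ObjectId $app.ObjectId | Where-Object DaysLeft -lt 30
```

The exported file can only be decrypted by the same Windows account on the same machine, so keep a copy of the secret in your password manager as well.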
Now go to Azure Portal, select Create Resource and fill in the information.
Once the deployment is done we can grant users access. In my case it’s adding them to the Desktop Application Group:
$UsersForWVD = @('user1', 'user2', 'user3')
$TenantName = 'WVD Pool 1'
$HostPoolName = 'WVD1-WE-HostPool'
$Context = Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com
$AzureContext = Connect-AzureAD
$DomainName = 'contoso.com'
$LicenseADGroup = 'Cloud_Windows10Enterprise_E5'
foreach ($user in $UsersForWVD) {
    $UserUPN = '{0}@{1}' -f $user, $DomainName
    # On-premises AD group that assigns the Windows 10 Enterprise licence (synced to Azure AD)
    Add-ADGroupMember -Identity $LicenseADGroup -Members $user
    # Grant the user the published desktop in the host pool
    Add-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName -AppGroupName "Desktop Application Group" -UserPrincipalName $UserUPN
}
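Granting access is one half; knowing who still has it is the other. The following added example (again not the post’s own code) reviews the Desktop Application Group against the intended user list and optionally removes anyone who should no longer be there. It assumes the same tenant, host pool and domain names as above and an existing Add-RdsAccount session; the function name is mine.

```powershell
# Added example, not the original post's code. Assumes an Add-RdsAccount session is active.
$TenantName    = 'WVD Pool 1'
$HostPoolName  = 'WVD1-WE-HostPool'
$AppGroupName  = 'Desktop Application Group'
$DomainName    = 'contoso.com'
$ExpectedUsers = @('user1', 'user2', 'user3')   # the list you intend to have access

function Compare-WvdAppGroupAccess {
    param(
        [Parameter(Mandatory)] [string[]] $ExpectedUsers,
        [Parameter(Mandatory)] [string]   $DomainName,
        [Parameter(Mandatory)] [string]   $TenantName,
        [Parameter(Mandatory)] [string]   $HostPoolName,
        [Parameter(Mandatory)] [string]   $AppGroupName,
        [switch] $Remediate   # when set, unexpected assignments are removed
    )
    # Normalise both sides to lower-case UPNs so comparisons are case-insensitive
    $expected = $ExpectedUsers | ForEach-Object { ('{0}@{1}' -f $_, $DomainName).ToLowerInvariant() }
    $assigned = Get-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName -AppGroupName $AppGroupName |
        ForEach-Object { $_.UserPrincipalName.ToLowerInvariant() }

    $unexpected = @($assigned | Where-Object { $_ -notin $expected })   # has access, should not
    $missing    = @($expected | Where-Object { $_ -notin $assigned })   # should have access, does not

    if ($Remediate) {
        foreach ($upn in $unexpected) {
            Remove-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName `
                -AppGroupName $AppGroupName -UserPrincipalName $upn
        }
    }
    [pscustomobject]@{ Unexpected = $unexpected; Missing = $missing }
}

# Dry run first: report only. Add -Remediate once the report looks right.
$report = Compare-WvdAppGroupAccess -ExpectedUsers $ExpectedUsers -DomainName $DomainName `
    -TenantName $TenantName -HostPoolName $HostPoolName -AppGroupName $AppGroupName
$report
```

Remember that removing a user from the app group does not free the licence; drop them from the licence AD group separately.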
Now we have the easiest part done. Next is guiding users on how to connect to the service.
Users can connect to Windows Virtual Desktop in two ways. Either way, you’ll be prompted for your credentials once again (this time for the VM itself).
There is a dedicated app for Windows, Android, macOS and iOS.
Once you have the application installed, run it, click Subscribe and provide your corporate login.
If it doesn’t find the RD feed, provide this URL as the feed: https://rdweb.wvd.microsoft.com
Once you run the application you can adjust the settings: right-click on the Session Desktop and select Settings.
If you unselect Use default settings, you can set more options.
I must admit that overall I’m pretty impressed by this solution.
I’ve set up on-premises RDS farms before - it wasn’t hard.
BUT, if you want a solution that is highly available, it gets pretty complex. With Windows Virtual Desktop it’s very easy.
There are still some rough edges. It’s not a single-button click. Also, not all options (compared to on-premises) are available, but taking into consideration that this is still a new solution, I’m very satisfied.
But, what’s more important - our users have access to a secure environment without many issues.
Now, how to monitor the usage? Stay tuned!