Azure Virtual Desktop

Archive | Azure Virtual Desktop RSS feed for this section

Azure Virtual Desktop – Terraform – Create a Host Pool, Desktop Application Group and Workspace for Pooled Remote App aka Published Applications (Part 3)

In the previous blog post we look at creating the Personal Desktop (1×1 mapping) and Pooled Desktop (1 x Many) using Terraform Azure Virtual Desktop – Terraform – Create a Host Pool, Desktop Application Group and Workspace for Personal Desktop (Part 1) | AskAresh and Azure Virtual Desktop – Terraform – Create a Host Pool, Desktop Application Group and Workspace for Pooled Desktop (Part 2). In this blog post series I am going to demonstrate how to create the AVD Host Pool, Application Group and Workspace using Terraform for Pooled Remote App aka Published Applications (1xMany)

We are going to create the following three types of configurations using Terraform:

Azure Virtual Desktop – Personal Desktop (1×1) – Part 1
Azure Virtual Desktop – Pooled Desktop (Multi-Session Full Desktop Experience) – Part 2
Azure Virtual Desktop – Remote App (Multi-Session Application aka Published Apps) – Part 3

Note – We are creating the Pooled RemoteApp in this post and in the subsequent post the other types were. In this post In this post I will not show case the creation of service principal and secret please refer for the Part 1 for that activity.

Pre-requisites

Following are the pre-requisites before you begin

An Azure subscription
The Terraform CLI
The Azure CLI
Permissions within the Azure Subscription for using Terraform

Terraform – Authenticating via Service Principal & Client Secret

Before running any Terraform code the following powershell (Make sure run as administrator) we will execute and store the credentials as enviornment variables. If we do this via the environment variable we dont have to store the below information within the providers.tf file. In the future blog post there are better way to store the below details and I hope to showcase them:

# PowerShell
$env:ARM_CLIENT_ID = "9e453b62-0000-0000-0000-00000006e1ac"
$env:ARM_CLIENT_SECRET = "Z318Q~00000000000000000000000000000000_"
$env:ARM_TENANT_ID = "a02e602c-0000-000-0000-0e0000008bba61"
$env:ARM_SUBSCRIPTION_ID = "7b051460-00000-00000-00000-000000ecb1"

Azure Subcription ID – Azure Portal Subcription copy the ID
Client ID – From the above step you will have the details
Client Secret – From the above step you will have the details
Tenant ID – While creating the Enterprise Apps in ADD you will have the details

Terraform Folder Structure

The following is the folder structure for the terrraform code:

Azure Virtual Desktop Pooled RemoteApp – Create a directory in which the below Terraform code will be published (providers.tf, main.tf, variables.tf and output.tf)

+---Config-AVD-Pooled-RemoteApp
|   |   main.tf
|   |   output.tf
|   |   providers.tf
|   |   variables.tf

Configure AVD – Pooled RemoteApp – Providers.tf

Create a file named providers.tf and insert the following code:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.49.0"
    }
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azurerm" {
  features {}
}

Configure AVD – Pooled RemoteApp – main.tf

Create a file named main.tf and insert the following code. Let me explain what all we are attempting to accomplish here:

Create a Resource Group
Create a Workspace
Create a Host Pool
Create a Remote Application Group (RAG)
Associate Workspace and RAG
Assign Azure AD Group to the Desktop Application Group (RAG)
Assign Azure AD Group to the Resource Group for RBAC for the Session Host (Virtual Machine User Login)

# Resource group name is output when execution plan is applied.
resource "azurerm_resource_group" "rg" {
  name     = var.rg_name
  location = var.resource_group_location
  tags = var.tags
}

# Create AVD workspace
resource "azurerm_virtual_desktop_workspace" "workspace" {
  name                = var.workspace
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  friendly_name       = "${var.prefix} Workspace"
  description         = "${var.prefix} Workspace"
  tags = var.tags
}

# Create AVD host pool
resource "azurerm_virtual_desktop_host_pool" "hostpool" {
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  name                     = var.hostpool
  friendly_name            = var.hostpool
  validate_environment     = true #[true false]
  start_vm_on_connect      = true
  custom_rdp_properties    = "targetisaadjoined:i:1;drivestoredirect:s:*;audiomode:i:0;videoplaybackmode:i:1;redirectclipboard:i:1;redirectprinters:i:1;devicestoredirect:s:*;redirectcomports:i:1;redirectsmartcards:i:1;usbdevicestoredirect:s:*;enablecredsspsupport:i:1;redirectwebauthn:i:1;use multimon:i:1;enablerdsaadauth:i:1;"
  description              = "${var.prefix} HostPool"
  type                     = "Pooled" #[Pooled or Personal]
  preferred_app_group_type = "RailApplications" #[Desktop or RailApplications]
  maximum_sessions_allowed = 5  #[Tweak based on your vm tshirt size]
  load_balancer_type       = "DepthFirst" #[BreadthFirst or DepthFirst]
  tags = var.tags
scheduled_agent_updates {
  enabled = true
  timezone = "AUS Eastern Standard Time"  # Update this value with your desired timezone
  schedule {
    day_of_week = "Saturday"
    hour_of_day = 1   #[1 here means 1:00 am]
  }
}
}

resource "azurerm_virtual_desktop_host_pool_registration_info" "registrationinfo" {
  hostpool_id     = azurerm_virtual_desktop_host_pool.hostpool.id
  expiration_date = var.rfc3339
}

# Create AVD RAG
resource "azurerm_virtual_desktop_application_group" "rag" {
  resource_group_name = azurerm_resource_group.rg.name
  host_pool_id        = azurerm_virtual_desktop_host_pool.hostpool.id
  location            = azurerm_resource_group.rg.location
  type                = "RemoteApp"
  name                = var.app_group_name
  friendly_name       = "RemoteApp AppGroup"
  description         = "${var.prefix} AVD RemoteApp application group"
  depends_on          = [azurerm_virtual_desktop_host_pool.hostpool, azurerm_virtual_desktop_workspace.workspace]
  tags = var.tags
}

# Associate Workspace and DAG
resource "azurerm_virtual_desktop_workspace_application_group_association" "ws-dag" {
  application_group_id = azurerm_virtual_desktop_application_group.rag.id
  workspace_id         = azurerm_virtual_desktop_workspace.workspace.id
}

# Assign AAD Group to the Remote Application Group (RAG)
resource "azurerm_role_assignment" "AVDGroupRemoteAppAssignment" {
  scope                = azurerm_virtual_desktop_application_group.rag.id
  role_definition_name = "Desktop Virtualization User"
  principal_id         = data.azuread_group.AVDGroup.object_id
}

# Assign AAD Group to the Resource Group for RBAC for the Session Host
resource "azurerm_role_assignment" "RBACAssignment" {
  scope                = azurerm_resource_group.rg.id
  role_definition_name = "Virtual Machine User Login"
  principal_id         = data.azuread_group.AVDGroup.object_id
}

Note – The individual applications are not published yet. They can be published once you have the session host created. After which, using Terraform, the individual applications can be published too. The exe path of apps needs to be mapped within the operating system. I plan to create a separate blog post on session host creation via Terraform.

Configure AVD – Pooled RemoteApp – variables.tf

Create a file named variables.tf and insert the following code:

variable "resource_group_location" {
  default     = "australiaeast"
  description = "Location of the resource group - Australia East"
}

variable "rg_name" {
  type        = string
  default     = "AE-DEV-AVD-01-PO-A-RG"
  description = "Name of the Resource group in which to deploy service objects"
}

variable "workspace" {
  type        = string
  description = "Name of the Azure Virtual Desktop workspace"
  default     = "AE-DEV-AVD-01-WS"
}

variable "hostpool" {
  type        = string
  description = "Name of the Azure Virtual Desktop host pool"
  default     = "AE-DEV-AVD-01-PO-A-HP"
}

variable "app_group_name" {
  description = "Name of the Azure Virtual Desktop application group"
  type        = string
  default     = "AE-DEV-AVD-01-RAG"
}

variable "rfc3339" {
  type        = string
  default     = "2023-05-20T12:43:13Z"  #Update this value with a future date
  description = "Registration token expiration"
}

variable "prefix" {
  type        = string
  default     = "AE-DEV-AVD-01-HP-"
  description = "Prefix of the name of the AVD HostPools"
}

variable "tags" {
  type    = map(string)
  default = {
    Environment = "Dev"
    Department  = "IT"
    Location = "AustraliaEast"
    ServiceClass = "DEV"
    Workload = "Host Pool 01"
  }
}

data "azuread_client_config" "AzureAD" {}

data "azuread_group" "AVDGroup" {
  display_name     = "Win365-Users"  
}

Configure AVD – Pooled RemoteApp – output.tf

Create a file named output.tf and insert the following code. This will showcase in the console what is getting deployed in form of a output.

output "azure_virtual_desktop_compute_resource_group" {
  description = "Name of the Resource group in which to deploy session host"
  value       = azurerm_resource_group.rg.name
}

output "azure_virtual_desktop_host_pool" {
  description = "Name of the Azure Virtual Desktop host pool"
  value       = azurerm_virtual_desktop_host_pool.hostpool.name
}

output "azurerm_virtual_desktop_application_group" {
  description = "Name of the Azure Virtual Desktop DAG"
  value       = azurerm_virtual_desktop_application_group.rag.name
}

output "azurerm_virtual_desktop_workspace" {
  description = "Name of the Azure Virtual Desktop workspace"
  value       = azurerm_virtual_desktop_workspace.workspace.name
}

output "location" {
  description = "The Azure region"
  value       = azurerm_resource_group.rg.location
}

data "azuread_group" "aad_group" {
  display_name = "Win365-Users"
}

output "AVD_user_groupname" {
  description = "Azure Active Directory Group for AVD users"
  value       = data.azuread_group.aad_group.display_name
}

Intialize Terraform – AVD – Pooled RemoteApp

Run terraform init to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources. (Its pulling the AzureRM and AzureAD)

terraform init -upgrade

Create Terraform Execution Plan – AVD – Pooled RemoteApp

Run terraform plan to create an execution plan.

terraform plan -out mainavdremoteapp.tfplan

Apply Terraform Execution Plan – AVD – Pooled RemoteApp

Run terraform apply to apply the execution plan to your cloud infrastructure.

terraform apply mainavdremoteapp.tfplan

Validate the Output in Azure Portal

Go to the Azure portal, Select Azure Virtual Desktop and Select Host pools, Application Group and Workspace created using Terraform.

Clean-up the above resources (Optional)

If you want to delete all the above resources then you can use the following commands to destroy. Run terraform plan and specify the destroy flag.

terraform plan -destroy -out mainavdremoteapp.destroy.tfplan

Run terraform apply to apply the execution plan.

terraform apply mainavdremoteapp.destroy.tfplan

Quick Start Links

The intention here is to get you quickly started with Terraform on Azure Virtual Desktop Solution:

Description	Links
Setting up your computer to get started with Terrafor using Powershell	Install Terraform on Windows with Azure PowerShell
AVD Configure Azure Virtual Desktop	https://learn.microsoft.com/en-us/azure/developer/terraform/configure-azure-virtual-desktop
Terraform Learning	https://youtube.com/playlist?list=PLLc2nQDXYMHowSZ4Lkq2jnZ0gsJL3ArAw

I hope you will find this helpful information for getting started with Terraform to deploy the Azure Virtual Desktop – Pooled Remote App. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: AVD, Azure, Azure Virtual Desktop, HashiCorp, IaC, Microsoft, PowerShell, Terraform

Comments 1 Comment
Categories Azure, Azure Virtual Desktop, Scripts-API

Azure Virtual Desktop – Terraform – Create a Host Pool, Desktop Application Group and Workspace for Pooled Desktop (Part 2)

15 May

In the previous blog post we look at creating the Personal Desktop (1×1 mapping) using Terraform. Azure Virtual Desktop – Terraform – Create a Host Pool, Desktop Application Group and Workspace for Personal Desktop (Part 1) | AskAresh. In this blog post series I am going to demonstrate how to create the AVD Host Pool, Application Group and Workspace using Terraform for Pooled Desktop (1xMany)

We are going to create the following three types of configurations using Terraform:

Azure Virtual Desktop – Personal Desktop (1×1) – Part 1
Azure Virtual Desktop – Pooled Desktop (Multi-Session Full Desktop Experience) – Part 2
Azure Virtual Desktop – Remote App (Multi-Session Application aka Published Apps) – Part 3

Note – We are creating the Pooled Desktop in this post and in the subsequent post the other types will be created. In this post In this post I will not show case the creation of service principal and secret please refer for the Part 1 for that activity.

Pre-requisites

Following are the pre-requisites before you begin

An Azure subscription
The Terraform CLI
The Azure CLI
Permissions within the Azure Subscription for using Terraform

Terraform – Authenticating via Service Principal & Client Secret

# PowerShell
$env:ARM_CLIENT_ID = "9e453b62-0000-0000-0000-00000006e1ac"
$env:ARM_CLIENT_SECRET = "Z318Q~00000000000000000000000000000000_"
$env:ARM_TENANT_ID = "a02e602c-0000-000-0000-0e0000008bba61"
$env:ARM_SUBSCRIPTION_ID = "7b051460-00000-00000-00000-000000ecb1"

Azure Subcription ID – Azure Portal Subcription copy the ID
Client ID – From the above step you will have the details
Client Secret – From the above step you will have the details
Tenant ID – While creating the Enterprise Apps in ADD you will have the details

Terraform Folder Structure

The following is the folder structure for the terrraform code:

Azure Virtual Desktop Pooled Desktop – Create a directory in which the below Terraform code will be published (providers.tf, main.tf, variables.tf and output.tf)

+---Config-AVD-Pooled-Desktop
|   |   main.tf
|   |   output.tf
|   |   providers.tf
|   |   variables.tf

Configure AVD – Pooled Desktop Pool – Providers.tf

Create a file named providers.tf and insert the following code:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.49.0"
    }
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azurerm" {
  features {}
}

Configure AVD – Pooled Desktop Pool – main.tf

Create a file named main.tf and insert the following code. Let me explain what all we are attempting to accomplish here:

Create a Resource Group
Create a Workspace
Create a Host Pool (Pooled Desktops and Depth first load balancing)
Create a Desktop Application Group (DAG)
Associate Workspace and DAG
Assign Azure AD Group to the Desktop Application Group (DAG)
Assign Azure AD Group to the Resource Group for RBAC for the Session Host (Virtual Machine User Login)

# Resource group name is output when execution plan is applied.
resource "azurerm_resource_group" "rg" {
  name     = var.rg_name
  location = var.resource_group_location
  tags = var.tags
}

# Create AVD workspace
resource "azurerm_virtual_desktop_workspace" "workspace" {
  name                = var.workspace
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  friendly_name       = "${var.prefix} Workspace"
  description         = "${var.prefix} Workspace"
  tags = var.tags
}

# Create AVD host pool
resource "azurerm_virtual_desktop_host_pool" "hostpool" {
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  name                     = var.hostpool
  friendly_name            = var.hostpool
  validate_environment     = true #[true false]
  start_vm_on_connect      = true
  custom_rdp_properties    = "targetisaadjoined:i:1;drivestoredirect:s:*;audiomode:i:0;videoplaybackmode:i:1;redirectclipboard:i:1;redirectprinters:i:1;devicestoredirect:s:*;redirectcomports:i:1;redirectsmartcards:i:1;usbdevicestoredirect:s:*;enablecredsspsupport:i:1;redirectwebauthn:i:1;use multimon:i:1;enablerdsaadauth:i:1;"
  description              = "${var.prefix} HostPool"
  type                     = "Pooled" #[Pooled or Personal]
  maximum_sessions_allowed = 5
  load_balancer_type       = "DepthFirst" #[BreadthFirst DepthFirst]
  tags = var.tags
scheduled_agent_updates {
  enabled = true
  timezone = "AUS Eastern Standard Time"  # Update this value with your desired timezone
  schedule {
    day_of_week = "Saturday"
    hour_of_day = 1   #[1 here means 1:00 am]
  }
}
}

resource "azurerm_virtual_desktop_host_pool_registration_info" "registrationinfo" {
  hostpool_id     = azurerm_virtual_desktop_host_pool.hostpool.id
  expiration_date = var.rfc3339
}

# Create AVD DAG
resource "azurerm_virtual_desktop_application_group" "dag" {
  resource_group_name = azurerm_resource_group.rg.name
  host_pool_id        = azurerm_virtual_desktop_host_pool.hostpool.id
  location            = azurerm_resource_group.rg.location
  type                = "Desktop"
  name                = var.app_group_name
  friendly_name       = "Desktop AppGroup"
  description         = "${var.prefix} AVD application group"
  depends_on          = [azurerm_virtual_desktop_host_pool.hostpool, azurerm_virtual_desktop_workspace.workspace]
  tags = var.tags
}

# Associate Workspace and DAG
resource "azurerm_virtual_desktop_workspace_application_group_association" "ws-dag" {
  application_group_id = azurerm_virtual_desktop_application_group.dag.id
  workspace_id         = azurerm_virtual_desktop_workspace.workspace.id
}

# Assign AAD Group to the Desktop Application Group (DAG)
resource "azurerm_role_assignment" "AVDGroupDesktopAssignment" {
  scope                = azurerm_virtual_desktop_application_group.dag.id
  role_definition_name = "Desktop Virtualization User"
  principal_id         = data.azuread_group.AVDGroup.object_id
}

# Assign AAD Group to the Resource Group for RBAC for the Session Host
resource "azurerm_role_assignment" "RBACAssignment" {
  scope                = azurerm_resource_group.rg.id
  role_definition_name = "Virtual Machine User Login"
  principal_id         = data.azuread_group.AVDGroup.object_id
}

Configure AVD – Pooled Desktop Pool – variables.tf

Create a file named variables.tf and insert the following code:

variable "resource_group_location" {
  default     = "australiaeast"
  description = "Location of the resource group - Australia East"
}

variable "rg_name" {
  type        = string
  default     = "AE-DEV-AVD-01-PO-D-RG"
  description = "Name of the Resource group in which to deploy service objects"
}

variable "workspace" {
  type        = string
  description = "Name of the Azure Virtual Desktop workspace"
  default     = "AE-DEV-AVD-01-WS"
}

variable "hostpool" {
  type        = string
  description = "Name of the Azure Virtual Desktop host pool"
  default     = "AE-DEV-AVD-01-PO-D-HP"
}

variable "app_group_name" {
  description = "Name of the Azure Virtual Desktop application group"
  type        = string
  default     = "AE-DEV-AVD-01-DAG"
}

variable "rfc3339" {
  type        = string
  default     = "2023-05-20T12:43:13Z"  #Update this value with a future date
  description = "Registration token expiration"
}

variable "prefix" {
  type        = string
  default     = "AE-DEV-AVD-01-HP-"
  description = "Prefix of the name of the AVD machine(s)"
}

variable "tags" {
  type    = map(string)
  default = {
    Environment = "Dev"
    Department  = "IT"
    Location = "AustraliaEast"
    ServiceClass = "DEV"
    Workload = "Host Pool 01"
  }
}

data "azuread_client_config" "AzureAD" {}

data "azuread_group" "AVDGroup" {
  display_name     = "Win365-Users"  
}

Configure AVD – Pooled Desktop Pool – output.tf

Create a file named output.tf and insert the following code. This will showcase in the console what is getting deployed in form of a output.

output "azure_virtual_desktop_compute_resource_group" {
  description = "Name of the Resource group in which to deploy session host"
  value       = azurerm_resource_group.rg.name
}

output "azure_virtual_desktop_host_pool" {
  description = "Name of the Azure Virtual Desktop host pool"
  value       = azurerm_virtual_desktop_host_pool.hostpool.name
}

output "azurerm_virtual_desktop_application_group" {
  description = "Name of the Azure Virtual Desktop DAG"
  value       = azurerm_virtual_desktop_application_group.dag.name
}

output "azurerm_virtual_desktop_workspace" {
  description = "Name of the Azure Virtual Desktop workspace"
  value       = azurerm_virtual_desktop_workspace.workspace.name
}

output "location" {
  description = "The Azure region"
  value       = azurerm_resource_group.rg.location
}

data "azuread_group" "aad_group" {
  display_name = "Win365-Users"
}

output "AVD_user_groupname" {
  description = "Azure Active Directory Group for AVD users"
  value       = data.azuread_group.aad_group.display_name
}

Intialize Terraform – AVD – Pooled Desktop Pool

Run terraform init to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources. (Its pulling the AzureRM and AzureAD)

terraform init -upgrade

Create Terraform Execution Plan – AVD – Pooled Desktop Pool

Run terraform plan to create an execution plan.

terraform plan -out mainavdpooled.tfplan

Apply Terraform Execution Plan – AVD – Pooled Desktop Pool

Run terraform apply to apply the execution plan to your cloud infrastructure.

terraform apply mainavdpooled.tfplan

Validate the Output in Azure Portal

Go to the Azure portal, Select Azure Virtual Desktop and Select Host pools, Application Group and Workspace created using Terraform.

Clean-up the above resources (Optional)

If you want to delete all the above resources then you can use the following commands to destroy. Run terraform plan and specify the destroy flag.

terraform plan -destroy -out mainavdpooled.destroy.tfplan

Run terraform apply to apply the execution plan.

terraform apply mainavdpooled.destroy.tfplan

Quick Start Links

The intention here is to get you quickly started with Terraform on Azure Virtual Desktop Solution:

Description	Links
Setting up your computer to get started with Terrafor using Powershell	Install Terraform on Windows with Azure PowerShell
AVD Configure Azure Virtual Desktop	https://learn.microsoft.com/en-us/azure/developer/terraform/configure-azure-virtual-desktop
Terraform Learning	https://youtube.com/playlist?list=PLLc2nQDXYMHowSZ4Lkq2jnZ0gsJL3ArAw

I hope you will find this helpful information for getting started with Terraform to deploy the Azure Virtual Desktop – Pooled Desktop. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: AVD, Azure, Azure Virtual Desktop, HashiCorp, IaC, Microsoft, PowerShell, Terraform

Comments 2 Comments
Categories Azure, Azure Virtual Desktop, Scripts-API

Azure Virtual Desktop – Terraform – Create a Host Pool, Desktop Application Group and Workspace for Personal Desktop (Part 1)

8 May

In the past, I have written blog posts on creating the Azure Virtual Desktop (AVD) solution using PowerShell. In this blog post series, I will demonstrate how to create the AVD Host Pool, Application Group and Workspace using Terraform. Terraform is an open-source infrastructure as code (IaC) software tool that enables you to safely and predictably create, change, and improve infrastructure. Terraform can be used to manage infrastructure on various cloud providers, including Azure.

We are going to create the following three types of configurations using Terraform:

Azure Virtual Desktop – Personal Desktop (1×1)
Azure Virtual Desktop – Pooled Desktop (Multi-Session Full Desktop Experience)
Azure Virtual Desktop – Remote App (Multi-Session Application aka Published Apps)

Note – We are creating the Personal Desktop in this post, and the other desktop/app types will be created in the subsequent post. In this post, I will showcase the creation of service principal and secret. In the next part, we shall move straight onto the Terraform code. Referring to part 1 in the series will be essential if you are doing the basics.

Pre-requisites

Following are the pre-requisites before you begin

An Azure subscription
The Terraform CLI
The Azure CLI
Permissions within the Azure Subscription for using Terraform

Terraform Service Principal and Secret (Azure AD – App Registrations)

Let’s pre-create the application ID and client secret we will use to connect and leverage the Terraform code in VScode.

Connect to Azure Portal and go to Azure Active Directory
Click on App Registrations and select – New Registration
Give the App a Name – Terraform

You will get two important information created for later use within Terraform
- Application ID
- Tenant ID

Now let’s grant this App Terraform Permission. Click on Add a permission and select MS Graph and search for AppRoleAssignment.ReadWrite.All and select read/write permissions and Add Permissions
Select Grant admin consent for domain

We are using client secret so now lets enable that. Click on Certificates & Secrets – Client Secrets and select New client secret\
Give it a name (Terra-secret) and expiry date (12 months)
Copy the Secret Value

Terraform – Authenticating via Service Principal & Client Secret

In the above step, we created the Service Principal and Client secret. We will use it before running any Terraform code in PowerShell (Ensure to run as administrator). We will execute and store the credentials as environment variables. If we do this via the environment variable, we don’t have to store the below information within the providers.tf file. In a future blog post, there are better ways to keep the below details, and I hope to showcase them:

# PowerShell
$env:ARM_CLIENT_ID = "9e453b62-0000-0000-0000-00000006e1ac"
$env:ARM_CLIENT_SECRET = "Z318Q~00000000000000000000000000000000_"
$env:ARM_TENANT_ID = "a02e602c-0000-000-0000-0e0000008bba61"
$env:ARM_SUBSCRIPTION_ID = "7b051460-00000-00000-00000-000000ecb1"

Azure Subscription ID – Azure Portal Subscription copy the ID.
Client ID – From the above step, you will have the details
Client Secret – From the above step, you will have the details
Tenant ID – While creating the Enterprise Apps in Azure AD, you will have the details

Terraform Folder Structure

The following is the folder structure for the Terraform code:

Azure Virtual Desktop Personal Pool – Create a directory in which the below Terraform code will be published (providers.tf, main.tf, variables.tf and output.tf)

+---Config-AVD-Personal-Desktop
|   |   main.tf
|   |   output.tf
|   |   providers.tf
|   |   variables.tf

Note – I am not demonstrating how to install Terraform as it’s dead simple, and the information is available everywhere.

Configure AVD – Personal Desktop Pool – Providers.tf

Create a file named providers.tf and insert the following code. (We are using the AzureRM and AzureAD providers)

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.49.0"
    }
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azurerm" {
  features {}
}

Configure AVD – Personal Desktop Pool – main.tf

Create a file named main.tf and insert the following code. Let me explain what we are attempting to accomplish here: (Note I have # commented the lines with additional info)

Create a Resource Group
Create a Workspace
Create a Host Pool
Create a Desktop Application Group (DAG)
Associate Workspace and DAG
Assign Azure AD Group to the Desktop Application Group (DAG)
Assign Azure AD Group to the Resource Group for RBAC for the Session Host (Virtual Machine User Login)

# Resource group name is output when execution plan is applied.
resource "azurerm_resource_group" "rg" {
  name     = var.rg_name
  location = var.resource_group_location
  tags = var.tags
}

# Create AVD workspace
resource "azurerm_virtual_desktop_workspace" "workspace" {
  name                = var.workspace
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  friendly_name       = "${var.prefix} Workspace"
  description         = "${var.prefix} Workspace"
  tags = var.tags
}

# Create AVD host pool
resource "azurerm_virtual_desktop_host_pool" "hostpool" {
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  name                     = var.hostpool
  friendly_name            = var.hostpool
  validate_environment     = true #[true false]
  start_vm_on_connect      = true
  custom_rdp_properties    = "targetisaadjoined:i:1;drivestoredirect:s:*;audiomode:i:0;videoplaybackmode:i:1;redirectclipboard:i:1;redirectprinters:i:1;devicestoredirect:s:*;redirectcomports:i:1;redirectsmartcards:i:1;usbdevicestoredirect:s:*;enablecredsspsupport:i:1;redirectwebauthn:i:1;use multimon:i:1;enablerdsaadauth:i:1;"
  description              = "${var.prefix} HostPool"
  type                     = "Personal" #[Pooled or Personal]
  personal_desktop_assignment_type = "Automatic"
  load_balancer_type       =  "Persistent"
  tags = var.tags
scheduled_agent_updates {
  enabled = true
  timezone = "AUS Eastern Standard Time"  # Update this value with your desired timezone
  schedule {
    day_of_week = "Saturday"
    hour_of_day = 1   #[1 here means 1:00 am]
  }
}
}

resource "azurerm_virtual_desktop_host_pool_registration_info" "registrationinfo" {
  hostpool_id     = azurerm_virtual_desktop_host_pool.hostpool.id
  expiration_date = var.rfc3339
}

# Create AVD DAG
resource "azurerm_virtual_desktop_application_group" "dag" {
  resource_group_name = azurerm_resource_group.rg.name
  host_pool_id        = azurerm_virtual_desktop_host_pool.hostpool.id
  location            = azurerm_resource_group.rg.location
  type                = "Desktop"
  name                = var.app_group_name
  friendly_name       = "Desktop AppGroup"
  description         = "${var.prefix} AVD application group"
  depends_on          = [azurerm_virtual_desktop_host_pool.hostpool, azurerm_virtual_desktop_workspace.workspace]
  tags = var.tags
}

# Associate Workspace and DAG
resource "azurerm_virtual_desktop_workspace_application_group_association" "ws-dag" {
  application_group_id = azurerm_virtual_desktop_application_group.dag.id
  workspace_id         = azurerm_virtual_desktop_workspace.workspace.id
}

# Assign AAD Group to the Desktop Application Group (DAG)
resource "azurerm_role_assignment" "AVDGroupDesktopAssignment" {
  scope                = azurerm_virtual_desktop_application_group.dag.id
  role_definition_name = "Desktop Virtualization User"
  principal_id         = data.azuread_group.AVDGroup.object_id
}

# Assign AAD Group to the Resource Group for RBAC for the Session Host
resource "azurerm_role_assignment" "RBACAssignment" {
  scope                = azurerm_resource_group.rg.id
  role_definition_name = "Virtual Machine User Login"
  principal_id         = data.azuread_group.AVDGroup.object_id
}

Configure AVD – Personal Desktop Pool – variables.tf

Create a file named variables.tf and insert the following code. I have followed a naming convention that includes the following:

AE – Australia East
Environment – PROD or DEV
Instance – 01
RG – Resource Group
WS – Workspace
DAG – Desktop Application Group

variable "resource_group_location" {
  default     = "australiaeast"
  description = "Location of the resource group - Australia East"
}

variable "rg_name" {
  type        = string
  default     = "AE-DEV-AVD-01-RG"
  description = "Name of the Resource group in which to deploy service objects"
}

variable "workspace" {
  type        = string
  description = "Name of the Azure Virtual Desktop workspace"
  default     = "AE-DEV-AVD-01-WS"
}

variable "hostpool" {
  type        = string
  description = "Name of the Azure Virtual Desktop host pool"
  default     = "AE-DEV-AVD-01-PE-D-HP"
}

variable "app_group_name" {
  description = "Name of the Azure Virtual Desktop application group"
  type        = string
  default     = "AE-DEV-AVD-01-DAG"
}

variable "rfc3339" {
  type        = string
  default     = "2023-05-20T12:43:13Z" #Update this value with a future date
  description = "Registration token expiration"
}

variable "prefix" {
  type        = string
  default     = "AE-DEV-AVD-01-HP-"
  description = "Prefix of the name of the AVD machine(s)"
}

variable "tags" {
  type    = map(string)
  default = {
    Environment = "Dev"
    Department  = "IT"
    Location = "AustraliaEast"
    ServiceClass = "DEV"
    Workload = "Host Pool 01"
  }
}

data "azuread_client_config" "AzureAD" {}

data "azuread_group" "AVDGroup" {
  display_name     = "Win365-Users"  
}

Configure AVD – Personal Desktop Pool – output.tf

Create a file named output.tf and insert the following code. This will showcase in the console what is getting deployed as output.

output "azure_virtual_desktop_compute_resource_group" {
  description = "Name of the Resource group in which to deploy session host"
  value       = azurerm_resource_group.rg.name
}

output "azure_virtual_desktop_host_pool" {
  description = "Name of the Azure Virtual Desktop host pool"
  value       = azurerm_virtual_desktop_host_pool.hostpool.name
}

output "azurerm_virtual_desktop_application_group" {
  description = "Name of the Azure Virtual Desktop DAG"
  value       = azurerm_virtual_desktop_application_group.dag.name
}

output "azurerm_virtual_desktop_workspace" {
  description = "Name of the Azure Virtual Desktop workspace"
  value       = azurerm_virtual_desktop_workspace.workspace.name
}

output "location" {
  description = "The Azure region"
  value       = azurerm_resource_group.rg.location
}

data "azuread_group" "aad_group" {
  display_name = "Win365-Users"
}

output "AVD_user_groupname" {
  description = "Azure Active Directory Group for AVD users"
  value       = data.azuread_group.aad_group.display_name
}

Intialize Terraform – AVD – Personal Desktop Pool

Run the following command to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources.

terraform init -upgrade

Create Terraform Execution Plan – AVD – Personal Desktop Pool

Run the following command to create an execution plan.

terraform plan -out mainavdpersonal.tfplan

Apply Terraform Execution Plan – AVD – Personal Desktop Pool

Run the following command to apply the execution plan to your cloud infrastructure.

terraform apply mainavdpersonal.tfplan

Validate the Output in Azure Portal

Go to the Azure portal, Select Azure Virtual Desktop and Select Host pools, Application Group and Workspace created using Terraform.

Clean-up the above resources (Optional)

If you want to delete all the above resources then you can use the following commands to destroy. Run terraform plan and specify the destroy flag.

terraform plan -destroy -out mainavdpersonal.destroy.tfplan

Run terraform apply to apply the execution plan.(Destroy)

terraform apply mainavdpersonal.destroy.tfplan

Quick Start Links

The intention here is to get you quickly started with Terraform on Azure Virtual Desktop Solution:

Description	Links
Setting up your computer to get started with Terrafor using Powershell	Install Terraform on Windows with Azure PowerShell
AVD Configure Azure Virtual Desktop	https://learn.microsoft.com/en-us/azure/developer/terraform/configure-azure-virtual-desktop
Terraform Learning	https://youtube.com/playlist?list=PLLc2nQDXYMHowSZ4Lkq2jnZ0gsJL3ArAw

I hope you will find this helpful information for getting started with Terraform to deploy the Azure Virtual Desktop – Personal Desktop Pool. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: AVD, Azure Virtual Desktop, IaC, Microsoft, PowerShell, Terraform

Comments 4 Comments
Categories Azure, Azure Virtual Desktop, Scripts-API

Disable Search Highlights on Windows 365 Cloud PC and Azure Virtual Desktop using Microsoft Intune

24 Feb

Search Highlight is a feature in Windows 11 (Enterprise\Multi-session) that highlights search results in the Start menu and taskbar search box. While this feature can be helpful for some users, others may find it distracting or unnecessary. Fortunately, it is possible to disable the Search Highlight feature in Windows 11 using Microsoft Intune. Plenty of information is available on disabling the Windows 11 Search Highlight using Group policy, Registry and UI. However, we will leverage Custom OMA-URI settings from Microsoft Intune in this blog post.

Search – CSP Details

The Search – Policy configuration service provider enables the enterprise to configure policies on Windows 11. Following are the details on the one we are using for disabling the search highlights:

How to disable Search Highlights in Microsoft Endpoint Manager

To disable the Search Highlight feature in Windows 11 (Enterprise/Multi-session) using Microsoft Intune, follow these steps:

Login to the MEM Portal – https://endpoint.microsoft.com/
Select Devices > Configuration Profiles > Create Profile.
For Platform, select Windows 10 and later.
For Profile type, select Templates > Custom and select Create.
Enter a Name – DisableSearchHighlight and description and choose Next
Under the OMA-URI Settings, clicks on Add

Enter the Name, Description, and OMA-URI fetched in the references from the MS CSP link below. The value is an integer based on the documentation, and as we disable the setting, the value is 0.

Remember the MS documentation called out this setting only applies to Devices. In the case of Assignments, we will target Windows 365 Device Group and Azure Virtual Desktop Session Host Pools.

Click on Review and Save

Validate the Policy is applying

After 10-15 mins of waiting, go into the newly configured configuration profiles policy, and you will start seeing it getting applied to the targeted devices (MEM Portal > Devices > Configuration Profiles > DisableSearchHighlights)

Cloud PC – Within Windows 11

References & Useful Links

Useful Links	Credits
Search – CSP Policy – https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search	Microsoft
5 Unique Ways to Disable Search Highlights on Windows 11	Prajwal Desai
Disable Enable Search Highlights in Windows 11	Jitesh Kumar

I hope you will find this helpful information towards disabling the annoying Search Highlights on Windows 365, AVD environment and physical endpoints using Microsoft Endpoint Manager. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: AVD, Azure Virtual Desktop, Cloud PC, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, MSIntune, W365, Windows 11, Windows 11 Multi-session, Windows 365 Cloud PC

Comments 4 Comments
Categories Azure Virtual Desktop, Microsoft Intune, Windows 365 Cloud PC

Microsoft Defender for Endpoint – Web Content Filtering for Windows 365 Cloud PC and Azure Virtual Desktop

22 Feb

In today’s world, online security has become more important than ever, especially for businesses. As more and more companies shift their workloads to the cloud, the need for effective security measures has increased. One of the most critical aspects of security is web content filtering. Microsoft Defender for Endpoint is an excellent solution for protecting your Windows 365 Cloud PC and Azure Virtual Desktop environments. If you haven’t see my previous blog post on – Microsoft Defender for Endpoint (MDE) – Getting started for Windows 365 Cloud PC and Azure Virtual Desktop check that first.

Usecase

Web content filtering is a critical aspect of online security that can be used in many different scenarios. Here are some common use cases for web content filtering:

Business Security: Blocking access to malicious websites and other dangerous content, web content filtering helps prevent cyber attacks and data breaches.
Compliance: Many organizations are required to comply with industry-specific regulations and standards, such as HIPAA or PCI-DSS. Web content filtering can help ensure that employees are not accessing websites or content that violates these regulations.
Employee Productivity: Web content filtering can also be used to enhance employee productivity by blocking access to non-work-related websites, such as social media or gaming sites.
Education: Educational institutions can use web content filtering to prevent students from accessing websites that are not educational or age-appropriate.
Guest Wi-Fi: Businesses that offer guest Wi-Fi can use web content filtering to protect their network and guests from online threats.

Overall, web content filtering is a versatile tool that can be used in a variety of settings to enhance online security, productivity, and compliance.

Pre-requisites

To use Microsoft Defender for Endpoint web content filtering on Windows 365 Cloud PC and Azure Virtual Desktop, there are a few prerequisites that you need to meet:

Portal Access to Microsoft 365 Defender Portal
Windows Defender SmartScreen Enabled on all Browsers (Edge, Chrome etc.)
Network Protection must be enable on the endpoint devices
Microsoft Defender for Endpoint (MDE) Plan 1 or 2
MDE for Business
Windows 10/11 or Multi-session Operating System

Enable Web Content Filtering

To enable Web Content Filtering in Microsoft Defender for Endpoint (MDE), you need to follow these steps:

Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
Navigate to Settings and select Endpoints
Click on Advance Features and enable Web Content Filtering

Create Device Group for Windows 365 & AVD in Microsoft 365 Defender Portal

To assign the policy to particular devices such as Windows 365 Cloud and Azure Virtual Desktop Session, we will create the Device Groups:

Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
Navigate to Settings and select Endpoints
Under Permissions, click on Device Groups
Select Add device group and give it a name – Win365Devices
The Cloud PC start with CPC, I will be using that along with OS type – Windows 11
For the Azure Virtual Desktop – My Session host start with AVD-, I will use that as the device group along with OS Type – Windows 11

Enable Network Protection under Microsoft Endpoint Portal (Intune)

Under the Enpoint Secruity – Antivirus policy we will enable the configuration:

Login to the MEM Portal – https://endpoint.microsoft.com/
Select Endpoint security > Antivirus > Create Policy.
For Platform, select Windows 10, Windows 11, and Windows Servers.
For Profile type, select Microsoft Defender Antivirus, and then select Create.
Enter a Name – W365-AVD-AV-P01 and description and choose Next
Under the Configuration Settings
Enable Network Protection – Enable (Block Mode)

In my previous blog post on getting started, I enabled Network Protect and other configurations. Here I am trying to give you a quick config guidance.

Enable Smart Screen under Microsoft Edge Browser via Intune

I want to use the security baseline around Microsoft Edge for enabling global configuration across all the endpoints:

Login to the MEM Portal – https://endpoint.microsoft.com/
Select Endpoint security > Security Baseline > Microsoft Endge Baseline.
Click on Create a profile and give it a name – MSEdge-Sbaseline-01
Enable the SmartScreen config
I am applying this security baseline to All Devices

Note you can enable them via configuration profiles too. In this scenario, I prefer using the security baselines.

Enable Smart Screen for Google Chrome Browser via Intune

To enable Smart Screen on Google Chrome, follow these steps:

Login to the MEM Portal – https://endpoint.microsoft.com/
Select Devices > Configuration profiles > Create profile
Under Platform – Windows 10 & Later
Profile Type – Templates and Select Administrative Templates
Give the policy a name – GoogleChrome-SmartScreen-CP01
Under Computer – Select Configure the list of force-installed apps and extensions
Click on Enable and enter the below URL for extension
Further assign the policy to the target devices
Click on Review and Save

bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx

Create policy for Web Content Filtering

To create a web content filtering policy in Microsoft Defender for Endpoint, follow these steps:

Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
Navigate to Settings and select Endpoints
Under Rules > Web Content Filtering > Add Item
- Policy Name – Stop Social Media
- Block Categories > Leisure > Social Networking & Instant Messaging & Professional Networking
- Scope – Select the Windows 365 Device Group & AVD Device Group (Session Host VMs), as its a targeted policy
Wait for approx. 40 mins for the policy to implement for your endpoints

Validate the URLs within Windows 365 Cloud PC

Before going ahead and checking the URLs within the browser verify the following on the virtual desktop or endpoints:

SmartScreen

Open the browser and type edge://policy and make sure the Smart Screen is enabled

Network Protection

Open the Powershell and check if network protection is enable (Value 1) block mode

Microsoft Edge

Open Microsoft Edge and open https:\\www.facebook.com or https:\\www.snapchat.com

Google Chrome

Check reports in Defender Portal

Under the Microsoft Defender Portal go to Reports > Web Protection > Web content filtering categories details

References & Useful Links

Useful Links	Credits
Web content filtering – https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-worldwide	Microsoft
How to configure Microsoft Defender SmartScreen via Microsoft Intune? – Endpoint Cave	Rene Laas
Enabling web filtering with Microsoft Defender for Endpoint – CIAOPS	Robert Crane

I hope you will find this helpful information towards web content filtering journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: Azure, Azure Virtual Desktop, Cloud PC, MDE, MEM, Microsoft, Microsoft Defender for Endpoint, Microsoft Endpoint Manager, Microsoft Intune, MSIntune, W365, Web Content filtering, Windows 365 Cloud PC

Comments 4 Comments
Categories Azure Virtual Desktop, Microsoft Intune, Windows 365 Cloud PC

Microsoft Defender for Endpoint (MDE) – Getting started for Windows 365 Cloud PC and Azure Virtual Desktop

16 Feb

If you are using Windows 365 Cloud PC and Azure Virtual Desktop, the Microsoft Defender for Endpoint (MDE) is a security solution designed for protecting endpoints, such as Windows 11/Windows 11 Mutli-Session computers, servers, Azure Virtual Desktops and more from various types of cyber threats. The main reason it’s evident to use MDE is that it seamlessly integrates with the solution with minimal to less effort compared to other solutions. This blog post will discuss how to get started with Microsoft Defender for Endpoint in the Windows 365 Cloud and Azure Virtual Desktop.

Prerequisites

Rights to use and deploy Windows 365 Cloud PC and Azure Virtual Desktop and the ncessary licenses
Microsoft Defender for Endpoint Plan 1 or Plan 2 depending upon the requirements and $$$.
Make sure the license is available and listed Microsoft admin center

Enable MDE in Microsoft 365 Security Portal/Intune

To enable Microsoft Defender for Endpoint (MDE) in the Microsoft Defender Security Center, you need to follow these steps:

Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
Navigate to Settings and select Endpoints
Click on On for Microsoft Intune Connection & Device Discovery
Scroll to the bottom and select Save Preferences

We will manage the endpoints via Intune, so all the rest of the actions and fun will be within the https://endpoint.microsoft.com/ and Endpoint Security. After a brief period of 10-15 mins, you can see the connection status being Available and synchronized.

Create the Endpoint detection and response policy (onboarding)

Our environment is managed via Modern Management, and we don’t have the overhead of legacy setup. We will use the Intune Endpoint detection response (EDR) policy to onboard the devices. This is the simplest method as it doesn’t involve installing the agent manually or via GPOs.

Login to the MEM Portal – https://endpoint.microsoft.com/
Select Endpoint security > Endpoint detection and response > Create Policy.
For Platform, select Windows 10, Windows 11, and Windows Servers.
For Profile type, select Endpoint detection and response, and then select Create.
Enter a Name – W365-AVD-EDR-P01 and description and choose Next
Under the Configuration Settings
- MDE client configuration package type – Auto from connector (We are a 100% modern managed environment we can leverage this simple option)
- Sample Sharing – Not configured
- Telemetry Reporting Frequency – Expedite (We want reporting to be lightning-fast)

Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop

Review and Create the policy and it will go ahead and enable MDE on the fleet.
After sometime all your devices will show whether they are onboarded or not.

Many ways to carry out the onboarding. This is just one way and the most straightforward. Read more options here – https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager?view=o365-worldwide

On the onboarded device, go and run the following command to verify the status

Get-MpComputerStatus

Device Compliance Policy (Update)

I already have my existing Windows 10/11 compliance policy after enabling MDE, and I will go ahead and update the compliance policy to accommodate the changes further. This will allow reporting within the tenant on what device compliance level the endpoints are on and whether corporate governance is maintained.

Create Antivirus Policy in Intune

The next step is creating the Antivirus (AV) Policy with the options that your organization demands. I am starting with a few, but remember most choices will require nailing out with internal security/endpoint/governance teams.

Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements.

Login to the MEM Portal – https://endpoint.microsoft.com/
Select Endpoint security > Antivirus > Create Policy.

For Platform, select Windows 10, Windows 11, and Windows Servers.
For Profile type, select Microsoft Defender Antivirus, and then select Create.
Enter a Name – W365-AVD-AV-P01 and description and choose Next
Under the Configuration Settings

Configuration Settings	Status (Value)
Allow Archive Scanning (Scanning through zip and cab files)	Allowed
Allow Behaviour Monitoring	Allowed
Allow Cloud Protection (Joining Microsoft MAPS Community)	Allowed
Allow Email Scanning (Very useful if you are using Microsoft 365)	Allowed
Allow Full Scan Removable Drive Scanning (Scanning of Pen Drives)	Allowed
Allow Intrusion Prevention System	Allowed
Allow scanning of all downloaded files and attachments	Allowed
Allow Realtime Monitoring	Allowed
Cloud Block Level	High
Allow Users UI Access (Defender Client)	Allowed
Enable Network Protection	Enabled (Audit mode)
Avg CPU Load Factor	Enabled (30%)
Schedule Quick Scan Time	Enable (120)
Signature Update Interval	Enable (8 hours)

Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop

Review and Create the policy and it will go ahead and enable AV across the fleet.
After sometime all your devices will show whether they are onboarded or not.

Create Attack surface reduction (ASR) Policy in Intune

The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. This set of capabilities also includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs. In my case I am starting with few, but remember most of the options will require nailing out with internal security/endpoint/governeance teams.

Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements. Here I would like to take the approach of Audit mode first, followed by adding exclusions to refine the block rules (production).

Login to the MEM Portal – https://endpoint.microsoft.com/
Select Endpoint security > Antivirus > Create Policy.

For Platform, select Windows 10, Windows 11, and Windows Servers.
For Profile type, select Attack Surface Reduction Rules, and then select Create.
Enter a Name – W365-AVD-ASR-P01 and description and choose Next
Under the Configuration Settings

Configuration Settings	Status (Value)
Block Adobe Reader from creating child processes	Audit
Block execution of potentially obfuscated scripts	Audit
Block Win32 API calls from office macros	Audit
Block credential stealing from the Windows local security authority subsystem	Audit
Block JavaScript or VBScript from launching downloaded executable content	Audit
Block process creatons originating from PSExec and WMI commands	Audit
Block untrusted and unsigned processes that run from USB	Audit
Block abuse of exploited vulnerable signed drivers (Devices)	Audit

Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop

Review and Create the policy and it will go ahead and enable ASR across the fleet.
After sometime all your devices will show whether they are onboarded or not.

References & Useful Links

Useful Links	Credits
Microsoft Defender for Endpoint series – Tips and tricks/ common mistakes – Part10 (jeffreyappel.nl) – The most mind blowing and detailed blog post series on MDE. I think I only scratch the surface here however, Jeffrey takes an indept approach.	Jeffrey Appel
Configure Microsoft Defender for Endpoint in Intune	Microsoft
Defend Cloud PCs against threats with Microsoft Defender for Endpoint \| Windows in the Cloud – YouTube	Christiaan Brinkhoff \| LinkedIn and Paul Huijbregts \| LinkedIn

Next step, I plan to write a few blog posts on specific topics like URLs, Networks etc, blocking (TikTok, Facebook etc,) concerning MDE. I hope you will find this helpful information towards your journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: Antivirus, Azure, Azure Virtual Desktop, Cloud PC, Endpoint Detection and Response, MDE, MEM, Microsoft, Microsoft Defender for Endpoint, Microsoft Endpoint Manager, Microsoft Intune, MSIntune, W365, Windows 365 Cloud PC

Comments 4 Comments
Categories Azure Virtual Desktop, Microsoft Intune, Windows 365 Cloud PC

Compliance Policy for Azure Virtual Desktop Session Host Virtual machine managed via Microsoft Intune

3 Feb

Microsoft Intune Compliance Policy can be used to manage the security and compliance of Azure Virtual Desktop (AVD) Session Host virtual machines. The policy can enforce specific configuration settings such as password complexity, security updates, and device encryption to ensure that the virtual machines meet the organization’s security and compliance requirements.

To set up an Intune Compliance Policy for an AVD Session Host virtual machine, the virtual machine must be enrolled with Intune. Then, the policy can be created in the Intune portal and assigned to the virtual machine. The policy settings will be enforced on the virtual machine and monitored for compliance.

Note: The Intune Compliance Policy is just one of the ways to manage the security and compliance of AVD Session Host virtual machines. Other tools such as Azure Security Center and Azure Policy can also be used.

Why create the azure virtual desktop session host compliance policy?

There are several reasons why organizations create Azure Virtual Desktop (AVD) Session Host Compliance Policies:

Security: Compliance policies help ensure that the AVD Session Host virtual machines are configured with the necessary security measures to protect sensitive data and prevent unauthorized access. This includes enforcing encryption, password policies, and software updates.
Compliance: Compliance policies help organizations meet regulatory requirements, such as HIPAA, PCI, and SOC, by ensuring that the AVD Session Host virtual machines are configured in accordance with these regulations.
Consistency: Compliance policies help ensure that all AVD Session Host virtual machines are configured consistently and meet the same standards. This makes it easier for administrators to manage the environment and ensures that all users have a consistent and secure experience.
Monitoring: Compliance policies provide ongoing monitoring of the AVD Session Host virtual machines, so administrators can quickly identify and address any deviations from the desired configuration.

By creating an AVD Session Host Compliance Policy, organizations can ensure that their virtual machines are secure, compliant, consistent, and properly monitored, which can help reduce the risk of security breaches and regulatory violations.

What compliance policies are supported with Azure Virtual Desktop?

The following compliance policies are supported on Windows 10 or Windows 11 Enterprise multi-session VMs:

Minimum OS version
Maximum OS version
Valid operating system builds
Simple passwords
Password type
Minimum password length
Password Complexity
Password expiration (days)
Number of previous passwords to prevent reuse
Microsoft Defender Antimalware
Microsoft Defender Antimalware security intelligence up-to-date
Firewall
Antivirus
Antispyware
Real-time protection
Microsoft Defender Antimalware minimum version
Defender ATP Risk score

Note in my sceanrio I am not using all of the above only a few based on the configuration of my environment. You will need a Azure AD device group containing all the session host for AVD to apply this policy.

What am I configuring?

I am only configuring two things. However, I urge if you to leverage Microsoft Defender and make sure you use the Antivirus and Antimalware settings (Another blog post later day for Defender integrations):

Minimum OS version – 10.0.22621.963
Firewall – Require

The above is not an extensive list, but I am trying to give you an idea here.

Create the compliance policy for AVD

Open the Microsoft Endpoint Manager admin center and navigate to Devices and Compliance Policies.

Click on Create Policy and Select Platform Windows 10 and later
Give the policy a name and description

Configure the above two parameters

An assignment is the most critical aspect, here, you want an Azure AD Dynamic Device Group that will make sure all the AVD Session hosts are covered.

My current AAD Dynamic Group query is as follows, I am working towards getting a more refine query to make it understand Multi-session(I have raised a query internally within MS)

Device Compliance (AVD Session Host VMs)

After waiting for 15 mins you will start noticing all your AVD Session host VM’s will now begin to show as compliant.

I hope you will find this helpful information for creating a compliance policy for your AVD Session host VMs. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: AVD, Azure, Azure Virtual Desktop, Device Compliance, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, MSIntune

Comments 2 Comments
Categories Azure Active Directory, Azure Virtual Desktop, Microsoft Intune

Windows 365 Cloud PC & Azure Virtual Desktop – Disk Cleanup using Storage Sense – Intune Configuration Policies

23 Jan

With the slightest effort, do you want to perform a disk cleanup operation? In this blogpost, we are setting up the Storage Sense to cleanup Temporary Files & Empty recycle bin on Windows 365 Cloud PC & AVD Multi-session host. Note by no means is Storage Sense a replacement for the detailed cleanmgr.exe tool, which can perform disk cleanup options in a much more granular manner. The below method is a quick method to get you started and later on improvise on your disk cleanup strategy.

What is Storage Sense?

Storage Sense is a feature in Microsoft Windows 11 that helps users free up space on their device by automatically deleting unnecessary files. It can delete temporary files, files in the recycle bin, and files that have not been accessed in a certain period of time. It also helps users to see what is taking up space on their device and gives them the option to delete specific files or move files to an external storage device.

What features are available within Storage Sense?

Storage Sense in Microsoft Windows 11 has the following features:

Automatic cleanup: Storage Sense can automatically delete temporary files, files in the recycle bin, and files that have not been accessed in a certain period of time.
Storage usage: It helps users to see what is taking up space on their device, and gives them the option to delete specific files or move files to an external storage device.
Storage sense can move files to external storage device
Storage sense can compress files to save space
Storage sense can move files to the cloud
Storage sense can delete files that are no longer needed
Storage sense can free up space by uninstalling apps
Storage sense can show you the storage usage of each app
Storage sense can help you to free up storage by cleaning up your downloads folder

What Configurations are available within Intune (MEM Portal)?

There are many ways to setup Storage Sense. However, the method we are going to opt is inline with the modern workplace management solution using Microsoft Intune (Microsoft Endpoint Manager admin center)

Setting Name	Details
Allow Disk Health Model Updates	Allows disk health model updates to predict disk hardware failure.
Allow Storage Sense Global	Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the
Allow Storage Sense Temporary Files Cleanup	When Storage Sense runs, it can delete the user’s temporary files that are not in use. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, Storage Sense will delete the user’s temporary files that are not in use.
Config Storage Sense Cloud Content Dehydration Threshold	When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it. Supported values are: 0–365. If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content
Config Storage Sense Downloads Cleanup Threshold	When Storage Sense runs, it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from the Downloads folder. Supported values are: 0-365. If you set this value to zero, Storage Sense will not delete files in the user’s Downloads folder
Config Storage Sense Recycle Bin Cleanup Threshold	When Storage Sense runs, it can delete files in the user’s Recycle Bin if they have been there for over a certain amount of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0–365
Removable Disk Deny Write Access	If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting “Deny write access to drives not protected by BitLocker,” which is located in “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.”

What policies are we applying?

In this scenario, we only focus on the deletion of temporary files, Recycle Bin, Moving the files to the OneDrive Known Folder (if configured) and checking the disk hardware.

What is the target of this policy?

We aim to kill two birds with one stone, and this policy configuration is not only applicable for Windows 10/11 based Windows 365 Cloud PC, it also works well for Windows 10/11 Multi-session host for Azure Virtual Desktop. This filter is critical to identifying whether the configuration setting will apply to your device type.

Assignments

We are assiging the policy to the Windows 365 AAD device group and add the Azure Virtual Desktop AAD device group here.

Worth a mention, Jannik Reinhard has published a remediation method via cleanmgr.exe and PowerShell – Use Endpoint Analytics to clean up the disk – Modern Device Management (jannikreinhard.com) and is also a great resource if you decide to go into phase 2 strategy of disk clean-up.

I hope you will find this helpful information for performing disk clean-up on Temporary & Recycle for Windows 365 Cloud PC & AVD. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: Azure, Azure Virtual Desktop, Cloud PC, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, MSIntune, Storage Sense, W365, Windows 365 Cloud PC

Comments 3 Comments
Categories Azure Virtual Desktop, Microsoft Intune, Windows, Windows 365 Cloud PC

Restrict Cloud Apps (ServiceNow, GitHub Enterprise, Atlassian Cloud & Office 365) access to Windows 365 Cloud PC/Azure Virtual Desktop

15 Dec

A good security practice would restrict the access of business-critical applications only to trusted devices within the organizations. On personal and untrusted devices, there should deny access to business applications. This strategy helps in Data Loss Prevention and company information compromise, which is vital in today’s landscape.

In our scenario, we will allow Access to Cloud Apps – ServiceNow, GitHub & Atlassian Cloud only on the Windows 365 Cloud PC/Azure Virtual Desktop (AVD) and all other devices will block access. To achieve this outcome, we shall be using Azure Active Directory (AAD) Conditional Access Policies & further use device filtering on “Cloud PC”

Pre-requsites

You have Enterprise Apps integrated with Azure Active Directory (ServiceNow, GitHub Enterprise, Atlassian Cloud & Office 365)
- Make sure these applications are working with Azure AD credentials and assigned multi-factor authentication
Azure AD Group with end-users to whom you want to apply the restrictions
Necessary Azure AD P1 or P2 license

Portals on AAD Conditional Access Policy (CAP)

Following are all the portals where you can configure the CAP via different consoles. However, the outcome is going to be the same.

Microsoft Endpoint Manager admin Center (Microsoft Intune)

Azure Portal – Azure Active Directory – Security – Conditional Access

Microsoft Entra admin center

New Policy

Details of all the configurations we are entering within the policy and followed by screenshots:

Name of the CAP – Restrict CloudApps access to CPCs
Assignments
- Users or workloads Identities – AAD group, called Win365-Users
- Cloud apps or action
  - Include – Select – ServiceNow, GitHub Enterprise, Atlassian Cloud & Office 365
  - Exclude – Select – Windows 365, Azure Virtual Desktop and Microsoft Remote Desktop
- Conditions – Filter for devices – We are selecting model ‘Cloud PC’
Access Controls – Block Access
Enable Policy – Report-only

AAD Group used for restrictions

Inlcude Cloud Apps (ServiceNow, GitHub Enterprise, Atlassian Cloud & Office 365)

Exclude Windows 365 and AVD

Conditions (Select Model Cloud PC)

Access Controls (Block Access)

Before rolling out in production at this phase, only use the report-only mode. Once satisfied with your testing, you can select Enable Policy – On. Final click on Create

Insights & Reporting

You can notice my user name shows the blocking policy is applying when I access the CloudApp -Office365 from a personal device.

I hope you will find this helpful information for restricting Cloud Apps access to only Cloud PC. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: AAD, Azure Active Directory, Cloud PC, Conditional Access Policy, MEM, Microsoft, Microsoft Endpoint Manager, MSIntune, Windows 365 Cloud PC, Windows 365 Security Baseline

Comments 1 Comment
Categories Azure Active Directory, Azure Virtual Desktop, Microsoft Intune, Windows 365 Cloud PC

Azure Virtual Desktop – PowerShell – Create a Host Pool, Application Group and Workspace for RemoteApp aka Published Applications

13 Dec

In the previous blog post we learnt how to create the PowerShell – Create a Windows 11 Multi-session golden image for Azure Virtual Desktop using Marketplace Image | AskAresh and today we are going to take a step further and deploy the following features within Azure Virtual Desktop using PowerShell:

Create Host Pool with Type – RemoteApp
Create the Application Group (AG)
Create an Workspaces
Assign the Azure Active Directory Group to the (AG)

I will break down the code block into smaller chunks first to explain the critical bits, and in the end, I will post the entire code block that can be run all at once. In this way, explaining block by block becomes easier than pasting one single block.

RemoteApp

RemoteApp – This is a way to provide end-users with the business applications alone without giving them an entire desktop. They can access their applications anywhere on any device.

Pre-requisites

Following are the pre-requisites before you begin

PowerShell 5.1 and above
Azure Subscription
Permissions within the Azure Subscription for the creation of AVD – Host Pools
Assumption
- You have an existing Resource Group (RG)
Azure PowerShell Modules – Az.DesktopVirtualization

Sign to Azure

To start working with Azure PowerShell, sign in with your Azure credentials.

Connect-AzAccount

Variable Region

Delcare all the variable within this section. Lets take a look at what we are declaring within the script:

Existing Resource Group within the Azure Subscription (AZ104-RG)
A location where you are deploying this Host Pool (Australia East)
Name of the Host Pool (RA-HP01)
Host Pool Type (Pooled) as it will be shared with multiple end-users
Load balancing method for the Host Pool (DepthFirst)
Maximum users per session host VM (10)
The type of Application Group (RailApplications). As we are only giving out end-users Apps
Application Group Name ($HPName-RAG)
Workspace grouping name ($HPName-WRK01)
Azure AD group that will be assigned to the application group (XXXX4b896-XXXX-XXXX-XXXX-33768d8XXXXX)

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id

# Existing Resource Group to deploy the Host Pool
$rgName = "AZ104-RG"

# Geo Location to deploy the Host Pool
$location = "australiaeast"

# Host Pool name
$HPName = "RA-HP01"

# Host Pool Type Pooled|Personal
$HPType = "Pooled"

# Host Pool Load Balancing BreadthFirst|DepthFirst|Persistent
$HPLBType = "DepthFirst"

# Max number or users per session host
$Maxusers = "10"

# Preffered App group type Desktop|RailApplications
$AppGrpType = "RailApplications"

# ApplicationGroup Name
$AppGrpName = "$HPName-RAG"

# Workspace Name
$Wrkspace = "$HPName-WRK01"

# AAD Group used to assign the Application Group
# Copy the Object ID GUID from AAD Groups Blade
$AADGroupObjId = "XXXX4b896-XXXX-XXXX-XXXX-33768d8XXXXX"

Execution block

Execution code block within this section. Lets take a look at what we are we executing within the script:

Create the host pool with all the mentioned variables, tags and whether the validation enivornment yes/no.
Create the application group and tie it to the host pool
Finally, we create the workspace and tie it to the application group and hostpool
Last step, we assign the AAD group object ID to the Application Group for all entitlement purposes.

# Create the Host Pool with RemoteApp Configurations
try
{
    write-host "Create the Host Pool with Pooled RemoteApp Configurations"
    $DeployHPWRA = New-AzWvdHostPool -ResourceGroupName $rgName `
        -SubscriptionId $subscriptionID `
        -Name $HPName `
        -Location $location `
        -ValidationEnvironment:$true `
        -HostPoolType $HPType `
        -LoadBalancerType $HPLBType `
        -MaxSessionLimit $Maxusers `
        -PreferredAppGroupType $AppGrpType `
        -Tag:@{"Billing" = "IT"; "Department" = "IT"; "Location" = "AUS-East" } `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}


# Create the Application Group for the Remote App Host Pool
try
{
    write-host "Create the Application Group for the Remote App Host Pool"
    $CreateAppGroupRA = New-AzWvdApplicationGroup -ResourceGroupName $rgName `
        -Name $AppGrpName `
        -Location $location `
        -HostPoolArmPath $DeployHPWRA.Id `
        -ApplicationGroupType 'RemoteApp' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Create the Workspace for the RemoteApp Host Pool
try
{
    write-host "Create the Workspace for the RemoteApp Host Pool"
    $CreateWorkspaceRA = New-AzWvdWorkspace -ResourceGroupName $rgName `
        -Name $Wrkspace `
        -Location $location `
        -ApplicationGroupReference $CreateAppGroupRA.Id `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Assign the AAD group (Object ID)  to the Application Group
try
{
    write-host "Assigning the AAD Group to the Application Group"
    $AssignAADGrpAG = New-AzRoleAssignment -ObjectId $AADGroupObjId `
        -RoleDefinitionName "Desktop Virtualization User" `
        -ResourceName $CreateAppGroupRA.Name `
        -ResourceGroupName $rgName `
        -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

Final Script

Here I will paste the entire script block for seamless execution in a single run. Following is the link to my GitHub for this script – avdwin365mem/createhp-ag-wk-RA at main · askaresh/avdwin365mem (github.com)

# Connect to the Azure Subcription
Connect-AzAccount

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id

# Existing Resource Group to deploy the Host Pool
$rgName = "AZ104-RG"

# Geo Location to deploy the Host Pool
$location = "australiaeast"

# Host Pool name
$HPName = "RA-HP01"

# Host Pool Type Pooled|Personal
$HPType = "Pooled"

# Host Pool Load Balancing BreadthFirst|DepthFirst|Persistent
$HPLBType = "DepthFirst"

# Max number or users per session host
$Maxusers = "10"

# Preffered App group type Desktop|RailApplications
$AppGrpType = "RailApplications"

# ApplicationGroup Name
$AppGrpName = "$HPName-RAG"

# Workspace Name
$Wrkspace = "$HPName-WRK01"

# AAD Group used to assign the Application Group
# Copy the Object ID GUID from AAD Groups Blade
$AADGroupObjId = "dcc4b896-2f2d-49d9-9854-33768d8b65ba"

# Create the Host Pool with RemoteApp Configurations
try
{
    write-host "Create the Host Pool with Pooled RemoteApp Configurations"
    $DeployHPWRA = New-AzWvdHostPool -ResourceGroupName $rgName `
        -SubscriptionId $subscriptionID `
        -Name $HPName `
        -Location $location `
        -ValidationEnvironment:$true `
        -HostPoolType $HPType `
        -LoadBalancerType $HPLBType `
        -MaxSessionLimit $Maxusers `
        -PreferredAppGroupType $AppGrpType `
        -Tag:@{"Billing" = "IT"; "Department" = "IT"; "Location" = "AUS-East" } `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}


# Create the Application Group for the Remote App Host Pool
try
{
    write-host "Create the Application Group for the Remote App Host Pool"
    $CreateAppGroupRA = New-AzWvdApplicationGroup -ResourceGroupName $rgName `
        -Name $AppGrpName `
        -Location $location `
        -HostPoolArmPath $DeployHPWRA.Id `
        -ApplicationGroupType 'RemoteApp' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Create the Workspace for the RemoteApp Host Pool
try
{
    write-host "Create the Workspace for the RemoteApp Host Pool"
    $CreateWorkspaceRA = New-AzWvdWorkspace -ResourceGroupName $rgName `
        -Name $Wrkspace `
        -Location $location `
        -ApplicationGroupReference $CreateAppGroupRA.Id `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Assign the AAD group (Object ID)  to the Application Group
try
{
    write-host "Assigning the AAD Group to the Application Group"
    $AssignAADGrpAG = New-AzRoleAssignment -ObjectId $AADGroupObjId `
        -RoleDefinitionName "Desktop Virtualization User" `
        -ResourceName $CreateAppGroupRA.Name `
        -ResourceGroupName $rgName `
        -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

Next Steps on the Host Pool

Now that the host pool, application group and workspaces are ready following are the next steps involved:

Generate a registration token
Add the session host virtual machine to the host pool
Create Applications within the Application Group. You can create multiple Applications in single AG or 1 AG per Application.

I hope you will find this helpful information for deploying a host pools, application group and workspaces within Azure Virtual Desktop. If you want to see a Powershell version of the applications & session host activities, leave me a comment below or on my socials. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: AVD, Azure, Azure Virtual Desktop, Microsoft, MVPBuzz, PowerShell, VDI

Comments 5 Comments
Categories Azure Virtual Desktop, PowerShell

← Older Entries

	Intune Newsletter -… on PowerShell – Frontline W…
	Weekly Newsletter -… on PowerShell – Frontline W…
	Intune Newsletter -… on Azure Virtual Desktop – Terraf…
	Niran on Azure Virtual Desktop –…
	PowerShell – F… on PowerShell – Create Wind…