I have written various individual blog posts on PowerShell creation of all configurational task for Windows 365 Cloud PC under Microsoft Endpoint Portal (MEM).
Based on public demand, I want to create a consolidated post for all the scripts and configuration items that can get you started with Windows 365 Cloud PC using PowerShell: (Of course all the below features can also be configured using the UI, however below is the guidance strictly using PowerShell)
PowerShell links to my blog post
Following are the links to my blog post for each and individual task:
I promise you once you have done the hard work, you can get up and running in a few hours using all the above PowerShell scripts with Windows 365 Cloud PC.
GitHub Link
Here is the repo with all the scripts and more – askaresh/avdwin365mem (github.com). A big thanks to Andrew Taylor for collaborating and updating the Provisioning policy script with the SSO details that were released in late Nov 2022.
I hope you will find this helpful information for all things PowerShell w.r.t Windows 365 Cloud PC. I will update the post if I publish or update more information.
If you want to establish a network connection that allows communication between the Windows 365 Cloud PC and an existing Azure Virtual Network, then keep following this post. Today, I will demonstrate the PowerShell method of creating the Azure Network Connection (ANC). Note that we need information from the Azure Portal, so make sure you have all the necessary information handy and/or involve the teams who can provide you with the Azure networking details.
Overview
Create the ANC first before creating the Win365 – Cloud Provisioning Policy (CPP)
If the ANC is pre-created, the Cloud PC desktops are provisioned onto the Azure VNET in your desired subnet during cloud provisioning
Make sure you have a working DNS configured on the VNET which can communicate with your on-premises network using ExpressRoute or other Azure VNETs
Open the necessary firewall ports, based on your requirements, on the NSG or Azure Firewall for communication to your on-premises network using ExpressRoute or other Azure VNETs
Permissions
Intune Administrator in Azure AD
Cloud PC Administrator
Global Administrator
If you decide to alter or change the ANC, you will have to reprovision the Cloud PC, and it’s a destructive activity. Make sure you architect it properly
You can delete your ANC however, you will have to update your cloud provisioning policy with the new ANC first, and then you can delete the existing ANC.
Connect to MS Graph API
Step 1 – Install the MS Graph Powershell Module
#Install Microsoft Graph Module
PS C:\WINDOWS\system32> Install-Module Microsoft.Graph
Step 2 – Connect to scopes and specify which API permissions you want to authenticate with. If you are only doing read-only operations, I suggest you connect with “CloudPC.Read.All”. In our case we are creating the ANC, so we need to change the scope to “CloudPC.ReadWrite.All”.
#Read-only
PS C:\WINDOWS\system32> Connect-MgGraph -Scopes "CloudPC.Read.All"
Welcome To Microsoft Graph!
OR
#Read-Write
PS C:\WINDOWS\system32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
Welcome To Microsoft Graph!
Step 3 – Choose between v1.0 (Generally Available) and Beta API versions. Note for Windows 365 Cloud PC, the API calls are BETA.
We are logging into Azure to grab all the details regarding the Resource Group, Subscription ID/Name, VNET and Subnets:
Connect to the Azure Portal using the necessary credentials
Select the Azure Subscription that holds all the networking information
A display name of the Azure Network Connection – ANC – (ANC-W365-Sub01)
The join type of the ANC (azureADJoin)
Resource Group ID of the existing resource group. You will have to enter the resource group name (W365-AVD-RG01), and it will get us the ID we need.
Name of the existing subnet within the vNET (W365Workload-Sub01), and it will get us the ID we need.
Name of the existing VNET used for the connection. You will have to enter the VNET name (W365-AVD-VNET01), and it will get us the ID we need.
Connect to the MS Graph API and ensure you have the necessary write permissions.
We are using the beta API for Cloud PC
# Connect to the Azure Subscription
Connect-AzAccount
# Get existing context
$currentAzContext = Get-AzContext
# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id
# Your subscription. This command gets your current subscription name
$subscriptionName = $currentAzContext.Subscription.Name
# ANC Display Name
$ancdname = "ANC-W365-Sub01"
# Join type for the Azure Network Connection
# Two types, Azure AD and Hybrid: "azureADJoin" or "hybridAzureADJoin"
$ancjointype = "azureADJoin"
# Get your Win365 Resource Group ID for RG Name - W365-AVD-RG01
# Put your RG Name
$win365RGID = Get-AzResourceGroup -Name "W365-AVD-RG01" | Select-Object -ExpandProperty ResourceId
# Get your Azure VNET id used for Windows 365 Cloud PC
# Put your VNET Name
$win365VNETID = Get-AzVirtualNetwork -Name "W365-AVD-VNET01" | Select-Object -ExpandProperty Id
# Get your Subnet ID within the Azure VNET for Windows 365 Cloud PC
# Put your VNET Name
$win365VNET = Get-AzVirtualNetwork -Name "W365-AVD-VNET01"
# Enter your Subnet Name
$win365SubID = Get-AzVirtualNetworkSubnetConfig -Name "W365Workload-Sub01" -VirtualNetwork $win365VNET | Select-Object -ExpandProperty Id
# Connect to MS Graph for Cloud PC W365
Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
# Select Beta Profile for Cloud PC APIs
Select-MgProfile -Name "beta"
We shall pass the above variable into the final ANC creation.
Create the Azure Network Connection
We are creating an Azure Network Connection that includes the following:
Display Name of the network – $ancdname
Azure Subscription ID – $subscriptionID
Azure Subscription Name – $subscriptionName
Type – There are two join types; we are selecting Azure AD join – azureADJoin
Resource Group ID – The resource group within Azure – $win365RGID
Virtual Network ID – The VNET within Azure – $win365VNETID
Subnet ID – The subnet for W365 within VNET – $win365SubID
# Create the ANC for Windows 365 with AAD join type
try
{
write-host "Create the ANC for Windows 365 with AAD join type"
$params = @{
displayName = "$ancdname"
subscriptionId = "$subscriptionID"
type = "$ancjointype"
subscriptionName = "$subscriptionName"
resourceGroupId = "$win365RGID"
virtualNetworkId = "$win365VNETID"
subnetId = "$win365SubID"
}
New-MgDeviceManagementVirtualEndpointOnPremisesConnection -BodyParameter $params -Debug
}
catch
{
Write-Host $_.Exception.Message -ForegroundColor Yellow
}
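Once the ANC exists, Windows 365 runs a health check against it (DNS, subnet, join permissions and so on), and a provisioning policy should only reference an ANC whose check has passed, because changing the ANC later means reprovisioning Cloud PCs. The following is an added example, not code from the original post, that polls that status with the same beta profile and cmdlet family the post uses; the property names HealthCheckStatus and HealthCheckStatusDetails.HealthChecks are my reading of the beta cloudPcOnPremisesConnection schema and should be confirmed against the current API reference.

```powershell
# Added example: wait for the ANC health check and list failing checks.
# Assumes the ANC was created with the display name used earlier in the post.
Connect-MgGraph -Scopes "CloudPC.Read.All"
Select-MgProfile -Name "beta"

$ancDisplayName = "ANC-W365-Sub01"

function Wait-AncHealthCheck {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [int]$TimeoutMinutes = 30,
        [int]$PollSeconds = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Look the ANC up by display name on every poll so we always read fresh state
        $anc = Get-MgDeviceManagementVirtualEndpointOnPremisesConnection -All |
            Where-Object { $_.DisplayName -eq $DisplayName }
        if (-not $anc) { throw "ANC '$DisplayName' not found" }

        $status = $anc.HealthCheckStatus   # assumption: beta property name
        Write-Host ("{0}: health check status = {1}" -f (Get-Date -Format s), $status)

        # pending/running means the service is still probing DNS, subnet, join permissions etc.
        if ($status -notin @('pending', 'running')) { break }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $anc
}

$anc = Wait-AncHealthCheck -DisplayName $ancDisplayName

# Anything other than "passed" deserves a look before the ANC goes into a
# provisioning policy; warnings and failures carry a per-check result.
if ($anc.HealthCheckStatus -ne 'passed') {
    $anc.HealthCheckStatusDetails.HealthChecks |            # assumption: beta property names
        Where-Object { $_.Result -ne 'passed' } |
        Select-Object DisplayName, Result, ErrorType, AdditionalDetails |
        Format-Table -AutoSize
}
```

The read-only scope is enough here, so the check can be run by a reviewer who does not hold CloudPC.ReadWrite.All.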
# Import module Az and MS Graph
Import-Module Az.Accounts
Install-Module Microsoft.Graph
# Connect to the Azure Subscription
Connect-AzAccount
# Get existing context
$currentAzContext = Get-AzContext
# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id
# Your subscription. This command gets your current subscription name
$subscriptionName = $currentAzContext.Subscription.Name
# ANC Display Name
$ancdname = "ANC-W365-Sub01"
# Join type for the Azure Network Connection
# Two types, Azure AD and Hybrid: "azureADJoin" or "hybridAzureADJoin"
$ancjointype = "azureADJoin"
# Get your Win365 Resource Group ID for RG Name - W365-AVD-RG01
# Put your RG Name
$win365RGID = Get-AzResourceGroup -Name "W365-AVD-RG01" | Select-Object -ExpandProperty ResourceId
# Get your Azure VNET id used for Windows 365 Cloud PC
# Put your VNET Name
$win365VNETID = Get-AzVirtualNetwork -Name "W365-AVD-VNET01" | Select-Object -ExpandProperty Id
# Get your Subnet ID within the Azure VNET for Windows 365 Cloud PC
# Put your VNET Name
$win365VNET = Get-AzVirtualNetwork -Name "W365-AVD-VNET01"
# Enter your Subnet Name
$win365SubID = Get-AzVirtualNetworkSubnetConfig -Name "W365Workload-Sub01" -VirtualNetwork $win365VNET | Select-Object -ExpandProperty Id
# Connect to MS Graph for Cloud PC W365
Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
# Select Beta Profile for Cloud PC APIs
Select-MgProfile -Name "beta"
# Create the ANC for Windows 365 with AAD join type
try
{
write-host "Create the ANC for Windows 365 with AAD join type"
$params = @{
displayName = "$ancdname"
subscriptionId = "$subscriptionID"
type = "$ancjointype"
subscriptionName = "$subscriptionName"
resourceGroupId = "$win365RGID"
virtualNetworkId = "$win365VNETID"
subnetId = "$win365SubID"
}
New-MgDeviceManagementVirtualEndpointOnPremisesConnection -BodyParameter $params -Debug
}
catch
{
Write-Host $_.Exception.Message -ForegroundColor Yellow
}
I hope you will find this helpful information for creating Azure Network Connection using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.
In the current security landscape, it’s pretty standard you will have to put your Windows 365 Cloud PC for digital forensic investigations. The security team or 3rd party vendor would ask you (the PC Ownership team) for a backup or snapshot of the Cloud PC to run security tools or skim through the files. This blog post intends to get you 100% ready to help and collaborate with security teams on the Cloud PC forensic review.
Pre-requisites
To put the Windows 365 Cloud PC for review you will need the following:
Azure Subscription with a Storage Account configured. Additionally, the Azure subscription is linked to Microsoft Intune (MEM Portal)
Permission Storage Account Contributor for the Windows 365 Application
A Windows 365 Cloud Enterprise license
The snapshot stored within the Containers in Azure Storage account – The AAD account, needs to have Storage Blob Data Reader or Storage Blob Data Contributor
Azure Storage Account for Windows 365
I already created the storage account within the Azure Subscription linked with my MEM portal. However, I encountered the below issue as I missed out on the RBAC permissions.
Issue
The storage account selection will be greyed out when you try to put the Windows 365 Cloud PC in review
Solution
Provide the Windows 365 Application Storage Account Contributor access. Once I added the permission, the storage account would be listed within the Cloud PC review blade.
The overall permissions within the storage account to store the snapshot and to see the snapshot you will need these two permissions:
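The two role assignments described above can be made with the Az PowerShell module instead of the portal. The block below is an added example and not part of the original post: the resource group, storage account and analyst UPN are placeholders, and looking up the Windows 365 service principal by the display name "Windows 365" is an assumption you should confirm under Azure AD > Enterprise applications first.

```powershell
# Added example: scope both assignments to the storage account, not the subscription.
Connect-AzAccount

$rgName         = "W365-Forensics-RG"         # placeholder
$storageAccount = "w365forensicsstore01"      # placeholder, must be globally unique
$analystUpn     = "analyst@contoso.example"   # placeholder

$sa    = Get-AzStorageAccount -ResourceGroupName $rgName -Name $storageAccount
$scope = $sa.Id

function Grant-RoleIfMissing {
    param(
        [Parameter(Mandatory)][string]$ObjectId,
        [Parameter(Mandatory)][string]$Role,
        [Parameter(Mandatory)][string]$Scope
    )
    # Idempotent: re-running the script does not create duplicate assignments
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope
    if ($existing) {
        Write-Host "$Role already assigned at $Scope"
        return $existing
    }
    New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope
}

# 1) Windows 365 needs Storage Account Contributor to write the snapshot.
#    Without it the storage account is greyed out in the review blade.
$w365Sp = Get-AzADServicePrincipal -DisplayName "Windows 365"   # assumption: display name
if (-not $w365Sp) { throw "Windows 365 service principal not found in this tenant" }
Grant-RoleIfMissing -ObjectId $w365Sp.Id -Role "Storage Account Contributor" -Scope $scope

# 2) The reviewer only has to read the VHD. Of the two roles the post lists,
#    Storage Blob Data Reader is the least-privilege choice because the analyst
#    then cannot alter or delete the evidence after it lands in the container.
$analyst = Get-AzADUser -UserPrincipalName $analystUpn
Grant-RoleIfMissing -ObjectId $analyst.Id -Role "Storage Blob Data Reader" -Scope $scope
```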
Place a Cloud PC in review
Login to the Microsoft Endpoint Manager admin center portal and go to Devices – All Devices and select the device starting with CPC-***** and then click on the three dots and select “Place Cloud PC under review.”
Select the Azure subscription and the storage account, and, depending upon the security incident, choose whether to allow or deny user access to the Cloud PC
After approx 10 mins, you will see the following within the Device actions status
View Snapshot in Azure Storage Account
The Cloud PC snapshot will be listed under the Azure Storage Account – Containers
Snapshot details it’s a *.vhd disk, and the disk size matches the Cloud PC SKU size.
Provide the snapshots to the security teams for analysis. Optionally there is a download button if you wish to download the snapshot (*.vhd) and take it outside the Azure environment for analysis. Post the review, depending upon the outcome, the SOC team will guide you. Note as an admin you must attest that the digital evidence provided demonstrates a valid Chain of Custody (CoC). I am showing the next step of removing the Cloud PC from review.
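The Chain of Custody attestation is easier to stand behind when the hand-over is recorded at collection time. The following is an added example, not from the original post, that lists the snapshot blobs, downloads the VHD with Azure AD authentication, and writes a small manifest with a SHA-256 hash, the collector's identity and a UTC timestamp. Storage account, container and local path are placeholders; the container name to use is whatever appears under Containers in the portal for your tenant.

```powershell
# Added example: download the Cloud PC snapshot and record a chain-of-custody manifest.
Connect-AzAccount

$rgName         = "W365-Forensics-RG"          # placeholder
$storageAccount = "w365forensicsstore01"       # placeholder
$container      = "cloudpc-snapshots"          # placeholder, copy from the portal
$localDir       = "D:\Evidence"                # placeholder

# Azure AD auth (Storage Blob Data Reader) rather than the account key, so the
# access is attributable to a named user in the storage logs
$ctx = New-AzStorageContext -StorageAccountName $storageAccount -UseConnectedAccount

# Only the *.vhd blobs are disk snapshots
$vhds = Get-AzStorageBlob -Container $container -Context $ctx |
    Where-Object { $_.Name -like '*.vhd' }

New-Item -ItemType Directory -Path $localDir -Force | Out-Null

$manifest = foreach ($blob in $vhds) {
    $dest = Join-Path $localDir (Split-Path $blob.Name -Leaf)
    Get-AzStorageBlobContent -Blob $blob.Name -Container $container -Context $ctx `
        -Destination $dest -Force | Out-Null

    # Hash the local copy immediately after download
    $sha256 = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    [pscustomobject]@{
        Blob             = $blob.Name
        SizeBytes        = $blob.Length
        BlobLastModified = $blob.LastModified.UtcDateTime
        LocalPath        = $dest
        SHA256           = $sha256
        CollectedBy      = (Get-AzContext).Account.Id
        CollectedUtc     = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Write the manifest next to the evidence and hash the manifest itself, so a later
# edit to either the VHD or the record is detectable
$manifestPath = Join-Path $localDir 'chain-of-custody.json'
$manifest | ConvertTo-Json -Depth 3 | Set-Content -Path $manifestPath -Encoding UTF8
Get-FileHash -Path $manifestPath -Algorithm SHA256 | Format-List Path, Hash
```

Hand the manifest hash to the receiving team through a separate channel from the files themselves; each party can then re-run Get-FileHash on arrival and compare.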
Remove Cloud PC from Review
Login to the Microsoft Endpoint Manager admin center portal and go to Devices – All Devices and select the device starting with CPC-*****, which you previously kept under review and the notifications
After approx 3 mins, you will see the following within the Device actions status as completed
I hope you will find this helpful information for putting the Cloud PC under security review. Please let me know if I have missed any steps or details, and I will be happy to update the post.
In the previous blog post, I demonstrated how to create a Windows 11 Multi-session golden image for AVD. In today’s post, I want to showcase how to create a custom Windows 11 Enterprise 22H2 + Microsoft 365 image for Windows 365 Cloud PC. (Note it is not multi-session; instead, it is the Enterprise edition for 1×1 mapping of desktop/user, aka Full Clone)
Why will you create a custom Windows 11 Ent Windows 365 Cloud PC Golden Image?
There are situations where you want to create a custom image with all corporate applications pre-installed (VPN or Zero trust agent, EDR/XDR Solutions agents or Anti-virus agent pre-installed). You may argue we can deploy those applications later using Win32 app deployment via Intune. But still, few security teams and corporations would like to have it available from the start.
Pre-requisites
Following are the pre-requisites before you begin
PowerShell 5.1 and above
Azure Subscription
Permissions within the Azure Subscription for Azure Compute
Assumption
You have an existing Resource Group (RG)
You have an existing Azure Virtual Network (VNET)
You have an existing workload subnet within the VNET
Identify the VM Size you will be using for the golden image
To start working with Azure PowerShell, sign in with your Azure credentials.
Connect-AzAccount
Identify the Windows 11 Multi-session (Marketplace Image)
Microsoft publishes many Windows 365 Cloud PC marketplace images – Windows 11/10 Enterprise edition. The operating system is already optimized (Microsoft VDI optimizations) for Cloud PC, and the only difference is with or without Microsoft 365.
Let’s identify what is available within the marketplace.
We are going to use the Windows 11 22H2 Enterprise + Microsoft 365 Apps within this script
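As an added example that is not part of the original post, the block below enumerates the Cloud PC SKUs and the published versions of the chosen SKU, so the $sku and $version variables can be filled in from live data. Publisher, offer and SKU are the ones the post uses; the region is a placeholder for my lab.

```powershell
# Added example: discover marketplace SKUs and versions for the Cloud PC offer.
Connect-AzAccount

$location  = "australiaeast"                 # placeholder region
$publisher = "MicrosoftWindowsDesktop"
$offer     = "windows-ent-cpc"

# All SKUs under the Cloud PC offer; "-m365" SKUs bundle Microsoft 365 Apps
$skus = Get-AzVMImageSku -Location $location -PublisherName $publisher -Offer $offer
$skus | Select-Object Skus | Format-Table -AutoSize

# Versions of the 22H2 Enterprise + M365 SKU, newest first. "latest" in the post
# resolves to the top entry at deployment time; pinning an explicit version instead
# makes a golden-image build reproducible and reviewable.
$sku = "win11-22h2-ent-cpc-m365"
$versions = Get-AzVMImage -Location $location -PublisherName $publisher -Offer $offer -Skus $sku |
    Sort-Object { [version]$_.Version } -Descending
$versions | Select-Object -First 5 Version, Skus | Format-Table -AutoSize

# Details of the newest version, including any marketplace purchase plan
# (a plan would require Set-AzVMPlan before New-AzVM; Microsoft first-party images have none)
$newest = Get-AzVMImage -Location $location -PublisherName $publisher -Offer $offer `
            -Skus $sku -Version $versions[0].Version
$newest | Select-Object Version, PurchasePlan | Format-List
```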
Variable Region
Declare all the variables within this section. Let’s take a look at what we are declaring within the script:
Existing Resource Group within the Azure Subscription (AZ104-RG)
A location where you are deploying this virtual machine (Australia East)
Name of the golden image virtual machine (Win365-GI01)
NIC Interface name for the virtual machine (Win365-GI01-nic)
RG of the VNET (In my case they are the same, AZ104-RG, but they can be separate too and hence an independent variable)
Name of the existing subnet within the vNET (AZ104-VDI-Workload-L1)
Name of the existing VNET (AZ104-RG-vnet)
Mapping of the existing VNET
Mapping of the existing subnet
T-shirt size of the golden image we are deploying (Standard_D2s_v3)
Gallery details of the image
Publisher – MicrosoftWindowsDesktop
Offer – windows-ent-cpc
SKU – win11-22h2-ent-cpc-m365
Version – of course, latest
Get credentials – A local admin account is created on the golden image (an input box captures the username and password of your choice)
# Existing Resource Group to deploy the VM
$rgName = "AZ104-RG"
# Geo Location to deploy the VM
$location = "Australia East"
# Image template name
$vmName = "Win365-GI01"
# Network Interface Name for the VM
$nicName = "$vmName-nic"
# Resource Group for VNET
$vnetrgName = "AZ104-RG"
# Existing Subnet Name
$Existsubnetname = "AZ104-VDI-Workload-L1"
# Existing VNET Name
$Existvnetname = "AZ104-RG-vnet"
# Existing VNET where we are deploying this Virtual Machine
$vnet = Get-AzVirtualNetwork -Name $Existvnetname -ResourceGroupName $vnetrgName
# Existing Subnet within the VNET for the this virtual machine
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $Existsubnetname -VirtualNetwork $vnet
# T-shirt size of the VM
$vmSize = "Standard_D2s_v3"
# Gallery Publisher of the Image - Microsoft
$publisher = "MicrosoftWindowsDesktop"
# Version of Windows 10/11
$offer = "windows-ent-cpc"
# The SKU (SKUs ending with avd are the multi-session images; this one is the Enterprise + M365 Cloud PC image)
$sku = "win11-22h2-ent-cpc-m365"
# Choosing the latest version
$version = "latest"
# Setting up the Local Admin on the VM
$cred = Get-Credential `
-Message "Enter a username and password for the virtual machine."
Execution block
The execution code block is within this section. Let’s take a look at what we are executing within the script:
First, it creates the network interface for the virtual machine (Win365-GI01)
Next, under the variable $VM all virtual machine configurations
Tshirt size of the virtual machine
Credentials for the local admin (username/password)
The network interface assignment along with the delete option (Note the delete option is essential, or else deleting the VM will not delete the network interface)
The gallery image, sku, offer from the Microsoft Market Place gallery
The OS disk assignment along with the delete option (Note the delete option is essential, or else deleting the VM will not delete the disk)
The configuration around “Trusted Platform” and enabling of TPM and Secure Boot
The final command to create the virtual machine with all the above configurations
# Create New network interface for the virtual machine
$NIC = New-AzNetworkInterface -Name $nicName -ResourceGroupName $vnetrgName -Location $location -Subnet $subnet
# Creation of the new virtual machine with delete option for Disk/NIC together
$vm = New-AzVMConfig -VMName $vmName -VMSize $vmSize
$vm = Set-AzVMOperatingSystem `
-VM $vm -Windows `
-ComputerName $vmName `
-Credential $cred `
-ProvisionVMAgent `
-EnableAutoUpdate
# Delete option for NIC
$vm = Add-AzVMNetworkInterface -VM $vm `
-Id $NIC.Id `
-DeleteOption "Delete"
$vm = Set-AzVMSourceImage -VM $vm `
-PublisherName $publisher `
-Offer $offer `
-Skus $sku `
-Version $version
# Delete option for Disk
$vm = Set-AzVMOSDisk -VM $vm `
-StorageAccountType "StandardSSD_LRS" `
-CreateOption "FromImage" `
-DeleteOption "Delete"
# The sauce around enabling the Trusted Platform
$vm = Set-AzVmSecurityProfile -VM $vm `
-SecurityType "TrustedLaunch"
# The sauce around enabling TPM and Secure Boot
$vm = Set-AzVmUefi -VM $vm `
-EnableVtpm $true `
-EnableSecureBoot $true
New-AzVM -ResourceGroupName $rgName -Location $location -VM $vm
# Step 1: Import module
#Import-Module Az.Accounts
# Connect to the Azure Subscription
#Connect-AzAccount
# Get existing context
$currentAzContext = Get-AzContext
# Your subscription. This command gets your current subscription
$subscriptionID=$currentAzContext.Subscription.Id
# Command to get the Multi-session Image in Gallery
# Details from this command will help in filling out variables below on Gallery Image
# Get-AzVMImageSku -Location australiaeast -PublisherName MicrosoftWindowsDesktop -Offer windows-ent-cpc
# Existing Resource Group to deploy the VM
$rgName = "AZ104-RG"
# Geo Location to deploy the VM
$location = "Australia East"
# Image template name
$vmName = "Win365-GI01"
# Network Interface Name for the VM
$nicName = "$vmName-nic"
# Resource Group for VNET
$vnetrgName = "AZ104-RG"
# Existing Subnet Name
$Existsubnetname = "AZ104-VDI-Workload-L1"
# Existing VNET Name
$Existvnetname = "AZ104-RG-vnet"
# Existing VNET where we are deploying this Virtual Machine
$vnet = Get-AzVirtualNetwork -Name $Existvnetname -ResourceGroupName $vnetrgName
# Existing Subnet within the VNET for the this virtual machine
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $Existsubnetname -VirtualNetwork $vnet
# T-shirt size of the VM
$vmSize = "Standard_D2s_v3"
# Gallery Publisher of the Image - Microsoft
$publisher = "MicrosoftWindowsDesktop"
# Version of Windows 10/11
$offer = "windows-ent-cpc"
# The SKU (SKUs ending with avd are the multi-session images; this one is the Enterprise + M365 Cloud PC image)
$sku = "win11-22h2-ent-cpc-m365"
# Choosing the latest version
$version = "latest"
# Setting up the Local Admin on the VM
$cred = Get-Credential `
-Message "Enter a username and password for the virtual machine."
# Create New network interface for the virtual machine
$NIC = New-AzNetworkInterface -Name $nicName -ResourceGroupName $vnetrgName -Location $location -Subnet $subnet
# Creation of the new virtual machine with delete option for Disk/NIC together
$vm = New-AzVMConfig -VMName $vmName -VMSize $vmSize
$vm = Set-AzVMOperatingSystem `
-VM $vm -Windows `
-ComputerName $vmName `
-Credential $cred `
-ProvisionVMAgent `
-EnableAutoUpdate
# Delete option for NIC
$vm = Add-AzVMNetworkInterface -VM $vm `
-Id $NIC.Id `
-DeleteOption "Delete"
$vm = Set-AzVMSourceImage -VM $vm `
-PublisherName $publisher `
-Offer $offer `
-Skus $sku `
-Version $version
# Delete option for Disk
$vm = Set-AzVMOSDisk -VM $vm `
-StorageAccountType "StandardSSD_LRS" `
-CreateOption "FromImage" `
-DeleteOption "Delete"
# The sauce around enabling the Trusted Platform
$vm = Set-AzVmSecurityProfile -VM $vm `
-SecurityType "TrustedLaunch"
# The sauce around enabling TPM and Secure Boot
$vm = Set-AzVmUefi -VM $vm `
-EnableVtpm $true `
-EnableSecureBoot $true
New-AzVM -ResourceGroupName $rgName -Location $location -VM $vm
Note – It will give you a pop-up box for entering the username and password for the local account, and in under 10 mins you will see your virtual machine within the Azure portal
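Before generalising the image it is worth confirming that the security settings the script asked for actually landed on the VM. The block below is an added example, not from the original post, that reads the VM back and checks Trusted Launch, vTPM, Secure Boot and the Delete options on the OS disk and NIC; it uses the post's $rgName and $vmName values.

```powershell
# Added example: verify the golden image VM's security profile and delete options.
$rgName = "AZ104-RG"
$vmName = "Win365-GI01"

function Test-GoldenImageVm {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $Name

    # Each entry is a named check against the VM model returned by Azure
    $checks = [ordered]@{
        'SecurityType = TrustedLaunch'  = ($vm.SecurityProfile.SecurityType -eq 'TrustedLaunch')
        'vTPM enabled'                  = ($vm.SecurityProfile.UefiSettings.VTpmEnabled -eq $true)
        'Secure Boot enabled'           = ($vm.SecurityProfile.UefiSettings.SecureBootEnabled -eq $true)
        'OS disk DeleteOption = Delete' = ($vm.StorageProfile.OsDisk.DeleteOption -eq 'Delete')
        'NIC DeleteOption = Delete'     = (@($vm.NetworkProfile.NetworkInterfaces |
                                             Where-Object { $_.DeleteOption -ne 'Delete' }).Count -eq 0)
    }

    foreach ($entry in $checks.GetEnumerator()) {
        $state = if ($entry.Value) { 'OK  ' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $state, $entry.Key)
    }
    # $true only when every check passed
    return -not ($checks.Values -contains $false)
}

if (-not (Test-GoldenImageVm -ResourceGroupName $rgName -Name $vmName)) {
    Write-Warning "Fix the items above before generalising and capturing the image"
}
```

A Trusted Launch VM can only be captured into an Azure Compute Gallery image definition whose security type is also Trusted Launch, so a FAIL on the first three checks would surface again at the capture step.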
Next Steps on Golden Image
Now that the virtual machine is ready following are the next steps involved:
Using Azure Bastion console and install the required applications
Zero Trust Agent
EDR/XDR Agent
Antivirus Software Agent
Line of Business Apps
Generalize (Sysprep) and shut down the image
Capture the image to the Azure Compute Galleries
Add the image within Microsoft Intune
I hope you will find this helpful information for deploying a golden image within Azure – Virtual Machine to deploy the custom Image for Windows 365 Cloud PC. Please let me know if I have missed any steps or details, and I will be happy to update the post.
We have numerous articles showcasing how to create the golden master image to deploy within the Host Pool. This blog post will showcase how to perform recurring monthly security patch updates within the golden master image and push that into your Host Pools within Azure Virtual Desktop.
Pre-requisites
Azure Compute Galleries – Create VM
Console to Golden Image (RDP or Azure Bastion)
Install the Microsoft Latest Cumulative Update (LCU)
Sysprep (Generalize and Shutdown)
Capture the Virtual Machine
Azure Compute Galleries – New Version
Drain and remove old session host vms
Feature Wishlist
If Microsoft is listening – requesting the feature of leveraging Update Rings from Microsoft Intune so that quality updates from #Intune can be applied to Microsoft Windows 10/11 Multi-session
Pre-requisites
The assumption here is that you already have a golden image and existing versions available. Below is an example from Azure Compute Galleries of a Windows 11 Multi-session image and the currently running version 0.0.2 within my Host Pools. (Note it is an already generalized image – see the OS State)
Azure Compute Galleries – Create VM
The first step here is to update the golden image with the monthly Microsoft Cumulative Security update, and we want to create a new virtual machine from the existing version of 0.0.2. (Background version 0.0.2 include the October 2022 Latest Cumulative Updates)
Now you will be presented with a Create VM wizard
Select Next – Disk Settings
Select Next – Networking Settings
Select Next – Management Settings
Select Next – Monitoring Settings
Select Tags
Select Review & Create the Virtual Machine – Golden Image.
#Tip – On the rare occasion that the creation of the virtual machine fails, in one instance, I had forgotten to perform Sysprep on the existing version in Azure Compute Galleries (e.g. 0.0.1). In such scenarios, create a virtual machine from the previous version number you know that works well.
Console to Golden Image (RDP or Azure Bastion)
We now have the newly created golden image from the existing version 0.0.2 within the Azure – Virtual Machines blade listed and status=Running.
Download the RDP file and console into the Virtual machine – Win11MSGI04 (Note, as previously mentioned, this is a bad practice in a production environment as it needs public IP for access. The best approach here is to leverage Azure Bastion and click on the Bastion option, and securely console the VM via browser)
Install the Microsoft Latest Cumulative Update (LCU)
In our scenario, we shall install the November 8, 2022 – KB5019980 (OS Build 22621.819) for Windows 11 22H2 Multi-session. Note I am using the PowerShell PSWindowsUpdate module, but you can also download and install the Windows update offline (the LCU, which also includes the SSU)
#Tip – Make sure the end state of the virtual machine status = Stopped (deallocated) before following the next step of Capture. Sysprep is the most crucial step if you forget this, your provisioning will fail with an error.
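The patch-and-generalise step can be scripted as well. The block below is an added example and not the post's own code: part 1 runs inside the golden-image VM (Win11MSGI04 in the post) with the PSWindowsUpdate module the post mentions, and part 2 runs from the admin workstation with Az.Compute and refuses to mark the VM generalised until it is actually stopped (deallocated), which is the failure the tip above warns about. The VM name is the post's; the resource group is a placeholder.

```powershell
# Added example: install the LCU, Sysprep, then confirm deallocated + generalized.

# ---------- Part 1: run inside the golden image as local admin ----------
function Install-LcuAndSysprep {
    # PSWindowsUpdate is a community module from the PowerShell Gallery
    if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
        Install-Module PSWindowsUpdate -Force -Scope AllUsers
    }
    Import-Module PSWindowsUpdate

    # Show what is pending, then install everything without letting the module reboot on its own
    Get-WindowsUpdate | Format-Table KB, Size, Title -AutoSize
    Install-WindowsUpdate -AcceptAll -Install -IgnoreReboot

    # Sysprep on an image with a pending reboot fails, so reboot first, log back in
    # and run only the sysprep line afterwards.
    if (Get-WURebootStatus -Silent) {
        Write-Warning "Reboot pending. Restart, then run Sysprep manually:"
        Write-Warning '  C:\Windows\System32\Sysprep\sysprep.exe /generalize /oobe /shutdown'
        return
    }
    # /shutdown powers the VM off so the capture step can follow
    & "$env:SystemRoot\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown
}

# ---------- Part 2: run from the admin workstation after the VM powers off ----------
function Confirm-VmGeneralized {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name
    )
    $state = (Get-AzVM -ResourceGroupName $ResourceGroupName -Name $Name -Status).Statuses |
        Where-Object { $_.Code -like 'PowerState/*' } |
        Select-Object -ExpandProperty Code

    # Sysprep /shutdown leaves the VM "stopped" (still billed); capture needs "deallocated"
    if ($state -eq 'PowerState/stopped') {
        Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $Name -Force | Out-Null
        $state = 'PowerState/deallocated'
    }
    if ($state -ne 'PowerState/deallocated') {
        throw "VM $Name is in state '$state'; it must be stopped (deallocated) after Sysprep before capture"
    }
    # Marks the VM as generalized in Azure so Capture / New-AzGalleryImageVersion accept it
    Set-AzVM -ResourceGroupName $ResourceGroupName -Name $Name -Generalized
}

# Example call for part 2 (resource group is a placeholder):
# Confirm-VmGeneralized -ResourceGroupName "AZ104-RG" -Name "Win11MSGI04"
```

Running part 2 before Sysprep has actually completed is exactly the mistake the tip above describes; the throw makes that case loud instead of producing a broken gallery version later.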
Capture the Virtual Machine
We will capture this image into Azure Compute Galleries
Next Capture wizard
#Tip – As we selected “Delete” post creation, the virtual machine will not appear within the Azure – Virtual Machines. Below is the task for the deletion.
Azure Compute Galleries – New Version
We can now see the latest version showing up 0.0.3 post the capture process. This version is now ready to be added to the AVD – Host Pools
Add Session Host Virtual Machine (New security patch version 0.0.3)
After clicking on Add, it will open the “Add virtual machine to a host pool” wizard
Select Next – Virtual Machines
Next enter the tags of your choice and hit Create
Drain and remove old session host vms
Put the old session host virtual machines in drain mode and then remove them. This step will depend on how much time it takes to log off all the end-user sessions on the VM.
Next, once all the sessions are drained, select the old virtual machine and select Remove.
Note – When you hit remove for the session host virtual machine within the Host Pools blade, it will only remove the virtual machine from there. You will have to go into the Azure – Virtual Machines blade and stop and delete the virtual machine from there. The good thing here is that as we had selected delete disk/network (checkbox) during creation, it will delete everything associated with the VM.
#Tip – As a precautionary step, you can delete the virtual machine 2-3 days later, after production stabilizes, in case you have to revert and manually add the VMs back into the host pool
A big thanks to Mahammad Kubaib for reviewing this blog post based on his previous experience. I hope you will find this helpful information for performing monthly cumulative security updates on your Azure Virtual Desktop – Host Pools. If you want to see a Powershell version of the same activity, leave me a comment below or on my socials. Please let me know if I have missed any steps or details, and I will be happy to update the post.
This post is in continuation of my part 1 – Mindmap – Part 1 – Horizon Cloud on Microsoft Azure (HCoA) – Quick start guide where we look at pre-requisites and the initial deployment of the HCoA solution. In this post, I want to share my learnings about the configuration of Images, Virtual Desktops, Farms and Assignments. We shall take a look into the following topics:
Mind map for Horizon Cloud on Microsoft Azure – Part 2 – Configuration of Images – Desktops – Farms – Assignments
Creating a Virtual Desktop or RDSH Image
Import VM
Create Image (Converting VM to Image)
Farms (Published Applications)
Create Desktop Farm
Add Applications to the Farms
New Applications – Auto-Scan from Farm
Create an Application Assignment
Create an Assignment for Multi-session or Hosted Shared Desktop
Create a Virtual Desktop Assignment (Persistent – Full Clone)
Create a Virtual Desktop Assignment (Non-Persistent – Floating)
AppStacks
In the second part of this series, the mindmap acts as a visual representation of all the configurations to be performed post the initial deployment of the Horizon Cloud Pod. It also helps during customer discussions and allows everyone to be on the same page. You can figure out in advance the pre-requisites, deployment details, and requirements for performing the next steps in your HCoA journey.
HCoA – Part 2
Disclaimer – This guide is a deployment/configuration guide, and the production settings, configuration, and use-cases might be different. Please make sure you change the settings appropriate for production workloads. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –
Horizon Cloud POD Managers + Unified Access Gateways
Note everything is deployed keeping in mind High availability.
2 x Horizon Cloud Pod Managers
2 x External Unified Access Gateways (Public IP)
2 x Internal Unified Access Gateways (Internal on-premise network)
Azure – Virtual Machines
Azure Load Balancers
1 x Horizon Cloud Pod Managers
1 x Public UAG Appliances
1 x Internal UAG Appliance
Azure – Load Balancers
Azure Virtual Network
I have created the vNet as part of pre-requisites in Part 1 series
1 x Subnet for DMZ (Unified Access Gateway)
1 x Subnet for Mgmt (Pod Managers)
1 x Subnet for Workload (Desktop/Farms)
Azure – vNet
Azure Resource Groups
Note these are auto-created during the Pod deployment.
Azure – Resource Groups
I hope you will find this helpful information on your HCoA journey. Please let me know if I have missed any steps in the mindmap, and I will be happy to update the post.
This will be a two-part blog series on VMware Horizon Cloud on Microsoft Azure (HCoA). My aim is to get you started off the ground on HCoA, and I have a fair understanding of Azure due to my past certifications on AZ-140 and AZ-104 (prep). I highly recommend acquiring the Azure skills to make your life easier.
In part one, we shall take a look into the following topics:
Mind map for Horizon Cloud on Microsoft Azure – Part 1 – Getting started
Getting Started
Azure pre-requisites
Horizon Cloud Account
Configure the Azure Pod
Subscription
Pod Setup
Gateway Settings
General Setup
Domain Bind
Domain Join
Administrative Group
Universal Broker
The idea here is that the mindmap acts as an excellent visual representation of what to do during the end-2-end cycle of the project. It also helps during customer discussions and allows everyone to be on the same page. You can figure out in advance the pre-requisites, deployment, and requirements for the initial setup.
HCoA – Part 1
Disclaimer – This guide is a get you started guide, and the production settings, configuration and usecases might be different. Please make sure you change the settings appropriate for production workloads. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –
I hope you will find this helpful information on your HCoA journey. Please let me know if I have missed any steps in the mindmap or reference links, and I will be happy to update the post.
In this blog post, we shall take a deeper look into the Azure VMware Solution network connectivity to the Azure VNet for accessing Azure native services such as Bastion, Azure AD, SQL etc., and further connectivity to the on-premises network to migrate virtual machines or run a hybrid setup.
AVS Networking – Image courtesy @Microsoft
Step 1 & 2 – Connectivity between Azure VMware Solution (AVS) – Express Route to Azure VNet
After deploying the AVS we need to connect it to the Azure VNet for consuming Azure native services such as Bastion, SQL, AAD etc.
Note AVS pre-deploys the ExpressRoute for you (AVS – Manage – Connectivity – Express Route).
We need to have a Virtual Network Gateway (VNG) existing on Azure VNet, or we need to create one. All steps to be performed under portal.azure.com
Deploy the Virtual Network Gateway (VNG) on Azure subscription
Make sure you have a VNG created on Azure VNET
Give it a name – AZ104-VNG01
Resource Group – Select New or existing
Location – Australia East
SKU – Standard (for demo and testing purposes)
Virtual Network – Select the existing VNET (E.g. 10.0.0.0/16) for Azure. Note it will create the Gateway Subnet automatically (10.x.x.x/24)
Type – ExpressRoute
Public IP Address – Create New (It will auto assign a public IP)
Optional Create Tags
Save and Create
Under AVS – Connectivity – Express Route
Request the Authorization key
Name – ToAzureVNET
Copy the Key and Express Route ID
Open the VNG (AZ104-VNG01) and Settings – Connections
Click on Add
Name – FromAVSPrivateCloud
Connection Type – Express Route
Enter the Authorization Key and Express Route ID and paste them here
Click OK
The Status will change from Updating to Succeeded
Now we have the connectivity between the AVS and Azure VNet.
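The gateway and connection built in the portal above can also be created with Az.Network. The block below is an added example, not from the original post: the names the post gives (AZ104-VNG01, FromAVSPrivateCloud, Australia East, Standard SKU) are reused, the VNet name and gateway-subnet prefix are placeholders, and the authorization key and circuit ID are still requested in the portal under AVS – Connectivity – ExpressRoute and pasted in when prompted.

```powershell
# Added example: ExpressRoute gateway on the Azure VNet plus the connection to the AVS circuit.
Connect-AzAccount

$rgName    = "AZ104-RG"                   # placeholder resource group
$location  = "australiaeast"
$vnetName  = "AZ104-RG-vnet"              # placeholder, existing VNet (e.g. 10.0.0.0/16)
$gwName    = "AZ104-VNG01"
$gwSubnet  = "10.0.255.0/24"              # placeholder /24 inside the VNet range
$connName  = "FromAVSPrivateCloud"
$authKey   = Read-Host -Prompt "AVS ExpressRoute authorization key" -AsSecureString
$circuitId = Read-Host -Prompt "AVS ExpressRoute circuit resource ID"

# 1) The gateway subnet must exist and must be named exactly "GatewaySubnet"
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
if (-not ($vnet.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $gwSubnet -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# 2) Public IP and a gateway of type ExpressRoute (Standard SKU, as in the post's demo)
$pip = New-AzPublicIpAddress -Name "$gwName-pip" -ResourceGroupName $rgName `
         -Location $location -AllocationMethod Dynamic
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "$gwName-ipconf" `
            -SubnetId $subnet.Id -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rgName -Location $location `
        -IpConfigurations $ipconf -GatewayType ExpressRoute -GatewaySku Standard

# 3) Redeem the AVS authorization; -PeerId is the circuit in the AVS managed resource group
$plainKey = [System.Net.NetworkCredential]::new('', $authKey).Password
New-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rgName -Location $location `
    -VirtualNetworkGateway1 $gw -PeerId $circuitId -ConnectionType ExpressRoute `
    -AuthorizationKey $plainKey | Out-Null

# 4) Same check as the portal's "Updating -> Succeeded"
(Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rgName).ProvisioningState
```

The authorization key is a bearer secret for the circuit: it is read as a SecureString here so it does not end up in the console history, and it should be treated like a password until the connection shows Succeeded.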
Step 1 & 3 – Connectivity between Azure VMware Solution – ExpressRoute Global Reach to On-premise networks
Now we will establish the connectivity between AVS and On-premise networks
ExpressRoute Circuits – This is the circuit coming from on-premises into the Azure VNet
This will depend upon the partner network (Equinix, Telstra etc.)
I hope you will find this helpful information on your AVS Networking journey. Please let me know if I have missed any steps or good reference links, and I will be happy to update the post.
Automatically Power ON the Session host Virtual Machines
Monitoring Azure Virtual Desktop
Mindmap for Managing Azure Virtual Desktop (AVD)
I have managed to document all the high-level steps involved in managing the AVD on an ongoing basis. The idea here is that the mindmap acts as an excellent visual representation of what to do during ongoing maintenance activities. You can figure out in advance the requirements/steps and pre-requisites.
Managing Azure Virtual Desktop
Disclaimer – This guide is a get you started guide, and the production management may vary. Please make sure you always reference Microsoft documentation. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –
I hope you will find this helpful information on your Managing Azure Virtual Desktop journey. Please let me know if I have missed any steps in the mindmap, and I will be happy to update the post.
Mind map for Azure Virtual Desktop – Getting started
Getting started with Azure Virtual Desktop (AVD)
Deployment – Pre-requisites for AVD
Master Images – (Windows 10 Multi-Session, Windows 10 1909 Enterprise or Windows Server 2019 DC)
Template and Shared Image Gallery
Host Pools
Application Groups
Workspaces
Windows Desktop Client
Quick Start Links
Mindmap for Azure Virtual Desktop (AVD) – Getting started
Managed to put together a mindmap on AVD getting started, from zero to a working desktop or application. The idea here is that the mindmap acts as an excellent visual representation of what to do during pre-requisites and deployment, and you can figure out in advance the requirements/steps and pre-requisites.
Azure Virtual Desktop
Disclaimer – This guide is a get you started guide, and the production settings and configuration might be different. Please make sure you change the settings appropriate for production workloads. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –
I hope you will find this helpful information on your Azure Virtual Desktop journey. Please let me know if I have missed any steps in the mindmap, or reference links, and I will be happy to update the post.