Archive | Azure RSS feed for this section

Azure Virtual Desktop – Terraform – Create a Host Pool, Desktop Application Group and Workspace for Personal Desktop (Part 1)

8 May

In the past, I have written blog posts on creating the Azure Virtual Desktop (AVD) solution using PowerShell. In this blog post series, I will demonstrate how to create the AVD Host Pool, Application Group and Workspace using Terraform. Terraform is an open-source infrastructure as code (IaC) software tool that enables you to safely and predictably create, change, and improve infrastructure. Terraform can be used to manage infrastructure on various cloud providers, including Azure.

We are going to create the following three types of configurations using Terraform:

  • Azure Virtual Desktop – Personal Desktop (1×1)
  • Azure Virtual Desktop – Pooled Desktop (Multi-Session Full Desktop Experience)
  • Azure Virtual Desktop – Remote App (Multi-Session Application aka Published Apps)

Note – We are creating the Personal Desktop in this post, and the other desktop/app types will be created in the subsequent post. In this post, I will showcase the creation of service principal and secret. In the next part, we shall move straight onto the Terraform code. Referring to part 1 in the series will be essential if you are doing the basics.

Pre-requisites

Following are the pre-requisites before you begin

  • An Azure subscription
  • The Terraform CLI
  • The Azure CLI
  • Permissions within the Azure Subscription for using Terraform

Terraform Service Principal and Secret (Azure AD – App Registrations)

Let’s pre-create the application ID and client secret we will use to connect and leverage the Terraform code in VScode.

  • Connect to Azure Portal and go to Azure Active Directory
  • Click on App Registrations and select – New Registration
  • Give the App a Name – Terraform
  • You will get two important information created for later use within Terraform
    • Application ID
    • Tenant ID
  • Now let’s grant this App Terraform Permission. Click on Add a permission and select MS Graph and search for AppRoleAssignment.ReadWrite.All and select read/write permissions and Add Permissions
  • Select Grant admin consent for domain
  • We are using client secret so now lets enable that. Click on Certificates & Secrets – Client Secrets and select New client secret\
  • Give it a name (Terra-secret) and expiry date (12 months)
  • Copy the Secret Value

Terraform – Authenticating via Service Principal & Client Secret

In the above step, we created the Service Principal and Client secret. We will use it before running any Terraform code in PowerShell (Ensure to run as administrator). We will execute and store the credentials as environment variables. If we do this via the environment variable, we don’t have to store the below information within the providers.tf file. In a future blog post, there are better ways to keep the below details, and I hope to showcase them:

# PowerShell
$env:ARM_CLIENT_ID = "9e453b62-0000-0000-0000-00000006e1ac"
$env:ARM_CLIENT_SECRET = "Z318Q~00000000000000000000000000000000_"
$env:ARM_TENANT_ID = "a02e602c-0000-000-0000-0e0000008bba61"
$env:ARM_SUBSCRIPTION_ID = "7b051460-00000-00000-00000-000000ecb1"
  • Azure Subscription ID – Azure Portal Subscription copy the ID.
  • Client ID – From the above step, you will have the details
  • Client Secret – From the above step, you will have the details
  • Tenant ID – While creating the Enterprise Apps in Azure AD, you will have the details

Terraform Folder Structure

The following is the folder structure for the Terraform code:

Azure Virtual Desktop Personal Pool – Create a directory in which the below Terraform code will be published (providers.tf, main.tf, variables.tf and output.tf)

+---Config-AVD-Personal-Desktop
|   |   main.tf
|   |   output.tf
|   |   providers.tf
|   |   variables.tf

Note – I am not demonstrating how to install Terraform as it’s dead simple, and the information is available everywhere.

Configure AVD – Personal Desktop Pool – Providers.tf

Create a file named providers.tf and insert the following code. (We are using the AzureRM and AzureAD providers)

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.49.0"
    }
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azurerm" {
  features {}
}

Configure AVD – Personal Desktop Pool – main.tf

Create a file named main.tf and insert the following code. Let me explain what we are attempting to accomplish here: (Note I have # commented the lines with additional info)

  • Create a Resource Group
  • Create a Workspace
  • Create a Host Pool
  • Create a Desktop Application Group (DAG)
  • Associate Workspace and DAG
  • Assign Azure AD Group to the Desktop Application Group (DAG)
  • Assign Azure AD Group to the Resource Group for RBAC for the Session Host (Virtual Machine User Login)
# Resource group name is output when execution plan is applied.
resource "azurerm_resource_group" "rg" {
  name     = var.rg_name
  location = var.resource_group_location
  tags = var.tags
}

# Create AVD workspace
resource "azurerm_virtual_desktop_workspace" "workspace" {
  name                = var.workspace
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  friendly_name       = "${var.prefix} Workspace"
  description         = "${var.prefix} Workspace"
  tags = var.tags
}

# Create AVD host pool
resource "azurerm_virtual_desktop_host_pool" "hostpool" {
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  name                     = var.hostpool
  friendly_name            = var.hostpool
  validate_environment     = true #[true false]
  start_vm_on_connect      = true
  custom_rdp_properties    = "targetisaadjoined:i:1;drivestoredirect:s:*;audiomode:i:0;videoplaybackmode:i:1;redirectclipboard:i:1;redirectprinters:i:1;devicestoredirect:s:*;redirectcomports:i:1;redirectsmartcards:i:1;usbdevicestoredirect:s:*;enablecredsspsupport:i:1;redirectwebauthn:i:1;use multimon:i:1;enablerdsaadauth:i:1;"
  description              = "${var.prefix} HostPool"
  type                     = "Personal" #[Pooled or Personal]
  personal_desktop_assignment_type = "Automatic"
  load_balancer_type       =  "Persistent"
  tags = var.tags
scheduled_agent_updates {
  enabled = true
  timezone = "AUS Eastern Standard Time"  # Update this value with your desired timezone
  schedule {
    day_of_week = "Saturday"
    hour_of_day = 1   #[1 here means 1:00 am]
  }
}
}

resource "azurerm_virtual_desktop_host_pool_registration_info" "registrationinfo" {
  hostpool_id     = azurerm_virtual_desktop_host_pool.hostpool.id
  expiration_date = var.rfc3339
}

# Create AVD DAG
resource "azurerm_virtual_desktop_application_group" "dag" {
  resource_group_name = azurerm_resource_group.rg.name
  host_pool_id        = azurerm_virtual_desktop_host_pool.hostpool.id
  location            = azurerm_resource_group.rg.location
  type                = "Desktop"
  name                = var.app_group_name
  friendly_name       = "Desktop AppGroup"
  description         = "${var.prefix} AVD application group"
  depends_on          = [azurerm_virtual_desktop_host_pool.hostpool, azurerm_virtual_desktop_workspace.workspace]
  tags = var.tags
}

# Associate Workspace and DAG
resource "azurerm_virtual_desktop_workspace_application_group_association" "ws-dag" {
  application_group_id = azurerm_virtual_desktop_application_group.dag.id
  workspace_id         = azurerm_virtual_desktop_workspace.workspace.id
}

# Assign AAD Group to the Desktop Application Group (DAG)
resource "azurerm_role_assignment" "AVDGroupDesktopAssignment" {
  scope                = azurerm_virtual_desktop_application_group.dag.id
  role_definition_name = "Desktop Virtualization User"
  principal_id         = data.azuread_group.AVDGroup.object_id
}

# Assign AAD Group to the Resource Group for RBAC for the Session Host
resource "azurerm_role_assignment" "RBACAssignment" {
  scope                = azurerm_resource_group.rg.id
  role_definition_name = "Virtual Machine User Login"
  principal_id         = data.azuread_group.AVDGroup.object_id
}

Configure AVD – Personal Desktop Pool – variables.tf

Create a file named variables.tf and insert the following code. I have followed a naming convention that includes the following:

  • AE – Australia East
  • Environment – PROD or DEV
  • Instance – 01
  • RG – Resource Group
  • WS – Workspace
  • DAG – Desktop Application Group
variable "resource_group_location" {
  default     = "australiaeast"
  description = "Location of the resource group - Australia East"
}

variable "rg_name" {
  type        = string
  default     = "AE-DEV-AVD-01-RG"
  description = "Name of the Resource group in which to deploy service objects"
}

variable "workspace" {
  type        = string
  description = "Name of the Azure Virtual Desktop workspace"
  default     = "AE-DEV-AVD-01-WS"
}

variable "hostpool" {
  type        = string
  description = "Name of the Azure Virtual Desktop host pool"
  default     = "AE-DEV-AVD-01-PE-D-HP"
}

variable "app_group_name" {
  description = "Name of the Azure Virtual Desktop application group"
  type        = string
  default     = "AE-DEV-AVD-01-DAG"
}

variable "rfc3339" {
  type        = string
  default     = "2023-05-20T12:43:13Z" #Update this value with a future date
  description = "Registration token expiration"
}

variable "prefix" {
  type        = string
  default     = "AE-DEV-AVD-01-HP-"
  description = "Prefix of the name of the AVD machine(s)"
}

variable "tags" {
  type    = map(string)
  default = {
    Environment = "Dev"
    Department  = "IT"
    Location = "AustraliaEast"
    ServiceClass = "DEV"
    Workload = "Host Pool 01"
  }
}

data "azuread_client_config" "AzureAD" {}

data "azuread_group" "AVDGroup" {
  display_name     = "Win365-Users"  
}

Configure AVD – Personal Desktop Pool – output.tf

Create a file named output.tf and insert the following code. This will showcase in the console what is getting deployed as output.

output "azure_virtual_desktop_compute_resource_group" {
  description = "Name of the Resource group in which to deploy session host"
  value       = azurerm_resource_group.rg.name
}

output "azure_virtual_desktop_host_pool" {
  description = "Name of the Azure Virtual Desktop host pool"
  value       = azurerm_virtual_desktop_host_pool.hostpool.name
}

output "azurerm_virtual_desktop_application_group" {
  description = "Name of the Azure Virtual Desktop DAG"
  value       = azurerm_virtual_desktop_application_group.dag.name
}

output "azurerm_virtual_desktop_workspace" {
  description = "Name of the Azure Virtual Desktop workspace"
  value       = azurerm_virtual_desktop_workspace.workspace.name
}

output "location" {
  description = "The Azure region"
  value       = azurerm_resource_group.rg.location
}

data "azuread_group" "aad_group" {
  display_name = "Win365-Users"
}

output "AVD_user_groupname" {
  description = "Azure Active Directory Group for AVD users"
  value       = data.azuread_group.aad_group.display_name
}

Intialize Terraform – AVD – Personal Desktop Pool

Run the following command to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources. 

terraform init -upgrade

Create Terraform Execution Plan – AVD – Personal Desktop Pool

Run the following command to create an execution plan.

terraform plan -out mainavdpersonal.tfplan

Apply Terraform Execution Plan – AVD – Personal Desktop Pool

Run the following command to apply the execution plan to your cloud infrastructure.

terraform apply mainavdpersonal.tfplan

Validate the Output in Azure Portal

Go to the Azure portal, Select Azure Virtual Desktop and Select Host pools, Application Group and Workspace created using Terraform.

Clean-up the above resources (Optional)

If you want to delete all the above resources then you can use the following commands to destroy. Run terraform plan and specify the destroy flag.

terraform plan -destroy -out mainavdpersonal.destroy.tfplan

Run terraform apply to apply the execution plan.(Destroy)

terraform apply mainavdpersonal.destroy.tfplan

The intention here is to get you quickly started with Terraform on Azure Virtual Desktop Solution:

DescriptionLinks
Setting up your computer to get started with Terrafor using PowershellInstall Terraform on Windows with Azure PowerShell
AVD Configure Azure Virtual Desktophttps://learn.microsoft.com/en-us/azure/developer/terraform/configure-azure-virtual-desktop
Terraform Learninghttps://youtube.com/playlist?list=PLLc2nQDXYMHowSZ4Lkq2jnZ0gsJL3ArAw

I hope you will find this helpful information for getting started with Terraform to deploy the Azure Virtual Desktop – Personal Desktop Pool. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , ,

Windows 365 Cloud PC – Alert Monitoring – Get your alerts in a Microsoft Teams Channel using Azure Logic Apps

23 Mar

If you’re managing Windows 365 Cloud PCs, keeping track of alerts can be a daunting task. Fortunately, Azure Logic Apps can help automate this process by sending alerts directly to your Microsoft Teams channel. In this blog post, we’ll explore how to set up this integration, so you can stay on top of your Windows 365 environment without constantly checking the portal or notifications within the Intune portal.

Note – Within the Microsoft Intune admin center portal you can already send notifications via email.

Set up your Microsoft Teams channel

To start, you’ll need to create a Microsoft Teams channel where you want to receive alerts. If you don’t have one already, create a new channel and name it something like “Windows365Alerts.”

Next, within the newly created channel, add the Connector – Incoming Webhook

Click on Configure of the Incoming Webhook connectors by entering the Name – Win365Alerts and custom image. Why not use the Windows 365 Cloud PC Logo and click on create.

Please copy the link and save it for all future reference purposes. We will be using this URL within the Azure Logic Apps.

https://blahblahblahblah.webhook.office.com/webhookb2/9cd8bac0-XXXX-4e30-XXXX-00700XXXX0@XXXX-d8f4-4c55-XXXX-0eec698XXXXXX/IncomingWebhook/3aXXXXXXXXbed497fbc4d9857XXXXX/57cadd96-b493-4bf6-a665-b0e9XXXXXXX

Azure Active Directory Enterprise App (MS Graph API)

Let’s pre-create the application ID and client secret we will use to connect and leverage the Microsoft Graph APIs via Powershell

  • Connect to Azure Portal and go to Azure Active Directory
  • Click on App Registrations and select – New Registration
  • Give the App a Name – GraphAPI-App
  • You will get two important information created for later use within Powershell
    • Application ID
    • Tenant ID
  • Now let’s grant this App GraphAPI-App Permission. Click on Add a permission and select MS Graph and search for Cloud PC– CloudPC.ReadAll and select read permissions and Add Permissions
  • Select Grant admin consent for domain
  • We are using client secret so now lets enable that. Click on Certificates & Secrets – Client Secrets and select New client secret\
  • Give it a name (Deviceconfig_secret) and expiry date (12 months)
  • Copy the Secret Value

Azure Key Vault – (Store the Secret)

This is an optional step, and I highly recommend this step for all production environments as the secret is stored within the Azure Key Vault, and within the Azure Logic Apps, you will call this secret.

After creating the value, go to Secret and click on Generate/Import, and under manual, enter a name and paste the secret key we created in the above step.

Additionally, I will dedicate a service account(svc_kv_api) specifically for this secret retrieval for the Azure Logic Apps. Let’s add the service account with the necessary permissions under the Access Policies and give it Get and List permissions.

Create an Azure Logic App

Next, you’ll need to create an Azure Logic App. In the Azure portal, search for “Logic Apps” and click “Create.” Give your Logic App a name and select your desired subscription, resource group, and location. Then click “Review + Create” and “Create” to create your Logic App.

Configure your Logic App

Once your Logic App is created, click “Logic App Designer” and select blank logic app template and add the other operations shown below:

Step 1 – Recurrence (A schedule that will be triggered)

Depending upon your SLA agreements, put a trigger. In this example, I have selected every 3 min.

Step 2 – Fetch the Secret from the Azure Key Vault

In the earlier step, we created the Azure Key vault and stored the secret there. In this step, we will make the Azure Logic Apps Fetch the Secret

  • Tenant ID – Copy from the above steps
  • KeyVault Name – Copy from the above steps
  • Click on Sign and use the dedicated service account to fetch this Secret

Step 3 – HTTP Get the Alerts for Windows 365 Using MS Graph API

We shall create the HTTP request using the Windows 365 Alert API – List and authenticate the call using the secret. Enter all the information shown in the screenshot.

https://graph.microsoft.com/beta/deviceManagement/monitoring/alertRecords

Step 4 – We shall Parse the JSON output from the above API GET request

Create the Parse JSON operation, and we will enter the below sample JSON output. Note I have run the GET and got the output from the API. Paste the below code into the schema example. It will auto-generate the below output for your use without values inside.

{
    "properties": {
        "@@odata.context": {
            "type": "string"
        },
        "value": {
            "items": {
                "properties": {
                    "alertImpact": {
                        "properties": {
                            "aggregationType": {
                                "type": "string"
                            },
                            "value": {
                                "type": "integer"
                            }
                        },
                        "type": "object"
                    },
                    "alertRuleId": {
                        "type": "string"
                    },
                    "alertRuleTemplate": {
                        "type": "string"
                    },
                    "detectedDateTime": {
                        "type": "string"
                    },
                    "displayName": {
                        "type": "string"
                    },
                    "id": {
                        "type": "string"
                    },
                    "lastUpdatedDateTime": {
                        "type": "string"
                    },
                    "resolvedDateTime": {
                        "type": "string"
                    },
                    "severity": {
                        "type": "string"
                    },
                    "status": {
                        "type": "string"
                    }
                },
                "required": [
                    "id",
                    "displayName",
                    "status",
                    "severity",
                    "alertRuleId",
                    "alertRuleTemplate",
                    "detectedDateTime",
                    "resolvedDateTime",
                    "lastUpdatedDateTime",
                    "alertImpact"
                ],
                "type": "object"
            },
            "type": "array"
        }
    },
    "type": "object"
}

Step 5 – Post the Alert to Microsoft Teams using the HTTP operation

Create the HTTP Operation, select POST, enter the webhook URL from the above step on MS Teams, and paste it within the URL. With the Headers add Content-Type: application/json and paste the below body code.

{
  "text": "**Alert name:** @{items('For_each')?['displayName']} \n\n **Status:** @{items('For_each')?['status']} \n\n **Severity:** @{items('For_each')?['severity']} \n\n **Detect Date:** @{items('For_each')?['detectedDateTime']} \n\n **Resolved Date:** @{items('For_each')?['resolvedDateTime']} \n\n **Alert Rule Template:** @{items('For_each')?['alertRuleTemplate']} \n\n **Alert Impact:** @{items('For_each')?['alertImpact']}",
  "title": "Windows 365 Cloud PC Alerts  with status and Severity "
}

Step 6 – Run the workflow

The above will now start running the Azure Logic Apps every 3 mins and keep sending the alerts to Microsoft teams

I need help filtering the alerts based on specific Status and Severity. If you manage to get to that, please message me, and I will happily include those bits in the blog post.

I hope you will find this helpful information for enabling Windows 365 Alerts within the MS Teams using the Azure Logic Apps. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , , ,

Alternate Azure Network Connection for Windows 365 Cloud PC

15 Mar

Alternate ANCs (Azure Network Connections) are secondary or backup connections to the Microsoft Azure network used to provide redundancy and high availability for Windows 365 Cloud PC provisioning of new desktops. Alternate ANCs can be used when a primary connection fails or experiences connectivity issues, ensuring access to Windows 365 Cloud Provisioning continues for the desktops uninterrupted using the backup ANC.

Introduction

Alternate ANCs can be used when a primary region availability fails, ensuring access to Windows 365 Cloud Provisioning continues for the new desktops uninterrupted using the backup ANC. As long as the first ANC in the list is Healthy, it will always be used for provisioning Cloud PCs using this policy. If the first ANC is not healthy, the policy will use the next ANC in the list that is healthy.

My Scenario

I have an Azure VNET in the region (Australia East) and a dedicated subnet for the Windows 365 Cloud PC desktops in my environment. Now imagine a scenario if the Azure region Australia East had issues. It will directly impact the provisioning of the new Cloud PC desktops.

How will we increase HA/DR capability during Cloud PC Provisioning Issues

Create a backup VNET in different region (Asia Pacific East Asia – HK)

Go to you Azure Portal and create a new VNET in a different region of you choice (Azure Portal — Virtual Networks – Create Network)

Create a dedicated subnet for Windows 365 Cloud PC

Go into the newly created VNET – W365-Bckup-VNET01 and select Subnet and click + Subnet and create a dedicated subnet for the Windows 365 Cloud PC.

Add the additional Azure Network Connection in Intune Portal

I have a previous blog post on creating the the PowerShell – Create Azure Network Connection (ANC) for Windows 365 Cloud PC you can either use that or create one in the Microsoft Intune admin center. We are creating an Azure Network Connection that includes the following:

  • Display Name of the network – Win365-Bckup-ANC01
  • Azure Subscription Name – Azure subcription 1
  • Type – There are two types we are selecting Azure AD join – azureADJoin
  • Resource Group ID – The resource group within Azure – W365-AVD-RG01
  • Virtual Network ID – The VNET within Azure – W365-Bckup-VNET01
  • Subnet ID – The subnet for W365 within VNET – Win365-ASE-Bac-Sub01

Cloud Provisioning Policy

Go into your Cloud PC Provisioning Policy and select Edit. Under the Azure Network Connection you will be able to see the newly added ANC – Win365-Bckup-ANC01 make sure you choose that. It will automatically assign the priority as 2 and will come into effect during network outages in the region.

In the above scenario, at all times, it will use the ANC-W365-Sub01 (Priority 1) network for provisioning all Cloud PC. If there is a contention or issues with the primary ANC, then the backup Win365-Bckup-ANC01 (Priority 2) network will kick in and continue provisioning the new desktops in that region/network.

Note

At the time of writting this blogpost, when i tried to create the backup VNET in Australia SouthEast and Australia Cental it said unsupported region when adding the Azure Network Connection. This was the reason i selected the Asiapacifc East (Honkong) region as the second best choice. I am sure at somepoint in time it will be fixed and I would be able to create a backup ANC within the country.

I hope you will find this helpful information for creating an Alternate Azure Network Connection for increasing the HA and DR on the cloud pc provisioning of new desktops. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

Consolidated Scripts – All configurational task via PowerShell for Windows 365 Cloud PC under Microsoft Intune Portal (MEM)

18 Jan

I have written various individual blog posts on PowerShell creation of all configurational task for Windows 365 Cloud PC under Microsoft Endpoint Portal (MEM).

Based on public demand, I want to create a consolidated post for all the scripts and configuration items that can get you started with Windows 365 Cloud PC using PowerShell: (Of course all the below features can also be configured using the UI, however below is the guidance strictly using PowerShell)

PowerShell links to my blog post

Following are the links to my blog post for each and individual task:

PowerShell – Create Windows 365 Cloud PC Provisioning Policy https://askaresh.com/2022/10/11/powershell-create-windows-365-cloud-pc-provisioning-policy/

PowerShell – Assign a AAD group to the Windows 365 Cloud PC Provisioning Policy
https://askaresh.com/2022/10/12/powershell-assign-a-aad-group-to-the-windows-365-cloud-pc-provisioning-policy/

PowerShell – Unassign/Delete the Windows 365 Cloud PC Provisioning Policy
https://askaresh.com/2022/10/14/powershell-unassign-delete-the-windows-365-cloud-pc-provisioning-policy/

PowerShell – Create a custom Windows 11 Enterprise (22H2) + Microsoft 365 Apps golden image for Windows 365 Cloud PC using Marketplace Image
https://askaresh.com/2022/12/01/powershell-create-a-custom-windows-11-enterprise-22h2-microsoft-365-apps-golden-image-for-windows-365-cloud-pc-using-marketplace-image/

PowerShell – Create Azure Network Connection (ANC) for Windows 365 Cloud PC
https://askaresh.com/2023/01/16/powershell-create-azure-network-connection-anc-for-windows-365-cloud-pc/

PowerShell – Create and Assign Windows 365 Cloud PC – User Settings
https://askaresh.com/2022/11/08/powershell-create-and-assign-windows-365-cloud-pc-user-settings/

PowerShell – Report – Get Cloud PC Windows 365 with low utilization
https://askaresh.com/2022/11/24/powershell-report-get-cloud-pc-windows-365-with-low-utilization/

I promise you once you have done the hard work, you can get up and running in a few hours using all the above PowerShell scripts with Windows 365 Cloud PC.

Here is the repo with all the scripts and more – askaresh/avdwin365mem (github.com). A big thanks to Andrew Taylor for collabrating and updating the Provisioning policy script with the SSO details that was release in late Nov 2022.

I hope you will find this helpful information for all things PowerShell w.r.t Windows 365 Cloud PC. I will update the post if I publish or update more information.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , ,

PowerShell – Create Azure Network Connection (ANC) for Windows 365 Cloud PC

16 Jan

If you want to establish a network connection that allows communication between the Windows 365 Cloud PC and the existing Azure Virtual Network (ANC), then keep following this post. Today, I will demonstrate the Powershell method of creating the Azure Network Connection (ANC). Note that we need information from the Azure Portal to make sure you have all the necessary information handy or/or involve the necessary teams who can provide you with the information on Azure Networking.

Overview

  • Create the ANC first before creating the Win365 – Cloud Provisioning Policy (CPP)
  • If the ANC precreated then during the cloud provisioning of the Cloud PC desktops it will create them on the Azure VNET on your desired subnet
  • Make sure you have a working DNS configured on the VNET which can communicate with your on-premise network using express route or other Azure VNETs
  • Open necessary firewall ports based on your requirements on the NSG or Azure Firewall for the communication to your on-premise network using express route or other Azure VNETs
  • Permissions
    • Intune Administrator in Azure AD
    • Cloud PC Administrator
    • Global Administrator
  • If you decide to alter or change the ANC, you will have to reprovision the Cloud PC, and it’s a destructive activity. Make sure you architect it properly
  • You can delete your ANC however, you will have to update your cloud provisioning policy with the new ANC first, and then you can delete the existing ANC.

Connect to MS Graph API

Step 1 – Install the MS Graph Powershell Module

#Install Microsoft Graph Module
PS C:WINDOWSsystem32> Install-Module Microsoft.Graph.Beta

Step 2 – Connect to scopes and specify which API you want to authenticate. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the ANC, so we need to change the scope to “CloudPC.ReadWrite.All”

#Read-only
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.Read.All" -NoWelcome
Welcome To Microsoft Graph!

OR

#Read-Write
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All" -NoWelcome
Welcome To Microsoft Graph!


Step 3 – Check the User account by running the following beta command.

#Beta User
PS C:WINDOWSsystem32> Get-MgBetaUser -UserId admin@wdomain.com

Connect to Azure & Grab Details (Variable Region)

We are logging into Azure to grab all the details regarding to Resource Group, Subscription ID/Name, VNET and Subnets

  • Connect to the Azure Portal using the necessary credentials
  • Select the Azure Subscription that holds all the networking information
  • A display name of the Azure Network Connection – ANC – (ANC-W365-Sub01)
  • What is the join type of the ANC of the golden image virtual machine (azureADJoin)
  • Resource Group ID of the existing resource group. You will have to enter the resource group name (W365-AVD-RG01), and it will get us the ID we need.
  • Name of the existing subnet within the vNET (W365Workload-Sub01), and it will get us the ID we need.
  • Name of the existing VNET used for the connection. You will have to enter the VNET name (W365-AVD-VNET01), and it will get us the ID we need.
  • Connection to the MS Graph API and ensure you have the necessary write permissions.
  • We are using the beta API for Cloud PC
# Connect to the Azure Subcription
Connect-AzAccount

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id

# Your subscription. This command gets your current subscription name
$subscriptionName = $currentAzContext.Subscription.Name

# ANC Display Name
$ancdname = "ANC-W365-Sub01"

# Join Ype for the Azure Network Connection
# Two types Azure AD and Hyrbird "azureADJoin" or "hybridAzureADJoin"
$ancjointype = "azureADJoin"

# Get your Win365 Resouce Group id for RG Name - W365-AVD-RG01
# Put your RG Name
$win365RGID = Get-AzResourceGroup -Name "W365-AVD-RG01" | Select-Object -ExpandProperty ResourceId

# Get your Azure VNET id used for Windows 365 Cloud PC
# Put your VNET Name
$win365VNETID = Get-AzVirtualNetwork -Name "W365-AVD-VNET01" | Select-Object -ExpandProperty Id

# Get your Subnet ID within the Azure VNET for Windows 365 Cloud PC
# Put your VNET Name
$win365VNET = Get-AzVirtualNetwork -Name "W365-AVD-VNET01"

# Enter your Subnet Name
$win365SubID = Get-AzVirtualNetworkSubnetConfig -Name "W365Workload-Sub01" -VirtualNetwork $win365VNET | Select-Object -ExpandProperty Id

# Connec to MS Graph for Cloud PC W365
Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"

We shall pass the above variable into the final ANC creation.

Create the Azure Network Connection

We are creating a Azure Network Connection that includes the following:

  • Display Name of the network – $ancdname
  • Azure Subscription ID – $subscriptionID
  • Azure Subscription Name – $subscriptionName
  • Type – There are two types we are selecting Azure AD join – azureADJoin
  • Resource Group ID – The resource group within Azure – $win365RGID
  • Virtual Network ID – The VNET within Azure – $win365VNETID
  • Subnet ID – The subnet for W365 within VNET – $win365SubID
# Create the ANC for Windows 365 with AAD join type
try
{
write-host "Create the ANC for Windows 365 with AAD join type"
$params = @{
    displayName = "$ancdname"
    subscriptionId = "$subscriptionID"
    type = "$ancjointype"
    subscriptionName = "$subscriptionName"
    resourceGroupId = "$win365RGID"
    virtualNetworkId = "$win365VNETID"
    subnetId = "$win365SubID"
}

New-MgBetaDeviceManagementVirtualEndpointOnPremiseConnection -BodyParameter $params -Debug
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

Final Script

Here I will paste the entire script block for seamless execution in single run. Following is the link to my Github for this script – avdwin365mem/win365CreateANC at main · askaresh/avdwin365mem (github.com)

# Import module Az and MS Graph
Import-Module Az.Accounts
Install-Module Microsoft.Graph

# Connect to the Azure Subcription
Connect-AzAccount

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id

# Your subscription. This command gets your current subscription name
$subscriptionName = $currentAzContext.Subscription.Name

# ANC Display Name
$ancdname = "ANC-W365-Sub01"

# Join Ype for the Azure Network Connection
# Two types Azure AD and Hyrbird "azureADJoin" or "hybridAzureADJoin"
$ancjointype = "azureADJoin"

# Get your Win365 Resouce Group id for RG Name - W365-AVD-RG01
# Put your RG Name
$win365RGID = Get-AzResourceGroup -Name "W365-AVD-RG01" | Select-Object -ExpandProperty ResourceId

# Get your Azure VNET id used for Windows 365 Cloud PC
# Put your VNET Name
$win365VNETID = Get-AzVirtualNetwork -Name "W365-AVD-VNET01" | Select-Object -ExpandProperty Id

# Get your Subnet ID within the Azure VNET for Windows 365 Cloud PC
# Put your VNET Name
$win365VNET = Get-AzVirtualNetwork -Name "W365-AVD-VNET01"

# Enter your Subnet Name
$win365SubID = Get-AzVirtualNetworkSubnetConfig -Name "W365Workload-Sub01" -VirtualNetwork $win365VNET | Select-Object -ExpandProperty Id

# Connec to MS Graph for Cloud PC W365
Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"

# Create the ANC for Windows 365 with AAD join type
try
{
write-host "Create the ANC for Windows 365 with AAD join type"
$params = @{
    displayName = "$ancdname"
    subscriptionId = "$subscriptionID"
    type = "$ancjointype"
    subscriptionName = "$subscriptionName"
    resourceGroupId = "$win365RGID"
    virtualNetworkId = "$win365VNETID"
    subnetId = "$win365SubID"
}

New-MgBetaDeviceManagementVirtualEndpointOnPremiseConnection -BodyParameter $params -Debug
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

I hope you will find this helpful information for creating Azure Network Connection using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , ,

PowerShell – Create a custom Windows 11 Enterprise (22H2) + Microsoft 365 Apps golden image for Windows 365 Cloud PC using Marketplace Image

1 Dec

In the previous blog post, I demonstrate how to create a Windows 11 Multi-session golden image for AVD. In today’s post, I want to showcase how to create a custom Windows 11 Enterprise 22H2 + Microsoft 365 for Windows 365 Cloud PC. (Note its not multi-session and instead, its Enterprise edition for 1×1 mapping of desktop/user aka Full Clone)

Why will you create a custom Windows 11 Ent Windows 365 Cloud PC Golden Image?

There are situations where you want to create a custom image with all corporate applications pre-installed (VPN or Zero trust agent, EDR/XDR Solutions agents or Anti-virus agent pre-installed). You may argue we can deploy those applications later using Win32 app deployment via Intune. But still, few security teams and corporations would like to have it available from the start.

Pre-requisites

Following are the pre-requisites before you begin

  • PowerShell 5.1 and above
  • Azure Subscription
  • Permissions within the Auzre Subscription for Azure Compute
  • Assumption
    • You have an existing Resource Group (RG)
    • You have an existing Azure Virtual Network (VNET)
    • You have an existing workload subnet within the VNET
    • Identify the VM Size you will be using for the golden image
  • Azure PowerShell Modules

Sign to Azure

To start working with Azure PowerShell, sign in with your Azure credentials.

Connect-AzAccount

Identify the Windows 11 Multi-session (Marketplace Image)

Many versions of Windows 365 Cloud PC – Windows 11/10 Enterprise edition marketplace images from Microsoft. The operating systems is already optimized (Microsoft VDI Optimizations) for Cloud PC, and the only difference is with or without Microsoft 365.

Let’s identify what is available within the marketplace.

Get-AzVMImageSku -Location australiaeast -PublisherName MicrosoftWindowsDesktop -Offer windows-ent-cpc

We are going to use the Windows 11 22H2 Enterprise + Microsoft 365 Apps within this script

Variable Region

Delcare all the variable within this section. Lets take a look at what we are declaring within the script:

  • Existing Resource Group within the Azure Subscription (AZ104-RG)
  • A location where you are deploying this virtual machine (Australia East)
  • Name of the golden image virtual machine (Win365-GI01)
  • NIC Interface name for the virtual machine (Win365-GI01-nic)
  • RG of the VNET (In my case they are same AZ104-RG, they can be seperate too and hence a independent variable)
  • Name of the existing subnet within the vNET (AZ104-VDI-Workload-L1)
  • Name of the existing VNET (AZ104-RG-vnet)
  • Mapping of the exisitng VNET
  • Mapping of the existing subnet
  • T-shirt size of the golden image we are deploying (Standard_D2s_v3)
  • Gallery details of the image
    • Published – MicrosoftWindowsDesktop
    • Offer – windows-ent-cpc
    • SKU – win11-22h2-ent-cpc-m365
    • version – Offcourse latest
  • Get credentials – A local admin account is created on the golden image (A input box to capture the uisername and password of your choice)
# Existing Resource Group to deploy the VM
$rgName = "AZ104-RG"

# Geo Location to deploy the VM
$location = "Australia East"

# Image template name
$vmName = "Win365-GI01"

# Networking Interfance Name for the VM
$nicName = "$vmName-nic"

# Resource Group for VNET
$vnetrgName = "AZ104-RG"

# Existing Subnet Name
$Existsubnetname = "AZ104-VDI-Workload-L1"

# Existing VNET Name
$Existvnetname = "AZ104-RG-vnet"

# Existing VNET where we are deploying this Virtual Machine
$vnet = Get-AzVirtualNetwork -Name $Existvnetname -ResourceGroupName $vnetrgName

# Existing Subnet within the VNET for the this virtual machine
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $Existsubnetname -VirtualNetwork $vnet

# T-shirt size of the VM
$vmSize = "Standard_D2s_v3"

# Gallery Publisher of the Image - Microsoft
$publisher = "MicrosoftWindowsDesktop"

# Version of Windows 10/11
$offer = "windows-ent-cpc"

# The SKY ending with avd are the multi-session
$sku = "win11-22h2-ent-cpc-m365"

# Choosing the latest version
$version = "latest"

# Setting up the Local Admin on the VM
$cred = Get-Credential `
   -Message "Enter a username and password for the virtual machine."

Execution block

Execution code block within this section. Lets take a look at what we are we executing within the script:

  • First its creating the network interface for the virtual machine (Win365-GI01)
  • Next, under the variable $VM all virtual machine configurations
    • Tshirt size of the virtual machine
    • Credentials for the local admin (username/password)
    • The network interface assignment along with the delete option (Note delete option is essential or/else during deletion of VM it will not delete the network interface)
    • The gallery image, sku, offer from the Microsoft Market Place gallery
    • The OS disk assignment along with the delete option (Note delete option is essential or/else during deletion of VM it will not delete the disk)
    • The configuration around “Trusted Platform” and enabling of TPM and Secure Boot
    • The final command to create the virtual machine with all the above configurations
# Create New network interface for the virtual machine
$NIC = New-AzNetworkInterface -Name $nicName -ResourceGroupName $vnetrgName -Location $location -Subnet $subnet

# Creation of the new virtual machine with delete option for Disk/NIC together
$vm = New-AzVMConfig -VMName $vmName -VMSize $vmSize 

$vm = Set-AzVMOperatingSystem `
   -VM $vm -Windows `
   -ComputerName $vmName `
   -Credential $cred `
   -ProvisionVMAgent `
   -EnableAutoUpdate 

# Delete option for NIC
$vm = Add-AzVMNetworkInterface -VM $vm `
   -Id $NIC.Id `
   -DeleteOption "Delete"

$vm = Set-AzVMSourceImage -VM $vm `
   -PublisherName $publisher `
   -Offer $offer `
   -Skus $sku `
   -Version $version 

# Delete option for Disk
$vm = Set-AzVMOSDisk -VM $vm `
   -StorageAccountType "StandardSSD_LRS" `
   -CreateOption "FromImage" `
   -DeleteOption "Delete"

# The sauce around enabling the Trusted Platform
$vm = Set-AzVmSecurityProfile -VM $vm `
   -SecurityType "TrustedLaunch" 

# The sauce around enabling TPM and Secure Boot
$vm = Set-AzVmUefi -VM $vm `
   -EnableVtpm $true `
   -EnableSecureBoot $true 

New-AzVM -ResourceGroupName $rgName -Location $location -VM $vm

Final Script

Here I will paste the entire script block for seamless execution in single run. Following is the link to my Github for this script – avdwin365mem/createnewvmwin365 at main · askaresh/avdwin365mem (github.com)

# Step 1: Import module
#Import-Module Az.Accounts

# Connect to the Azure Subcription
#Connect-AzAccount

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID=$currentAzContext.Subscription.Id

# Command to get the Multi-session Image in Gallery
# Details from this command will help in filling out variables below on Gallery Image
# Get-AzVMImageSku -Location australiaeast -PublisherName MicrosoftWindowsDesktop -Offer windows-ent-cpc

# Existing Resource Group to deploy the VM
$rgName = "AZ104-RG"

# Geo Location to deploy the VM
$location = "Australia East"

# Image template name
$vmName = "Win365-GI01"

# Networking Interfance Name for the VM
$nicName = "$vmName-nic"

# Resource Group for VNET
$vnetrgName = "AZ104-RG"

# Existing Subnet Name
$Existsubnetname = "AZ104-VDI-Workload-L1"

# Existing VNET Name
$Existvnetname = "AZ104-RG-vnet"

# Existing VNET where we are deploying this Virtual Machine
$vnet = Get-AzVirtualNetwork -Name $Existvnetname -ResourceGroupName $vnetrgName

# Existing Subnet within the VNET for the this virtual machine
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $Existsubnetname -VirtualNetwork $vnet

# T-shirt size of the VM
$vmSize = "Standard_D2s_v3"

# Gallery Publisher of the Image - Microsoft
$publisher = "MicrosoftWindowsDesktop"

# Version of Windows 10/11
$offer = "windows-ent-cpc"

# The SKY ending with avd are the multi-session
$sku = "win11-22h2-ent-cpc-m365"

# Choosing the latest version
$version = "latest"

# Setting up the Local Admin on the VM
$cred = Get-Credential `
   -Message "Enter a username and password for the virtual machine."

# Create New network interface for the virtual machine
$NIC = New-AzNetworkInterface -Name $nicName -ResourceGroupName $vnetrgName -Location $location -Subnet $subnet

# Creation of the new virtual machine with delete option for Disk/NIC together
$vm = New-AzVMConfig -VMName $vmName -VMSize $vmSize 

$vm = Set-AzVMOperatingSystem `
   -VM $vm -Windows `
   -ComputerName $vmName `
   -Credential $cred `
   -ProvisionVMAgent `
   -EnableAutoUpdate 

# Delete option for NIC
$vm = Add-AzVMNetworkInterface -VM $vm `
   -Id $NIC.Id `
   -DeleteOption "Delete"

$vm = Set-AzVMSourceImage -VM $vm `
   -PublisherName $publisher `
   -Offer $offer `
   -Skus $sku `
   -Version $version 

# Delete option for Disk
$vm = Set-AzVMOSDisk -VM $vm `
   -StorageAccountType "StandardSSD_LRS" `
   -CreateOption "FromImage" `
   -DeleteOption "Delete"

# The sauce around enabling the Trusted Platform
$vm = Set-AzVmSecurityProfile -VM $vm `
   -SecurityType "TrustedLaunch" 

# The sauce around enabling TPM and Secure Boot
$vm = Set-AzVmUefi -VM $vm `
   -EnableVtpm $true `
   -EnableSecureBoot $true 

New-AzVM -ResourceGroupName $rgName -Location $location -VM $vm

Note – It will give you a pop-up box for entering the username and password for the local account, and in under 10 mins you will see your virtual machine within the Azure portal

Next Steps on Golden Image

Now that the virtual machine is ready following are the next steps involved:

  • Using Azure Bastion console and install the required applications
    • Zero Trust Agent
    • EDR/XDR Agent
    • Antivirus Software Agent
    • Line of Business Apps
  • Generalize and sysprep and shutdown the image
  • Capture the image to the Azure Compute Galleries
  • Add the image within Microsoft Intune

I hope you will find this helpful information for deploying a golden image within Azure – Virtual Machine to deploy the custom Image for Windows 365 Cloud PC. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , ,

Azure Virtual Desktop – Apply monthly Microsoft Security Cumulative Updates on the golden image with Azure Compute Galleries

14 Nov

We have numerous articles showcasing how to create the golden master image to deploy within the Host Pool. This blog post will showcase how to perform recurring monthly security patch updates within the golden master image and push that into your Host Pools within Azure Virtual Desktop.

  • Pre-requisites
  • Azure Compute Galleries – Create VM
  • Console to Golden Image (RDP or Azure Bastion)
  • Install the Microsoft Latest Cumulative Update (LCU)
  • Sysprep (Generalize and Shutdown)
  • Capture the Virtual Machine
  • Azure Compute Galleries – New Version
  • Drain and remove old session host vms

Feature Whishlist

If Microsoft is listening – requesting the feature of leveraging the Update Rings from Micorosft Intune can be integrated into applying the quality updates from #Intune on Microsoft Windows 10/11 Multi-session

Pre-requisites

The assumption here is that you already have a golden image and existing versions available. Below is an example from Azure Computer Galleries of a Windows 11 Multi-session and current running version 0.0.2 within my Host Pools. (Note its an already generalized image – See the OS State)

Azure Compute Galleries – Create VM

The first step here is to update the golden image with the monthly Microsoft Cumulative Security update, and we want to create a new virtual machine from the existing version of 0.0.2. (Background version 0.0.2 include the October 2022 Latest Cumulative Updates)

Now you will be presented with a Create VM wizard

Select Next – Disk Settings

Select Next – Networking Settings

Select Next – Management Settings

Select Next – Monitoring Settings

Select Tags

Select Review & Create the Virtual Machine – Golden Image.

#Tip – On the rare occasion that the creation of the virtual machine fails, in one instance, I had forgotten to perform Sysprep on the existing version in Azure Compute Galleries (e.g. 0.0.1). In such scenarios, create a virtual machine from the previous version number you know that works well. After updating the new vm from existing image version we can take a snapshot of that before sysprep and keep. It will be helpful if the vm due to any reason get destroyed during sysprep.

Console to Golden Image (RDP or Azure Bastion)

We now have the newly created golden image from the existing version 0.0.2 within the Azure – Virtual Machines blade listed and status=Running.

Download the RDP file and console into the Virtual machine – Win11MSGI04 (Note, as previously mentioned, this is a bad practice in a production environment as it needs public IP for access. The best approach here is to leverage Azure Bastion and click on the Bastion option, and securely console the VM via browser)

Install the Microsoft Latest Cumulative Update (LCU)

In our scenario, we shall install the November 8, 2022—KB5019980 (OS Build 22621.819) for Windows 11 22H2 Multi-session. Note I am using the Powershell pswindowsupdate module, but you can download and offline install the Windows update (LCU, which also includes SSU)

Get-WUList -MicrosoftUpdate

Install the Update

Get-WindowsUpdate -KBArticleID KB5019980 -Install -AutoReboot | Out-File "c:\Temp\$(get-date -f yyyy-MM-dd)-WindowsUpdate.log" -force

Post the reboot validate the windowsupdate log output to determine whether the patch was installed successfully. Optionally perform Disk Clean.

Sysprep (Generalize and Shutdown)

We are onto our final step before the capture. Perform Sysprep on the image and shutdown

%WINDIR%\system32\sysprep\sysprep.exe /generalize /shutdown /oobe

#Tip – Make sure the end state of the virtual machine status = Stopped (deallocated) before following the next step of Capture. Sysprep is the most crucial step if you forget this, your provisioning will fail with an error.

Capture the Virtual Machine

We will capture this image into Azure Compute Galleries

Next Capture wizard

#Tip – As we selected “Delete” post creation, the virtual machine will not appear within the Azure – Virtual Machines. Below is the task for the deletion.

Azure Compute Galleries – New Version

We can now see the latest version showing up 0.0.3 post the capture process. This version is now ready to be added to the AVD – Host Pools

Add Session Host Virtual Machine (New security patch version 0.0.3)

After clicking on Add, it will open the “Add virtual machine to a host pool” wizard

Select Next – Virtual Machines

Next enter the tags of your choice and hit Create

Drain and remove old session host vms

Put the old session host virtual machines in the drain and remove the virtual machine. This step will depend on how much time log-off all the end-user sessions will take on the VM.

Next, if all the sessions are drained. Select the old virtual machine and select Remove.

Note – When you hit remove for the session host virtual machine within the Host Pools blade, it will only remove the virtual machine from there. You will have to go into the Azure – Virtual Machines blade and stop and delete the virtual machine from there. The good thing here is that as we had selected delete disk/network (checkbox) during creation, it will delete everything associated with the VM.

#Tip – As a precautionary step, you can delete the virtual machine after 2-3 days after production stabilizes in case you have to revert and manually add the VM’s back into the host pool

A big thanks to Mahammad Kubaib for reviewing this blog post based on his previous experience. I hope you will find this helpful information for performing monthly cumulative security updates on your Azure Virtual Desktop – Host Pools. If you want to see a Powershell version of the same activity, leave me a comment below or on my socials. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , ,

Mindmap – Part 2 – Horizon Cloud on Microsoft Azure (HCoA) – Configuration of Images – Desktops – Farms – Assignments

13 Apr

This post is in continuation of my part 1 – Mindmap – Part 1 – Horizon Cloud on Microsoft Azure (HCoA) – Quick start guide where we look at pre-requisites and the initial deployment of the HCoA solution. In this post, I want to share my learnings about the configuration of Images, Virtual Desktops, Farms and Assignments. We shall take a look into the following topics:

  • Mind map for Horizon Cloud on Microsoft Azure – Part 2 – Configuration of Images – Desktops – Farms – Assignments
    • Creating a Virtual Desktop or RDSH Image
      • Import VM
      • Create Image (Converting VM to Image)
    • Farms (Published Applications)
      • Create Desktop Farm
    • Add Applications to the Farms
      • New Applications – Auto-Scan from Farm
    • Create an Application Assignment
    • Create an Assignment for Multi-session or Hosted Shared Desktop
    • Create a Virtual Desktop Assignment (Persistent – Full Clone)
    • Create a Virtual Desktop Assignment (Non-Persistent – Floating)
    • AppStacks

In the second part of this series, the mindmap acts as an visual representation of all the configurations to be performed post the initial deployment of the Horizon Cloud Pod. It also helps during customer discussions and allows everyone to be on the same page. You can figure out in advance the pre-requisites, deployment details, and requirements for performing the next steps in your HCoA journey.

HCoA – Part 2

Disclaimer – This guide is a deployment/configuration guide, and the production settings, configuration, and use-cases might be different. Please make sure you change the settings appropriate for production workloads. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –

Horizon-Cloud-on-Azure-Part-2-Twitter-@askareshDownload

Screenshots from my deployment

Horizon Cloud POD Managers + Unified Access Gateways

Note everything is deployed keeping in mind High availability.

  • 2 x Horizon Cloud Pod Managers
  • 2 x External Unified Access Gateways (Public IP)
  • 2 x Internal Unified Access Gateways (Internal on-premise network)
Azure – Virtual Machines

Azure Load Balancers

  • 1 x Horizon Cloud Pod Managers
  • 1 x Public UAG Appliances
  • 1 x Internal UAG Appliance
Azure – Load Balancers

Azure Virtual Network

I have created the vNet as part of pre-requisites in Part 1 series

  • 1 x Subnet for DMZ (Unified Access Gateway)
  • 1 x Subnet for Mgmt (Pod Managers)
  • 1 x Subnet for Workload (Desktop/Farms)
Azure – vNet

Azure Resource Groups

Note these are auto-created during the Pod deployment.

Azure – Resource Groups

I hope you will find this helpful information on your HCoA journey. Please let me know if I have missed any steps in the mindmap, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

Mindmap – Part 1 – Horizon Cloud on Microsoft Azure (HCoA) – Quick start guide

7 Apr

This will be a two part blog series on VMware Horizon Cloud on Microsoft Azure (HCoA). My aim is to get you started off the ground on HCoA, and I have a fair understanding of Azure due to my past certifications on AZ-140 and AZ-104(prep). I high recommend acquiring the Azure skills to make your life easier.

In part one, we shall take a look into the following topics:

  • Mind map for Horizon Cloud on Microsoft Azure – Part 1 – Getting started
    • Getting Started
      • Azure pre-requisites
      • Horizon Cloud Account
    • Configure the Azure Pod
      • Subscription
      • Pod Setup
      • Gateway Settings
    • General Setup
      • Domain Bind
      • Domain Join
      • Administrative Group
      • Universal Broker

The idea here is that the mindmap acts as an excellent visual representation of what to do during the end-2-end cycle of the project. It also helps during customer discussions and allows everyone to be on the same page. You can figure out in advance the pre-requisites, deployment, and requirements for the initial setup.

HCoA – Part 1

Disclaimer – This guide is a get you started guide, and the production settings, configuration and usecases might be different. Please make sure you change the settings appropriate for production workloads. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –

Horizon-Cloud-on-Azure-Part-1-Twitter-@askareshDownload

The useful links to get you quickly started on Horizon Cloud on Azure:

DescriptionLinks
Horizon Cloud on Microsoft Azure Architecture (Techzone)Horizon Cloud on Microsoft Azure Architecture | VMware
Evaluation Guide for VMware Horizon Cloud Service on Microsoft Azure (Techzone)https://techzone.vmware.com/quick-start-tutorial-vmware-horizon-cloud-service-microsoft-azure
Horizon Cloud on Azure Evaluation YouTube playlist – Awesome stuff by Caroline Arakelian(14) VMware Horizon Cloud on Microsoft Azure: Deploying a Cloud Manager–Based Pod – YouTube
Our local Oz hero – Shane Fowler – 0 to hero on HCoAFrom Zero to Hero: A Step by Step Guide How To Deploy Horizon Cloud Service on Azure – YouTube
Horizon Cloud on Azure Cost CalculatorPathfinder (vmware.com)

I hope you will find this helpful information on your HCoA journey. Please let me know if I have missed any steps in the mindmap or reference links, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , ,

← Older Entries
Newer Entries →