Search Highlight is a feature in Windows 11 (Enterprise\Multi-session) that highlights search results in the Start menu and taskbar search box. While this feature can be helpful for some users, others may find it distracting or unnecessary. Fortunately, it is possible to disable the Search Highlight feature in Windows 11 using Microsoft Intune. Plenty of information is available on disabling the Windows 11 Search Highlight using Group policy, Registry and UI. However, we will leverage Custom OMA-URI settings from Microsoft Intune in this blog post.
Search – CSP Details
The Search – Policy configuration service provider enables the enterprise to configure policies on Windows 11. Following are the details on the one we are using for disabling the search highlights:
How to disable Search Highlights in Microsoft Endpoint Manager
To disable the Search Highlight feature in Windows 11 (Enterprise/Multi-session) using Microsoft Intune, follow these steps:
For Profile type, select Templates > Custom and select Create.
Enter a Name – DisableSearchHighlight and description and choose Next
Under the OMA-URI Settings, clicks on Add
Enter the Name, Description, and OMA-URI fetched in the references from the MS CSP link below. The value is an integer based on the documentation, and as we disable the setting, the value is 0.
Remember the MS documentation called out this setting only applies to Devices. In the case of Assignments, we will target Windows 365 Device Group and Azure Virtual Desktop Session Host Pools.
Click on Review and Save
Validate the Policy is applying
After 10-15 mins of waiting, go into the newly configured configuration profiles policy, and you will start seeing it getting applied to the targeted devices (MEM Portal > Devices > Configuration Profiles > DisableSearchHighlights)
Cloud PC – Within Windows 11
Login to the Windows 365 Cloud PC, and now when you click on Search, the advertisements and search highlights are gone.
I hope you will find this helpful information towards disabling the annoying Search Highlights on Windows 365, AVD environment and physical endpoints using Microsoft Endpoint Manager. Please let me know if I have missed any steps or details, and I will be happy to update the post.
In today’s world, online security has become more important than ever, especially for businesses. As more and more companies shift their workloads to the cloud, the need for effective security measures has increased. One of the most critical aspects of security is web content filtering. Microsoft Defender for Endpoint is an excellent solution for protecting your Windows 365 Cloud PC and Azure Virtual Desktop environments. If you haven’t see my previous blog post on – Microsoft Defender for Endpoint (MDE) – Getting started for Windows 365 Cloud PC and Azure Virtual Desktop check that first.
Usecase
Web content filtering is a critical aspect of online security that can be used in many different scenarios. Here are some common use cases for web content filtering:
Business Security: Blocking access to malicious websites and other dangerous content, web content filtering helps prevent cyber attacks and data breaches.
Compliance: Many organizations are required to comply with industry-specific regulations and standards, such as HIPAA or PCI-DSS. Web content filtering can help ensure that employees are not accessing websites or content that violates these regulations.
Employee Productivity: Web content filtering can also be used to enhance employee productivity by blocking access to non-work-related websites, such as social media or gaming sites.
Education: Educational institutions can use web content filtering to prevent students from accessing websites that are not educational or age-appropriate.
Guest Wi-Fi: Businesses that offer guest Wi-Fi can use web content filtering to protect their network and guests from online threats.
Overall, web content filtering is a versatile tool that can be used in a variety of settings to enhance online security, productivity, and compliance.
Pre-requisites
To use Microsoft Defender for Endpoint web content filtering on Windows 365 Cloud PC and Azure Virtual Desktop, there are a few prerequisites that you need to meet:
I hope you will find this helpful information towards web content filtering journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.
If you are using Windows 365 Cloud PC and Azure Virtual Desktop, the Microsoft Defender for Endpoint (MDE) is a security solution designed for protecting endpoints, such as Windows 11/Windows 11 Mutli-Session computers, servers, Azure Virtual Desktops and more from various types of cyber threats. The main reason it’s evident to use MDE is that it seamlessly integrates with the solution with minimal to less effort compared to other solutions. This blog post will discuss how to get started with Microsoft Defender for Endpoint in the Windows 365 Cloud and Azure Virtual Desktop.
Prerequisites
Rights to use and deploy Windows 365 Cloud PC and Azure Virtual Desktop and the ncessary licenses
Microsoft Defender for Endpoint Plan 1 or Plan 2 depending upon the requirements and $$$.
Make sure the license is available and listed Microsoft admin center
Enable MDE in Microsoft 365 Security Portal/Intune
To enable Microsoft Defender for Endpoint (MDE) in the Microsoft Defender Security Center, you need to follow these steps:
Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
Navigate to Settings and select Endpoints
Click on On for Microsoft Intune Connection & Device Discovery
Scroll to the bottom and select Save Preferences
We will manage the endpoints via Intune, so all the rest of the actions and fun will be within the https://endpoint.microsoft.com/ and Endpoint Security. After a brief period of 10-15 mins, you can see the connection status being Available and synchronized.
Create the Endpoint detection and response policy (onboarding)
Our environment is managed via Modern Management, and we don’t have the overhead of legacy setup. We will use the Intune Endpoint detection response (EDR) policy to onboard the devices. This is the simplest method as it doesn’t involve installing the agent manually or via GPOs.
Sign in to the Microsoft Endpoint Manager admin center.
On the onboarded device, go and run the following command to verify the status
Get-MpComputerStatus
Device Compliance Policy (Update)
I already have my existing Windows 10/11 compliance policy after enabling MDE, and I will go ahead and update the compliance policy to accommodate the changes further. This will allow reporting within the tenant on what device compliance level the endpoints are on and whether corporate governance is maintained.
Create Antivirus Policy in Intune
The next step is creating the Antivirus (AV) Policy with the options that your organization demands. I am starting with a few, but remember most choices will require nailing out with internal security/endpoint/governance teams.
Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements.
Sign in to the Microsoft Endpoint Manager admin center.
For Platform, select Windows 10, Windows 11, and Windows Servers.
For Profile type, select Microsoft Defender Antivirus, and then select Create.
Enter a Name – W365-AVD-AV-P01 and description and choose Next
Under the Configuration Settings
Configuration Settings
Status (Value)
Allow Archive Scanning (Scanning through zip and cab files)
Allowed
Allow Behaviour Monitoring
Allowed
Allow Cloud Protection (Joining Microsoft MAPS Community)
Allowed
Allow Email Scanning (Very useful if you are using Microsoft 365)
Allowed
Allow Full Scan Removable Drive Scanning (Scanning of Pen Drives)
Allowed
Allow Intrusion Prevention System
Allowed
Allow scanning of all downloaded files and attachments
Allowed
Allow Realtime Monitoring
Allowed
Cloud Block Level
High
Allow Users UI Access (Defender Client)
Allowed
Enable Network Protection
Enabled (Audit mode)
Avg CPU Load Factor
Enabled (30%)
Schedule Quick Scan Time
Enable (120)
Signature Update Interval
Enable (8 hours)
Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
Review and Create the policy and it will go ahead and enable AV across the fleet.
After sometime all your devices will show whether they are onboarded or not.
Create Attack surface reduction (ASR) Policy in Intune
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. This set of capabilities also includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs. In my case I am starting with few, but remember most of the options will require nailing out with internal security/endpoint/governeance teams.
Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements. Here I would like to take the approach of Audit mode first, followed by adding exclusions to refine the block rules (production).
Sign in to the Microsoft Endpoint Manager admin center.
Next step, I plan to write a few blog posts on specific topics like URLs, Networks etc, blocking (TikTok, Facebook etc,) concerning MDE. I hope you will find this helpful information towards your journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Numerous scripts and vendor optimizers (VMware, Citrix and Microsoft) remove the default pre-installed Windows applications that come within the operating system, aka bloatware. You can get rid of all unnecessary applications using the Microsoft Store app (new) within Microsoft Intune.
I attended the Microsoft 365 Modern Management Meetup, and our very own Steven Hosking demonstrated the uninstall of default applications via Intune. I got inspired and thought about blogging and socializing this trick with everyone.
For my Windows 365 Cloud PC endpoint, I use the Azure image Gallery – Windows 11 22H2 + Cloud PC Optimized image, and for this example, we will uninstall Xbox pre-installed application.
Fetch the Application ID (MS Store)
In specific scenarios, when you try to search the application with the repository, it will not show, and the alternate method is to search via the ID.
Navigate to App — Windows – Click on Add and select App type as – Microsoft Store app (new) and hit select
Under Application Information, click on Select App and in my case, I will enter the Application ID I copied in the previous step.
Make sure all the application details that it has fetched (auto-populated) look good, and select Next
The critical step on the Assignments as we are going to Uninstall it from the environment, we will select Un-install and specify the device group, in this case, Windows 365 Cloud (AAD – Dynamic Device Group)
It is adviced you also leverage Filtering for targeting specifc device types within the environment.
Last step review and Create the Uninstall of the default Application
Rinse & Repeat for other applications
Using the above method, you can add other applications of your choice. Note the effort is one-time, so put it in and reap the benefits for all future versions of Windows.
Advantages of using Intune for Default App Removal
Lets take a look at the advantages of using this method:
There is no need of using 3rd party scripts posted by unknown sources.
You will still have to use the vendor optimizers for other things but you can setup these once within the Intune Portal and it will works for the current and future version of Windows.
The Intune method is not very socialized on removing bloatware from the default operating system.
I hope you will find this helpful information for removal of default applications from the Intune Portal. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Microsoft Intune Compliance Policy can be used to manage the security and compliance of Azure Virtual Desktop (AVD) Session Host virtual machines. The policy can enforce specific configuration settings such as password complexity, security updates, and device encryption to ensure that the virtual machines meet the organization’s security and compliance requirements.
To set up an Intune Compliance Policy for an AVD Session Host virtual machine, the virtual machine must be enrolled with Intune. Then, the policy can be created in the Intune portal and assigned to the virtual machine. The policy settings will be enforced on the virtual machine and monitored for compliance.
Note: The Intune Compliance Policy is just one of the ways to manage the security and compliance of AVD Session Host virtual machines. Other tools such as Azure Security Center and Azure Policy can also be used.
Why create the azure virtual desktop session host compliance policy?
There are several reasons why organizations create Azure Virtual Desktop (AVD) Session Host Compliance Policies:
Security: Compliance policies help ensure that the AVD Session Host virtual machines are configured with the necessary security measures to protect sensitive data and prevent unauthorized access. This includes enforcing encryption, password policies, and software updates.
Compliance: Compliance policies help organizations meet regulatory requirements, such as HIPAA, PCI, and SOC, by ensuring that the AVD Session Host virtual machines are configured in accordance with these regulations.
Consistency: Compliance policies help ensure that all AVD Session Host virtual machines are configured consistently and meet the same standards. This makes it easier for administrators to manage the environment and ensures that all users have a consistent and secure experience.
Monitoring: Compliance policies provide ongoing monitoring of the AVD Session Host virtual machines, so administrators can quickly identify and address any deviations from the desired configuration.
By creating an AVD Session Host Compliance Policy, organizations can ensure that their virtual machines are secure, compliant, consistent, and properly monitored, which can help reduce the risk of security breaches and regulatory violations.
What compliance policies are supported with Azure Virtual Desktop?
The following compliance policies are supported on Windows 10 or Windows 11 Enterprise multi-session VMs:
Minimum OS version
Maximum OS version
Valid operating system builds
Simple passwords
Password type
Minimum password length
Password Complexity
Password expiration (days)
Number of previous passwords to prevent reuse
Microsoft Defender Antimalware
Microsoft Defender Antimalware security intelligence up-to-date
Firewall
Antivirus
Antispyware
Real-time protection
Microsoft Defender Antimalware minimum version
Defender ATP Risk score
Note in my sceanrio I am not using all of the above only a few based on the configuration of my environment. You will need a Azure AD device group containing all the session host for AVD to apply this policy.
What am I configuring?
I am only configuring two things. However, I urge if you to leverage Microsoft Defender and make sure you use the Antivirus and Antimalware settings (Another blog post later day for Defender integrations):
Minimum OS version – 10.0.22621.963
Firewall – Require
The above is not an extensive list, but I am trying to give you an idea here.
Click on Create Policy and Select Platform Windows 10 and later
Give the policy a name and description
Configure the above two parameters
An assignment is the most critical aspect, here, you want an Azure AD Dynamic Device Group that will make sure all the AVD Session hosts are covered.
My current AAD Dynamic Group query is as follows, I am working towards getting a more refine query to make it understand Multi-session(I have raised a query internally within MS)
Device Compliance (AVD Session Host VMs)
After waiting for 15 mins you will start noticing all your AVD Session host VM’s will now begin to show as compliant.
I hope you will find this helpful information for creating a compliance policy for your AVD Session host VMs. Please let me know if I have missed any steps or details, and I will be happy to update the post.
With the slightest effort, do you want to perform a disk cleanup operation? In this blogpost, we are setting up the Storage Sense to cleanup Temporary Files & Empty recycle bin on Windows 365 Cloud PC & AVD Multi-session host. Note by no means is Storage Sense a replacement for the detailed cleanmgr.exe tool, which can perform disk cleanup options in a much more granular manner. The below method is a quick method to get you started and later on improvise on your disk cleanup strategy.
What is Storage Sense?
Storage Sense is a feature in Microsoft Windows 11 that helps users free up space on their device by automatically deleting unnecessary files. It can delete temporary files, files in the recycle bin, and files that have not been accessed in a certain period of time. It also helps users to see what is taking up space on their device and gives them the option to delete specific files or move files to an external storage device.
What features are available within Storage Sense?
Storage Sense in Microsoft Windows 11 has the following features:
Automatic cleanup: Storage Sense can automatically delete temporary files, files in the recycle bin, and files that have not been accessed in a certain period of time.
Storage usage: It helps users to see what is taking up space on their device, and gives them the option to delete specific files or move files to an external storage device.
Storage sense can move files to external storage device
Storage sense can compress files to save space
Storage sense can move files to the cloud
Storage sense can delete files that are no longer needed
Storage sense can free up space by uninstalling apps
Storage sense can show you the storage usage of each app
Storage sense can help you to free up storage by cleaning up your downloads folder
What Configurations are available within Intune (MEM Portal)?
There are many ways to setup Storage Sense. However, the method we are going to opt is inline with the modern workplace management solution using Microsoft Intune (Microsoft Endpoint Manager admin center)
Setting Name
Details
Allow Disk Health Model Updates
Allows disk health model updates to predict disk hardware failure.
Allow Storage Sense Global
Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the
Allow Storage Sense Temporary Files Cleanup
When Storage Sense runs, it can delete the user’s temporary files that are not in use. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, Storage Sense will delete the user’s temporary files that are not in use.
Config Storage Sense Cloud Content Dehydration Threshold
When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it. Supported values are: 0–365. If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content
Config Storage Sense Downloads Cleanup Threshold
When Storage Sense runs, it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from the Downloads folder. Supported values are: 0-365. If you set this value to zero, Storage Sense will not delete files in the user’s Downloads folder
Config Storage Sense Recycle Bin Cleanup Threshold
When Storage Sense runs, it can delete files in the user’s Recycle Bin if they have been there for over a certain amount of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0–365
Removable Disk Deny Write Access
If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting “Deny write access to drives not protected by BitLocker,” which is located in “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.”
What policies are we applying?
In this scenario, we only focus on the deletion of temporary files, Recycle Bin, Moving the files to the OneDrive Known Folder (if configured) and checking the disk hardware.
What is the target of this policy?
We aim to kill two birds with one stone, and this policy configuration is not only applicable for Windows 10/11 based Windows 365 Cloud PC, it also works well for Windows 10/11 Multi-session host for Azure Virtual Desktop. This filter is critical to identifying whether the configuration setting will apply to your device type.
Assignments
We are assiging the policy to the Windows 365 AAD device group and add the Azure Virtual Desktop AAD device group here.
I hope you will find this helpful information for performing disk clean-up on Temporary & Recycle for Windows 365 Cloud PC & AVD. Please let me know if I have missed any steps or details, and I will be happy to update the post.
I have written various individual blog posts on PowerShell creation of all configurational task for Windows 365 Cloud PC under Microsoft Endpoint Portal (MEM).
Based on public demand, I want to create a consolidated post for all the scripts and configuration items that can get you started with Windows 365 Cloud PC using PowerShell: (Of course all the below features can also be configured using the UI, however below is the guidance strictly using PowerShell)
PowerShell links to my blog post
Following are the links to my blog post for each and individual task:
I promise you once you have done the hard work, you can get up and running in a few hours using all the above PowerShell scripts with Windows 365 Cloud PC.
GitHub Link
Here is the repo with all the scripts and more – askaresh/avdwin365mem (github.com). A big thanks to Andrew Taylor for collabrating and updating the Provisioning policy script with the SSO details that was release in late Nov 2022.
I hope you will find this helpful information for all things PowerShell w.r.t Windows 365 Cloud PC. I will update the post if I publish or update more information.
If you want to establish a network connection that allows communication between the Windows 365 Cloud PC and the existing Azure Virtual Network (ANC), then keep following this post. Today, I will demonstrate the Powershell method of creating the Azure Network Connection (ANC). Note that we need information from the Azure Portal to make sure you have all the necessary information handy or/or involve the necessary teams who can provide you with the information on Azure Networking.
Overview
Create the ANC first before creating the Win365 – Cloud Provisioning Policy (CPP)
If the ANC precreated then during the cloud provisioning of the Cloud PC desktops it will create them on the Azure VNET on your desired subnet
Make sure you have a working DNS configured on the VNET which can communicate with your on-premise network using express route or other Azure VNETs
Open necessary firewall ports based on your requirements on the NSG or Azure Firewall for the communication to your on-premise network using express route or other Azure VNETs
Permissions
Intune Administrator in Azure AD
Cloud PC Administrator
Global Administrator
If you decide to alter or change the ANC, you will have to reprovision the Cloud PC, and it’s a destructive activity. Make sure you architect it properly
You can delete your ANC however, you will have to update your cloud provisioning policy with the new ANC first, and then you can delete the existing ANC.
Connect to MS Graph API
Step 1 – Install the MS Graph Powershell Module
#Install Microsoft Graph Module
PS C:WINDOWSsystem32> Install-Module Microsoft.Graph
Step 2 – Connect to scopes and specify which API you want to authenticate. If you are only doing read-only operations, I suggest you connect to “CloudPC.Read.All” in our case, we are creating the ANC, so we need to change the scope to “CloudPC.ReadWrite.All”
#Read-only
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.Read.All"
Welcome To Microsoft Graph!
OR
#Read-Write
PS C:WINDOWSsystem32> Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
Welcome To Microsoft Graph!
Step 3 – Choose between v1.0 (Generally Available) and Beta API versions. Note for Windows 365 Cloud PC, the API calls are BETA.
We are logging into Azure to grab all the details regarding to Resource Group, Subscription ID/Name, VNET and Subnets
Connect to the Azure Portal using the necessary credentials
Select the Azure Subscription that holds all the networking information
A display name of the Azure Network Connection – ANC – (ANC-W365-Sub01)
What is the join type of the ANC of the golden image virtual machine (azureADJoin)
Resource Group ID of the existing resource group. You will have to enter the resource group name (W365-AVD-RG01), and it will get us the ID we need.
Name of the existing subnet within the vNET (W365Workload-Sub01), and it will get us the ID we need.
Name of the existing VNET used for the connection. You will have to enter the VNET name (W365-AVD-VNET01), and it will get us the ID we need.
Connection to the MS Graph API and ensure you have the necessary write permissions.
We are using the beta API for Cloud PC
# Connect to the Azure Subcription
Connect-AzAccount
# Get existing context
$currentAzContext = Get-AzContext
# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id
# Your subscription. This command gets your current subscription name
$subscriptionName = $currentAzContext.Subscription.Name
# ANC Display Name
$ancdname = "ANC-W365-Sub01"
# Join Ype for the Azure Network Connection
# Two types Azure AD and Hyrbird "azureADJoin" or "hybridAzureADJoin"
$ancjointype = "azureADJoin"
# Get your Win365 Resouce Group id for RG Name - W365-AVD-RG01
# Put your RG Name
$win365RGID = Get-AzResourceGroup -Name "W365-AVD-RG01" | Select-Object -ExpandProperty ResourceId
# Get your Azure VNET id used for Windows 365 Cloud PC
# Put your VNET Name
$win365VNETID = Get-AzVirtualNetwork -Name "W365-AVD-VNET01" | Select-Object -ExpandProperty Id
# Get your Subnet ID within the Azure VNET for Windows 365 Cloud PC
# Put your VNET Name
$win365VNET = Get-AzVirtualNetwork -Name "W365-AVD-VNET01"
# Enter your Subnet Name
$win365SubID = Get-AzVirtualNetworkSubnetConfig -Name "W365Workload-Sub01" -VirtualNetwork $win365VNET | Select-Object -ExpandProperty Id
# Connec to MS Graph for Cloud PC W365
Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
# Select Beta Profile for Cloud PC APIs
Select-MgProfile -Name "beta"
We shall pass the above variable into the final ANC creation.
Create the Azure Network Connection
We are creating a Azure Network Connection that includes the following:
Display Name of the network – $ancdname
Azure Subscription ID – $subscriptionID
Azure Subscription Name – $subscriptionName
Type – There are two types we are selecting Azure AD join – azureADJoin
Resource Group ID – The resource group within Azure – $win365RGID
Virtual Network ID – The VNET within Azure – $win365VNETID
Subnet ID – The subnet for W365 within VNET – $win365SubID
# Create the ANC for Windows 365 with AAD join type
try
{
write-host "Create the ANC for Windows 365 with AAD join type"
$params = @{
displayName = "$ancdname"
subscriptionId = "$subscriptionID"
type = "$ancjointype"
subscriptionName = "$subscriptionName"
resourceGroupId = "$win365RGID"
virtualNetworkId = "$win365VNETID"
subnetId = "$win365SubID"
}
New-MgDeviceManagementVirtualEndpointOnPremisesConnection -BodyParameter $params -Debug
}
catch
{
Write-Host $_.Exception.Message -ForegroundColor Yellow
}
# Import module Az and MS Graph
Import-Module Az.Accounts
Install-Module Microsoft.Graph
# Connect to the Azure Subcription
Connect-AzAccount
# Get existing context
$currentAzContext = Get-AzContext
# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id
# Your subscription. This command gets your current subscription name
$subscriptionName = $currentAzContext.Subscription.Name
# ANC Display Name
$ancdname = "ANC-W365-Sub01"
# Join Ype for the Azure Network Connection
# Two types Azure AD and Hyrbird "azureADJoin" or "hybridAzureADJoin"
$ancjointype = "azureADJoin"
# Get your Win365 Resouce Group id for RG Name - W365-AVD-RG01
# Put your RG Name
$win365RGID = Get-AzResourceGroup -Name "W365-AVD-RG01" | Select-Object -ExpandProperty ResourceId
# Get your Azure VNET id used for Windows 365 Cloud PC
# Put your VNET Name
$win365VNETID = Get-AzVirtualNetwork -Name "W365-AVD-VNET01" | Select-Object -ExpandProperty Id
# Get your Subnet ID within the Azure VNET for Windows 365 Cloud PC
# Put your VNET Name
$win365VNET = Get-AzVirtualNetwork -Name "W365-AVD-VNET01"
# Enter your Subnet Name
$win365SubID = Get-AzVirtualNetworkSubnetConfig -Name "W365Workload-Sub01" -VirtualNetwork $win365VNET | Select-Object -ExpandProperty Id
# Connec to MS Graph for Cloud PC W365
Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
# Select Beta Profile for Cloud PC APIs
Select-MgProfile -Name "beta"
# Create the ANC for Windows 365 with AAD join type
try
{
write-host "Create the ANC for Windows 365 with AAD join type"
$params = @{
displayName = "$ancdname"
subscriptionId = "$subscriptionID"
type = "$ancjointype"
subscriptionName = "$subscriptionName"
resourceGroupId = "$win365RGID"
virtualNetworkId = "$win365VNETID"
subnetId = "$win365SubID"
}
New-MgDeviceManagementVirtualEndpointOnPremisesConnection -BodyParameter $params -Debug
}
catch
{
Write-Host $_.Exception.Message -ForegroundColor Yellow
}
I hope you will find this helpful information for creating Azure Network Connection using PowerShell. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Many customers are already in the process of upgrading from VMware Horizon 7.x to 8.x or will soon upgrade as the End Of Life dates are upcoming in April 2023. I want to share a rare experience wherein the Horizon upgrade from 7.13.1 to 8.6 version failed. In the rare occasion where in upgrade fails in the below mentioned manner, the workaround steps will come in handy.
We have only received the workaround from VMware support, and I intend to update the post once I get a complete RCA. At least the workaround can help someone not have to revert the entire environment instead, follow the workaround and avoid a lot of rework.
Issue
During the upgrade of the first connection server in the POD1, we encountered the following error five mins into the upgrade. Note before starting the upgrade, the entire health dashboard for the POD was green and included backup and snapshots.
Environment Overview
Let take a look at the environment details to provide an high-level overview: Active Site (POD1)
5 VMware Horizon Connection Servers 7.13.1
SQL Database on Microsoft SQL 2016 Always-on – EventsDB
The 5 Brokers are behind an NSX Load balancer
Active Site (POD2)
5 VMware Horizon Connection Servers 7.13.1
SQL Database on Microsoft SQL 2016 Always-on – EventsDB
The 5 Brokers are behind an NSX Load balancer
Observations
The logs from the installer had the following message it’s complaining about insufficient privileges, which the installer is run with admin privileges already.
MSI (s) (A0:E0) [06:12:07:977]: Executing op: ActionStart(Name=InstallServices,Description=Installing new services,Template=Service: [2])
Action 6:12:07: InstallServices. Installing new services
MSI (s) (A0:E0) [06:12:07:977]: Executing op: ProgressTotal(Total=9,Type=1,ByteEquivalent=1300000)
MSI (s) (A0:E0) [06:12:07:977]: Executing op: ServiceInstall(Name=PCOIPSG,DisplayName=VMware Horizon View PCoIP Secure Gateway,ImagePath="C:\Program Files\VMware\VMware View\Server\bin\SecurityGateway.exe",ServiceType=16,StartType=3,ErrorControl=1,,Dependencies=[~],,,Password=**********,Description=Provides VMware Horizon View PCoIP gateway services.,,)
InstallServices: Service:
MSI (s) (A0:E0) [06:12:08:228]: Executing op: ServiceInstall(Name=VMBlastSG,DisplayName=VMware Horizon View Blast Secure Gateway,ImagePath="C:\Program Files\VMware\VMware View\Server\appblastgateway\nssm.exe",ServiceType=16,StartType=3,ErrorControl=0,,Dependencies=[~],,,Password=**********,Description=Provides VMware Horizon View Blast gateway services.,,)
InstallServices: Service:
Info 1923.Service VMware Horizon View Blast Secure Gateway (VMBlastSG) could not be installed. Verify that you have sufficient privileges to install system services.
Action ended 6:12:08: InstallFinalize. Return value 3.
Also noticed during the upgrade, it should uninstall the services from version 7.13.1, and new services would be created for version 8.6. In this case, they were listed as disabled.
Workaround
Later during the ongoing RCA investigation, a workaround provided was working well. The reason for socializing the workaround is that we spent a tremendous amount of time and effort in a revert operation, which was very time consuming and cumbersome. Only if we had known about this workaround during the failed upgrade would we have saved tremendous effort.
#ProTip – If you have two POD, make sure before you start the upgrade. Take a snapshot of all the PODS together at the same time. This could help you in scenarios where the POD1 upgrade fails, and you can revert the entire environment (POD1 & POD2) from snapshots.
Prerequisite / Rollback Plan
Power off all the Connection Servers part of Cloud POD Federation
Take a powered-off snapshot
In case of an incident during the change activity which requires recovering Horizon Environment, Snapshots will be used as a fallback plan as the last option if break/fix, troubleshooting steps performed is not resolving the issue.
In troubleshooting scenarios of a failed upgrade
Workaround Steps
The following steps need to be performed on each Connection Server at a time
Uninstall HTML and Horizon Connection Server 7.13.1 component keeping ADLDS and ADLDSG Instances intact. Check services.msc, and Horizon Services will appear in the Disabled state
Perform a reboot of the Connection Server, and Horizon Services will be cleared from services.msc
Install Horizon 8.6 as Standard, which will pick the residing ADLDS and ADLDSG instance
After successful install, it can be verified using ldp utility as instructed in KB https://kb.vmware.com/s/article/2064157 and look for the fields whenChanged , and whenCreated . This step can be performed prior upgrade for comparing the state of ADLDS
The VMware GSS case handled by Jezill Asharaf (A very helpful support engineer) and a few of the backend engineering team has been instrumental. I hope you will find this information useful if you encounter the issue and it should help you save time. If you manage to tweak or improvise further on this solution, please don’t forget to keep me posted.
In the current security landscape, it’s pretty standard you will have to put your Windows 365 Cloud PC for digital forensic investigations. The security team or 3rd party vendor would ask you (the PC Ownership team) for a backup or snapshot of the Cloud PC to run security tools or skim through the files. This blog post intends to get you 100% ready to help and collaborate with security teams on the Cloud PC forensic review.
Pre-requsites
To put the Windows 365 Cloud PC for review you will need the following:
Azure Subscription with Storage Account Configured. Additionally, the Azure subscription is linked between Microsoft Intune (MEM Portal)
Permission Storage Account Contributor for the Windows 365 Application
A Windows 365 Cloud Enterprise license
The snapshot stored within the Containers in Azure Storage account – The AAD account, needs to have Storage Blob Data Reader or Storage Blob Data Contributor
Azure Storage Account for Windows 365
I already created the storage account within the Azure Subscription linked with my MEM portal. However, I encountered the below issue as I missed out on the RBAC permissions.
Issue
The storage account selection will be grey out when you try to put the Windows 365 Cloud PC in Review
Solution
Provide the Windows 365 Application Storage Account Contributor access. Once I added the permission, the storage account would be listed within the Cloud PC review blade.
The overall permissions within the storage account to store the snapshot and to see the snapshot you will need these two permissions:
Place a Cloud PC in review
Login to the Microsoft Endpoint Manager admin center portal and go to Devices – All Devices and select the device starting with CPC-***** and then click on the three dots and select “Place Cloud PC under review.”
Select the Azure subcription, the storage account and further depending upon the secruity incident you will choose allow or deny access to the Cloud PC
After approx 10 mins, you will see the following within the Device actions status
View Snapshot in Azure Storage Account
The Cloud PC snapshot will be listed under the Azure Storage Account – Containers
Snapshot details it’s a *.vhd disk, and the disk size matches the Cloud PC SKU size.
Provide the snapshots to the security teams for analysis. Optionally there is a download button if you wish to download the snapshot (*.vhd) and take it outside the Azure environment for analysis. Post the review, depending upon the outcome, the SOC team will guide you. Note as an admin you must attest that the digital evidence provided demonstrates a valid Chain of Custody (CoC). I am showing the next step of removing the Cloud PC from review.
Remove Cloud PC from Review
Login to the Microsoft Endpoint Manager admin center portal and go to Devices – All Devices and select the device starting with CPC-*****, which you previously kept under review and the notifications
After approx 3 mins, you will see the following within the Device actions status as completed
I hope you will find this helpful information for putting the Cloud PC under secruity review. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Recent Comments