Tag Archives: AVD

Azure Virtual Desktop – Terraform – Create a Host Pool, Desktop Application Group and Workspace for Pooled Remote App aka Published Applications (Part 3)

15 May

In the previous blog post we look at creating the Personal Desktop (1×1 mapping) and Pooled Desktop (1 x Many) using Terraform Azure Virtual Desktop – Terraform – Create a Host Pool, Desktop Application Group and Workspace for Personal Desktop (Part 1) | AskAresh and Azure Virtual Desktop – Terraform – Create a Host Pool, Desktop Application Group and Workspace for Pooled Desktop (Part 2). In this blog post series I am going to demonstrate how to create the AVD Host Pool, Application Group and Workspace using Terraform for Pooled Remote App aka Published Applications (1xMany)

We are going to create the following three types of configurations using Terraform:

  • Azure Virtual Desktop – Personal Desktop (1×1) – Part 1
  • Azure Virtual Desktop – Pooled Desktop (Multi-Session Full Desktop Experience) – Part 2
  • Azure Virtual Desktop – Remote App (Multi-Session Application aka Published Apps) – Part 3

Note – We are creating the Pooled RemoteApp in this post and in the subsequent post the other types were. In this post In this post I will not show case the creation of service principal and secret please refer for the Part 1 for that activity.

Pre-requisites

Following are the pre-requisites before you begin

  • An Azure subscription
  • The Terraform CLI
  • The Azure CLI
  • Permissions within the Azure Subscription for using Terraform

Terraform – Authenticating via Service Principal & Client Secret

Before running any Terraform code the following powershell (Make sure run as administrator) we will execute and store the credentials as enviornment variables. If we do this via the environment variable we dont have to store the below information within the providers.tf file. In the future blog post there are better way to store the below details and I hope to showcase them:

# PowerShell
$env:ARM_CLIENT_ID = "9e453b62-0000-0000-0000-00000006e1ac"
$env:ARM_CLIENT_SECRET = "Z318Q~00000000000000000000000000000000_"
$env:ARM_TENANT_ID = "a02e602c-0000-000-0000-0e0000008bba61"
$env:ARM_SUBSCRIPTION_ID = "7b051460-00000-00000-00000-000000ecb1"
  • Azure Subcription ID – Azure Portal Subcription copy the ID
  • Client ID – From the above step you will have the details
  • Client Secret – From the above step you will have the details
  • Tenant ID – While creating the Enterprise Apps in ADD you will have the details

Terraform Folder Structure

The following is the folder structure for the terrraform code:

Azure Virtual Desktop Pooled RemoteApp – Create a directory in which the below Terraform code will be published (providers.tf, main.tf, variables.tf and output.tf)

+---Config-AVD-Pooled-RemoteApp
|   |   main.tf
|   |   output.tf
|   |   providers.tf
|   |   variables.tf

Configure AVD – Pooled RemoteApp – Providers.tf

Create a file named providers.tf and insert the following code:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.49.0"
    }
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azurerm" {
  features {}
}

Configure AVD – Pooled RemoteApp – main.tf

Create a file named main.tf and insert the following code. Let me explain what all we are attempting to accomplish here:

  • Create a Resource Group
  • Create a Workspace
  • Create a Host Pool
  • Create a Remote Application Group (RAG)
  • Associate Workspace and RAG
  • Assign Azure AD Group to the Desktop Application Group (RAG)
  • Assign Azure AD Group to the Resource Group for RBAC for the Session Host (Virtual Machine User Login)
# Resource group name is output when execution plan is applied.
resource "azurerm_resource_group" "rg" {
  name     = var.rg_name
  location = var.resource_group_location
  tags = var.tags
}

# Create AVD workspace
resource "azurerm_virtual_desktop_workspace" "workspace" {
  name                = var.workspace
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  friendly_name       = "${var.prefix} Workspace"
  description         = "${var.prefix} Workspace"
  tags = var.tags
}

# Create AVD host pool
resource "azurerm_virtual_desktop_host_pool" "hostpool" {
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  name                     = var.hostpool
  friendly_name            = var.hostpool
  validate_environment     = true #[true false]
  start_vm_on_connect      = true
  custom_rdp_properties    = "targetisaadjoined:i:1;drivestoredirect:s:*;audiomode:i:0;videoplaybackmode:i:1;redirectclipboard:i:1;redirectprinters:i:1;devicestoredirect:s:*;redirectcomports:i:1;redirectsmartcards:i:1;usbdevicestoredirect:s:*;enablecredsspsupport:i:1;redirectwebauthn:i:1;use multimon:i:1;enablerdsaadauth:i:1;"
  description              = "${var.prefix} HostPool"
  type                     = "Pooled" #[Pooled or Personal]
  preferred_app_group_type = "RailApplications" #[Desktop or RailApplications]
  maximum_sessions_allowed = 5  #[Tweak based on your vm tshirt size]
  load_balancer_type       = "DepthFirst" #[BreadthFirst or DepthFirst]
  tags = var.tags
scheduled_agent_updates {
  enabled = true
  timezone = "AUS Eastern Standard Time"  # Update this value with your desired timezone
  schedule {
    day_of_week = "Saturday"
    hour_of_day = 1   #[1 here means 1:00 am]
  }
}
}

resource "azurerm_virtual_desktop_host_pool_registration_info" "registrationinfo" {
  hostpool_id     = azurerm_virtual_desktop_host_pool.hostpool.id
  expiration_date = var.rfc3339
}

# Create AVD RAG
resource "azurerm_virtual_desktop_application_group" "rag" {
  resource_group_name = azurerm_resource_group.rg.name
  host_pool_id        = azurerm_virtual_desktop_host_pool.hostpool.id
  location            = azurerm_resource_group.rg.location
  type                = "RemoteApp"
  name                = var.app_group_name
  friendly_name       = "RemoteApp AppGroup"
  description         = "${var.prefix} AVD RemoteApp application group"
  depends_on          = [azurerm_virtual_desktop_host_pool.hostpool, azurerm_virtual_desktop_workspace.workspace]
  tags = var.tags
}

# Associate Workspace and DAG
resource "azurerm_virtual_desktop_workspace_application_group_association" "ws-dag" {
  application_group_id = azurerm_virtual_desktop_application_group.rag.id
  workspace_id         = azurerm_virtual_desktop_workspace.workspace.id
}

# Assign AAD Group to the Remote Application Group (RAG)
resource "azurerm_role_assignment" "AVDGroupRemoteAppAssignment" {
  scope                = azurerm_virtual_desktop_application_group.rag.id
  role_definition_name = "Desktop Virtualization User"
  principal_id         = data.azuread_group.AVDGroup.object_id
}

# Assign AAD Group to the Resource Group for RBAC for the Session Host
resource "azurerm_role_assignment" "RBACAssignment" {
  scope                = azurerm_resource_group.rg.id
  role_definition_name = "Virtual Machine User Login"
  principal_id         = data.azuread_group.AVDGroup.object_id
}

Note – The individual applications are not published yet. They can be published once you have the session host created. After which, using Terraform, the individual applications can be published too. The exe path of apps needs to be mapped within the operating system. I plan to create a separate blog post on session host creation via Terraform.

Configure AVD – Pooled RemoteApp – variables.tf

Create a file named variables.tf and insert the following code:

variable "resource_group_location" {
  default     = "australiaeast"
  description = "Location of the resource group - Australia East"
}

variable "rg_name" {
  type        = string
  default     = "AE-DEV-AVD-01-PO-A-RG"
  description = "Name of the Resource group in which to deploy service objects"
}

variable "workspace" {
  type        = string
  description = "Name of the Azure Virtual Desktop workspace"
  default     = "AE-DEV-AVD-01-WS"
}

variable "hostpool" {
  type        = string
  description = "Name of the Azure Virtual Desktop host pool"
  default     = "AE-DEV-AVD-01-PO-A-HP"
}

variable "app_group_name" {
  description = "Name of the Azure Virtual Desktop application group"
  type        = string
  default     = "AE-DEV-AVD-01-RAG"
}

variable "rfc3339" {
  type        = string
  default     = "2023-05-20T12:43:13Z"  #Update this value with a future date
  description = "Registration token expiration"
}

variable "prefix" {
  type        = string
  default     = "AE-DEV-AVD-01-HP-"
  description = "Prefix of the name of the AVD HostPools"
}

variable "tags" {
  type    = map(string)
  default = {
    Environment = "Dev"
    Department  = "IT"
    Location = "AustraliaEast"
    ServiceClass = "DEV"
    Workload = "Host Pool 01"
  }
}

data "azuread_client_config" "AzureAD" {}

data "azuread_group" "AVDGroup" {
  display_name     = "Win365-Users"  
}

Configure AVD – Pooled RemoteApp – output.tf

Create a file named output.tf and insert the following code. This will showcase in the console what is getting deployed in form of a output.

output "azure_virtual_desktop_compute_resource_group" {
  description = "Name of the Resource group in which to deploy session host"
  value       = azurerm_resource_group.rg.name
}

output "azure_virtual_desktop_host_pool" {
  description = "Name of the Azure Virtual Desktop host pool"
  value       = azurerm_virtual_desktop_host_pool.hostpool.name
}

output "azurerm_virtual_desktop_application_group" {
  description = "Name of the Azure Virtual Desktop DAG"
  value       = azurerm_virtual_desktop_application_group.rag.name
}

output "azurerm_virtual_desktop_workspace" {
  description = "Name of the Azure Virtual Desktop workspace"
  value       = azurerm_virtual_desktop_workspace.workspace.name
}

output "location" {
  description = "The Azure region"
  value       = azurerm_resource_group.rg.location
}

data "azuread_group" "aad_group" {
  display_name = "Win365-Users"
}

output "AVD_user_groupname" {
  description = "Azure Active Directory Group for AVD users"
  value       = data.azuread_group.aad_group.display_name
}

Intialize Terraform – AVD – Pooled RemoteApp

Run terraform init to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources. (Its pulling the AzureRM and AzureAD)

terraform init -upgrade

Create Terraform Execution Plan – AVD – Pooled RemoteApp

Run terraform plan to create an execution plan.

terraform plan -out mainavdremoteapp.tfplan

Apply Terraform Execution Plan – AVD – Pooled RemoteApp

Run terraform apply to apply the execution plan to your cloud infrastructure.

terraform apply mainavdremoteapp.tfplan

Validate the Output in Azure Portal

Go to the Azure portal, Select Azure Virtual Desktop and Select Host pools, Application Group and Workspace created using Terraform.

Clean-up the above resources (Optional)

If you want to delete all the above resources then you can use the following commands to destroy. Run terraform plan and specify the destroy flag.

terraform plan -destroy -out mainavdremoteapp.destroy.tfplan

Run terraform apply to apply the execution plan.

terraform apply mainavdremoteapp.destroy.tfplan

The intention here is to get you quickly started with Terraform on Azure Virtual Desktop Solution:

DescriptionLinks
Setting up your computer to get started with Terrafor using PowershellInstall Terraform on Windows with Azure PowerShell
AVD Configure Azure Virtual Desktophttps://learn.microsoft.com/en-us/azure/developer/terraform/configure-azure-virtual-desktop
Terraform Learninghttps://youtube.com/playlist?list=PLLc2nQDXYMHowSZ4Lkq2jnZ0gsJL3ArAw

I hope you will find this helpful information for getting started with Terraform to deploy the Azure Virtual Desktop – Pooled Remote App. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , ,

Azure Virtual Desktop – Terraform – Create a Host Pool, Desktop Application Group and Workspace for Pooled Desktop (Part 2)

15 May

In the previous blog post we look at creating the Personal Desktop (1×1 mapping) using Terraform. Azure Virtual Desktop – Terraform – Create a Host Pool, Desktop Application Group and Workspace for Personal Desktop (Part 1) | AskAresh. In this blog post series I am going to demonstrate how to create the AVD Host Pool, Application Group and Workspace using Terraform for Pooled Desktop (1xMany)

We are going to create the following three types of configurations using Terraform:

  • Azure Virtual Desktop – Personal Desktop (1×1) – Part 1
  • Azure Virtual Desktop – Pooled Desktop (Multi-Session Full Desktop Experience) – Part 2
  • Azure Virtual Desktop – Remote App (Multi-Session Application aka Published Apps) – Part 3

Note – We are creating the Pooled Desktop in this post and in the subsequent post the other types will be created. In this post In this post I will not show case the creation of service principal and secret please refer for the Part 1 for that activity.

Pre-requisites

Following are the pre-requisites before you begin

  • An Azure subscription
  • The Terraform CLI
  • The Azure CLI
  • Permissions within the Azure Subscription for using Terraform

Terraform – Authenticating via Service Principal & Client Secret

Before running any Terraform code the following powershell (Make sure run as administrator) we will execute and store the credentials as enviornment variables. If we do this via the environment variable we dont have to store the below information within the providers.tf file. In the future blog post there are better way to store the below details and I hope to showcase them:

# PowerShell
$env:ARM_CLIENT_ID = "9e453b62-0000-0000-0000-00000006e1ac"
$env:ARM_CLIENT_SECRET = "Z318Q~00000000000000000000000000000000_"
$env:ARM_TENANT_ID = "a02e602c-0000-000-0000-0e0000008bba61"
$env:ARM_SUBSCRIPTION_ID = "7b051460-00000-00000-00000-000000ecb1"
  • Azure Subcription ID – Azure Portal Subcription copy the ID
  • Client ID – From the above step you will have the details
  • Client Secret – From the above step you will have the details
  • Tenant ID – While creating the Enterprise Apps in ADD you will have the details

Terraform Folder Structure

The following is the folder structure for the terrraform code:

Azure Virtual Desktop Pooled Desktop – Create a directory in which the below Terraform code will be published (providers.tf, main.tf, variables.tf and output.tf)

+---Config-AVD-Pooled-Desktop
|   |   main.tf
|   |   output.tf
|   |   providers.tf
|   |   variables.tf

Configure AVD – Pooled Desktop Pool – Providers.tf

Create a file named providers.tf and insert the following code:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.49.0"
    }
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azurerm" {
  features {}
}

Configure AVD – Pooled Desktop Pool – main.tf

Create a file named main.tf and insert the following code. Let me explain what all we are attempting to accomplish here:

  • Create a Resource Group
  • Create a Workspace
  • Create a Host Pool (Pooled Desktops and Depth first load balancing)
  • Create a Desktop Application Group (DAG)
  • Associate Workspace and DAG
  • Assign Azure AD Group to the Desktop Application Group (DAG)
  • Assign Azure AD Group to the Resource Group for RBAC for the Session Host (Virtual Machine User Login)
# Resource group name is output when execution plan is applied.
resource "azurerm_resource_group" "rg" {
  name     = var.rg_name
  location = var.resource_group_location
  tags = var.tags
}

# Create AVD workspace
resource "azurerm_virtual_desktop_workspace" "workspace" {
  name                = var.workspace
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  friendly_name       = "${var.prefix} Workspace"
  description         = "${var.prefix} Workspace"
  tags = var.tags
}

# Create AVD host pool
resource "azurerm_virtual_desktop_host_pool" "hostpool" {
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  name                     = var.hostpool
  friendly_name            = var.hostpool
  validate_environment     = true #[true false]
  start_vm_on_connect      = true
  custom_rdp_properties    = "targetisaadjoined:i:1;drivestoredirect:s:*;audiomode:i:0;videoplaybackmode:i:1;redirectclipboard:i:1;redirectprinters:i:1;devicestoredirect:s:*;redirectcomports:i:1;redirectsmartcards:i:1;usbdevicestoredirect:s:*;enablecredsspsupport:i:1;redirectwebauthn:i:1;use multimon:i:1;enablerdsaadauth:i:1;"
  description              = "${var.prefix} HostPool"
  type                     = "Pooled" #[Pooled or Personal]
  maximum_sessions_allowed = 5
  load_balancer_type       = "DepthFirst" #[BreadthFirst DepthFirst]
  tags = var.tags
scheduled_agent_updates {
  enabled = true
  timezone = "AUS Eastern Standard Time"  # Update this value with your desired timezone
  schedule {
    day_of_week = "Saturday"
    hour_of_day = 1   #[1 here means 1:00 am]
  }
}
}

resource "azurerm_virtual_desktop_host_pool_registration_info" "registrationinfo" {
  hostpool_id     = azurerm_virtual_desktop_host_pool.hostpool.id
  expiration_date = var.rfc3339
}

# Create AVD DAG
resource "azurerm_virtual_desktop_application_group" "dag" {
  resource_group_name = azurerm_resource_group.rg.name
  host_pool_id        = azurerm_virtual_desktop_host_pool.hostpool.id
  location            = azurerm_resource_group.rg.location
  type                = "Desktop"
  name                = var.app_group_name
  friendly_name       = "Desktop AppGroup"
  description         = "${var.prefix} AVD application group"
  depends_on          = [azurerm_virtual_desktop_host_pool.hostpool, azurerm_virtual_desktop_workspace.workspace]
  tags = var.tags
}

# Associate Workspace and DAG
resource "azurerm_virtual_desktop_workspace_application_group_association" "ws-dag" {
  application_group_id = azurerm_virtual_desktop_application_group.dag.id
  workspace_id         = azurerm_virtual_desktop_workspace.workspace.id
}

# Assign AAD Group to the Desktop Application Group (DAG)
resource "azurerm_role_assignment" "AVDGroupDesktopAssignment" {
  scope                = azurerm_virtual_desktop_application_group.dag.id
  role_definition_name = "Desktop Virtualization User"
  principal_id         = data.azuread_group.AVDGroup.object_id
}

# Assign AAD Group to the Resource Group for RBAC for the Session Host
resource "azurerm_role_assignment" "RBACAssignment" {
  scope                = azurerm_resource_group.rg.id
  role_definition_name = "Virtual Machine User Login"
  principal_id         = data.azuread_group.AVDGroup.object_id
}

Configure AVD – Pooled Desktop Pool – variables.tf

Create a file named variables.tf and insert the following code:

variable "resource_group_location" {
  default     = "australiaeast"
  description = "Location of the resource group - Australia East"
}

variable "rg_name" {
  type        = string
  default     = "AE-DEV-AVD-01-PO-D-RG"
  description = "Name of the Resource group in which to deploy service objects"
}

variable "workspace" {
  type        = string
  description = "Name of the Azure Virtual Desktop workspace"
  default     = "AE-DEV-AVD-01-WS"
}

variable "hostpool" {
  type        = string
  description = "Name of the Azure Virtual Desktop host pool"
  default     = "AE-DEV-AVD-01-PO-D-HP"
}

variable "app_group_name" {
  description = "Name of the Azure Virtual Desktop application group"
  type        = string
  default     = "AE-DEV-AVD-01-DAG"
}

variable "rfc3339" {
  type        = string
  default     = "2023-05-20T12:43:13Z"  #Update this value with a future date
  description = "Registration token expiration"
}

variable "prefix" {
  type        = string
  default     = "AE-DEV-AVD-01-HP-"
  description = "Prefix of the name of the AVD machine(s)"
}

variable "tags" {
  type    = map(string)
  default = {
    Environment = "Dev"
    Department  = "IT"
    Location = "AustraliaEast"
    ServiceClass = "DEV"
    Workload = "Host Pool 01"
  }
}

data "azuread_client_config" "AzureAD" {}

data "azuread_group" "AVDGroup" {
  display_name     = "Win365-Users"  
}

Configure AVD – Pooled Desktop Pool – output.tf

Create a file named output.tf and insert the following code. This will showcase in the console what is getting deployed in form of a output.

output "azure_virtual_desktop_compute_resource_group" {
  description = "Name of the Resource group in which to deploy session host"
  value       = azurerm_resource_group.rg.name
}

output "azure_virtual_desktop_host_pool" {
  description = "Name of the Azure Virtual Desktop host pool"
  value       = azurerm_virtual_desktop_host_pool.hostpool.name
}

output "azurerm_virtual_desktop_application_group" {
  description = "Name of the Azure Virtual Desktop DAG"
  value       = azurerm_virtual_desktop_application_group.dag.name
}

output "azurerm_virtual_desktop_workspace" {
  description = "Name of the Azure Virtual Desktop workspace"
  value       = azurerm_virtual_desktop_workspace.workspace.name
}

output "location" {
  description = "The Azure region"
  value       = azurerm_resource_group.rg.location
}

data "azuread_group" "aad_group" {
  display_name = "Win365-Users"
}

output "AVD_user_groupname" {
  description = "Azure Active Directory Group for AVD users"
  value       = data.azuread_group.aad_group.display_name
}

Intialize Terraform – AVD – Pooled Desktop Pool

Run terraform init to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources. (Its pulling the AzureRM and AzureAD)

terraform init -upgrade

Create Terraform Execution Plan – AVD – Pooled Desktop Pool

Run terraform plan to create an execution plan.

terraform plan -out mainavdpooled.tfplan

Apply Terraform Execution Plan – AVD – Pooled Desktop Pool

Run terraform apply to apply the execution plan to your cloud infrastructure.

terraform apply mainavdpooled.tfplan

Validate the Output in Azure Portal

Go to the Azure portal, Select Azure Virtual Desktop and Select Host pools, Application Group and Workspace created using Terraform.

Clean-up the above resources (Optional)

If you want to delete all the above resources then you can use the following commands to destroy. Run terraform plan and specify the destroy flag.

terraform plan -destroy -out mainavdpooled.destroy.tfplan

Run terraform apply to apply the execution plan.

terraform apply mainavdpooled.destroy.tfplan

The intention here is to get you quickly started with Terraform on Azure Virtual Desktop Solution:

DescriptionLinks
Setting up your computer to get started with Terrafor using PowershellInstall Terraform on Windows with Azure PowerShell
AVD Configure Azure Virtual Desktophttps://learn.microsoft.com/en-us/azure/developer/terraform/configure-azure-virtual-desktop
Terraform Learninghttps://youtube.com/playlist?list=PLLc2nQDXYMHowSZ4Lkq2jnZ0gsJL3ArAw

I hope you will find this helpful information for getting started with Terraform to deploy the Azure Virtual Desktop – Pooled Desktop. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , ,

Azure Virtual Desktop – Terraform – Create a Host Pool, Desktop Application Group and Workspace for Personal Desktop (Part 1)

8 May

In the past, I have written blog posts on creating the Azure Virtual Desktop (AVD) solution using PowerShell. In this blog post series, I will demonstrate how to create the AVD Host Pool, Application Group and Workspace using Terraform. Terraform is an open-source infrastructure as code (IaC) software tool that enables you to safely and predictably create, change, and improve infrastructure. Terraform can be used to manage infrastructure on various cloud providers, including Azure.

We are going to create the following three types of configurations using Terraform:

  • Azure Virtual Desktop – Personal Desktop (1×1)
  • Azure Virtual Desktop – Pooled Desktop (Multi-Session Full Desktop Experience)
  • Azure Virtual Desktop – Remote App (Multi-Session Application aka Published Apps)

Note – We are creating the Personal Desktop in this post, and the other desktop/app types will be created in the subsequent post. In this post, I will showcase the creation of service principal and secret. In the next part, we shall move straight onto the Terraform code. Referring to part 1 in the series will be essential if you are doing the basics.

Pre-requisites

Following are the pre-requisites before you begin

  • An Azure subscription
  • The Terraform CLI
  • The Azure CLI
  • Permissions within the Azure Subscription for using Terraform

Terraform Service Principal and Secret (Azure AD – App Registrations)

Let’s pre-create the application ID and client secret we will use to connect and leverage the Terraform code in VScode.

  • Connect to Azure Portal and go to Azure Active Directory
  • Click on App Registrations and select – New Registration
  • Give the App a Name – Terraform
  • You will get two important information created for later use within Terraform
    • Application ID
    • Tenant ID
  • Now let’s grant this App Terraform Permission. Click on Add a permission and select MS Graph and search for AppRoleAssignment.ReadWrite.All and select read/write permissions and Add Permissions
  • Select Grant admin consent for domain
  • We are using client secret so now lets enable that. Click on Certificates & Secrets – Client Secrets and select New client secret\
  • Give it a name (Terra-secret) and expiry date (12 months)
  • Copy the Secret Value

Terraform – Authenticating via Service Principal & Client Secret

In the above step, we created the Service Principal and Client secret. We will use it before running any Terraform code in PowerShell (Ensure to run as administrator). We will execute and store the credentials as environment variables. If we do this via the environment variable, we don’t have to store the below information within the providers.tf file. In a future blog post, there are better ways to keep the below details, and I hope to showcase them:

# PowerShell
$env:ARM_CLIENT_ID = "9e453b62-0000-0000-0000-00000006e1ac"
$env:ARM_CLIENT_SECRET = "Z318Q~00000000000000000000000000000000_"
$env:ARM_TENANT_ID = "a02e602c-0000-000-0000-0e0000008bba61"
$env:ARM_SUBSCRIPTION_ID = "7b051460-00000-00000-00000-000000ecb1"
  • Azure Subscription ID – Azure Portal Subscription copy the ID.
  • Client ID – From the above step, you will have the details
  • Client Secret – From the above step, you will have the details
  • Tenant ID – While creating the Enterprise Apps in Azure AD, you will have the details

Terraform Folder Structure

The following is the folder structure for the Terraform code:

Azure Virtual Desktop Personal Pool – Create a directory in which the below Terraform code will be published (providers.tf, main.tf, variables.tf and output.tf)

+---Config-AVD-Personal-Desktop
|   |   main.tf
|   |   output.tf
|   |   providers.tf
|   |   variables.tf

Note – I am not demonstrating how to install Terraform as it’s dead simple, and the information is available everywhere.

Configure AVD – Personal Desktop Pool – Providers.tf

Create a file named providers.tf and insert the following code. (We are using the AzureRM and AzureAD providers)

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.49.0"
    }
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azurerm" {
  features {}
}

Configure AVD – Personal Desktop Pool – main.tf

Create a file named main.tf and insert the following code. Let me explain what we are attempting to accomplish here: (Note I have # commented the lines with additional info)

  • Create a Resource Group
  • Create a Workspace
  • Create a Host Pool
  • Create a Desktop Application Group (DAG)
  • Associate Workspace and DAG
  • Assign Azure AD Group to the Desktop Application Group (DAG)
  • Assign Azure AD Group to the Resource Group for RBAC for the Session Host (Virtual Machine User Login)
# Resource group name is output when execution plan is applied.
resource "azurerm_resource_group" "rg" {
  name     = var.rg_name
  location = var.resource_group_location
  tags = var.tags
}

# Create AVD workspace
resource "azurerm_virtual_desktop_workspace" "workspace" {
  name                = var.workspace
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  friendly_name       = "${var.prefix} Workspace"
  description         = "${var.prefix} Workspace"
  tags = var.tags
}

# Create AVD host pool
resource "azurerm_virtual_desktop_host_pool" "hostpool" {
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  name                     = var.hostpool
  friendly_name            = var.hostpool
  validate_environment     = true #[true false]
  start_vm_on_connect      = true
  custom_rdp_properties    = "targetisaadjoined:i:1;drivestoredirect:s:*;audiomode:i:0;videoplaybackmode:i:1;redirectclipboard:i:1;redirectprinters:i:1;devicestoredirect:s:*;redirectcomports:i:1;redirectsmartcards:i:1;usbdevicestoredirect:s:*;enablecredsspsupport:i:1;redirectwebauthn:i:1;use multimon:i:1;enablerdsaadauth:i:1;"
  description              = "${var.prefix} HostPool"
  type                     = "Personal" #[Pooled or Personal]
  personal_desktop_assignment_type = "Automatic"
  load_balancer_type       =  "Persistent"
  tags = var.tags
scheduled_agent_updates {
  enabled = true
  timezone = "AUS Eastern Standard Time"  # Update this value with your desired timezone
  schedule {
    day_of_week = "Saturday"
    hour_of_day = 1   #[1 here means 1:00 am]
  }
}
}

resource "azurerm_virtual_desktop_host_pool_registration_info" "registrationinfo" {
  hostpool_id     = azurerm_virtual_desktop_host_pool.hostpool.id
  expiration_date = var.rfc3339
}

# Create AVD DAG
resource "azurerm_virtual_desktop_application_group" "dag" {
  resource_group_name = azurerm_resource_group.rg.name
  host_pool_id        = azurerm_virtual_desktop_host_pool.hostpool.id
  location            = azurerm_resource_group.rg.location
  type                = "Desktop"
  name                = var.app_group_name
  friendly_name       = "Desktop AppGroup"
  description         = "${var.prefix} AVD application group"
  depends_on          = [azurerm_virtual_desktop_host_pool.hostpool, azurerm_virtual_desktop_workspace.workspace]
  tags = var.tags
}

# Associate Workspace and DAG
resource "azurerm_virtual_desktop_workspace_application_group_association" "ws-dag" {
  application_group_id = azurerm_virtual_desktop_application_group.dag.id
  workspace_id         = azurerm_virtual_desktop_workspace.workspace.id
}

# Assign AAD Group to the Desktop Application Group (DAG)
resource "azurerm_role_assignment" "AVDGroupDesktopAssignment" {
  scope                = azurerm_virtual_desktop_application_group.dag.id
  role_definition_name = "Desktop Virtualization User"
  principal_id         = data.azuread_group.AVDGroup.object_id
}

# Assign AAD Group to the Resource Group for RBAC for the Session Host
resource "azurerm_role_assignment" "RBACAssignment" {
  scope                = azurerm_resource_group.rg.id
  role_definition_name = "Virtual Machine User Login"
  principal_id         = data.azuread_group.AVDGroup.object_id
}

Configure AVD – Personal Desktop Pool – variables.tf

Create a file named variables.tf and insert the following code. I have followed a naming convention that includes the following:

  • AE – Australia East
  • Environment – PROD or DEV
  • Instance – 01
  • RG – Resource Group
  • WS – Workspace
  • DAG – Desktop Application Group
variable "resource_group_location" {
  default     = "australiaeast"
  description = "Location of the resource group - Australia East"
}

variable "rg_name" {
  type        = string
  default     = "AE-DEV-AVD-01-RG"
  description = "Name of the Resource group in which to deploy service objects"
}

variable "workspace" {
  type        = string
  description = "Name of the Azure Virtual Desktop workspace"
  default     = "AE-DEV-AVD-01-WS"
}

variable "hostpool" {
  type        = string
  description = "Name of the Azure Virtual Desktop host pool"
  default     = "AE-DEV-AVD-01-PE-D-HP"
}

variable "app_group_name" {
  description = "Name of the Azure Virtual Desktop application group"
  type        = string
  default     = "AE-DEV-AVD-01-DAG"
}

variable "rfc3339" {
  type        = string
  default     = "2023-05-20T12:43:13Z" #Update this value with a future date
  description = "Registration token expiration"
}

variable "prefix" {
  type        = string
  default     = "AE-DEV-AVD-01-HP-"
  description = "Prefix of the name of the AVD machine(s)"
}

variable "tags" {
  type    = map(string)
  default = {
    Environment = "Dev"
    Department  = "IT"
    Location = "AustraliaEast"
    ServiceClass = "DEV"
    Workload = "Host Pool 01"
  }
}

data "azuread_client_config" "AzureAD" {}

data "azuread_group" "AVDGroup" {
  display_name     = "Win365-Users"  
}

Configure AVD – Personal Desktop Pool – output.tf

Create a file named output.tf and insert the following code. This will showcase in the console what is getting deployed as output.

output "azure_virtual_desktop_compute_resource_group" {
  description = "Name of the Resource group in which to deploy session host"
  value       = azurerm_resource_group.rg.name
}

output "azure_virtual_desktop_host_pool" {
  description = "Name of the Azure Virtual Desktop host pool"
  value       = azurerm_virtual_desktop_host_pool.hostpool.name
}

output "azurerm_virtual_desktop_application_group" {
  description = "Name of the Azure Virtual Desktop DAG"
  value       = azurerm_virtual_desktop_application_group.dag.name
}

output "azurerm_virtual_desktop_workspace" {
  description = "Name of the Azure Virtual Desktop workspace"
  value       = azurerm_virtual_desktop_workspace.workspace.name
}

output "location" {
  description = "The Azure region"
  value       = azurerm_resource_group.rg.location
}

data "azuread_group" "aad_group" {
  display_name = "Win365-Users"
}

output "AVD_user_groupname" {
  description = "Azure Active Directory Group for AVD users"
  value       = data.azuread_group.aad_group.display_name
}

Intialize Terraform – AVD – Personal Desktop Pool

Run the following command to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources. 

terraform init -upgrade

Create Terraform Execution Plan – AVD – Personal Desktop Pool

Run the following command to create an execution plan.

terraform plan -out mainavdpersonal.tfplan

Apply Terraform Execution Plan – AVD – Personal Desktop Pool

Run the following command to apply the execution plan to your cloud infrastructure.

terraform apply mainavdpersonal.tfplan

Validate the Output in Azure Portal

Go to the Azure portal, Select Azure Virtual Desktop and Select Host pools, Application Group and Workspace created using Terraform.

Clean-up the above resources (Optional)

If you want to delete all the above resources then you can use the following commands to destroy. Run terraform plan and specify the destroy flag.

terraform plan -destroy -out mainavdpersonal.destroy.tfplan

Run terraform apply to apply the execution plan.(Destroy)

terraform apply mainavdpersonal.destroy.tfplan

The intention here is to get you quickly started with Terraform on Azure Virtual Desktop Solution:

DescriptionLinks
Setting up your computer to get started with Terrafor using PowershellInstall Terraform on Windows with Azure PowerShell
AVD Configure Azure Virtual Desktophttps://learn.microsoft.com/en-us/azure/developer/terraform/configure-azure-virtual-desktop
Terraform Learninghttps://youtube.com/playlist?list=PLLc2nQDXYMHowSZ4Lkq2jnZ0gsJL3ArAw

I hope you will find this helpful information for getting started with Terraform to deploy the Azure Virtual Desktop – Personal Desktop Pool. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , ,

Disable Search Highlights on Windows 365 Cloud PC and Azure Virtual Desktop using Microsoft Intune

24 Feb

Search Highlight is a feature in Windows 11 (Enterprise\Multi-session) that highlights search results in the Start menu and taskbar search box. While this feature can be helpful for some users, others may find it distracting or unnecessary. Fortunately, it is possible to disable the Search Highlight feature in Windows 11 using Microsoft Intune. Plenty of information is available on disabling the Windows 11 Search Highlight using Group policy, Registry and UI. However, we will leverage Custom OMA-URI settings from Microsoft Intune in this blog post.

Search – CSP Details

The Search – Policy configuration service provider enables the enterprise to configure policies on Windows 11. Following are the details on the one we are using for disabling the search highlights:

How to disable Search Highlights in Microsoft Endpoint Manager

To disable the Search Highlight feature in Windows 11 (Enterprise/Multi-session) using Microsoft Intune, follow these steps:

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Devices > Configuration Profiles > Create Profile.
  • For Platform, select Windows 10 and later.
  • For Profile type, select Templates > Custom and select Create.
  • Enter a Name – DisableSearchHighlight and description and choose Next
  • Under the OMA-URI Settings, clicks on Add
  • Enter the Name, Description, and OMA-URI fetched in the references from the MS CSP link below. The value is an integer based on the documentation, and as we disable the setting, the value is 0.
  • Remember the MS documentation called out this setting only applies to Devices. In the case of Assignments, we will target Windows 365 Device Group and Azure Virtual Desktop Session Host Pools.
  • Click on Review and Save

Validate the Policy is applying

After 10-15 mins of waiting, go into the newly configured configuration profiles policy, and you will start seeing it getting applied to the targeted devices (MEM Portal > Devices > Configuration Profiles > DisableSearchHighlights)

Cloud PC – Within Windows 11

Login to the Windows 365 Cloud PC, and now when you click on Search, the advertisements and search highlights are gone.

Useful LinksCredits
Search – CSP Policy – https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-searchMicrosoft
5 Unique Ways to Disable Search Highlights on Windows 11Prajwal Desai
Disable Enable Search Highlights in Windows 11Jitesh Kumar

I hope you will find this helpful information towards disabling the annoying Search Highlights on Windows 365, AVD environment and physical endpoints using Microsoft Endpoint Manager. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , , ,

Compliance Policy for Azure Virtual Desktop Session Host Virtual machine managed via Microsoft Intune

3 Feb

Microsoft Intune Compliance Policy can be used to manage the security and compliance of Azure Virtual Desktop (AVD) Session Host virtual machines. The policy can enforce specific configuration settings such as password complexity, security updates, and device encryption to ensure that the virtual machines meet the organization’s security and compliance requirements.

To set up an Intune Compliance Policy for an AVD Session Host virtual machine, the virtual machine must be enrolled with Intune. Then, the policy can be created in the Intune portal and assigned to the virtual machine. The policy settings will be enforced on the virtual machine and monitored for compliance.

Note: The Intune Compliance Policy is just one of the ways to manage the security and compliance of AVD Session Host virtual machines. Other tools such as Azure Security Center and Azure Policy can also be used.

Why create the azure virtual desktop session host compliance policy?

There are several reasons why organizations create Azure Virtual Desktop (AVD) Session Host Compliance Policies:

  1. Security: Compliance policies help ensure that the AVD Session Host virtual machines are configured with the necessary security measures to protect sensitive data and prevent unauthorized access. This includes enforcing encryption, password policies, and software updates.
  2. Compliance: Compliance policies help organizations meet regulatory requirements, such as HIPAA, PCI, and SOC, by ensuring that the AVD Session Host virtual machines are configured in accordance with these regulations.
  3. Consistency: Compliance policies help ensure that all AVD Session Host virtual machines are configured consistently and meet the same standards. This makes it easier for administrators to manage the environment and ensures that all users have a consistent and secure experience.
  4. Monitoring: Compliance policies provide ongoing monitoring of the AVD Session Host virtual machines, so administrators can quickly identify and address any deviations from the desired configuration.

By creating an AVD Session Host Compliance Policy, organizations can ensure that their virtual machines are secure, compliant, consistent, and properly monitored, which can help reduce the risk of security breaches and regulatory violations.

What compliance policies are supported with Azure Virtual Desktop?

The following compliance policies are supported on Windows 10 or Windows 11 Enterprise multi-session VMs:

  • Minimum OS version
  • Maximum OS version
  • Valid operating system builds
  • Simple passwords
  • Password type
  • Minimum password length
  • Password Complexity
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
  • Microsoft Defender Antimalware
  • Microsoft Defender Antimalware security intelligence up-to-date
  • Firewall
  • Antivirus
  • Antispyware
  • Real-time protection
  • Microsoft Defender Antimalware minimum version
  • Defender ATP Risk score

Note in my sceanrio I am not using all of the above only a few based on the configuration of my environment. You will need a Azure AD device group containing all the session host for AVD to apply this policy.

What am I configuring?

I am only configuring two things. However, I urge if you to leverage Microsoft Defender and make sure you use the Antivirus and Antimalware settings (Another blog post later day for Defender integrations):

  • Minimum OS version – 10.0.22621.963
  • Firewall – Require

The above is not an extensive list, but I am trying to give you an idea here.

Create the compliance policy for AVD

Open the Microsoft Endpoint Manager admin center and navigate to Devices and Compliance Policies.

  • Click on Create Policy and Select Platform Windows 10 and later
  • Give the policy a name and description
  • Configure the above two parameters
  • An assignment is the most critical aspect, here, you want an Azure AD Dynamic Device Group that will make sure all the AVD Session hosts are covered.
  • My current AAD Dynamic Group query is as follows, I am working towards getting a more refine query to make it understand Multi-session(I have raised a query internally within MS)

Device Compliance (AVD Session Host VMs)

After waiting for 15 mins you will start noticing all your AVD Session host VM’s will now begin to show as compliant.

I hope you will find this helpful information for creating a compliance policy for your AVD Session host VMs. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

Azure Virtual Desktop – PowerShell – Create a Host Pool, Application Group and Workspace for RemoteApp aka Published Applications

13 Dec

In the previous blog post we learnt how to create the PowerShell – Create a Windows 11 Multi-session golden image for Azure Virtual Desktop using Marketplace Image | AskAresh and today we are going to take a step further and deploy the following features within Azure Virtual Desktop using PowerShell:

  • Create Host Pool with Type – RemoteApp
  • Create the Application Group (AG)
  • Create an Workspaces
  • Assign the Azure Active Directory Group to the (AG)

I will break down the code block into smaller chunks first to explain the critical bits, and in the end, I will post the entire code block that can be run all at once. In this way, explaining block by block becomes easier than pasting one single block.

RemoteApp

RemoteApp – This is a way to provide end-users with the business applications alone without giving them an entire desktop. They can access their applications anywhere on any device.

Pre-requisites

Following are the pre-requisites before you begin

  • PowerShell 5.1 and above
  • Azure Subscription
  • Permissions within the Azure Subscription for the creation of AVD – Host Pools
  • Assumption
    • You have an existing Resource Group (RG)
  • Azure PowerShell Modules – Az.DesktopVirtualization

Sign to Azure

To start working with Azure PowerShell, sign in with your Azure credentials.

Connect-AzAccount

Variable Region

Delcare all the variable within this section. Lets take a look at what we are declaring within the script:

  • Existing Resource Group within the Azure Subscription (AZ104-RG)
  • A location where you are deploying this Host Pool (Australia East)
  • Name of the Host Pool (RA-HP01)
  • Host Pool Type (Pooled) as it will be shared with multiple end-users
  • Load balancing method for the Host Pool (DepthFirst)
  • Maximum users per session host VM (10)
  • The type of Application Group (RailApplications). As we are only giving out end-users Apps
  • Application Group Name ($HPName-RAG)
  • Workspace grouping name ($HPName-WRK01)
  • Azure AD group that will be assigned to the application group (XXXX4b896-XXXX-XXXX-XXXX-33768d8XXXXX)
# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id

# Existing Resource Group to deploy the Host Pool
$rgName = "AZ104-RG"

# Geo Location to deploy the Host Pool
$location = "australiaeast"

# Host Pool name
$HPName = "RA-HP01"

# Host Pool Type Pooled|Personal
$HPType = "Pooled"

# Host Pool Load Balancing BreadthFirst|DepthFirst|Persistent
$HPLBType = "DepthFirst"

# Max number or users per session host
$Maxusers = "10"

# Preffered App group type Desktop|RailApplications
$AppGrpType = "RailApplications"

# ApplicationGroup Name
$AppGrpName = "$HPName-RAG"

# Workspace Name
$Wrkspace = "$HPName-WRK01"

# AAD Group used to assign the Application Group
# Copy the Object ID GUID from AAD Groups Blade
$AADGroupObjId = "XXXX4b896-XXXX-XXXX-XXXX-33768d8XXXXX"

Execution block

Execution code block within this section. Lets take a look at what we are we executing within the script:

  • Create the host pool with all the mentioned variables, tags and whether the validation enivornment yes/no.
  • Create the application group and tie it to the host pool
  • Finally, we create the workspace and tie it to the application group and hostpool
  • Last step, we assign the AAD group object ID to the Application Group for all entitlement purposes.
# Create the Host Pool with RemoteApp Configurations
try
{
    write-host "Create the Host Pool with Pooled RemoteApp Configurations"
    $DeployHPWRA = New-AzWvdHostPool -ResourceGroupName $rgName `
        -SubscriptionId $subscriptionID `
        -Name $HPName `
        -Location $location `
        -ValidationEnvironment:$true `
        -HostPoolType $HPType `
        -LoadBalancerType $HPLBType `
        -MaxSessionLimit $Maxusers `
        -PreferredAppGroupType $AppGrpType `
        -Tag:@{"Billing" = "IT"; "Department" = "IT"; "Location" = "AUS-East" } `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}


# Create the Application Group for the Remote App Host Pool
try
{
    write-host "Create the Application Group for the Remote App Host Pool"
    $CreateAppGroupRA = New-AzWvdApplicationGroup -ResourceGroupName $rgName `
        -Name $AppGrpName `
        -Location $location `
        -HostPoolArmPath $DeployHPWRA.Id `
        -ApplicationGroupType 'RemoteApp' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Create the Workspace for the RemoteApp Host Pool
try
{
    write-host "Create the Workspace for the RemoteApp Host Pool"
    $CreateWorkspaceRA = New-AzWvdWorkspace -ResourceGroupName $rgName `
        -Name $Wrkspace `
        -Location $location `
        -ApplicationGroupReference $CreateAppGroupRA.Id `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Assign the AAD group (Object ID)  to the Application Group
try
{
    write-host "Assigning the AAD Group to the Application Group"
    $AssignAADGrpAG = New-AzRoleAssignment -ObjectId $AADGroupObjId `
        -RoleDefinitionName "Desktop Virtualization User" `
        -ResourceName $CreateAppGroupRA.Name `
        -ResourceGroupName $rgName `
        -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

Final Script

Here I will paste the entire script block for seamless execution in a single run. Following is the link to my GitHub for this script – avdwin365mem/createhp-ag-wk-RA at main · askaresh/avdwin365mem (github.com)

# Connect to the Azure Subcription
Connect-AzAccount

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id

# Existing Resource Group to deploy the Host Pool
$rgName = "AZ104-RG"

# Geo Location to deploy the Host Pool
$location = "australiaeast"

# Host Pool name
$HPName = "RA-HP01"

# Host Pool Type Pooled|Personal
$HPType = "Pooled"

# Host Pool Load Balancing BreadthFirst|DepthFirst|Persistent
$HPLBType = "DepthFirst"

# Max number or users per session host
$Maxusers = "10"

# Preffered App group type Desktop|RailApplications
$AppGrpType = "RailApplications"

# ApplicationGroup Name
$AppGrpName = "$HPName-RAG"

# Workspace Name
$Wrkspace = "$HPName-WRK01"

# AAD Group used to assign the Application Group
# Copy the Object ID GUID from AAD Groups Blade
$AADGroupObjId = "dcc4b896-2f2d-49d9-9854-33768d8b65ba"

# Create the Host Pool with RemoteApp Configurations
try
{
    write-host "Create the Host Pool with Pooled RemoteApp Configurations"
    $DeployHPWRA = New-AzWvdHostPool -ResourceGroupName $rgName `
        -SubscriptionId $subscriptionID `
        -Name $HPName `
        -Location $location `
        -ValidationEnvironment:$true `
        -HostPoolType $HPType `
        -LoadBalancerType $HPLBType `
        -MaxSessionLimit $Maxusers `
        -PreferredAppGroupType $AppGrpType `
        -Tag:@{"Billing" = "IT"; "Department" = "IT"; "Location" = "AUS-East" } `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}


# Create the Application Group for the Remote App Host Pool
try
{
    write-host "Create the Application Group for the Remote App Host Pool"
    $CreateAppGroupRA = New-AzWvdApplicationGroup -ResourceGroupName $rgName `
        -Name $AppGrpName `
        -Location $location `
        -HostPoolArmPath $DeployHPWRA.Id `
        -ApplicationGroupType 'RemoteApp' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Create the Workspace for the RemoteApp Host Pool
try
{
    write-host "Create the Workspace for the RemoteApp Host Pool"
    $CreateWorkspaceRA = New-AzWvdWorkspace -ResourceGroupName $rgName `
        -Name $Wrkspace `
        -Location $location `
        -ApplicationGroupReference $CreateAppGroupRA.Id `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Assign the AAD group (Object ID)  to the Application Group
try
{
    write-host "Assigning the AAD Group to the Application Group"
    $AssignAADGrpAG = New-AzRoleAssignment -ObjectId $AADGroupObjId `
        -RoleDefinitionName "Desktop Virtualization User" `
        -ResourceName $CreateAppGroupRA.Name `
        -ResourceGroupName $rgName `
        -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

Next Steps on the Host Pool

Now that the host pool, application group and workspaces are ready following are the next steps involved:

  • Generate a registration token
  • Add the session host virtual machine to the host pool
  • Create Applications within the Application Group. You can create multiple Applications in single AG or 1 AG per Application.

I hope you will find this helpful information for deploying a host pools, application group and workspaces within Azure Virtual Desktop. If you want to see a Powershell version of the applications & session host activities, leave me a comment below or on my socials. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , ,

PowerShell – Create a Windows 11 Multi-session golden image for Azure Virtual Desktop using Marketplace Image

28 Nov

Do you want to deploy an Azure Virtual Desktop – Host pools quickly and want a starting point for a golden image? Look no further in this blog post. I will show you how to create a golden image using PowerShell in no more than 10 min.

I will break down the code block into smaller chunks first to explain the critical bits, and in the end, I will post the entire code block that can be run all at once. In this way, explaining block by block becomes easier than pasting one single block.

Pre-requisites

Following are the pre-requisites before you begin

  • PowerShell 5.1 and above
  • Azure Subscription
  • Permissions within the Auzre Subscription for Azure Compute
  • Assumption
    • You have an existing Resource Group (RG)
    • You have an existing Azure Virtual Network (VNET)
    • You have an existing workload subnet within the VNET
    • Identify the VM Size you will be using for the golden image
  • Azure PowerShell Modules

Sign to Azure

To start working with Azure PowerShell, sign in with your Azure credentials.

Connect-AzAccount

Identify the Windows 11 Multi-session (Marketplace Image)

There are many different versions of Windows 11 marketplace images from Microsoft. Let’s identify what is available within the gallery.

Get-AzVMImageSku -Location australiaeast -PublisherName MicrosoftWindowsDesktop -Offer windows-11

#Bonus Information

If you want the Multi-session gallery image with Office, than use the following command

Get-AzVMImageSku -Location australiaeast -PublisherName MicrosoftWindowsDesktop -Offer office-365

We are going to use the Windows 11 22H2 Mutli-session – win11-22h2-avd within this script

Variable Region

Delcare all the variable within this section. Lets take a look at what we are declaring within the script:

  • Existing Resource Group within the Azure Subscription (AZ104-RG)
  • A location where you are deploying this virtual machine (Australia East)
  • Name of the golden image virtual machine (VM03)
  • NIC Interface name for the virtual machine (VM03-nic)
  • RG of the VNET (In my case they are same AZ104-RG, they can be seperate too and hence a independent variable)
  • Name of the existing subnet within the vNET (AZ104-VDI-Workload-L1)
  • Name of the existing VNET (AZ104-RG-vnet)
  • Mapping of the exisitng VNET
  • Mapping of the existing subnet
  • T-shirt size of the golden image we are deploying (Standard_D2s_v3)
  • Gallery details of the image
    • Published – MicrosoftWindowsDesktop
    • Offer – windows-11
    • SKU – win11-22h2-avd
    • version – Offcourse latest
  • Get credentials – A local admin account is created on the golden image (A input box to capture the uisername and password)
# Existing Resource Group to deploy the VM
$rgName = "AZ104-RG"

# Geo Location to deploy the VM
$location = "Australia East"

# Image template name
$vmName = "VM03"

# Networking Interfance Name for the VM
$nicName = "$vmName-nic"

# Resource Group for VNET
$vnetrgName = "AZ104-RG"

# Existing Subnet Name
$Existsubnetname = "AZ104-VDI-Workload-L1"

# Existing VNET Name
$Existvnetname = "AZ104-RG-vnet"

# Existing VNET where we are deploying this Virtual Machine
$vnet = Get-AzVirtualNetwork -Name $Existvnetname -ResourceGroupName $vnetrgName

# Existing Subnet within the VNET for the this virtual machine
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $Existsubnetname -VirtualNetwork $vnet

# T-shirt size of the VM
$vmSize = "Standard_D2s_v3"

# Gallery Publisher of the Image - Microsoft
$publisher = "MicrosoftWindowsDesktop"

# Version of Windows 10/11
$offer = "windows-11"

# The SKY ending with avd are the multi-session
$sku = "win11-22h2-avd"

# Choosing the latest version
$version = "latest"

# Setting up the Local Admin on the VM
$cred = Get-Credential `
   -Message "Enter a username and password for the virtual machine."

Execution block

Execution code block within this section. Lets take a look at what we are we executing within the script:

  • First its creating the network interface for the virtual machine (VM03)
  • Next, under the variable $VM all virtual machine configurations
    • Tshirt size of the virtual machine
    • Credentials for the local admin (username/password)
    • The network interface assignment along with the delete option (Note delete option is essential or/else during deletion of VM it will not delete the network interface)
    • The gallery image, sku, offer from the Microsoft Market Place gallery
    • The os disk assignment along with the delete option (Note delete option is essential or/else during deletion of VM it will not delete the disk)
    • The configuration around “Trusted Platform” and enabling of TPM and Secure Boot
    • The final command to create the virtual machine with all the above configurations
# Create New network interface for the virtual machine
$NIC = New-AzNetworkInterface -Name $nicName -ResourceGroupName $vnetrgName -Location $location -Subnet $subnet

# Creation of the new virtual machine with delete option for Disk/NIC together
$vm = New-AzVMConfig -VMName $vmName -VMSize $vmSize 

$vm = Set-AzVMOperatingSystem `
   -VM $vm -Windows `
   -ComputerName $vmName `
   -Credential $cred `
   -ProvisionVMAgent `
   -EnableAutoUpdate 

# Delete option for NIC
$vm = Add-AzVMNetworkInterface -VM $vm `
   -Id $NIC.Id `
   -DeleteOption "Delete"

$vm = Set-AzVMSourceImage -VM $vm `
   -PublisherName $publisher `
   -Offer $offer `
   -Skus $sku `
   -Version $version 

# Delete option for Disk
$vm = Set-AzVMOSDisk -VM $vm `
   -StorageAccountType "StandardSSD_LRS" `
   -CreateOption "FromImage" `
   -DeleteOption "Delete"

# The sauce around enabling the Trusted Platform
$vm = Set-AzVmSecurityProfile -VM $vm `
   -SecurityType "TrustedLaunch" 

# The sauce around enabling TPM and Secure Boot
$vm = Set-AzVmUefi -VM $vm `
   -EnableVtpm $true `
   -EnableSecureBoot $true 

New-AzVM -ResourceGroupName $rgName -Location $location -VM $vm

Final Script

Here I will paste the entire script block for seamless execution in single run. Following is the link to my Github for this script – Create Virtual Machine with Trusted Platform and Delete disk/nic options.

# Step 1: Import module
#Import-Module Az.Accounts

# Connect to the Azure Subcription
#Connect-AzAccount

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID=$currentAzContext.Subscription.Id

# Command to get the Multi-session Image in Gallery
# Details from this command will help in filling out variables below on Gallery Image
# Get-AzVMImageSku -Location australiaeast -PublisherName MicrosoftWindowsDesktop -Offer windows-11

# Existing Resource Group to deploy the VM
$rgName = "AZ104-RG"

# Geo Location to deploy the VM
$location = "Australia East"

# Image template name
$vmName = "VM03"

# Networking Interfance Name for the VM
$nicName = "$vmName-nic"

# Resource Group for VNET
$vnetrgName = "AZ104-RG"

# Existing Subnet Name
$Existsubnetname = "AZ104-VDI-Workload-L1"

# Existing VNET Name
$Existvnetname = "AZ104-RG-vnet"

# Existing VNET where we are deploying this Virtual Machine
$vnet = Get-AzVirtualNetwork -Name $Existvnetname -ResourceGroupName $vnetrgName

# Existing Subnet within the VNET for the this virtual machine
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $Existsubnetname -VirtualNetwork $vnet

# T-shirt size of the VM
$vmSize = "Standard_D2s_v3"

# Gallery Publisher of the Image - Microsoft
$publisher = "MicrosoftWindowsDesktop"

# Version of Windows 10/11
$offer = "windows-11"

# The SKY ending with avd are the multi-session
$sku = "win11-22h2-avd"

# Choosing the latest version
$version = "latest"

# Setting up the Local Admin on the VM
$cred = Get-Credential `
   -Message "Enter a username and password for the virtual machine."

# Create New network interface for the virtual machine
$NIC = New-AzNetworkInterface -Name $nicName -ResourceGroupName $vnetrgName -Location $location -Subnet $subnet

# Creation of the new virtual machine with delete option for Disk/NIC together
$vm = New-AzVMConfig -VMName $vmName -VMSize $vmSize 

$vm = Set-AzVMOperatingSystem `
   -VM $vm -Windows `
   -ComputerName $vmName `
   -Credential $cred `
   -ProvisionVMAgent `
   -EnableAutoUpdate 

# Delete option for NIC
$vm = Add-AzVMNetworkInterface -VM $vm `
   -Id $NIC.Id `
   -DeleteOption "Delete"

$vm = Set-AzVMSourceImage -VM $vm `
   -PublisherName $publisher `
   -Offer $offer `
   -Skus $sku `
   -Version $version 

# Delete option for Disk
$vm = Set-AzVMOSDisk -VM $vm `
   -StorageAccountType "StandardSSD_LRS" `
   -CreateOption "FromImage" `
   -DeleteOption "Delete"

# The sauce around enabling the Trusted Platform
$vm = Set-AzVmSecurityProfile -VM $vm `
   -SecurityType "TrustedLaunch" 

# The sauce around enabling TPM and Secure Boot
$vm = Set-AzVmUefi -VM $vm `
   -EnableVtpm $true `
   -EnableSecureBoot $true 

New-AzVM -ResourceGroupName $rgName -Location $location -VM $vm

Note – It will give you a pop-up box for entering the username and password for the local account, and in under 10 mins you will see your virtual machine within the Azure portal

Next Steps on Golden Image

Now that the virtual machine is ready following are the next steps involved:

  • Using Azure Bastion console and installing all the required applications
  • Generalize and sysprep and shutdown the image
  • Capture the image to the Azure Compute Galleries
  • Deploy within the Azure Virtual Desktop

I hope you will find this helpful information for deploying a golden image within Azure – Virtual Machine to deploy the Azure Virtual Desktop – Host Pools. If you want to see a Powershell version of the host pool activities, leave me a comment below or on my socials. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , ,

Mindmap – Part 2 – Managing Azure Virtual Desktop (AVD)

21 Jan

This blog post is in continuation of my part 1 – Mindmap – Part 1 – Azure Virtual Desktop (AVD) – Quick start guide to virtual desktop/applications | AskAresh where we look at deploying the AVD solution. In this post, I want to share my learnings with you all around the management and #Day2 aspects of AVD. We shall take a look into the following topics:

  • Mind map – Managing Azure Virtual Desktop
    • Scale Out – Add extra Host (VM) to the Host Pools
    • Lifecycle – Update your Master Image – Shared Image Gallery aka Azure compute galleries
    • Drain the old Session Host VM
    • Automatically Power ON the Session host Virtual Machines
    • Monitoring Azure Virtual Desktop

Mindmap for Managing Azure Virtual Desktop (AVD)

I have managed to document all the high-level steps involved in managing the AVD on an ongoing basis. The idea here is that the mindmap acts as an excellent visual representation of what to do during ongoing maintenance activities. You can figure out in advance the requirements/steps and pre-requisites.

Managing Azure Virtual Desktop
Managing Azure Virtual Desktop

Disclaimer – This guide is a get you started guide, and the production management may vary. Please make sure you always reference Microsoft documentation. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –

managing-azure-virtual-desktop-twitter-40askareshDownload

I hope you will find this helpful information on your Managing Azure Virtual Desktop journey. Please let me know if I have missed any steps in the mindmap, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , ,

Mindmap – Part 1 – Azure Virtual Desktop (AVD) – Quick start guide to virtual desktop/applications

1 Nov

I have been learning Azure Virtual Desktop (AVD) from the awesome book DaaS – The Complete Guide: A Step-by-Step Guide on deploying Desktop-as-a-Service solutions from Microsoft, Nutanix, Citrix, VMware, Accops. I want to share my learnings with you all, and in this post, we shall take a look into the following topics:

  • Mind map for Azure Virtual Desktop – Getting started
    • Getting started with Azure Virtual Desktop (AVD)
    • Deployment – Pre-requisites for AVD
    • Master Images – (Windows 10 Multi-Session, Windows 10 1909 Enterprise or Windows Server 2019 DC)
    • Template and Shared Image Gallery
    • Host Pools
    • Application Groups
    • Workspaces
    • Windows Desktop Client
  • Quick Start Links

Mindmap for Azure Virtual Desktop (AVD) – Getting started

Managed to put together a mindmap on the AVD getting started from zero to a working desktop or application. The idea here is the mindmap acts as an excellent visual representation of what to do during pre-requisites, deployment and you can figure out in advance the requirements/steps and pre-requisites.

Azure Virtual Desktop

Disclaimer – This guide is a get you started guide, and the production settings and configuration might be different. Please make sure you change the settings appropriate for production workloads. Here is the PDF version if you would like to download and zoom in (Don’t stress your eyes!) –

azure-virtual-desktop-twitter-40askaresh-1Download

Change log

  • The Mindmap was last updated on 21st Jan 2022 with lots of changes!

The intention here is to get you quickly started on Azure Virtual Desktop Solution:

DescriptionLinks
Azure Virtual Desktop OverviewWhat is Azure Virtual Desktop? – Azure | Microsoft Docs
Azure Virtual Desktop technical (ARM-based model) deployment walkthrough. (Christiaan Brinkhoff)Azure Virtual Desktop technical (ARM-based model) deployment walkthrough. It covers all you need to know and beyond! | christiaanbrinkhoff.com – Sharing Cloud and Virtualization Knowledge
AVD Zero to Hero (YouTube – I am IT Geek)Series 5: Episode 1 – AVD Zero to Hero Introduction – YouTube (Playlist)
AVD PowerShellAzure Virtual Desktop PowerShell – Azure | Microsoft Docs
AVD PricingAzure Virtual Desktop | Microsoft Azure

I hope you will find this helpful information on your Azure Virtual Desktop journey. Please let me know if I have missed any steps in the mindmap, or reference links, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , ,