Tag Archives: Azure

Alternate Azure Network Connection for Windows 365 Cloud PC

15 Mar

Alternate ANCs (Azure Network Connections) are secondary or backup connections to the Microsoft Azure network used to provide redundancy and high availability for Windows 365 Cloud PC provisioning of new desktops. Alternate ANCs can be used when a primary connection fails or experiences connectivity issues, ensuring access to Windows 365 Cloud Provisioning continues for the desktops uninterrupted using the backup ANC.

Introduction

Alternate ANCs can be used when a primary region availability fails, ensuring access to Windows 365 Cloud Provisioning continues for the new desktops uninterrupted using the backup ANC. As long as the first ANC in the list is Healthy, it will always be used for provisioning Cloud PCs using this policy. If the first ANC is not healthy, the policy will use the next ANC in the list that is healthy.

My Scenario

I have an Azure VNET in the region (Australia East) and a dedicated subnet for the Windows 365 Cloud PC desktops in my environment. Now imagine a scenario if the Azure region Australia East had issues. It will directly impact the provisioning of the new Cloud PC desktops.

How will we increase HA/DR capability during Cloud PC Provisioning Issues

Create a backup VNET in different region (Asia Pacific East Asia – HK)

Go to you Azure Portal and create a new VNET in a different region of you choice (Azure Portal — Virtual Networks – Create Network)

Create a dedicated subnet for Windows 365 Cloud PC

Go into the newly created VNET – W365-Bckup-VNET01 and select Subnet and click + Subnet and create a dedicated subnet for the Windows 365 Cloud PC.

Add the additional Azure Network Connection in Intune Portal

I have a previous blog post on creating the the PowerShell – Create Azure Network Connection (ANC) for Windows 365 Cloud PC you can either use that or create one in the Microsoft Intune admin center. We are creating an Azure Network Connection that includes the following:

  • Display Name of the network – Win365-Bckup-ANC01
  • Azure Subscription Name – Azure subcription 1
  • Type – There are two types we are selecting Azure AD join – azureADJoin
  • Resource Group ID – The resource group within Azure – W365-AVD-RG01
  • Virtual Network ID – The VNET within Azure – W365-Bckup-VNET01
  • Subnet ID – The subnet for W365 within VNET – Win365-ASE-Bac-Sub01

Cloud Provisioning Policy

Go into your Cloud PC Provisioning Policy and select Edit. Under the Azure Network Connection you will be able to see the newly added ANC – Win365-Bckup-ANC01 make sure you choose that. It will automatically assign the priority as 2 and will come into effect during network outages in the region.

In the above scenario, at all times, it will use the ANC-W365-Sub01 (Priority 1) network for provisioning all Cloud PC. If there is a contention or issues with the primary ANC, then the backup Win365-Bckup-ANC01 (Priority 2) network will kick in and continue provisioning the new desktops in that region/network.

Note

At the time of writting this blogpost, when i tried to create the backup VNET in Australia SouthEast and Australia Cental it said unsupported region when adding the Azure Network Connection. This was the reason i selected the Asiapacifc East (Honkong) region as the second best choice. I am sure at somepoint in time it will be fixed and I would be able to create a backup ANC within the country.

I hope you will find this helpful information for creating an Alternate Azure Network Connection for increasing the HA and DR on the cloud pc provisioning of new desktops. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

Microsoft Defender for Endpoint – Web Content Filtering for Windows 365 Cloud PC and Azure Virtual Desktop

22 Feb

In today’s world, online security has become more important than ever, especially for businesses. As more and more companies shift their workloads to the cloud, the need for effective security measures has increased. One of the most critical aspects of security is web content filtering. Microsoft Defender for Endpoint is an excellent solution for protecting your Windows 365 Cloud PC and Azure Virtual Desktop environments. If you haven’t see my previous blog post on – Microsoft Defender for Endpoint (MDE) – Getting started for Windows 365 Cloud PC and Azure Virtual Desktop check that first.

Usecase

Web content filtering is a critical aspect of online security that can be used in many different scenarios. Here are some common use cases for web content filtering:

  1. Business Security: Blocking access to malicious websites and other dangerous content, web content filtering helps prevent cyber attacks and data breaches.
  2. Compliance: Many organizations are required to comply with industry-specific regulations and standards, such as HIPAA or PCI-DSS. Web content filtering can help ensure that employees are not accessing websites or content that violates these regulations.
  3. Employee Productivity: Web content filtering can also be used to enhance employee productivity by blocking access to non-work-related websites, such as social media or gaming sites.
  4. Education: Educational institutions can use web content filtering to prevent students from accessing websites that are not educational or age-appropriate.
  5. Guest Wi-Fi: Businesses that offer guest Wi-Fi can use web content filtering to protect their network and guests from online threats.

Overall, web content filtering is a versatile tool that can be used in a variety of settings to enhance online security, productivity, and compliance.

Pre-requisites

To use Microsoft Defender for Endpoint web content filtering on Windows 365 Cloud PC and Azure Virtual Desktop, there are a few prerequisites that you need to meet:

  • Portal Access to Microsoft 365 Defender Portal
  • Windows Defender SmartScreen Enabled on all Browsers (Edge, Chrome etc.)
  • Network Protection must be enable on the endpoint devices
  • Microsoft Defender for Endpoint (MDE) Plan 1 or 2
  • MDE for Business
  • Windows 10/11 or Multi-session Operating System

Enable Web Content Filtering

To enable Web Content Filtering in Microsoft Defender for Endpoint (MDE), you need to follow these steps:

  • Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  • Navigate to Settings and select Endpoints
  • Click on Advance Features and enable Web Content Filtering

Create Device Group for Windows 365 & AVD in Microsoft 365 Defender Portal

To assign the policy to particular devices such as Windows 365 Cloud and Azure Virtual Desktop Session, we will create the Device Groups:

  • Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  • Navigate to Settings and select Endpoints
  • Under Permissions, click on Device Groups
  • Select Add device group and give it a name – Win365Devices
  • The Cloud PC start with CPC, I will be using that along with OS type – Windows 11
  • For the Azure Virtual Desktop – My Session host start with AVD-, I will use that as the device group along with OS Type – Windows 11

Enable Network Protection under Microsoft Endpoint Portal (Intune)

Under the Enpoint Secruity – Antivirus policy we will enable the configuration:

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Endpoint security > Antivirus > Create Policy.
  • For Platform, select Windows 10, Windows 11, and Windows Servers.
  • For Profile type, select Microsoft Defender Antivirus, and then select Create.
  • Enter a Name – W365-AVD-AV-P01 and description and choose Next
  • Under the Configuration Settings
  • Enable Network Protection – Enable (Block Mode)

In my previous blog post on getting started, I enabled Network Protect and other configurations. Here I am trying to give you a quick config guidance.

Enable Smart Screen under Microsoft Edge Browser via Intune

I want to use the security baseline around Microsoft Edge for enabling global configuration across all the endpoints:

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Endpoint security > Security Baseline > Microsoft Endge Baseline.
  • Click on Create a profile and give it a name – MSEdge-Sbaseline-01
  • Enable the SmartScreen config
  • I am applying this security baseline to All Devices

Note you can enable them via configuration profiles too. In this scenario, I prefer using the security baselines.

Enable Smart Screen for Google Chrome Browser via Intune

To enable Smart Screen on Google Chrome, follow these steps:

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Devices > Configuration profiles > Create profile
  • Under Platform – Windows 10 & Later
  • Profile Type – Templates and Select Administrative Templates
  • Give the policy a name – GoogleChrome-SmartScreen-CP01
  • Under Computer – Select Configure the list of force-installed apps and extensions
  • Click on Enable and enter the below URL for extension
  • Further assign the policy to the target devices
  • Click on Review and Save
bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx

Create policy for Web Content Filtering

To create a web content filtering policy in Microsoft Defender for Endpoint, follow these steps:

  • Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  • Navigate to Settings and select Endpoints
  • Under Rules > Web Content Filtering > Add Item
    • Policy Name – Stop Social Media
    • Block Categories > Leisure > Social Networking & Instant Messaging & Professional Networking
    • Scope – Select the Windows 365 Device Group & AVD Device Group (Session Host VMs), as its a targeted policy
  • Wait for approx. 40 mins for the policy to implement for your endpoints

Validate the URLs within Windows 365 Cloud PC

Before going ahead and checking the URLs within the browser verify the following on the virtual desktop or endpoints:

SmartScreen

Open the browser and type edge://policy and make sure the Smart Screen is enabled

Network Protection

Open the Powershell and check if network protection is enable (Value 1) block mode

Microsoft Edge

Open Microsoft Edge and open https:\\www.facebook.com or https:\\www.snapchat.com

Google Chrome

Check reports in Defender Portal

Under the Microsoft Defender Portal go to Reports > Web Protection > Web content filtering categories details

Useful LinksCredits
Web content filtering – https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-worldwideMicrosoft
How to configure Microsoft Defender SmartScreen via Microsoft Intune? – Endpoint CaveRene Laas
Enabling web filtering with Microsoft Defender for Endpoint – CIAOPSRobert Crane

I hope you will find this helpful information towards web content filtering journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , , , ,

Microsoft Defender for Endpoint (MDE) – Getting started for Windows 365 Cloud PC and Azure Virtual Desktop

16 Feb

If you are using Windows 365 Cloud PC and Azure Virtual Desktop, the Microsoft Defender for Endpoint (MDE) is a security solution designed for protecting endpoints, such as Windows 11/Windows 11 Mutli-Session computers, servers, Azure Virtual Desktops and more from various types of cyber threats. The main reason it’s evident to use MDE is that it seamlessly integrates with the solution with minimal to less effort compared to other solutions. This blog post will discuss how to get started with Microsoft Defender for Endpoint in the Windows 365 Cloud and Azure Virtual Desktop.

Prerequisites

  • Rights to use and deploy Windows 365 Cloud PC and Azure Virtual Desktop and the ncessary licenses
  • Microsoft Defender for Endpoint Plan 1 or Plan 2 depending upon the requirements and $$$.
  • Make sure the license is available and listed Microsoft admin center

Enable MDE in Microsoft 365 Security Portal/Intune

To enable Microsoft Defender for Endpoint (MDE) in the Microsoft Defender Security Center, you need to follow these steps:

  1. Log in to the Microsoft Defender Security Center: Go to https://security.microsoft.com/ and log in with your Microsoft 365 account.
  2. Navigate to Settings and select Endpoints
  3. Click on On for Microsoft Intune Connection & Device Discovery
  4. Scroll to the bottom and select Save Preferences

We will manage the endpoints via Intune, so all the rest of the actions and fun will be within the https://endpoint.microsoft.com/ and Endpoint Security. After a brief period of 10-15 mins, you can see the connection status being Available and synchronized.

Create the Endpoint detection and response policy (onboarding)

Our environment is managed via Modern Management, and we don’t have the overhead of legacy setup. We will use the Intune Endpoint detection response (EDR) policy to onboard the devices. This is the simplest method as it doesn’t involve installing the agent manually or via GPOs.

Sign in to the Microsoft Endpoint Manager admin center.

  • Login to the MEM Portal – https://endpoint.microsoft.com/
  • Select Endpoint security > Endpoint detection and response > Create Policy.
  • For Platform, select Windows 10, Windows 11, and Windows Servers.
  • For Profile type, select Endpoint detection and response, and then select Create.
  • Enter a Name – W365-AVD-EDR-P01 and description and choose Next
  • Under the Configuration Settings
    • MDE client configuration package type – Auto from connector (We are a 100% modern managed environment we can leverage this simple option)
    • Sample Sharing – Not configured
    • Telemetry Reporting Frequency – Expedite (We want reporting to be lightning-fast)
  • Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
  • Review and Create the policy and it will go ahead and enable MDE on the fleet.
  • After sometime all your devices will show whether they are onboarded or not.

Many ways to carry out the onboarding. This is just one way and the most straightforward. Read more options here – https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager?view=o365-worldwide

On the onboarded device, go and run the following command to verify the status

Get-MpComputerStatus

Device Compliance Policy (Update)

I already have my existing Windows 10/11 compliance policy after enabling MDE, and I will go ahead and update the compliance policy to accommodate the changes further. This will allow reporting within the tenant on what device compliance level the endpoints are on and whether corporate governance is maintained.

Create Antivirus Policy in Intune

The next step is creating the Antivirus (AV) Policy with the options that your organization demands. I am starting with a few, but remember most choices will require nailing out with internal security/endpoint/governance teams.

Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements.

Sign in to the Microsoft Endpoint Manager admin center.

  • For Platform, select Windows 10, Windows 11, and Windows Servers.
  • For Profile type, select Microsoft Defender Antivirus, and then select Create.
  • Enter a Name – W365-AVD-AV-P01 and description and choose Next
  • Under the Configuration Settings
Configuration SettingsStatus (Value)
Allow Archive Scanning (Scanning through zip and cab files)Allowed
Allow Behaviour Monitoring Allowed
Allow Cloud Protection (Joining Microsoft MAPS Community)Allowed
Allow Email Scanning (Very useful if you are using Microsoft 365)Allowed
Allow Full Scan Removable Drive Scanning (Scanning of Pen Drives)Allowed
Allow Intrusion Prevention SystemAllowed
Allow scanning of all downloaded files and attachmentsAllowed
Allow Realtime MonitoringAllowed
Cloud Block LevelHigh
Allow Users UI Access (Defender Client)Allowed
Enable Network ProtectionEnabled (Audit mode)
Avg CPU Load Factor Enabled (30%)
Schedule Quick Scan TimeEnable (120)
Signature Update IntervalEnable (8 hours)
  • Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
  • Review and Create the policy and it will go ahead and enable AV across the fleet.
  • After sometime all your devices will show whether they are onboarded or not.

Create Attack surface reduction (ASR) Policy in Intune

The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. This set of capabilities also includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs. In my case I am starting with few, but remember most of the options will require nailing out with internal security/endpoint/governeance teams.

Below configurations are not an exhaustive list – Consult with the endpoint/security teams to meet the organization’s requirements. Here I would like to take the approach of Audit mode first, followed by adding exclusions to refine the block rules (production).

Sign in to the Microsoft Endpoint Manager admin center.

  • For Platform, select Windows 10, Windows 11, and Windows Servers.
  • For Profile type, select Attack Surface Reduction Rules, and then select Create.
  • Enter a Name – W365-AVD-ASR-P01 and description and choose Next
  • Under the Configuration Settings
Configuration SettingsStatus (Value)
Block Adobe Reader from creating child processesAudit
Block execution of potentially obfuscated scriptsAudit
Block Win32 API calls from office macrosAudit
Block credential stealing from the Windows local security authority subsystemAudit
Block JavaScript or VBScript from launching downloaded executable contentAudit
Block process creatons originating from PSExec and WMI commandsAudit
Block untrusted and unsigned processes that run from USBAudit
Block abuse of exploited vulnerable signed drivers (Devices)Audit
  • Next, the most critical part is the target assignments. I am explicitly creating this policy to target Windows 365 Cloud PC and Azure Virtual Desktop
  • Review and Create the policy and it will go ahead and enable ASR across the fleet.
  • After sometime all your devices will show whether they are onboarded or not.
Useful LinksCredits
Microsoft Defender for Endpoint series – Tips and tricks/ common mistakes – Part10 (jeffreyappel.nl) – The most mind blowing and detailed blog post series on MDE. I think I only scratch the surface here however, Jeffrey takes an indept approach.Jeffrey Appel
Configure Microsoft Defender for Endpoint in IntuneMicrosoft
Defend Cloud PCs against threats with Microsoft Defender for Endpoint | Windows in the Cloud – YouTubeChristiaan Brinkhoff | LinkedIn and Paul Huijbregts | LinkedIn

Next step, I plan to write a few blog posts on specific topics like URLs, Networks etc, blocking (TikTok, Facebook etc,) concerning MDE. I hope you will find this helpful information towards your journey to secure your Windows 365 and AVD environments using Microsoft Defender for Endpoint. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , , , , ,

Compliance Policy for Azure Virtual Desktop Session Host Virtual machine managed via Microsoft Intune

3 Feb

Microsoft Intune Compliance Policy can be used to manage the security and compliance of Azure Virtual Desktop (AVD) Session Host virtual machines. The policy can enforce specific configuration settings such as password complexity, security updates, and device encryption to ensure that the virtual machines meet the organization’s security and compliance requirements.

To set up an Intune Compliance Policy for an AVD Session Host virtual machine, the virtual machine must be enrolled with Intune. Then, the policy can be created in the Intune portal and assigned to the virtual machine. The policy settings will be enforced on the virtual machine and monitored for compliance.

Note: The Intune Compliance Policy is just one of the ways to manage the security and compliance of AVD Session Host virtual machines. Other tools such as Azure Security Center and Azure Policy can also be used.

Why create the azure virtual desktop session host compliance policy?

There are several reasons why organizations create Azure Virtual Desktop (AVD) Session Host Compliance Policies:

  1. Security: Compliance policies help ensure that the AVD Session Host virtual machines are configured with the necessary security measures to protect sensitive data and prevent unauthorized access. This includes enforcing encryption, password policies, and software updates.
  2. Compliance: Compliance policies help organizations meet regulatory requirements, such as HIPAA, PCI, and SOC, by ensuring that the AVD Session Host virtual machines are configured in accordance with these regulations.
  3. Consistency: Compliance policies help ensure that all AVD Session Host virtual machines are configured consistently and meet the same standards. This makes it easier for administrators to manage the environment and ensures that all users have a consistent and secure experience.
  4. Monitoring: Compliance policies provide ongoing monitoring of the AVD Session Host virtual machines, so administrators can quickly identify and address any deviations from the desired configuration.

By creating an AVD Session Host Compliance Policy, organizations can ensure that their virtual machines are secure, compliant, consistent, and properly monitored, which can help reduce the risk of security breaches and regulatory violations.

What compliance policies are supported with Azure Virtual Desktop?

The following compliance policies are supported on Windows 10 or Windows 11 Enterprise multi-session VMs:

  • Minimum OS version
  • Maximum OS version
  • Valid operating system builds
  • Simple passwords
  • Password type
  • Minimum password length
  • Password Complexity
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
  • Microsoft Defender Antimalware
  • Microsoft Defender Antimalware security intelligence up-to-date
  • Firewall
  • Antivirus
  • Antispyware
  • Real-time protection
  • Microsoft Defender Antimalware minimum version
  • Defender ATP Risk score

Note in my sceanrio I am not using all of the above only a few based on the configuration of my environment. You will need a Azure AD device group containing all the session host for AVD to apply this policy.

What am I configuring?

I am only configuring two things. However, I urge if you to leverage Microsoft Defender and make sure you use the Antivirus and Antimalware settings (Another blog post later day for Defender integrations):

  • Minimum OS version – 10.0.22621.963
  • Firewall – Require

The above is not an extensive list, but I am trying to give you an idea here.

Create the compliance policy for AVD

Open the Microsoft Endpoint Manager admin center and navigate to Devices and Compliance Policies.

  • Click on Create Policy and Select Platform Windows 10 and later
  • Give the policy a name and description
  • Configure the above two parameters
  • An assignment is the most critical aspect, here, you want an Azure AD Dynamic Device Group that will make sure all the AVD Session hosts are covered.
  • My current AAD Dynamic Group query is as follows, I am working towards getting a more refine query to make it understand Multi-session(I have raised a query internally within MS)

Device Compliance (AVD Session Host VMs)

After waiting for 15 mins you will start noticing all your AVD Session host VM’s will now begin to show as compliant.

I hope you will find this helpful information for creating a compliance policy for your AVD Session host VMs. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , ,

Windows 365 Cloud PC & Azure Virtual Desktop – Disk Cleanup using Storage Sense – Intune Configuration Policies

23 Jan

With the slightest effort, do you want to perform a disk cleanup operation? In this blogpost, we are setting up the Storage Sense to cleanup Temporary Files & Empty recycle bin on Windows 365 Cloud PC & AVD Multi-session host. Note by no means is Storage Sense a replacement for the detailed cleanmgr.exe tool, which can perform disk cleanup options in a much more granular manner. The below method is a quick method to get you started and later on improvise on your disk cleanup strategy.

What is Storage Sense?

Storage Sense is a feature in Microsoft Windows 11 that helps users free up space on their device by automatically deleting unnecessary files. It can delete temporary files, files in the recycle bin, and files that have not been accessed in a certain period of time. It also helps users to see what is taking up space on their device and gives them the option to delete specific files or move files to an external storage device.

What features are available within Storage Sense?

Storage Sense in Microsoft Windows 11 has the following features:

  • Automatic cleanup: Storage Sense can automatically delete temporary files, files in the recycle bin, and files that have not been accessed in a certain period of time.
  • Storage usage: It helps users to see what is taking up space on their device, and gives them the option to delete specific files or move files to an external storage device.
  • Storage sense can move files to external storage device
  • Storage sense can compress files to save space
  • Storage sense can move files to the cloud
  • Storage sense can delete files that are no longer needed
  • Storage sense can free up space by uninstalling apps
  • Storage sense can show you the storage usage of each app
  • Storage sense can help you to free up storage by cleaning up your downloads folder

What Configurations are available within Intune (MEM Portal)?

There are many ways to setup Storage Sense. However, the method we are going to opt is inline with the modern workplace management solution using Microsoft Intune (Microsoft Endpoint Manager admin center)

Setting NameDetails
Allow Disk Health Model UpdatesAllows disk health model updates to predict disk hardware failure.
Allow Storage Sense GlobalStorage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the
Allow Storage Sense Temporary Files CleanupWhen Storage Sense runs, it can delete the user’s temporary files that are not in use. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, Storage Sense will delete the user’s temporary files that are not in use.
Config Storage Sense Cloud Content Dehydration ThresholdWhen Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it. Supported values are: 0–365. If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content
Config Storage Sense Downloads Cleanup ThresholdWhen Storage Sense runs, it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from the Downloads folder. Supported values are: 0-365. If you set this value to zero, Storage Sense will not delete files in the user’s Downloads folder
Config Storage Sense Recycle Bin Cleanup ThresholdWhen Storage Sense runs, it can delete files in the user’s Recycle Bin if they have been there for over a certain amount of days. If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect. If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0–365
Removable Disk Deny Write AccessIf you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting “Deny write access to drives not protected by BitLocker,” which is located in “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives.”

What policies are we applying?

In this scenario, we only focus on the deletion of temporary files, Recycle Bin, Moving the files to the OneDrive Known Folder (if configured) and checking the disk hardware.

What is the target of this policy?

We aim to kill two birds with one stone, and this policy configuration is not only applicable for Windows 10/11 based Windows 365 Cloud PC, it also works well for Windows 10/11 Multi-session host for Azure Virtual Desktop. This filter is critical to identifying whether the configuration setting will apply to your device type.

Assignments

We are assiging the policy to the Windows 365 AAD device group and add the Azure Virtual Desktop AAD device group here.

Worth a mention, Jannik Reinhard has published a remediation method via cleanmgr.exe and PowerShell – Use Endpoint Analytics to clean up the disk – Modern Device Management (jannikreinhard.com) and is also a great resource if you decide to go into phase 2 strategy of disk clean-up.

I hope you will find this helpful information for performing disk clean-up on Temporary & Recycle for Windows 365 Cloud PC & AVD. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , , ,

Azure Virtual Desktop – PowerShell – Create a Host Pool, Application Group and Workspace for RemoteApp aka Published Applications

13 Dec

In the previous blog post we learnt how to create the PowerShell – Create a Windows 11 Multi-session golden image for Azure Virtual Desktop using Marketplace Image | AskAresh and today we are going to take a step further and deploy the following features within Azure Virtual Desktop using PowerShell:

  • Create Host Pool with Type – RemoteApp
  • Create the Application Group (AG)
  • Create an Workspaces
  • Assign the Azure Active Directory Group to the (AG)

I will break down the code block into smaller chunks first to explain the critical bits, and in the end, I will post the entire code block that can be run all at once. In this way, explaining block by block becomes easier than pasting one single block.

RemoteApp

RemoteApp – This is a way to provide end-users with the business applications alone without giving them an entire desktop. They can access their applications anywhere on any device.

Pre-requisites

Following are the pre-requisites before you begin

  • PowerShell 5.1 and above
  • Azure Subscription
  • Permissions within the Azure Subscription for the creation of AVD – Host Pools
  • Assumption
    • You have an existing Resource Group (RG)
  • Azure PowerShell Modules – Az.DesktopVirtualization

Sign to Azure

To start working with Azure PowerShell, sign in with your Azure credentials.

Connect-AzAccount

Variable Region

Delcare all the variable within this section. Lets take a look at what we are declaring within the script:

  • Existing Resource Group within the Azure Subscription (AZ104-RG)
  • A location where you are deploying this Host Pool (Australia East)
  • Name of the Host Pool (RA-HP01)
  • Host Pool Type (Pooled) as it will be shared with multiple end-users
  • Load balancing method for the Host Pool (DepthFirst)
  • Maximum users per session host VM (10)
  • The type of Application Group (RailApplications). As we are only giving out end-users Apps
  • Application Group Name ($HPName-RAG)
  • Workspace grouping name ($HPName-WRK01)
  • Azure AD group that will be assigned to the application group (XXXX4b896-XXXX-XXXX-XXXX-33768d8XXXXX)
# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id

# Existing Resource Group to deploy the Host Pool
$rgName = "AZ104-RG"

# Geo Location to deploy the Host Pool
$location = "australiaeast"

# Host Pool name
$HPName = "RA-HP01"

# Host Pool Type Pooled|Personal
$HPType = "Pooled"

# Host Pool Load Balancing BreadthFirst|DepthFirst|Persistent
$HPLBType = "DepthFirst"

# Max number or users per session host
$Maxusers = "10"

# Preffered App group type Desktop|RailApplications
$AppGrpType = "RailApplications"

# ApplicationGroup Name
$AppGrpName = "$HPName-RAG"

# Workspace Name
$Wrkspace = "$HPName-WRK01"

# AAD Group used to assign the Application Group
# Copy the Object ID GUID from AAD Groups Blade
$AADGroupObjId = "XXXX4b896-XXXX-XXXX-XXXX-33768d8XXXXX"

Execution block

Execution code block within this section. Lets take a look at what we are we executing within the script:

  • Create the host pool with all the mentioned variables, tags and whether the validation enivornment yes/no.
  • Create the application group and tie it to the host pool
  • Finally, we create the workspace and tie it to the application group and hostpool
  • Last step, we assign the AAD group object ID to the Application Group for all entitlement purposes.
# Create the Host Pool with RemoteApp Configurations
try
{
    write-host "Create the Host Pool with Pooled RemoteApp Configurations"
    $DeployHPWRA = New-AzWvdHostPool -ResourceGroupName $rgName `
        -SubscriptionId $subscriptionID `
        -Name $HPName `
        -Location $location `
        -ValidationEnvironment:$true `
        -HostPoolType $HPType `
        -LoadBalancerType $HPLBType `
        -MaxSessionLimit $Maxusers `
        -PreferredAppGroupType $AppGrpType `
        -Tag:@{"Billing" = "IT"; "Department" = "IT"; "Location" = "AUS-East" } `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}


# Create the Application Group for the Remote App Host Pool
try
{
    write-host "Create the Application Group for the Remote App Host Pool"
    $CreateAppGroupRA = New-AzWvdApplicationGroup -ResourceGroupName $rgName `
        -Name $AppGrpName `
        -Location $location `
        -HostPoolArmPath $DeployHPWRA.Id `
        -ApplicationGroupType 'RemoteApp' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Create the Workspace for the RemoteApp Host Pool
try
{
    write-host "Create the Workspace for the RemoteApp Host Pool"
    $CreateWorkspaceRA = New-AzWvdWorkspace -ResourceGroupName $rgName `
        -Name $Wrkspace `
        -Location $location `
        -ApplicationGroupReference $CreateAppGroupRA.Id `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Assign the AAD group (Object ID)  to the Application Group
try
{
    write-host "Assigning the AAD Group to the Application Group"
    $AssignAADGrpAG = New-AzRoleAssignment -ObjectId $AADGroupObjId `
        -RoleDefinitionName "Desktop Virtualization User" `
        -ResourceName $CreateAppGroupRA.Name `
        -ResourceGroupName $rgName `
        -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

Final Script

Here I will paste the entire script block for seamless execution in a single run. Following is the link to my GitHub for this script – avdwin365mem/createhp-ag-wk-RA at main · askaresh/avdwin365mem (github.com)

# Connect to the Azure Subcription
Connect-AzAccount

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID = $currentAzContext.Subscription.Id

# Existing Resource Group to deploy the Host Pool
$rgName = "AZ104-RG"

# Geo Location to deploy the Host Pool
$location = "australiaeast"

# Host Pool name
$HPName = "RA-HP01"

# Host Pool Type Pooled|Personal
$HPType = "Pooled"

# Host Pool Load Balancing BreadthFirst|DepthFirst|Persistent
$HPLBType = "DepthFirst"

# Max number or users per session host
$Maxusers = "10"

# Preffered App group type Desktop|RailApplications
$AppGrpType = "RailApplications"

# ApplicationGroup Name
$AppGrpName = "$HPName-RAG"

# Workspace Name
$Wrkspace = "$HPName-WRK01"

# AAD Group used to assign the Application Group
# Copy the Object ID GUID from AAD Groups Blade
$AADGroupObjId = "dcc4b896-2f2d-49d9-9854-33768d8b65ba"

# Create the Host Pool with RemoteApp Configurations
try
{
    write-host "Create the Host Pool with Pooled RemoteApp Configurations"
    $DeployHPWRA = New-AzWvdHostPool -ResourceGroupName $rgName `
        -SubscriptionId $subscriptionID `
        -Name $HPName `
        -Location $location `
        -ValidationEnvironment:$true `
        -HostPoolType $HPType `
        -LoadBalancerType $HPLBType `
        -MaxSessionLimit $Maxusers `
        -PreferredAppGroupType $AppGrpType `
        -Tag:@{"Billing" = "IT"; "Department" = "IT"; "Location" = "AUS-East" } `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}


# Create the Application Group for the Remote App Host Pool
try
{
    write-host "Create the Application Group for the Remote App Host Pool"
    $CreateAppGroupRA = New-AzWvdApplicationGroup -ResourceGroupName $rgName `
        -Name $AppGrpName `
        -Location $location `
        -HostPoolArmPath $DeployHPWRA.Id `
        -ApplicationGroupType 'RemoteApp' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Create the Workspace for the RemoteApp Host Pool
try
{
    write-host "Create the Workspace for the RemoteApp Host Pool"
    $CreateWorkspaceRA = New-AzWvdWorkspace -ResourceGroupName $rgName `
        -Name $Wrkspace `
        -Location $location `
        -ApplicationGroupReference $CreateAppGroupRA.Id `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

# Assign the AAD group (Object ID)  to the Application Group
try
{
    write-host "Assigning the AAD Group to the Application Group"
    $AssignAADGrpAG = New-AzRoleAssignment -ObjectId $AADGroupObjId `
        -RoleDefinitionName "Desktop Virtualization User" `
        -ResourceName $CreateAppGroupRA.Name `
        -ResourceGroupName $rgName `
        -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' `
        -ErrorAction STOP
}
catch
{
    Write-Host $_.Exception.Message -ForegroundColor Yellow
}

Next Steps on the Host Pool

Now that the host pool, application group and workspaces are ready following are the next steps involved:

  • Generate a registration token
  • Add the session host virtual machine to the host pool
  • Create Applications within the Application Group. You can create multiple Applications in single AG or 1 AG per Application.

I hope you will find this helpful information for deploying a host pools, application group and workspaces within Azure Virtual Desktop. If you want to see a Powershell version of the applications & session host activities, leave me a comment below or on my socials. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , ,

PowerShell – Create a custom Windows 11 Enterprise (22H2) + Microsoft 365 Apps golden image for Windows 365 Cloud PC using Marketplace Image

1 Dec

In the previous blog post, I demonstrate how to create a Windows 11 Multi-session golden image for AVD. In today’s post, I want to showcase how to create a custom Windows 11 Enterprise 22H2 + Microsoft 365 for Windows 365 Cloud PC. (Note its not multi-session and instead, its Enterprise edition for 1×1 mapping of desktop/user aka Full Clone)

Why will you create a custom Windows 11 Ent Windows 365 Cloud PC Golden Image?

There are situations where you want to create a custom image with all corporate applications pre-installed (VPN or Zero trust agent, EDR/XDR Solutions agents or Anti-virus agent pre-installed). You may argue we can deploy those applications later using Win32 app deployment via Intune. But still, few security teams and corporations would like to have it available from the start.

Pre-requisites

Following are the pre-requisites before you begin

  • PowerShell 5.1 and above
  • Azure Subscription
  • Permissions within the Auzre Subscription for Azure Compute
  • Assumption
    • You have an existing Resource Group (RG)
    • You have an existing Azure Virtual Network (VNET)
    • You have an existing workload subnet within the VNET
    • Identify the VM Size you will be using for the golden image
  • Azure PowerShell Modules

Sign to Azure

To start working with Azure PowerShell, sign in with your Azure credentials.

Connect-AzAccount

Identify the Windows 11 Multi-session (Marketplace Image)

Many versions of Windows 365 Cloud PC – Windows 11/10 Enterprise edition marketplace images from Microsoft. The operating systems is already optimized (Microsoft VDI Optimizations) for Cloud PC, and the only difference is with or without Microsoft 365.

Let’s identify what is available within the marketplace.

Get-AzVMImageSku -Location australiaeast -PublisherName MicrosoftWindowsDesktop -Offer windows-ent-cpc

We are going to use the Windows 11 22H2 Enterprise + Microsoft 365 Apps within this script

Variable Region

Delcare all the variable within this section. Lets take a look at what we are declaring within the script:

  • Existing Resource Group within the Azure Subscription (AZ104-RG)
  • A location where you are deploying this virtual machine (Australia East)
  • Name of the golden image virtual machine (Win365-GI01)
  • NIC Interface name for the virtual machine (Win365-GI01-nic)
  • RG of the VNET (In my case they are same AZ104-RG, they can be seperate too and hence a independent variable)
  • Name of the existing subnet within the vNET (AZ104-VDI-Workload-L1)
  • Name of the existing VNET (AZ104-RG-vnet)
  • Mapping of the exisitng VNET
  • Mapping of the existing subnet
  • T-shirt size of the golden image we are deploying (Standard_D2s_v3)
  • Gallery details of the image
    • Published – MicrosoftWindowsDesktop
    • Offer – windows-ent-cpc
    • SKU – win11-22h2-ent-cpc-m365
    • version – Offcourse latest
  • Get credentials – A local admin account is created on the golden image (A input box to capture the uisername and password of your choice)
# Existing Resource Group to deploy the VM
$rgName = "AZ104-RG"

# Geo Location to deploy the VM
$location = "Australia East"

# Image template name
$vmName = "Win365-GI01"

# Networking Interfance Name for the VM
$nicName = "$vmName-nic"

# Resource Group for VNET
$vnetrgName = "AZ104-RG"

# Existing Subnet Name
$Existsubnetname = "AZ104-VDI-Workload-L1"

# Existing VNET Name
$Existvnetname = "AZ104-RG-vnet"

# Existing VNET where we are deploying this Virtual Machine
$vnet = Get-AzVirtualNetwork -Name $Existvnetname -ResourceGroupName $vnetrgName

# Existing Subnet within the VNET for the this virtual machine
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $Existsubnetname -VirtualNetwork $vnet

# T-shirt size of the VM
$vmSize = "Standard_D2s_v3"

# Gallery Publisher of the Image - Microsoft
$publisher = "MicrosoftWindowsDesktop"

# Version of Windows 10/11
$offer = "windows-ent-cpc"

# The SKY ending with avd are the multi-session
$sku = "win11-22h2-ent-cpc-m365"

# Choosing the latest version
$version = "latest"

# Setting up the Local Admin on the VM
$cred = Get-Credential `
   -Message "Enter a username and password for the virtual machine."

Execution block

Execution code block within this section. Lets take a look at what we are we executing within the script:

  • First its creating the network interface for the virtual machine (Win365-GI01)
  • Next, under the variable $VM all virtual machine configurations
    • Tshirt size of the virtual machine
    • Credentials for the local admin (username/password)
    • The network interface assignment along with the delete option (Note delete option is essential or/else during deletion of VM it will not delete the network interface)
    • The gallery image, sku, offer from the Microsoft Market Place gallery
    • The OS disk assignment along with the delete option (Note delete option is essential or/else during deletion of VM it will not delete the disk)
    • The configuration around “Trusted Platform” and enabling of TPM and Secure Boot
    • The final command to create the virtual machine with all the above configurations
# Create New network interface for the virtual machine
$NIC = New-AzNetworkInterface -Name $nicName -ResourceGroupName $vnetrgName -Location $location -Subnet $subnet

# Creation of the new virtual machine with delete option for Disk/NIC together
$vm = New-AzVMConfig -VMName $vmName -VMSize $vmSize 

$vm = Set-AzVMOperatingSystem `
   -VM $vm -Windows `
   -ComputerName $vmName `
   -Credential $cred `
   -ProvisionVMAgent `
   -EnableAutoUpdate 

# Delete option for NIC
$vm = Add-AzVMNetworkInterface -VM $vm `
   -Id $NIC.Id `
   -DeleteOption "Delete"

$vm = Set-AzVMSourceImage -VM $vm `
   -PublisherName $publisher `
   -Offer $offer `
   -Skus $sku `
   -Version $version 

# Delete option for Disk
$vm = Set-AzVMOSDisk -VM $vm `
   -StorageAccountType "StandardSSD_LRS" `
   -CreateOption "FromImage" `
   -DeleteOption "Delete"

# The sauce around enabling the Trusted Platform
$vm = Set-AzVmSecurityProfile -VM $vm `
   -SecurityType "TrustedLaunch" 

# The sauce around enabling TPM and Secure Boot
$vm = Set-AzVmUefi -VM $vm `
   -EnableVtpm $true `
   -EnableSecureBoot $true 

New-AzVM -ResourceGroupName $rgName -Location $location -VM $vm

Final Script

Here I will paste the entire script block for seamless execution in single run. Following is the link to my Github for this script – avdwin365mem/createnewvmwin365 at main · askaresh/avdwin365mem (github.com)

# Step 1: Import module
#Import-Module Az.Accounts

# Connect to the Azure Subcription
#Connect-AzAccount

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID=$currentAzContext.Subscription.Id

# Command to get the Multi-session Image in Gallery
# Details from this command will help in filling out variables below on Gallery Image
# Get-AzVMImageSku -Location australiaeast -PublisherName MicrosoftWindowsDesktop -Offer windows-ent-cpc

# Existing Resource Group to deploy the VM
$rgName = "AZ104-RG"

# Geo Location to deploy the VM
$location = "Australia East"

# Image template name
$vmName = "Win365-GI01"

# Networking Interfance Name for the VM
$nicName = "$vmName-nic"

# Resource Group for VNET
$vnetrgName = "AZ104-RG"

# Existing Subnet Name
$Existsubnetname = "AZ104-VDI-Workload-L1"

# Existing VNET Name
$Existvnetname = "AZ104-RG-vnet"

# Existing VNET where we are deploying this Virtual Machine
$vnet = Get-AzVirtualNetwork -Name $Existvnetname -ResourceGroupName $vnetrgName

# Existing Subnet within the VNET for the this virtual machine
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $Existsubnetname -VirtualNetwork $vnet

# T-shirt size of the VM
$vmSize = "Standard_D2s_v3"

# Gallery Publisher of the Image - Microsoft
$publisher = "MicrosoftWindowsDesktop"

# Version of Windows 10/11
$offer = "windows-ent-cpc"

# The SKY ending with avd are the multi-session
$sku = "win11-22h2-ent-cpc-m365"

# Choosing the latest version
$version = "latest"

# Setting up the Local Admin on the VM
$cred = Get-Credential `
   -Message "Enter a username and password for the virtual machine."

# Create New network interface for the virtual machine
$NIC = New-AzNetworkInterface -Name $nicName -ResourceGroupName $vnetrgName -Location $location -Subnet $subnet

# Creation of the new virtual machine with delete option for Disk/NIC together
$vm = New-AzVMConfig -VMName $vmName -VMSize $vmSize 

$vm = Set-AzVMOperatingSystem `
   -VM $vm -Windows `
   -ComputerName $vmName `
   -Credential $cred `
   -ProvisionVMAgent `
   -EnableAutoUpdate 

# Delete option for NIC
$vm = Add-AzVMNetworkInterface -VM $vm `
   -Id $NIC.Id `
   -DeleteOption "Delete"

$vm = Set-AzVMSourceImage -VM $vm `
   -PublisherName $publisher `
   -Offer $offer `
   -Skus $sku `
   -Version $version 

# Delete option for Disk
$vm = Set-AzVMOSDisk -VM $vm `
   -StorageAccountType "StandardSSD_LRS" `
   -CreateOption "FromImage" `
   -DeleteOption "Delete"

# The sauce around enabling the Trusted Platform
$vm = Set-AzVmSecurityProfile -VM $vm `
   -SecurityType "TrustedLaunch" 

# The sauce around enabling TPM and Secure Boot
$vm = Set-AzVmUefi -VM $vm `
   -EnableVtpm $true `
   -EnableSecureBoot $true 

New-AzVM -ResourceGroupName $rgName -Location $location -VM $vm

Note – It will give you a pop-up box for entering the username and password for the local account, and in under 10 mins you will see your virtual machine within the Azure portal

Next Steps on Golden Image

Now that the virtual machine is ready following are the next steps involved:

  • Using Azure Bastion console and install the required applications
    • Zero Trust Agent
    • EDR/XDR Agent
    • Antivirus Software Agent
    • Line of Business Apps
  • Generalize and sysprep and shutdown the image
  • Capture the image to the Azure Compute Galleries
  • Add the image within Microsoft Intune

I hope you will find this helpful information for deploying a golden image within Azure – Virtual Machine to deploy the custom Image for Windows 365 Cloud PC. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , , , , ,

PowerShell – Create a Windows 11 Multi-session golden image for Azure Virtual Desktop using Marketplace Image

28 Nov

Do you want to deploy an Azure Virtual Desktop – Host pools quickly and want a starting point for a golden image? Look no further in this blog post. I will show you how to create a golden image using PowerShell in no more than 10 min.

I will break down the code block into smaller chunks first to explain the critical bits, and in the end, I will post the entire code block that can be run all at once. In this way, explaining block by block becomes easier than pasting one single block.

Pre-requisites

Following are the pre-requisites before you begin

  • PowerShell 5.1 and above
  • Azure Subscription
  • Permissions within the Auzre Subscription for Azure Compute
  • Assumption
    • You have an existing Resource Group (RG)
    • You have an existing Azure Virtual Network (VNET)
    • You have an existing workload subnet within the VNET
    • Identify the VM Size you will be using for the golden image
  • Azure PowerShell Modules

Sign to Azure

To start working with Azure PowerShell, sign in with your Azure credentials.

Connect-AzAccount

Identify the Windows 11 Multi-session (Marketplace Image)

There are many different versions of Windows 11 marketplace images from Microsoft. Let’s identify what is available within the gallery.

Get-AzVMImageSku -Location australiaeast -PublisherName MicrosoftWindowsDesktop -Offer windows-11

#Bonus Information

If you want the Multi-session gallery image with Office, than use the following command

Get-AzVMImageSku -Location australiaeast -PublisherName MicrosoftWindowsDesktop -Offer office-365

We are going to use the Windows 11 22H2 Mutli-session – win11-22h2-avd within this script

Variable Region

Delcare all the variable within this section. Lets take a look at what we are declaring within the script:

  • Existing Resource Group within the Azure Subscription (AZ104-RG)
  • A location where you are deploying this virtual machine (Australia East)
  • Name of the golden image virtual machine (VM03)
  • NIC Interface name for the virtual machine (VM03-nic)
  • RG of the VNET (In my case they are same AZ104-RG, they can be seperate too and hence a independent variable)
  • Name of the existing subnet within the vNET (AZ104-VDI-Workload-L1)
  • Name of the existing VNET (AZ104-RG-vnet)
  • Mapping of the exisitng VNET
  • Mapping of the existing subnet
  • T-shirt size of the golden image we are deploying (Standard_D2s_v3)
  • Gallery details of the image
    • Published – MicrosoftWindowsDesktop
    • Offer – windows-11
    • SKU – win11-22h2-avd
    • version – Offcourse latest
  • Get credentials – A local admin account is created on the golden image (A input box to capture the uisername and password)
# Existing Resource Group to deploy the VM
$rgName = "AZ104-RG"

# Geo Location to deploy the VM
$location = "Australia East"

# Image template name
$vmName = "VM03"

# Networking Interfance Name for the VM
$nicName = "$vmName-nic"

# Resource Group for VNET
$vnetrgName = "AZ104-RG"

# Existing Subnet Name
$Existsubnetname = "AZ104-VDI-Workload-L1"

# Existing VNET Name
$Existvnetname = "AZ104-RG-vnet"

# Existing VNET where we are deploying this Virtual Machine
$vnet = Get-AzVirtualNetwork -Name $Existvnetname -ResourceGroupName $vnetrgName

# Existing Subnet within the VNET for the this virtual machine
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $Existsubnetname -VirtualNetwork $vnet

# T-shirt size of the VM
$vmSize = "Standard_D2s_v3"

# Gallery Publisher of the Image - Microsoft
$publisher = "MicrosoftWindowsDesktop"

# Version of Windows 10/11
$offer = "windows-11"

# The SKY ending with avd are the multi-session
$sku = "win11-22h2-avd"

# Choosing the latest version
$version = "latest"

# Setting up the Local Admin on the VM
$cred = Get-Credential `
   -Message "Enter a username and password for the virtual machine."

Execution block

Execution code block within this section. Lets take a look at what we are we executing within the script:

  • First its creating the network interface for the virtual machine (VM03)
  • Next, under the variable $VM all virtual machine configurations
    • Tshirt size of the virtual machine
    • Credentials for the local admin (username/password)
    • The network interface assignment along with the delete option (Note delete option is essential or/else during deletion of VM it will not delete the network interface)
    • The gallery image, sku, offer from the Microsoft Market Place gallery
    • The os disk assignment along with the delete option (Note delete option is essential or/else during deletion of VM it will not delete the disk)
    • The configuration around “Trusted Platform” and enabling of TPM and Secure Boot
    • The final command to create the virtual machine with all the above configurations
# Create New network interface for the virtual machine
$NIC = New-AzNetworkInterface -Name $nicName -ResourceGroupName $vnetrgName -Location $location -Subnet $subnet

# Creation of the new virtual machine with delete option for Disk/NIC together
$vm = New-AzVMConfig -VMName $vmName -VMSize $vmSize 

$vm = Set-AzVMOperatingSystem `
   -VM $vm -Windows `
   -ComputerName $vmName `
   -Credential $cred `
   -ProvisionVMAgent `
   -EnableAutoUpdate 

# Delete option for NIC
$vm = Add-AzVMNetworkInterface -VM $vm `
   -Id $NIC.Id `
   -DeleteOption "Delete"

$vm = Set-AzVMSourceImage -VM $vm `
   -PublisherName $publisher `
   -Offer $offer `
   -Skus $sku `
   -Version $version 

# Delete option for Disk
$vm = Set-AzVMOSDisk -VM $vm `
   -StorageAccountType "StandardSSD_LRS" `
   -CreateOption "FromImage" `
   -DeleteOption "Delete"

# The sauce around enabling the Trusted Platform
$vm = Set-AzVmSecurityProfile -VM $vm `
   -SecurityType "TrustedLaunch" 

# The sauce around enabling TPM and Secure Boot
$vm = Set-AzVmUefi -VM $vm `
   -EnableVtpm $true `
   -EnableSecureBoot $true 

New-AzVM -ResourceGroupName $rgName -Location $location -VM $vm

Final Script

Here I will paste the entire script block for seamless execution in single run. Following is the link to my Github for this script – Create Virtual Machine with Trusted Platform and Delete disk/nic options.

# Step 1: Import module
#Import-Module Az.Accounts

# Connect to the Azure Subcription
#Connect-AzAccount

# Get existing context
$currentAzContext = Get-AzContext

# Your subscription. This command gets your current subscription
$subscriptionID=$currentAzContext.Subscription.Id

# Command to get the Multi-session Image in Gallery
# Details from this command will help in filling out variables below on Gallery Image
# Get-AzVMImageSku -Location australiaeast -PublisherName MicrosoftWindowsDesktop -Offer windows-11

# Existing Resource Group to deploy the VM
$rgName = "AZ104-RG"

# Geo Location to deploy the VM
$location = "Australia East"

# Image template name
$vmName = "VM03"

# Networking Interfance Name for the VM
$nicName = "$vmName-nic"

# Resource Group for VNET
$vnetrgName = "AZ104-RG"

# Existing Subnet Name
$Existsubnetname = "AZ104-VDI-Workload-L1"

# Existing VNET Name
$Existvnetname = "AZ104-RG-vnet"

# Existing VNET where we are deploying this Virtual Machine
$vnet = Get-AzVirtualNetwork -Name $Existvnetname -ResourceGroupName $vnetrgName

# Existing Subnet within the VNET for the this virtual machine
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $Existsubnetname -VirtualNetwork $vnet

# T-shirt size of the VM
$vmSize = "Standard_D2s_v3"

# Gallery Publisher of the Image - Microsoft
$publisher = "MicrosoftWindowsDesktop"

# Version of Windows 10/11
$offer = "windows-11"

# The SKY ending with avd are the multi-session
$sku = "win11-22h2-avd"

# Choosing the latest version
$version = "latest"

# Setting up the Local Admin on the VM
$cred = Get-Credential `
   -Message "Enter a username and password for the virtual machine."

# Create New network interface for the virtual machine
$NIC = New-AzNetworkInterface -Name $nicName -ResourceGroupName $vnetrgName -Location $location -Subnet $subnet

# Creation of the new virtual machine with delete option for Disk/NIC together
$vm = New-AzVMConfig -VMName $vmName -VMSize $vmSize 

$vm = Set-AzVMOperatingSystem `
   -VM $vm -Windows `
   -ComputerName $vmName `
   -Credential $cred `
   -ProvisionVMAgent `
   -EnableAutoUpdate 

# Delete option for NIC
$vm = Add-AzVMNetworkInterface -VM $vm `
   -Id $NIC.Id `
   -DeleteOption "Delete"

$vm = Set-AzVMSourceImage -VM $vm `
   -PublisherName $publisher `
   -Offer $offer `
   -Skus $sku `
   -Version $version 

# Delete option for Disk
$vm = Set-AzVMOSDisk -VM $vm `
   -StorageAccountType "StandardSSD_LRS" `
   -CreateOption "FromImage" `
   -DeleteOption "Delete"

# The sauce around enabling the Trusted Platform
$vm = Set-AzVmSecurityProfile -VM $vm `
   -SecurityType "TrustedLaunch" 

# The sauce around enabling TPM and Secure Boot
$vm = Set-AzVmUefi -VM $vm `
   -EnableVtpm $true `
   -EnableSecureBoot $true 

New-AzVM -ResourceGroupName $rgName -Location $location -VM $vm

Note – It will give you a pop-up box for entering the username and password for the local account, and in under 10 mins you will see your virtual machine within the Azure portal

Next Steps on Golden Image

Now that the virtual machine is ready following are the next steps involved:

  • Using Azure Bastion console and installing all the required applications
  • Generalize and sysprep and shutdown the image
  • Capture the image to the Azure Compute Galleries
  • Deploy within the Azure Virtual Desktop

I hope you will find this helpful information for deploying a golden image within Azure – Virtual Machine to deploy the Azure Virtual Desktop – Host Pools. If you want to see a Powershell version of the host pool activities, leave me a comment below or on my socials. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , , ,

Azure Virtual Desktop – Apply monthly Microsoft Security Cumulative Updates on the golden image with Azure Compute Galleries

14 Nov

We have numerous articles showcasing how to create the golden master image to deploy within the Host Pool. This blog post will showcase how to perform recurring monthly security patch updates within the golden master image and push that into your Host Pools within Azure Virtual Desktop.

  • Pre-requisites
  • Azure Compute Galleries – Create VM
  • Console to Golden Image (RDP or Azure Bastion)
  • Install the Microsoft Latest Cumulative Update (LCU)
  • Sysprep (Generalize and Shutdown)
  • Capture the Virtual Machine
  • Azure Compute Galleries – New Version
  • Drain and remove old session host vms

Feature Whishlist

If Microsoft is listening – requesting the feature of leveraging the Update Rings from Micorosft Intune can be integrated into applying the quality updates from #Intune on Microsoft Windows 10/11 Multi-session

Pre-requisites

The assumption here is that you already have a golden image and existing versions available. Below is an example from Azure Computer Galleries of a Windows 11 Multi-session and current running version 0.0.2 within my Host Pools. (Note its an already generalized image – See the OS State)

Azure Compute Galleries – Create VM

The first step here is to update the golden image with the monthly Microsoft Cumulative Security update, and we want to create a new virtual machine from the existing version of 0.0.2. (Background version 0.0.2 include the October 2022 Latest Cumulative Updates)

Now you will be presented with a Create VM wizard

Select Next – Disk Settings

Select Next – Networking Settings

Select Next – Management Settings

Select Next – Monitoring Settings

Select Tags

Select Review & Create the Virtual Machine – Golden Image.

#Tip – On the rare occasion that the creation of the virtual machine fails, in one instance, I had forgotten to perform Sysprep on the existing version in Azure Compute Galleries (e.g. 0.0.1). In such scenarios, create a virtual machine from the previous version number you know that works well. After updating the new vm from existing image version we can take a snapshot of that before sysprep and keep. It will be helpful if the vm due to any reason get destroyed during sysprep.

Console to Golden Image (RDP or Azure Bastion)

We now have the newly created golden image from the existing version 0.0.2 within the Azure – Virtual Machines blade listed and status=Running.

Download the RDP file and console into the Virtual machine – Win11MSGI04 (Note, as previously mentioned, this is a bad practice in a production environment as it needs public IP for access. The best approach here is to leverage Azure Bastion and click on the Bastion option, and securely console the VM via browser)

Install the Microsoft Latest Cumulative Update (LCU)

In our scenario, we shall install the November 8, 2022—KB5019980 (OS Build 22621.819) for Windows 11 22H2 Multi-session. Note I am using the Powershell pswindowsupdate module, but you can download and offline install the Windows update (LCU, which also includes SSU)

Get-WUList -MicrosoftUpdate

Install the Update

Get-WindowsUpdate -KBArticleID KB5019980 -Install -AutoReboot | Out-File "c:\Temp\$(get-date -f yyyy-MM-dd)-WindowsUpdate.log" -force

Post the reboot validate the windowsupdate log output to determine whether the patch was installed successfully. Optionally perform Disk Clean.

Sysprep (Generalize and Shutdown)

We are onto our final step before the capture. Perform Sysprep on the image and shutdown

%WINDIR%\system32\sysprep\sysprep.exe /generalize /shutdown /oobe

#Tip – Make sure the end state of the virtual machine status = Stopped (deallocated) before following the next step of Capture. Sysprep is the most crucial step if you forget this, your provisioning will fail with an error.

Capture the Virtual Machine

We will capture this image into Azure Compute Galleries

Next Capture wizard

#Tip – As we selected “Delete” post creation, the virtual machine will not appear within the Azure – Virtual Machines. Below is the task for the deletion.

Azure Compute Galleries – New Version

We can now see the latest version showing up 0.0.3 post the capture process. This version is now ready to be added to the AVD – Host Pools

Add Session Host Virtual Machine (New security patch version 0.0.3)

After clicking on Add, it will open the “Add virtual machine to a host pool” wizard

Select Next – Virtual Machines

Next enter the tags of your choice and hit Create

Drain and remove old session host vms

Put the old session host virtual machines in the drain and remove the virtual machine. This step will depend on how much time log-off all the end-user sessions will take on the VM.

Next, if all the sessions are drained. Select the old virtual machine and select Remove.

Note – When you hit remove for the session host virtual machine within the Host Pools blade, it will only remove the virtual machine from there. You will have to go into the Azure – Virtual Machines blade and stop and delete the virtual machine from there. The good thing here is that as we had selected delete disk/network (checkbox) during creation, it will delete everything associated with the VM.

#Tip – As a precautionary step, you can delete the virtual machine after 2-3 days after production stabilizes in case you have to revert and manually add the VM’s back into the host pool

A big thanks to Mahammad Kubaib for reviewing this blog post based on his previous experience. I hope you will find this helpful information for performing monthly cumulative security updates on your Azure Virtual Desktop – Host Pools. If you want to see a Powershell version of the same activity, leave me a comment below or on my socials. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Thanks,
Aresh Sarkari

Tags: , , , , ,

← Older Entries
Newer Entries →