Today, I'll walk you through all the steps to configure Azure Virtual Desktop with the enterprise-grade configurations you'll want in place for secure authentication, improved connectivity, flexible user data, and service resiliency. This is part three in our series on the service. And if you're watching this, we'll assume you've got a basic deployment of Azure Virtual Desktop up and running already, or general knowledge of the Azure Virtual Desktop service. If not, I'd encourage you to check out the first two episodes in the series, which introduce the service and walk you through basic setup, at aka.ms/AVDMechanicsSeries.

So, let's start with your options for secure authentication. First, you can use on-prem directory services with Azure Virtual Desktop, in environments with hybrid Azure Active Directory joined hosts. Alternatively, you can use Azure Active Directory joined hosts if your directory is running entirely in the cloud. Now, these options are configured when you set up new host pools in Azure Virtual Desktop. In either configuration, you can achieve single sign-on and passwordless authentication to the host using the new Azure AD authentication for Remote Desktop. This means that, by simply signing into your device, you'll already have the required authentication established. So, I'll open Start and connect to my Azure Virtual Desktop host. Now, if you've tried this before, notice here that I'm not prompted for a second sign-in, and it seamlessly establishes the connection to my remote desktop.

Now, for this next part, while I'm in the session, if I need to connect to an app or service that requires multifactor authentication, Azure Virtual Desktop enables that using the new Web Authentication, or WebAuthn, redirection. So, I'll open a site to test this, WebAuthn.io. And just to prove that the command is sent to my local computer, I'll make the window to my remote desktop smaller - there we go - and now I'll be able to overlap the authentication popup. So, I'll hit Authenticate on the site, and you'll see this even allows you to use passwordless authentication to access apps and sites. And this is the reason I resized the remote desktop window, because this pop-up could look like it's in the remote host, but it's not. And as I drag it to the right, you'll see the window is from my local device. Now, in this case, I'll enter my local device PIN, and then I'll use the FIDO key I've enrolled with my fingerprint. And in a few seconds, I'm securely logged into the site with the authentication strength required by my organization.

Now, beyond authentication, reliable and efficient connectivity to the service is important to ensure the user experience is highly responsive with low latency, so the remote desktop or app feels local. Now, for that, we recommend RDP Shortpath. And let me explain why. Normally, when you access VMs in Azure over RDP, the connection goes through a gateway. RDP Shortpath uses the more reliable UDP protocol. This establishes a direct network connection between the client device and the destination VM host in Azure, bypassing the gateway. RDP Shortpath is the connection type used by Azure Virtual Desktop, and this is by default. Now, something really important to point out here is that you need your devices to allow UDP connections, so don't block them. Equally, your network and firewalls should also allow UDP connections and should permit traffic from STUN servers, or can use TURN traffic. We've got more details on this at aka.ms/AVDconnectivity.

Now, with your authentication and connectivity options sorted, let's move on to another core aspect commonly deployed with enterprise configurations, which is connecting users to their profile data seamlessly, using FSLogix profile containers. Here, user profiles are stored in Azure as virtual hard disk files, and then are mounted when a user signs in and unmounted when they sign out. So, let me walk you through how you'll set up FSLogix profiles to get everything working. Now, for detailed step-by-step guidance, check out aka.ms/FSLogix, but I'm going to walk you through the high-level steps.

First, FSLogix profiles use SMB file shares to store profile containers, with the appropriate permissions configured. For Azure Virtual Desktop, you can use either Azure Files or Azure NetApp Files. And using either option, these services need to be configured to work with the same Active Directory Domain Services authentication used by your host VMs, which can be run on premises or in Azure. Additionally, Azure Files can also use Azure Active Directory Kerberos authentication for hybrid identities on Azure AD joined hosts. The FSLogix app needs to be installed or present in the host image. And to configure FSLogix, you'll need to add a few registry settings in HKEY_LOCAL_MACHINE for FSLogix profiles to enable it, and to set its behavior, size in megabytes, location in the file share, and volume type. Now, this can be done using scripts, Group Policy, or Microsoft Intune, and we have configuration service provider support coming soon.

Now, Cloud Cache is an optional configuration which is used to mitigate short-term or intermittent connectivity problems with the remote storage providers. So, here, you'll add registry settings in the same location for CCDLocations, along with the recommended settings for ClearCacheOnLogoff and HealthyProvidersRequiredForRegister. In this case, you're replacing the VHDLocations setting with CCDLocations, which supports both SMB and Azure Page Blob paths, allowing updates to both. Now, as you configure FSLogix profile containers, our recommendation is to keep your settings as simple as possible to avoid complexity and operational overhead.

Now, another important topic we're managing in an enterprise-grade desktop virtualization service is resiliency, to ensure users can access fully functional desktops and apps, even in cases when a zone is unavailable. Now, you can use the same Azure availability zone options for your session hosts in Azure Virtual Desktop host pools as you would for your business-critical VMs. For cases where you can't risk users losing access to pooled session host VMs, you can use Azure Availability Zones combined with a calculated over-provisioning strategy for resilience. So, for example, if you are using three availability zones with host VMs equally distributed across them, normally you'd have a few host VMs in reserve. So, by adding an over-provisioning strategy, you would intentionally add to the total number of host VMs by a third or more. Then, in the event that one zone's unavailable, users can be redirected to available host VMs in the remaining two zones. And this is also an advantage of using stateless shared host VMs over personal dedicated host VMs. High levels of resilience for personal hosts are also configurable using Azure Site Recovery, where you can have a replica for selected host VMs in a separate data center. Then, in the event of an outage, you can fail over to the replica host VM.

Now, beyond the session host VMs, this is also important when configuring your FSLogix containers in the service. So, here, you'll want to configure zone-redundant storage so that FSLogix user profile containers can be reached if a zone is unavailable. Now, as you provision storage in Azure Files, you'll select the zone-redundant storage option so that replica profile containers stay in sync across zones. And you can learn more about your available configuration options at aka.ms/FSLogixHA.

Azure Virtual Desktop offers significant flexibility and control to set up your environment based on your organization's needs. For instance, if your organization or a subset of your users require highly secure virtual desktops, you can use confidential computing VMs in Azure, which use a trusted execution environment to extend encryption protections to your sensitive data while it's in use. And this also ensures that no one outside of your trust boundary, not even Microsoft datacenter personnel, can access any information stored or running in these VMs. Now, in order to use Confidential Compute when provisioning your host pools in Azure Virtual Desktop, for the security type, you'll choose confidential virtual machines with Secure Boot enabled. And for the virtual machine size, you'll select DC or EDC series virtual machines with AMD Secure Encrypted Virtualization support.

So, with that, I've highlighted a few of the most common and recommended configuration options for an enterprise deployment to help provide a secure, low-latency, flexible, and resilient experience with Azure Virtual Desktop. And again, this is the third in our series on Mechanics for Azure Virtual Desktop. So, check out the complete playlist at aka.ms/AVDMechanicsSeries. Be sure to subscribe to our channel for future updates, and thanks for watching.
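The FSLogix registry configuration the episode describes (enable profiles, size in MB, volume type, file share location, and the optional Cloud Cache settings CCDLocations, ClearCacheOnLogoff and HealthyProvidersRequiredForRegister) is shown below as an added PowerShell example; it is not a script from the episode or from the FSLogix product. The registry value names are FSLogix's documented ones, while the SMB share paths, the storage account connection string, the 30000 MB size and the VHDX volume type are placeholders or constructed sample values to replace with your own.

```powershell
# Added example (not from the Mechanics episode): write the FSLogix profile container
# settings under HKEY_LOCAL_MACHINE, with Cloud Cache as an option.
# Run elevated on a session host (or during image build) after the FSLogix app is installed.
# Share paths and the storage connection string are placeholders; sizes are sample values.

param(
    [switch]$UseCloudCache,       # switch from VHDLocations to CCDLocations
    [int]$SizeInMBs = 30000,      # sample maximum container size in megabytes
    [string]$VolumeType = 'VHDX'  # sample volume type
)

$ProfilesKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'

# Placeholder SMB shares on Azure Files or Azure NetApp Files (permissions already configured)
$SmbShares = @(
    '\\<storageaccount1>.file.core.windows.net\profiles',
    '\\<storageaccount2>.file.core.windows.net\profiles'
)
# Placeholder Azure Page Blob provider for Cloud Cache (uses a storage account, not a share)
$BlobConnectionString = 'DefaultEndpointsProtocol=https;AccountName=<storageaccount>;AccountKey=<key>;EndpointSuffix=core.windows.net'

if (-not (Test-Path $ProfilesKey)) {
    New-Item -Path $ProfilesKey -Force | Out-Null
}

# Core profile container settings: enable, size in MB, volume type
Set-ItemProperty -Path $ProfilesKey -Name 'Enabled'    -Value 1           -Type DWord
Set-ItemProperty -Path $ProfilesKey -Name 'SizeInMBs'  -Value $SizeInMBs  -Type DWord
Set-ItemProperty -Path $ProfilesKey -Name 'VolumeType' -Value $VolumeType -Type String

if ($UseCloudCache) {
    # Cloud Cache: CCDLocations replaces VHDLocations and lists each provider as
    # type=smb,... or type=azure,... separated by semicolons, so both SMB and
    # Azure Page Blob locations receive profile updates
    $providers = @($SmbShares | ForEach-Object { "type=smb,connectionString=$_" })
    $providers += "type=azure,connectionString=`"$BlobConnectionString`""
    Set-ItemProperty -Path $ProfilesKey -Name 'CCDLocations' -Value ($providers -join ';') -Type String
    Remove-ItemProperty -Path $ProfilesKey -Name 'VHDLocations' -ErrorAction SilentlyContinue

    # Recommended Cloud Cache settings: clear the local cache at sign-out, and require at
    # least one healthy provider before the profile is allowed to register
    Set-ItemProperty -Path $ProfilesKey -Name 'ClearCacheOnLogoff'                  -Value 1 -Type DWord
    Set-ItemProperty -Path $ProfilesKey -Name 'HealthyProvidersRequiredForRegister' -Value 1 -Type DWord
}
else {
    # Plain profile container: VHD(X) files live on the SMB share(s); keep settings simple
    Set-ItemProperty -Path $ProfilesKey -Name 'VHDLocations' -Value $SmbShares -Type MultiString
    Remove-ItemProperty -Path $ProfilesKey -Name 'CCDLocations' -ErrorAction SilentlyContinue
}

# Show the resulting configuration so it can be checked against your baseline
Get-ItemProperty -Path $ProfilesKey |
    Select-Object Enabled, SizeInMBs, VolumeType, VHDLocations, CCDLocations,
                  ClearCacheOnLogoff, HealthyProvidersRequiredForRegister
```

Run it without switches for a plain VHDLocations setup, or with -UseCloudCache to switch the same host to CCDLocations; because the script removes whichever location setting is not in use, a host never ends up with both, which matches the episode's advice to replace VHDLocations rather than add to it. On pooled hosts, deliver the same values through your image, Group Policy or Intune so every session host in the pool is configured identically.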