Azure Virtual Desktop enterprise configuration options

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
(music) - Today, I'll walk you through all the steps to configure Azure Virtual Desktop with the enterprise-grade configurations you'll want in place for secure authentication, improved connectivity, flexible user data, and service resiliency. This is part three in our series on the service. And if you're watching this, we'll assume you've got a basic deployment of Azure Virtual Desktop up and running already, or general knowledge of the Azure Virtual Desktop service. If not, I'd encourage you to check out the first two episodes in the series which introduce the service and walk you through basic setup at aka.ms/AVDMechanicsSeries. So, let's start with your options for secure authentication. First, you can use on-prem directory services, with Azure Virtual Desktop, in environments with hybrid Azure Active Directory joined hosts. Alternatively, you can use Azure Active Directory joined hosts if your directory is running entirely in the cloud. Now, these options are configured when you set up new host pools in Azure Virtual Desktop. In either configuration, you can achieve Single Sign On and passwordless authentication to the host using the new Azure AD authentication for remote desktop. This means that, by simply signing into your device, you'll already have the required authentication established. So, I'll open Start, and connect to my Azure Virtual Desktop host. Now, if you've tried this before, notice here that I'm not prompted for a second sign-in, and it seamlessly establishes the connection to my remote desktop. Now, for this next part, while I'm in the session, if I need to connect to an app or service that requires multifactor authentication, Azure Virtual Desktop enables that using the new Web Authentication or WebAuthn redirection. So, I'll open a site to test this, WebAuthen.io. And just to prove that the command is sent to my local computer, I'll make the window to my remote desktop smaller - there we go, and now I'll be able to overlap the authentication popup. So, I'll hit Authenticate on the site, and you'll see this even allows you to use passwordless authentication to access apps and sites. And this is the reason I resized the remote desktop window, because this pop-up could look like it's in the remote host, but it's not. And as I drag it to the right, you'll see the window is from my local device. Now, in this case, I'll enter my local device pin, and then I'll use the FIDO key, I've enrolled with my fingerprint. And in a few seconds, I'm securely logged into the site with the authentication strength required by my organization. Now, beyond authentication, reliable and efficient connectivity to the service is important to ensure the user experience is highly responsive with low latency, so the remote desktop or app feels local. Now, for that, we recommend RDP Shortpath. And let me explain why. Normally, when you access VMs in Azure over RDP, the connection goes through a gateway. RDP Shortpath uses the more reliable UDP protocol. This establishes a direct network connection between the client device and the destination VM host in Azure, bypassing the gateway. RDP Shortpath is the connection type used by Azure Virtual Desktop, and this is by default. Now, something really important to point out here is that you need your devices to allow UDP connections, so don't block them. Equally, your network and firewalls should also allow UDP connections and should permit traffic from STUN servers or can use TURN traffic. We've got more details on this at aka.ms/AVDconnectivity. Now, with your authentication and connectivity options sorted, let's move on to another core aspect commonly deployed with enterprise configurations, which is connecting users to their profile data seamlessly, using FSLogix profile containers. Here, user profiles are stored in Azure as virtual hard disc files, and then are mounted when a user signs in and unmounted when they sign out. So, let me walk you through how you'll set up FSLogix profiles to get everything working. Now, for detailed step by step guidance, check out aka.ms/FSLogix, but I'm going to walk you through the high level steps. First, FSLogix profiles use SMB file shares to store profile containers with the appropriate permissions configured For Azure Virtual Desktop, you can use either Azure files or Azure NetApp files. And using either option, these services need to be configured to work with the same active directory domain service's authentication, which can be run on premises or in Azure, used by your host VMs. Additionally, Azure files can also use Azure Active Directory Kerberos authentication for hybrid identities for Azure AD joined hosts. The FSLogix app needs to be installed or present in the host image. And to configure FSLogix, you'll need to add a few registry settings in HKEY_LOCAL_MACHINE for FSLogix profiles to enable it, set its behavior, size in megabytes, location in the file share, and volume type. Now, this can be done using scripts, group policy, or using Microsoft Intune, and we have configuration service provider support coming soon. Now, cloud cache is an optional configuration which is used to mitigate short-term or intermittent connectivity problems with the remote storage providers. So, here, you'll add registry settings in the same location for CCD locations, along with recommended settings for clear-cache-on-logoff and healthy providers required for register. In this case, you're replacing the VHD location settings path with the CCD locations, which supports both SMB and Azure Page Blog paths, allowing updates to both. Now, as you configure FSLogix profile containers, our recommendation is to keep your settings as simple as possible to avoid complexity and operational overhead. Now, another important topic we're managing in an enterprise grade desktop virtualization service is resiliency, to ensure users can access fully functional desktops and apps, even in cases when a zone is unavailable. Now, you can use the same Azure availability zone options for your session hosts as you would for your business-critical VMs in Azure Virtual Desktop host pools. For cases where you can't risk users losing access to pooled session host VMs, you can use Azure Availability Zones combined with a calculated over-provisioning strategy for resilience. So, for example, if you are using three availability zones with host VMs equally distributed across them, normally, you'd have a few host VMs in reserve. So, by adding an over-provisioning strategy, you would intentionally add to the total number of host VMs by a third or more. Then, in the event that one zone's unavailable, users can be redirected to available host VMs in the remaining two zones. And this is also an advantage of using stateless shared host VMs over personal dedicated host VMs. The high levels of resilience for personal hosts are also configurable using Azure Site Recovery, where you can have a replica for selected host VMs in a separate data center. Then, in the event of an outage, you can failover to the replica host VM. Now, beyond the session host VMs, this is also important when configuring your FSLogix containers in the service. So, here, you'll want to configure Zone Redundant Storage so that FSLogix user profile containers can be reached if a zone is unavailable. Now, as you provision storage in Azure files, you'll select the zone-redundant storage option so that replica profile containers stay in sync across zones. And you can learn more about your available configuration options at aka.ms/FSLogixHA. Azure Virtual Desktop offers significant flexibility and control to set up your environment based on your organization's needs. For instance, if your organization or a subset of your users require highly secure virtual desktops, you can use Confidential Computing VMs in Azure, which uses a trusted execution environment to extend encryption protections to your sensitive data while it's in use. And this also ensures that no one outside of your trust boundary, not even Microsoft datacenter personnel, can access any information stored or running in these VMs. Now, in order to use Confidential Compute when provisioning your host pools in Azure Virtual Desktop, for the security type, you'll choose confidential virtual machines with secure boot enabled. And for the virtual machine size, you'll select DC or EDC series virtual machines with AMD Secure Encrypted Virtualization support. So, with that, I've highlighted a few of the most common and recommended configuration options for an enterprise deployment to help provide a secure low latency, flexible, and resilient experience with Azure Virtual Desktop. And again, this is the third in our series on Mechanics for Azure Virtual Desktop. So, check out the complete playlist at aka.ms/AVDMechanicsSeries. Be sure to subscribe to our channel for future updates, and thanks for watching. (brief music)
Info
Channel: Microsoft Mechanics
Views: 15,564
Rating: undefined out of 5
Keywords: windows virtual desktop, rds, rdp, remote desktop, remote app, citrix, xen desktop, windows 365, windows multi-session, terminal services, azure virtual desktop, windows 10, remote desktop services, microsoft azure, cloud pc, wvd, AVD, host pool, VDI, Virtual Machine, Windows 11, availability zones in azure, windows server 2022, Windows Client OS, fslogix, Azure Portal, Azure AD Join, zero trust security, Secure desktop, multi factor authentication, AVD Mechanics
Id: QmWVmMFVF0Q
Channel Id: undefined
Length: 8min 11sec (491 seconds)
Published: Thu Apr 27 2023
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.