Image Management | Windows Virtual Desktop - #03

Video Statistics and Information

Captions
You know, there's several things that are prerequisites for Windows Virtual Desktop. Chiefest among them are getting your network set up, whether or not you need a VPN or ExpressRoute, and settling in on your identity strategy, how you're gonna be using Active Directory. Then you have some of the optional stuff, and one of those is how you're going to manage your images. Now, you can certainly go with the Azure Marketplace image; there are multiple versions of Windows that work with WVD. But beyond that, a lot of customers choose to still create their own custom images. This of course has big benefits in something like Windows Virtual Desktop, where you want to prepackage all of your applications into that image along with your updates and configuration settings, so that you can deploy new VMs very quickly instead of traditionally patching your VMs. And we've already covered that process in our WVD update management video, which you can check out right up here. So just like you, I update my VMs on a regular basis, so today I thought we'd put all the pieces together. I'll show you the process to create or update your custom image and then roll out those images with our new VMs for this month in Windows Virtual Desktop. I'm Dean Cefola, and this is the Azure Academy.

Now of course there are many tools that you can use to do this kind of image creation or updating process, and we are definitely not going to be able to cover all of them. But if you've been doing this kind of process around Windows for long enough, I'm sure at some point you've run across the Microsoft Deployment Toolkit, or MDT, as well as System Center Configuration Manager. But around here we focus on what we can do in Azure, so we're gonna rely on the native Azure tooling today, and I'll give you some tips and tricks around how we're going to protect that image through the build and update process, so we don't have any issues and we can do rollback if we need to. So let's jump right over to the Azure Docs and get started. On the main page
of our Docs we'll scroll down just a little bit to Windows virtual machines, and over on the table of contents we'll go under how-to guides, and then we'll go to this section on use images, and we'll start off with the Image Builder overview. Over on the right side we'll go to how it works, because they have some great pictures here. So no matter if you're using ICD, MDT, ConfigMan, Packer, Image Builder, DevOps pipelines, etc., all of them follow this same basic process: we start out with some kind of source, and that would be your initial copy of Windows, then we do some amount of customizations, we package that for distribution, and then we can start building VMs from it.

So I'll scroll back up to the top and click our Docs link to go back to the beginning, and then we'll scroll down to Windows Virtual Desktop, go to the how-to guide, and then we'll click on customize a session host image. We have to first create a virtual machine, and we're going to do this using the Windows 10 Enterprise multi-session image. We'll pull it out of the Azure Marketplace and then we'll customize that image. But if you scroll down just a little bit, there is a section for doing this locally through Hyper-V, and you can read through that section if you need to. Either way, once we're done we're going to proceed with the customizations, and that's covered here in software preparation. This could be anything from installing your applications, monitoring tools and agents to setting your policy settings and those type of things.

Go over to the Azure portal and we'll click our plus at the top to get started, and in the search box on this, type Windows 10. The one we want is at the bottom here, Windows 10 plus Office 365, and when we click on that we have our multi-session image available here in a few different versions. We'll be using the latest version, and we'll hit create. You've seen us create many VMs in the past, so we'll just zip right through this, and I will be taking most of the defaults, but we'll be putting
this into a separate resource group called custom image inside East US, and everything looks good and we're ready to create.

So now that we've got a VM to work with, the first thing that we need to do before we start customizing this is take a snapshot. Now of course the first and biggest benefit of a snapshot is rollback, so if something that we're doing ends up not working out and we corrupt our image, we don't have to start completely from scratch. We can just roll back to our latest version, and then we can keep going from there and avoid the same mistake. We'll go to the VM and then go to disks, then we'll click on the disk name and hit the create snapshot button. Then we have to store that snapshot somewhere, and I'll store it in the same resource group where my VM is, and then we have to give our snapshot a name. Since I'm rolling this out for next month's VMs, I'm calling it snapshot 05, and this is the first iteration, so this is 05-01.

Now we need to decide on a snapshot type. Our choices here are a full snapshot, which will be an actual replica of the disk, or we can take an incremental snapshot, the benefit being of course that this is far smaller and the storage cost will be less. For this particular use case we're gonna take a full snapshot, and it just takes a few seconds longer, but this way we have a total rollback and we don't have to worry about anything with incremental versions. Now for our storage type we have zone redundant here as default, and we'll be using that. Your other choices are premium SSD and standard HDD. If you choose premium you will get a warning here: the cost of premium is higher than a hard drive, and it's recommended for a snapshot that you store it as a hard drive so it's stored at the lowest cost possible. But we'll choose zone redundant here, which is going to create a standard hard disk drive snapshot and then store it in a zone redundant state. We'll hit next. You can change the encryption option if you need to, but all
storage in Azure is encrypted by default with a platform-managed key, so I'm fine with that. If you need to change that to a customer-managed key, then you can do that and then supply the needed information. I'll click next. We'll add a tag, and now we know who's paying for these resources, what our application is, that this is our lab environment, and that our specific workload is for Windows Virtual Desktop and this is related to our images. We'll hit next and then we'll hit create, and now back in our resource group we have a snapshot. So if we click on that just to take a look, we can see what the source image was for our snapshot, what type it is, the fact that it is unattached, and what the size is.

So now that we've got that safety net, we're ready to start customizing. I'll click on my VM and we'll click the connect button, and we'll get in the system using Azure Bastion. We've covered how to use Bastion in a previous video, which you can go check out up here. I'll provide my credentials and we'll hit connect. Now that we're logged on to our VM, we've got to make a choice, and that is what customizations we're gonna do to this image. Now, if you are making a custom image, chances are you already have a process that you need to follow, and that's exactly what you should do. So now I've got my Edge installer on my system along with several other things that I want to use in my image, and we'll walk through each of these rather quickly. If you have tools like Configuration Manager in your environment, you can set up a distribution point and install all of your software using those tools.

Then we come to some of the other items. We want to install FSLogix so that's part of our image. Now, when it comes to the customizations around FSLogix, that part is a little more debatable. If you have a single image dedicated to a single host pool, then most likely you're aligning your images based on workloads. If that is the case, then installing FSLogix and adding those registry keys to
point it at your particular file share where that workload's users are going to store their images is totally fine. If, however, you're making more of a generic image, then I would leave that part for later and either do that by group policy or do it by a custom script extension.

Now this also brings up the Windows Virtual Desktop agent itself. We can certainly add the virtual desktop agent; however, that agent gets deployed using a token. So if your plan is to update your image more frequently than when your registration token will expire, then you can put it into your image, but understand again you will have that potential risk of your token expiring, and then your image deployments will fail. You will also not be able to use that particular image for more than one host pool. My general guidance is to leave it out so that you have more options later.

One thing that I do know, however, in my case is that I will be installing the Log Analytics agent so that I can do my monitoring. So I'm gonna install the MMA agent here, and I'll choose this middle option to connect our agent to Azure Log Analytics. Next, we need our workspace ID and key, which I can get from Azure, from my Log Analytics workspace. We go to advanced for this, and I'll copy my workspace ID, so I'm good to go. Yes, I do want to use Microsoft updates for this, and that'll just take a few seconds to install. While that's going, I'll also install the Service Map dependency agent so I can see all the connections from my VM, and I will not restart at this point; we'll do that in a moment.

Then I have this folder. This is from the Sepago monitoring solution for Windows Virtual Desktop, and we did cover their solution in our WVD monitoring video, which you can check out up here. So we'll take our zip file here and extract everything, and inside that folder we just need to edit our config file. In the config file we just need to add our customer ID and key, and this comes from our Log Analytics workspace. Then I will do a shift right click
on this screen, and we can open PowerShell right from here. I'll just run a command to make sure that I can reach my Log Analytics workspace, and sending the test data was successful, so I'm good to actually install the solution now. That can be done by running the same command with the install parameter, and we're done.

That brings us to some special applications. Back in the Azure Docs, we're gonna go back to our table of contents and click the next link, for install Office on a master VHD image, and here there's a few different things to point out. Number one, the image that we have selected from Azure already has Office installed. However, if you need to install Office, you need to do so so that it's enabled for a shared VM. So if we go down here to install Office in shared computer activation mode, this gives you a description of how to use the Office custom deployment tool, and then a little further down here we have how to do the actual install by running setup with the configuration XML. Here is an example of a configuration XML that will work for you.

Now, going a little further down the page, we have install OneDrive per machine. This is because OneDrive is normally installed per user, and we're in a shared environment, so we need it set up per machine. I have this code already copied to the VM, which we'll run in PowerShell in just a second. And there's one more item here, and that is Teams and Skype. This is not yet supported, although support for this is coming, and when it does you're going to need to install Teams also for machines instead of for users. So here is the Teams document for future reference, again not supported at this time, and also the commands here to do the installation for a shared environment.

The first thing that you have to make sure of is that you uninstall the current version of OneDrive, so in your apps and features just select OneDrive and click uninstall. I've opened the PowerShell ISE as an administrator, and now I'm gonna
run this command on line 11 here, which is gonna set up OneDrive for our Windows 10 multi-session image. Now that that is done, we need to run the install of OneDrive and set the flag for all users, and that'll just take a moment to finish. Now that that's done, we'll add these three final registry keys, so OneDrive is all ready to go. Let's reboot our VM.

And we're back in our VM. This is the point in the process where we can move on to the system customization. In our temp drive I've created a custom MMC snap-in, and from here you can pretty much edit and customize anything you want. But this brings up a strategy question: should you implement your systems using group policy or all of these local settings? My answer is going to be both. The reason why is, when you're making a custom image, one of the things that's important is speed of deployment, kind of why you're doing this in the first place. So you might as well make all of these settings as much as you can locally inside the image, then use group policy as a drift control mechanism.

I'm going to start with Computer Management and go to System Tools, then Local Users and Groups, and finally into Groups. Here I'm gonna add exclusions for FSLogix for my local administrator, because I don't want that user to be using an FSLogix profile. As far as the includes go, the default is everyone, so now everyone other than my local administrator will be able to use FSLogix. In the Windows Firewall, in my inbound and outbound settings, the one thing that I want to make sure is enabled is file print share echo request. This is so that ping will work, and I'll make sure that's enabled on the inbound and on the outbound, and that all looks good. This is the point also where you can add any certificates that you'll need for your domain environment, or if you're using MSIX App Attach and you need a code signing cert.

In the local group policy section, I'll go under Administrative Templates, Windows Components and File Explorer, and
the policy I want to set up here is to prevent access to drives from My Computer. The reason for this is that in every Azure VM there is a D:\. This is your temporary storage, and if you click on that there is a file here that says data loss warning. This is temporary storage: anything that you put on here probably will be lost when you reboot the VM. I want to make sure that people don't mistakenly put something on there, so I'm going to restrict access to the D:\, and now if we try to go to the D:\ we will get an error message here telling us that we are restricted.

We've got a few more to add here, so we'll go now to Computer Configuration, Administrative Templates, System, Group Policy, and then we'll go to configure user group policy loopback processing mode. We've got two choices here, either merge or replace, so to understand which one of these you should use, let me explain for a second. GPOs, Group Policy Objects, are where we have user settings and computer settings. Merge mode will cause the computer settings GPO to have a higher precedence than user settings. In replace mode, the user's GPOs will not even be gathered; we're just gonna go at the computer object settings. So it depends on how you're structuring your GPOs in your environment as to which one you want to pick. In my case, where I've got my WVD VMs, I'm gonna set all of my GPOs based on those computer objects, so I'm gonna choose replace mode. Any user settings will basically be ignored, and they'll have to live with the settings that I have enforced on my WVD VMs. I'll click OK to that.

We'll scroll back up here, I'll close the system settings and go under Windows Components. We'll go down to Remote Desktop Services and we'll go to the session host. First is session timeouts. If a user is idle for too long, we want them to log off, because they're obviously not using their session. Think about when people go to lunch: you take a half hour or an hour long break in the middle of the day. Do you want the users to
have to log back in when they come back from that break? Then, once the user does become disconnected from their session, how long should that session live before we just close that session out? You can answer those questions for these particular settings. I'll set my disconnected time for 10 minutes. However, if we're dealing with someone who's just using remote applications, then we can also configure, when they close their last remote application, how long we wait before we log off their session in the background. I'm going to set that one to 5 minutes. We do have the set timeout for active but idle sessions, like in that lunchtime scenario, and I'll set this one for 30 minutes.

Finally we'll go under Connections and we'll open set rules for remote control. Now, this is a general feature of RDS; it's not directly related to or enabled in WVD specifically, but this will give me the ability to do session shadowing. You have multiple options here, to either just view the session with or without the user's permission, or have full control with or without the user's permission. This is just my lab, so I'm gonna set it for full control without permission. But that's just some examples of a few things you can edit in your local group policy, and then of course you can back this up for drift enforcement through your Active Directory group policy, and certainly your settings here should match what's in your Active Directory GPOs.

So with that we'll bring up one final thing, the local security policy settings. I'll go to password policy, and we want to enforce our password history here to remember the last end and passwords, set the maximum age of our passwords to be 28 days, and set the minimum length to be 12 characters. OK, again, just another example, and you can certainly tweak things according to your policy. So we'll give it another reboot and then make sure that everything works all over again. It looks like we can still get in, and our VM is in a ready state to be captured. I've signed
out of the VM, because before we take our image of the VM we should take another snapshot, just for safety's sake. So our second snapshot is done.

What if during any of that process you locked yourself out of the image, you corrupted it somehow, and things did not go well? We've got our snapshots; how do we restore those and then go back to an earlier form of the image? At the very top here we'll click the search bar and type disks, and we'll click on disks, and then we'll click the plus. We're gonna put this in the same resource group as our VM, we'll call it snap restore 05 01, and use the same region. Then we have our source type, and this is where the magic happens. We click the drop-down and we can choose a snapshot, and then click the snapshot drop-down and we can select any one of our snapshots that are here. I'll choose our original snapshot so we can see the full rollback. Then we'll click to change our size; we'll restore to the original size that we had of 128 gigabytes. We'll select next, we'll go with the default encryption, use the same tags as before, click next, and we will hit create.

Back in our resource group, we now have our VM, the two snapshots, the original disk, and our newly restored disk. How now are we supposed to go about detaching this thing and then attaching the new one? Well, we can click on the VM, go to the disks section, and then we have a button here that'll do this for us. There is PowerShell code for this as well, but we'll click on the button to swap our OS disk, choose our disk from the drop-down, our snap restore, and then we need to type in the name of our VM to confirm, and then we press OK. Now the first step in the process here is it's going to stop our virtual machine, because we can't make changes to it while it is running. Now that that's complete, we're gonna swap the OS disk out, and that is complete. So now if we go back to the VM and refresh, we've got our snap restore here instead of our original image, and back in our resource group we see
that both of our disks are still here, so that we can go back to that one, since we know that it was working. But just for the test's sake, let's start up our VM. Now that our VM is in a running state, let's connect back into it using Bastion. We've put in our creds and hit connect, and if we open Add/Remove Programs we can see that there are no applications installed, and the same thing for all of our policies around our password history. So this VM has been successfully restored to before we did any of that stuff. We'll swap everything back using the same process, so let me log off that. In Add/Remove Programs you can see all of our apps are now restored, as well as our security policy settings for our passwords, so this image is ready to go.

Now all that's left at this point is we need to run sysprep. This can be found in the C:\, in Windows, System32, Sysprep, and we want to run this as the administrator. Here we'll click the generalize button, and then we have our shutdown option. Now, because we're running this in Azure, once sysprep completes we're going to lose connectivity to the VM, so I'm gonna go with the shutdown option, and we'll click OK. Now we'll click the capture button. We'll give our new image a name, and I'll call it WVD-05-image. We'll store it in our custom image resource group, and we have checked the box to delete the VM object now that we're done with this particular machine, and we'll hit create. And here we have our completed image.

Finally, we want to take this VM image and be able to use it for Windows Virtual Desktop. At the bottom we have our resource ID for our image, and we'll copy that, and then go to the plus and type in Windows Virtual Desktop, select provision a host pool, and hit create. I'll skip ahead to the virtual machine settings here, and here's where we'll choose our managed image. We'll put in our custom image name as well as the resource group name where that image is located, and fill out the rest of this as
is normal.

I've gone out to my GitHub page, my Azure WVD repo. We'll go to the WVD templates, new host, and then I've got a deploy to Azure button for my custom template that I use. This is a great template to use to build out an existing host pool as well; it's already got all the WVD agent and FSLogix stuff built in. I'll click to edit the template, and then I'll go down to my virtual machine. We'll scroll down just a little bit and you can see we have an image reference section, and what this is doing is pulling the Windows Server or Windows 10 operating system out of the Azure Marketplace, like we started with originally, and giving you the needed values to make that happen. If we wanted to use our custom template, we'd replace these items out of our image reference section with the ID of our custom image. We'll click save, fill out the rest of this information, scroll down to the bottom, check the box, and hit purchase.

And our build was complete. I've got my remote desktop app here, and I'll just launch the task manager real quick, just so we can see we're logged into our new VM. I'll use the hostname command and whoami, which will show who we're logged in as. We're definitely logged into WVD, to our new VM that we just provisioned, and we can open all of our new apps that I've already shared. There's VLC player for the first time, a new Edge browser, and we're able to get out to the Azure Academy. We run Visual Studio Code, and I can even run something like Notepad++, because I have access to the task manager and the command prompt, even though I didn't share that in the remote desktop application. So just be careful what you share, because it may give access to something that you didn't originally intend.

So I hope you've enjoyed walking through the process of creating your own custom image and getting that to work with Windows Virtual Desktop. I know this was a little longer than a typical video on the Azure Academy, but I think that it was worth it for
this topic, and if you enjoyed it or learned something new, please click that thumbs up and just let us know that you appreciated it. While you're down there, leave us some comments or questions that you have about doing custom images with WVD or about any other topic you're interested in, especially if you have a suggestion for a future video. We're always looking for more ideas. Please feel free to share this video or anything else on the Azure Academy with anyone else who may be interested in it; we're just looking to help everybody learn all they can about Azure. While you're down there, if you want to get an email notifying you when our new videos come out, which is about once a week, you can click the email notification bell as well. If you're looking for something else, we've got our latest video over here on the top, as well as a video that we picked out just for you over here at the bottom, so you can keep learning about Azure. Thanks for joining us for this video, and we will catch you in the next one. Happy learning!
Info
Channel: Azure Academy
Views: 18,244
Keywords: WVDImage, WVD Image, WVD Imaging, image management, azure academy windows virtual desktop, Shared Image Gallery, azure image builder, azure virtual desktop, azure wvd, TheAzureAcademy, SharedImageGallery, WVD, Windows Virtual Desktop, windows virtual desktop azure, Azure Academy, Imaging, virtual desktop windows 10, azure microsoft, hhdhdh image, microsoft deployment toolkit, virtual desktop, wvd azure, azure vdi, yt:cc=on
Id: PCWJEoG8X-I
Length: 25min 5sec (1505 seconds)
Published: Sun Apr 05 2020