AutomaticLogonWindows and AzureVirtualDesktop: Difference between pages

From Piszczynski
(Difference between pages)
piszczynski>Aleks
(Created page with " == Automatically Logon to windows without entering password == Best used with a home PC and a local account you can set to not require a password. First create a local acco...")
 
== Automatically Logon to windows without entering password ==

Best used with a home PC and a local account you can set to not require a password.

First create a local account with the permissions you require.

Then make the following changes in the registry using a PowerShell script:
<pre>
# Winlogon reads these values at boot and signs the account in without prompting.
# The key lives under HKLM, so the script must run from an elevated session.
$Username = '<username>'
$Pass = '<password>'
$RegistryPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty $RegistryPath 'AutoAdminLogon' -Value "1" -Type String
Set-ItemProperty $RegistryPath 'DefaultUsername' -Value $Username -Type String
# DefaultPassword is stored in clear text; anyone who can read this key can recover it.
Set-ItemProperty $RegistryPath 'DefaultPassword' -Value $Pass -Type String
</pre>

Restart the computer for the change to take effect.
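The script above leaves the account password readable in clear text in the registry. The following is an added example (not from the original page) that audits the same Winlogon key and, when asked, removes the automatic logon again. It assumes only the value names used above plus AutoLogonCount, an optional countdown value Winlogon decrements on each automatic logon.

```powershell
# Added example: audit and remove Winlogon automatic logon.
# Same key as the script above; AutoLogonCount is assumed (not on the page) to be the
# optional countdown value that Winlogon decrements on each automatic logon.
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonState {
    $p = Get-ItemProperty -Path $WinlogonPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled              = ($p.AutoAdminLogon -eq '1')
        DefaultUserName      = $p.DefaultUserName
        DefaultDomainName    = $p.DefaultDomainName
        # Report presence only; never echo the secret itself into logs or transcripts.
        ClearTextPasswordSet = -not [string]::IsNullOrEmpty($p.DefaultPassword)
        AutoLogonCount       = $p.AutoLogonCount
    }
}

function Disable-AutoLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($WinlogonPath, 'disable automatic logon and delete DefaultPassword')) {
        Set-ItemProperty -Path $WinlogonPath -Name AutoAdminLogon -Value '0' -Type String
        # Delete the value rather than blanking it, so the old password is not left behind.
        Remove-ItemProperty -Path $WinlogonPath -Name DefaultPassword -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $WinlogonPath -Name AutoLogonCount -ErrorAction SilentlyContinue
    }
}

$state = Get-AutoLogonState
$state | Format-List
if ($state.Enabled -and $state.ClearTextPasswordSet) {
    Write-Warning "Automatic logon for '$($state.DefaultUserName)' keeps its password in clear text under HKLM."
}
# Disable-AutoLogon -WhatIf   # preview; drop -WhatIf to apply
```

Run Disable-AutoLogon -WhatIf first to see what would change. If automatic logon is genuinely needed, the Sysinternals Autologon tool stores the password as an LSA secret instead of a clear-text registry string, which this audit would then report as ClearTextPasswordSet = False.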

Revision as of 15:24, 30 December 2022

== Automate creation of azure virtual desktop ==

This cmdlet will create the host pool, workspace, and desktop app group. Additionally, it will register the desktop app group to the workspace. You can either create a workspace with this cmdlet or use an existing workspace.

*New-AzWvdHostPool -ResourceGroupName <resourcegroupname> -Name <hostpoolname> -WorkspaceName <workspacename> -HostPoolType <Pooled|Personal> -LoadBalancerType <BreadthFirst|DepthFirst|Persistent> -Location <region> -DesktopAppGroupName <appgroupname>

Run the next cmdlet to create a registration token to authorize a session host to join the host pool and save it to a new file on your local computer. You can specify how long the registration token is valid by using the -ExpirationHours parameter.

*New-AzWvdRegistrationInfo -ResourceGroupName <resourcegroupname> -HostPoolName <hostpoolname> -ExpirationTime $((get-date).ToUniversalTime().AddDays(1).ToString('yyyy-MM-ddTHH:mm:ss.fffffffZ'))

After that, run this cmdlet to add Azure Active Directory users to the default desktop app group for the host pool.

*New-AzRoleAssignment -SignInName <userupn> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <hostpoolname+"-DAG"> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'

Run this next cmdlet to add Azure Active Directory user groups to the default desktop app group for the host pool:

*New-AzRoleAssignment -ObjectId <usergroupobjectid> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <hostpoolname+"-DAG"> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'

Run the following cmdlet to export the registration token to a variable, which will be used later to register the virtual machines to the Azure Virtual Desktop host pool.

*$token = Get-AzWvdRegistrationInfo -ResourceGroupName <resourcegroupname> -HostPoolName <hostpoolname>
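The host pool and registration token steps above, combined into one re-runnable function, as an added example that is not part of the original page. It assumes the Az.DesktopVirtualization module is installed and Connect-AzAccount has been run; every resource name is a placeholder, and the 720-hour upper bound on token lifetime is an assumption taken from the service's documented 30-day maximum. The function uses -ExpirationTime, as the page's own cmdlet line does.

```powershell
# Added example: create (or reuse) an AVD host pool and mint a short-lived registration token.
# Assumes Az.DesktopVirtualization is installed and Connect-AzAccount has been run.
# All names are placeholders; HostPoolType/LoadBalancerType values are those the page lists.
function New-AvdHostPoolWithToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$HostPoolName,
        [Parameter(Mandatory)] [string]$WorkspaceName,
        [Parameter(Mandatory)] [string]$Location,
        [string]$AppGroupName = "$HostPoolName-DAG",
        [ValidateSet('Pooled', 'Personal')] [string]$HostPoolType = 'Pooled',
        [ValidateSet('BreadthFirst', 'DepthFirst', 'Persistent')] [string]$LoadBalancerType = 'BreadthFirst',
        # A registration token is a bearer credential: whoever holds it can join a VM to the pool.
        # Default to one day; the 720-hour ceiling is the assumed 30-day service maximum.
        [ValidateRange(1, 720)] [int]$TokenValidHours = 24
    )
    $ErrorActionPreference = 'Stop'

    # Reuse an existing pool so the function is safe to run twice.
    $pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName -ErrorAction SilentlyContinue
    if (-not $pool) {
        $pool = New-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
            -WorkspaceName $WorkspaceName -HostPoolType $HostPoolType -LoadBalancerType $LoadBalancerType `
            -Location $Location -DesktopAppGroupName $AppGroupName
    }

    # Same timestamp format the page uses for -ExpirationTime, computed from the requested lifetime.
    $expiry = (Get-Date).ToUniversalTime().AddHours($TokenValidHours).ToString('yyyy-MM-ddTHH:mm:ss.fffffffZ')
    New-AzWvdRegistrationInfo -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName `
        -ExpirationTime $expiry | Out-Null

    $reg = Get-AzWvdRegistrationInfo -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName
    if ([string]::IsNullOrEmpty($reg.Token)) { throw "No registration token was returned for $HostPoolName" }

    # Hand the token back as a SecureString so it does not land in transcripts or console history.
    [pscustomobject]@{
        HostPoolId   = $pool.Id
        AppGroupName = $AppGroupName
        TokenExpires = $reg.ExpirationTime
        Token        = ConvertTo-SecureString -String $reg.Token -AsPlainText -Force
    }
}

# Example call with placeholder names:
# $result = New-AvdHostPoolWithToken -ResourceGroupName 'rg-avd' -HostPoolName 'hp-avd' -WorkspaceName 'ws-avd' -Location 'westeurope'
```

$result.Token is only converted back to plain text at the moment it is passed to the session host agent installer; keeping it as a SecureString until then avoids leaving a reusable join credential in shell history or a log file.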


== Assign Users to Host Pool ==
=== Automatic assignment ===

To configure a host pool to automatically assign users to VMs, run the following PowerShell cmdlet:

*Update-AzWvdHostPool -ResourceGroupName <resourcegroupname> -Name <hostpoolname> -PersonalDesktopAssignmentType Automatic

To assign a user to the personal desktop host pool, run the following PowerShell cmdlet:

*New-AzRoleAssignment -SignInName <userupn> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'

=== Direct Assignment ===

To configure a host pool to require direct assignment of users to session hosts, run the following PowerShell cmdlet:

*Update-AzWvdHostPool -ResourceGroupName <resourcegroupname> -Name <hostpoolname> -PersonalDesktopAssignmentType Direct

To assign a user to the personal desktop host pool, run the following PowerShell cmdlet:

*New-AzRoleAssignment -SignInName <userupn> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'

To assign a user to a specific session host, run the following PowerShell cmdlet:

*Update-AzWvdSessionHost -HostPoolName <hostpoolname> -Name <sessionhostname> -ResourceGroupName <resourcegroupname> -AssignedUser <userupn>

You can also assign users directly in the Azure portal: Azure Virtual Desktop page > Host pools.
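The assignment steps above (setting the pool mode, granting the app-group role, and pinning a user to a session host) as one function, added here as an example and not taken from the original page. It assumes Az.DesktopVirtualization and Az.Resources are loaded; the names are placeholders, and the app group defaults to the page's <hostpoolname>-DAG convention.

```powershell
# Added example: put a personal host pool into Automatic or Direct mode and assign one user.
# Assumes Az.DesktopVirtualization and Az.Resources are loaded; all names are placeholders.
function Set-AvdPersonalAssignment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$HostPoolName,
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        # When given, the pool is switched to Direct and the user is pinned to this session host.
        [string]$SessionHostName,
        [string]$AppGroupName = "$HostPoolName-DAG"
    )
    $ErrorActionPreference = 'Stop'
    $roleName = 'Desktop Virtualization User'
    $agType   = 'Microsoft.DesktopVirtualization/applicationGroups'
    $sh       = $null

    $mode = if ($SessionHostName) { 'Direct' } else { 'Automatic' }
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
        -PersonalDesktopAssignmentType $mode | Out-Null

    # Grant the app-group role only if it is missing; a duplicate New-AzRoleAssignment fails.
    $existing = Get-AzRoleAssignment -SignInName $UserPrincipalName -RoleDefinitionName $roleName `
        -ResourceName $AppGroupName -ResourceGroupName $ResourceGroupName -ResourceType $agType `
        -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzRoleAssignment -SignInName $UserPrincipalName -RoleDefinitionName $roleName `
            -ResourceName $AppGroupName -ResourceGroupName $ResourceGroupName -ResourceType $agType | Out-Null
    }

    if ($SessionHostName) {
        $sh = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName -Name $SessionHostName
        # Do not silently take over a desktop that already belongs to a different user.
        if ($sh.AssignedUser -and $sh.AssignedUser -ne $UserPrincipalName) {
            throw "$SessionHostName is already assigned to $($sh.AssignedUser); unassign it first"
        }
        Update-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName `
            -Name $SessionHostName -AssignedUser $UserPrincipalName | Out-Null
        # Re-read so the report reflects what the service stored, not what we sent.
        $sh = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName -Name $SessionHostName
    }

    [pscustomobject]@{
        HostPool        = $HostPoolName
        AssignmentType  = $mode
        User            = $UserPrincipalName
        RoleAlreadyHeld = [bool]$existing
        SessionHost     = $SessionHostName
        AssignedUser    = if ($sh) { $sh.AssignedUser } else { $null }
    }
}

# Automatic mode, role only:
# Set-AvdPersonalAssignment -ResourceGroupName 'rg-avd' -HostPoolName 'hp-avd' -UserPrincipalName 'user@example.com'
# Direct mode, pinned to one host:
# Set-AvdPersonalAssignment -ResourceGroupName 'rg-avd' -HostPoolName 'hp-avd' -UserPrincipalName 'user@example.com' -SessionHostName 'vm01.example.local'
```

The pre-check on AssignedUser matters in Direct mode: Update-AzWvdSessionHost will happily overwrite an existing assignment, so without it a scripted run can quietly move one user's desktop to another.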


== Edit Remote Desktop Protocol properties for users (RDP settings) ==

To add or edit a single custom Remote Desktop Protocol property, run the following PowerShell cmdlet:

*Set-RdsHostPool -TenantName <tenantname> -Name <hostpoolname> -CustomRdpProperty "<property>"

To edit multiple custom properties, use a semicolon-separated list:

<pre>
$properties="<property1>;<property2>;<property3>"
Set-RdsHostPool -TenantName <tenantname> -Name <hostpoolname> -CustomRdpProperty $properties
</pre>

To enable access from Windows devices not joined to Azure AD, add targetisaadjoined:i:1 as a custom RDP property to the host pool.

To access Azure AD-joined virtual machines using the web, Android, macOS and iOS clients, you must add targetisaadjoined:i:1 as a custom RDP property to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host.
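Because -CustomRdpProperty replaces the whole semicolon-separated string, adding targetisaadjoined:i:1 by hand can drop or duplicate properties that were already set. The following added example (not from the original page) merges properties by name before the string is applied with the page's Set-RdsHostPool cmdlet. Merge-RdpProperty is plain string handling with no module dependency; the sample property string is constructed for the example.

```powershell
# Added example: merge custom RDP properties by name before applying them.
# Set-RdsHostPool is the cmdlet the page uses; Merge-RdpProperty is plain string handling.
function Merge-RdpProperty {
    param(
        [string]$Existing,            # current -CustomRdpProperty string, may be empty
        [string[]]$Set = @(),         # properties to add or overwrite
        [string[]]$Remove = @()       # property names to drop, e.g. 'redirectclipboard'
    )
    # RDP properties are name:type:value with type i (integer), s (string) or b (binary).
    $pattern = '^(?<name>[^:]+):(?<type>[isb]):(?<value>.*)$'
    $table = [ordered]@{}
    foreach ($entry in (($Existing -split ';') + $Set)) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry -notmatch $pattern) {
            throw "Malformed RDP property '$entry' (expected name:i:value, name:s:value or name:b:value)"
        }
        # Later entries win, so a name present in both $Existing and $Set is replaced, not duplicated.
        $table[$Matches.name.ToLowerInvariant()] = $entry
    }
    foreach ($name in $Remove) { $table.Remove($name.ToLowerInvariant()) }
    $table.Values -join ';'
}

# Constructed input: a host pool that already carries three properties.
$current = 'audiomode:i:0;redirectclipboard:i:1;drivestoredirect:s:*'
# Add targetisaadjoined:i:1, stop redirecting all drives, and drop clipboard redirection.
$merged = Merge-RdpProperty -Existing $current -Set @('targetisaadjoined:i:1', 'drivestoredirect:s:') -Remove 'redirectclipboard'
$merged

# Apply with the page's cmdlet (placeholders):
# Set-RdsHostPool -TenantName '<tenantname>' -Name '<hostpoolname>' -CustomRdpProperty $merged
```

Read the current value back from the host pool first and pass it as -Existing; the malformed-entry check then also catches a stray quote or missing type letter before it reaches the service.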

== Apply Licence to Azure virtual desktop session host ==

<pre>
$vm = Get-AzVM -ResourceGroup <resourceGroupName> -Name <vmName>
$vm.LicenseType = "Windows_Client"
Update-AzVM -ResourceGroupName <resourceGroupName> -VM $vm
</pre>

Verify license:

*Get-AzVM -ResourceGroupName <resourceGroupName> -Name <vmName>

Run the following cmdlet to see a list of all session host virtual machines that have the Windows license applied in your Azure subscription:

<pre>
$vms = Get-AzVM
$vms | Where-Object {$_.LicenseType -like "Windows_Client"} | Select-Object ResourceGroupName, Name, LicenseType
</pre>
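The license step above applied to every session host of one host pool, with a before/after report, as an added example rather than the page's own code. It assumes Az.DesktopVirtualization and Az.Compute are loaded and that each session host's ResourceId is the ARM id of its VM (the usual shape, parsed here with a regular expression); the cmdlet is re-runnable and supports -WhatIf.

```powershell
# Added example: set LicenseType on every VM behind an AVD host pool and report the result.
# Assumes Az.DesktopVirtualization and Az.Compute; session host ResourceId is assumed to be
# the VM's ARM id (.../resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>).
function Set-AvdSessionHostLicense {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$HostPoolName,
        [string]$LicenseType = 'Windows_Client'
    )
    $ErrorActionPreference = 'Stop'
    $idPattern = '/resourceGroups/(?<rg>[^/]+)/providers/Microsoft\.Compute/virtualMachines/(?<vm>[^/]+)$'

    $report = foreach ($sh in Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName) {
        if ($sh.ResourceId -notmatch $idPattern) {
            Write-Warning "Skipping $($sh.Name): unexpected resource id '$($sh.ResourceId)'"
            continue
        }
        $vm = Get-AzVM -ResourceGroupName $Matches.rg -Name $Matches.vm
        $before = $vm.LicenseType
        if ($before -ne $LicenseType -and $PSCmdlet.ShouldProcess($vm.Name, "set LicenseType=$LicenseType")) {
            $vm.LicenseType = $LicenseType
            Update-AzVM -ResourceGroupName $vm.ResourceGroupName -VM $vm | Out-Null
            # Re-read rather than trusting the local object, so the report shows what Azure stored.
            $vm = Get-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name
        }
        [pscustomobject]@{
            SessionHost = $sh.Name
            VM          = $vm.Name
            Before      = $before
            After       = $vm.LicenseType
        }
    }
    $report
}

# Preview, then apply (placeholder names):
# Set-AvdSessionHostLicense -ResourceGroupName 'rg-avd' -HostPoolName 'hp-avd' -WhatIf
# Set-AvdSessionHostLicense -ResourceGroupName 'rg-avd' -HostPoolName 'hp-avd' | Format-Table -AutoSize
```

Any row whose After column is not Windows_Client after the run is a host that still needs attention, and the subscription-wide Get-AzVM listing from the page is the cross-check.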


== Create and configure session host images ==

=== Create Local Image ===
You can use Hyper-V Manager to create a VM from a copied VHD.

Ensure checkpoints are disabled:
*Set-VM -Name <VMNAME> -CheckpointType Disabled

Ensure that the disk is a fixed disk, as disks are created as dynamic by default. Using the Hyper-V PowerShell module, convert the disk to fixed:
*Convert-VHD -Path c:\test\MY-VM.vhdx -DestinationPath c:\test\MY-NEW-VM.vhd -VHDType Fixed

Then you can upload the image (VHD) to an Azure Blob container, either with Storage Explorer or using azcopy.

=== Modify/Configure Session Host image ===

Disable Automatic Updates via registry key:
*reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f

Specify Start layout for Windows 10 computers:
*reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SpecialRoamingOverrideAllowed /t REG_DWORD /d 1 /f

Set up time zone redirection:
*reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableTimeZoneRedirection /t REG_DWORD /d 1 /f

Disable Storage Sense (Microsoft recommends this for Azure Virtual Desktop hosts):
*reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v 01 /t REG_DWORD /d 0 /f

'''Install Office 365''' - see [[OfficeDeploymentTool]]

'''Configure OneDrive''' - see [[OneDrive]]

After completing the install of apps and configuration changes, run the sysprep tool to generalize the image:
*C:\Windows\System32\Sysprep\sysprep.exe /oobe /generalize /shutdown
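The four registry changes above, applied from one table and read back before sysprep, as an added example that is not from the original page. It uses the PowerShell registry provider instead of reg.exe so that every value can be verified; the only caveat it encodes is that the Storage Sense value lives under HKCU, so it only affects the profile that runs the script.

```powershell
# Added example: apply and verify the image registry settings above from one table.
# Uses the registry provider instead of reg.exe so each value can be read back.
$ImageSettings = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';    Name = 'NoAutoUpdate';                  Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer';       Name = 'SpecialRoamingOverrideAllowed'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'fEnableTimeZoneRedirection';    Value = 1 }
    # HKCU only affects the profile running this script; use the Default user hive or a GPO
    # if every user on the image needs Storage Sense off.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy'; Name = '01'; Value = 0 }
)

function Set-ImageRegistrySetting {
    param([Parameter(Mandatory)] [hashtable[]]$Setting)
    foreach ($s in $Setting) {
        if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        # -Force overwrites an existing value of the same name, matching reg add /f.
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
    }
}

function Test-ImageRegistrySetting {
    param([Parameter(Mandatory)] [hashtable[]]$Setting)
    foreach ($s in $Setting) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Path     = $s.Path
            Name     = $s.Name
            Expected = $s.Value
            Actual   = $actual
            Ok       = ($null -ne $actual -and [int]$actual -eq $s.Value)
        }
    }
}

Set-ImageRegistrySetting -Setting $ImageSettings
$report = Test-ImageRegistrySetting -Setting $ImageSettings
$report | Format-Table -AutoSize
# Do not run sysprep until every row reports Ok = True.
if ($report | Where-Object { -not $_.Ok }) { throw 'One or more image settings did not apply' }
```

The verification pass is the point: reg add returns success even when a later policy refresh or a mistyped path means the value never took effect, and an image that is generalized with automatic updates still enabled is expensive to rebuild.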


== Set up Network for Virtual Desktop Session Hosts ==

=== Outbound Access ===
'''Outbound for Azure Virtual Desktop'''

Azure virtual machines you create for Azure Virtual Desktop must have access to several Fully Qualified Domain Names (FQDNs) to function properly.

Azure Firewall provides an Azure Virtual Desktop FQDN Tag to simplify this configuration. Use the following steps to allow outbound Azure Virtual Desktop platform traffic:

Deploy Azure Firewall and configure your Azure Virtual Desktop host pool subnet User Defined Route (UDR) to route all traffic via the Azure Firewall. Your default route now points to the firewall.

Create an application rule collection and add a rule to enable the WindowsVirtualDesktop FQDN tag. The source IP address range is the host pool virtual network, the protocol is https, and the destination is WindowsVirtualDesktop.

The set of required storage and service bus accounts for your Azure Virtual Desktop host pool is deployment-specific. It isn't captured in the WindowsVirtualDesktop FQDN tag. You can address this in one of the following ways:
*Allow https access from your host pool subnet to *xt.blob.core.windows.net, *eh.servicebus.windows.net and *xt.table.core.windows.net. These wildcard FQDNs enable the required access, but are less restrictive.
*Use the following Log Analytics query to list the exact required FQDNs, and then allow them explicitly in your firewall application rules:
<pre>
AzureDiagnostics
| where Category == "AzureFirewallApplicationRule"
| search "Deny"
| search "gsm*eh.servicebus.windows.net" or "gsm*xt.blob.core.windows.net" or "gsm*xt.table.core.windows.net"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int " to " FQDN ":" *
| project TimeGenerated,Protocol,FQDN
</pre>

Create a network rule collection and add the following rules:
*Allow DNS. Traffic from your AD DS private IP address to * for TCP and UDP port 53.
*Allow KMS. Traffic from your Azure Virtual Desktop virtual machines to the Windows Activation Service, TCP port 1688.
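The explicit-FQDN option above, carried through end to end as an added example (not the page's own code): run the page's Log Analytics query from PowerShell, reduce the result to distinct destinations, and build an application rule from them. It assumes Az.OperationalInsights and Az.Network are loaded and that the firewall's diagnostic logs are already flowing to the workspace; the workspace id, subnet and rule name are placeholders.

```powershell
# Added example: turn the page's KQL query into an explicit Azure Firewall application rule.
# Assumes Az.OperationalInsights and Az.Network; firewall diagnostics already land in the workspace.
function Get-AvdDeniedStorageFqdn {
    param(
        [Parameter(Mandatory)] [string]$WorkspaceId,   # Log Analytics workspace (customer) id, a GUID
        [int]$Days = 7
    )
    $ErrorActionPreference = 'Stop'
    # The same query the page gives, as a here-string.
    $kql = @'
AzureDiagnostics
| where Category == "AzureFirewallApplicationRule"
| search "Deny"
| search "gsm*eh.servicebus.windows.net" or "gsm*xt.blob.core.windows.net" or "gsm*xt.table.core.windows.net"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int " to " FQDN ":" *
| project TimeGenerated, Protocol, FQDN
'@
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql -Timespan (New-TimeSpan -Days $Days)
    # Rows come back with one property per projected column; keep the distinct destinations only.
    $result.Results | Select-Object -ExpandProperty FQDN -Unique | Sort-Object
}

function New-AvdStorageFqdnRule {
    param(
        [Parameter(Mandatory)] [string[]]$Fqdn,
        [Parameter(Mandatory)] [string]$HostPoolSubnet,   # e.g. '10.0.1.0/24' (placeholder)
        [string]$RuleName = 'avd-deployment-storage'
    )
    # Accept only the three suffixes the page names. Anything else in the log output is a parse
    # artefact or an unrelated deny and must not be turned into an allow rule by accident.
    $allowed = '(xt\.blob\.core\.windows\.net|eh\.servicebus\.windows\.net|xt\.table\.core\.windows\.net)$'
    $bad = @($Fqdn | Where-Object { $_ -notmatch $allowed })
    if ($bad.Count -gt 0) { throw "Refusing unexpected FQDN(s): $($bad -join ', ')" }
    if ($Fqdn.Count -eq 0) { throw 'No FQDNs supplied; nothing to allow' }
    New-AzFirewallApplicationRule -Name $RuleName -SourceAddress $HostPoolSubnet -TargetFqdn $Fqdn -Protocol 'https:443'
}

# Usage (placeholders): collect a week of denies, then build the rule object.
# $fqdns = Get-AvdDeniedStorageFqdn -WorkspaceId '00000000-0000-0000-0000-000000000000'
# $rule  = New-AvdStorageFqdnRule -Fqdn $fqdns -HostPoolSubnet '10.0.1.0/24'
```

New-AzFirewallApplicationRule only builds the rule object; add it to the firewall's application rule collection and commit with Set-AzFirewall. Because the list is derived from denied traffic, run the query again after the rule is in place: an empty result is the check that every deployment-specific account is now covered without falling back to the broader wildcards.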

=== RDP Shortpath ===
Enable RDP Shortpath to improve connections to session hosts for clients that have a direct connection to the network the session hosts are on.

You will need to enable the RDP Shortpath listener on the session hosts. To enable it:

Install the administrative templates that add rules and settings for Azure Virtual Desktop. Download the Azure Virtual Desktop policy templates file (AVDGPTemplate.cab, from https://aka.ms/avdgpo) and extract the contents of the .cab file and .zip archive.

Copy the terminalserver-avd.admx file, then paste it into the %windir%\PolicyDefinitions folder.

Copy the en-us\terminalserver-avd.adml file, then paste it into the %windir%\PolicyDefinitions\en-us folder.

To confirm the files copied correctly, open the Group Policy Editor and go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop.

You should see one or more Azure Virtual Desktop policies.

Open the Enable RDP Shortpath for managed networks policy and set it to Enabled. If you enable this policy setting, you can also configure the port number that the Azure Virtual Desktop session host will use to listen for incoming connections. The default port is 3390.

Restart your session host to apply the changes.

'''Configure Windows Defender Firewall for RDP Shortpath'''
*New-NetFirewallRule -DisplayName 'Remote Desktop - Shortpath (UDP-In)' -Action Allow -Description 'Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3390]' -Group '@FirewallAPI.dll,-28752' -Name 'RemoteDesktop-UserMode-In-Shortpath-UDP' -PolicyStore PersistentStore -Profile Domain, Private -Service TermService -Protocol udp -LocalPort 3390 -Program '%SystemRoot%\system32\svchost.exe' -Enabled:True
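A post-restart check that the policy, the firewall rule and the listener all agree, added here as an example and not part of the original page. It reads the rule by the name the page's New-NetFirewallRule command sets. The registry value names fUseUdpPortRedirector and UdpPortNumber, which the policy writes under the Terminal Services policy key, are an assumption taken from Microsoft's documentation rather than from this page.

```powershell
# Added example: verify RDP Shortpath for managed networks on a session host.
# Rule name and port come from the page; fUseUdpPortRedirector / UdpPortNumber are the policy's
# registry values as documented by Microsoft (assumed here, not stated on the page).
function Test-RdpShortpath {
    param(
        [int]$Port = 3390,
        [string]$RuleName = 'RemoteDesktop-UserMode-In-Shortpath-UDP'
    )
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $p    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $rule = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue
    $portFilter = if ($rule) { $rule | Get-NetFirewallPortFilter } else { $null }
    # The listener only exists after the policy is applied and the host restarted.
    $listener = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        PolicyEnabled = ($p.fUseUdpPortRedirector -eq 1)
        PolicyPort    = $p.UdpPortNumber
        RuleExists    = [bool]$rule
        RuleEnabled   = ($rule.Enabled -eq 'True')
        RuleProfiles  = $rule.Profile
        RuleProtocol  = $portFilter.Protocol
        RuleUdpPort   = $portFilter.LocalPort
        ListenerUp    = [bool]$listener
    }
    # A single verdict so the object can drive a script: everything must line up on the same port.
    $result | Add-Member -NotePropertyName Ready -NotePropertyValue (
        $result.PolicyEnabled -and $result.RuleExists -and $result.RuleEnabled -and
        $result.ListenerUp -and ([string]$result.RuleUdpPort -eq [string]$Port) -and
        ($null -eq $result.PolicyPort -or [int]$result.PolicyPort -eq $Port)
    ) -PassThru
}

Test-RdpShortpath | Format-List
```

A common mismatch the check surfaces is a policy set to a non-default port while the firewall rule still allows 3390; RuleUdpPort and PolicyPort then differ and Ready reports False. The rule the page creates is scoped to the Domain and Private profiles only, which RuleProfiles lets you confirm.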