Day 34: AZ-140 Pt.2.3 - Create Gold Images & Deploy



Section 2: Implement a Windows Virtual Desktop Infrastructure (25-30%)

Create and manage session host images  

The below should cover the following criteria for this section of the exam:
  • Create a gold image  
  • Modify a session host image  
  • Install language packs in Windows Virtual Desktop  
  • Deploy a session host by using a custom image  
  • Plan for image update and management  
  • Create and use a Shared Image Gallery  
  • Troubleshoot OS issues related to Windows Virtual Desktop 

Creating my gold image

I am going to create my image using a template provided by Microsoft but making some alterations to it, and then strip away the VHD and use that for my machines instead. 

In the steps below I am not going to spell out every click; I will give a general overview and you will need to fill in the gaps with your knowledge of Azure.

The following link goes over this all in a lot more detail. 


In the screenshot below I am performing the following tasks:
  • Selecting the latest image for multisession and O365 installed.
  • Disable boot diagnostics.
  • Disable Auto Shutdown.
  • Set Manual Patching.
  • Create a storage account.
  • In a real deployment you would use DSC here to apply all the PowerShell scripts below, instead of running them by hand.

Note: Once we have used the gold image VM we will remove it, so the settings below aren't permanent.


Installing Updates

Now we want to jump onto the box and kick off Windows Updates (note 20H2 is showing as I am using 2004 because of a script I'll be running). While that runs, download FSLogix from https://docs.microsoft.com/en-us/fslogix/install-ht - I'd suggest downloading it locally and copying it over, which saves you having to use Edge (shudders). Then open PowerShell ISE in admin mode and run the command below so we can run scripts without it moaning at us every second (don't worry, we'll re-enable it once I'm done). 

Set-ExecutionPolicy -ExecutionPolicy Bypass



Optimizing the image

Once WU is finished, we will run a couple of registry tweaks to follow best practice. There are a bare minimum of 2 or 3 one-liners we need to run, but from what I have seen there are a fair few more, so below are all of them. You can of course push these via GPO if you wanted, but for the purposes of getting this set up as quickly as possible for a lab, we'll only use GPO where it's really needed, to save time.

#Disable automatic updates
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f

#Specify Start layout for Windows 10 PCs (optional)
#reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SpecialRoamingOverrideAllowed /t REG_DWORD /d 1 /f

#Set up time zone redirection
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableTimeZoneRedirection /t REG_DWORD /d 1 /f

#Disable Storage Sense
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v 01 /t REG_DWORD /d 0 /f

#Other applications and registry configuration
#For feedback hub collection of telemetry data on Windows 10 Enterprise multi-session, run this command:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 3 /f

#Run the following command to fix Watson crashes:
#Removes any CorporateWerServer* values from HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting' -Name 'CorporateWerServer*' -ErrorAction SilentlyContinue

#Enter the following commands into the registry editor to fix 5k resolution support. You must run the commands before you can enable the side-by-side stack.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxMonitors /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxXResolution /t REG_DWORD /d 5120 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxYResolution /t REG_DWORD /d 2880 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\rdp-sxs" /v MaxMonitors /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\rdp-sxs" /v MaxXResolution /t REG_DWORD /d 5120 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\rdp-sxs" /v MaxYResolution /t REG_DWORD /d 2880 /f

#Run the SFC command:
sfc.exe /scannow

#Remove the WinHTTP proxy:
netsh.exe winhttp reset proxy

#Set Coordinated Universal Time (UTC) time for Windows. Also, set the startup type of the Windows time service w32time to Automatic:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation -Name RealTimeIsUniversal -Value 1 -Type DWord -Force
Set-Service -Name w32time -StartupType Automatic

#Set the power profile to high performance:
powercfg.exe /setactive SCHEME_MIN

#Make sure the environmental variables TEMP and TMP are set to their default values:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name TEMP -Value "%SystemRoot%\TEMP" -Type ExpandString -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name TMP -Value "%SystemRoot%\TEMP" -Type ExpandString -Force

#Make sure that each of the following Windows services is set to the Windows default value. These services are the minimum that must be configured to ensure VM connectivity.
Get-Service -Name BFE, Dhcp, Dnscache, IKEEXT, iphlpsvc, nsi, mpssvc, RemoteRegistry |
  Where-Object StartType -ne Automatic |
    Set-Service -StartupType Automatic

Get-Service -Name Netlogon, Netman, TermService |
  Where-Object StartType -ne Manual |
    Set-Service -StartupType Manual

#Remote Desktop Protocol (RDP) is enabled:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name fDenyTSConnections -Value 0 -Type DWord -Force

#The RDP port is set up correctly using the default port of 3389:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name PortNumber -Value 3389 -Type DWord -Force

#The listener is listening on every network interface:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name LanAdapter -Value 0 -Type DWord -Force

#Configure network-level authentication (NLA) mode for the RDP connections:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name SecurityLayer -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name fAllowSecProtocolNegotiation -Value 1 -Type DWord -Force

#Set the keep-alive value:
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name KeepAliveEnable -Value 1  -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name KeepAliveInterval -Value 1  -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name KeepAliveTimeout -Value 1 -Type DWord -Force

#Set the reconnect options:
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name fDisableAutoReconnect -Value 0 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name fInheritReconnectSame -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name fReconnectSame -Value 0 -Type DWord -Force

#Limit the number of concurrent connections:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name MaxInstanceCount -Value 4294967295 -Type DWord -Force

#Remove any self-signed certificates tied to the RDP listener:
if ((Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').Property -contains 'SSLCertificateSHA1Hash')
{
    Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name SSLCertificateSHA1Hash -Force
}

#Turn on Windows Firewall on the three profiles (domain, standard, and public):
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled True

#Run the following example to allow WinRM through the three firewall profiles (domain, private, and public), and enable the PowerShell remote service:
Enable-PSRemoting -Force
Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -Enabled True

#Enable the following firewall rules to allow the RDP traffic:
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True

#Enable the rule for file and printer sharing so the VM can respond to ping requests inside the virtual network:
Set-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' -Enabled True

#Create a rule for the Azure platform network:
New-NetFirewallRule -DisplayName AzurePlatform -Direction Inbound -RemoteAddress 168.63.129.16 -Profile Any -Action Allow -EdgeTraversalPolicy Allow
New-NetFirewallRule -DisplayName AzurePlatform -Direction Outbound -RemoteAddress 168.63.129.16 -Profile Any -Action Allow
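Before moving on it is worth reading the settings back rather than trusting that every line above ran. The following is an added example (not from the original post or from Microsoft's script): it compares the RDP, update and time settings configured above against the values we expect, checks that no leftover RDP certificate hash is present and that all three firewall profiles are on, and tells you whether the image is ready to sysprep.

```powershell
# Added example: verify the baseline set by the script above before sysprep.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$tsCtl  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$wuPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$tzInfo = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'

# Expected values are exactly the ones written by the script above.
$expected = @(
    @{ Path = $rdpTcp; Name = 'UserAuthentication';           Value = 1 }    # NLA required
    @{ Path = $rdpTcp; Name = 'SecurityLayer';                Value = 1 }
    @{ Path = $rdpTcp; Name = 'fAllowSecProtocolNegotiation'; Value = 1 }
    @{ Path = $rdpTcp; Name = 'PortNumber';                   Value = 3389 }
    @{ Path = $tsCtl;  Name = 'fDenyTSConnections';           Value = 0 }    # RDP enabled
    @{ Path = $tsPol;  Name = 'fEnableTimeZoneRedirection';   Value = 1 }
    @{ Path = $wuPol;  Name = 'NoAutoUpdate';                 Value = 1 }    # no WU on hosts
    @{ Path = $tzInfo; Name = 'RealTimeIsUniversal';          Value = 1 }
)

# Collect every value that is missing or differs from the baseline.
$drift = foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($actual -ne $e.Value) {
        [pscustomobject]@{ Name = $e.Name; Expected = $e.Value; Actual = $actual; Path = $e.Path }
    }
}

# A stale self-signed cert hash would be cloned into every session host,
# and a disabled firewall profile leaves the host wide open inside the VNet.
$certHash = (Get-Item -Path $rdpTcp).Property -contains 'SSLCertificateSHA1Hash'
$fwOff    = Get-NetFirewallProfile | Where-Object Enabled -ne True

if ($drift -or $certHash -or $fwOff) {
    Write-Warning 'Image does not match the expected baseline; do not sysprep yet.'
    $drift | Format-Table -AutoSize
    if ($certHash) { Write-Warning 'SSLCertificateSHA1Hash is still present on RDP-Tcp' }
    $fwOff | ForEach-Object { Write-Warning "Firewall profile $($_.Name) is disabled" }
} else {
    Write-Host 'All checked settings match the baseline; safe to sysprep.'
}
```

Run it from the same elevated PowerShell session; it only reads the registry and firewall state and changes nothing.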

Installing Language packs

You could at this stage install some language packs; use the link below for this as it's quite in-depth.


Running Virtual Desktop Optimization Tool (Preview)

Now we'll run an optimization script from the link below. I would suggest downloading it locally, copying it across to the machine and running it as shown; alternatively look at the readme file and follow that. I highly suggest you also read the GitHub page fully to understand what this does. It's worth pointing out that this script is in preview and thus shouldn't be in the exam, but knowing it exists will help in the future. I assume running registry changes like the last step would suffice in the exam.


The script threw up a few warning messages, but nothing to worry about. I think this is more to do with the image itself than anything else.  



Now reboot the box, once logged back in load up PowerShell and run the below command to revert.

Set-ExecutionPolicy -ExecutionPolicy Restricted

Sysprep and Snapshot Image

We also want to sysprep the machine by running the command below.

Note: You should probably take a snapshot at this point so you can go back and update or change certain scripts. As this is a test environment I am not concerned, but it's worth noting for exam purposes, I would imagine.




Once the machine is shut down, we can then look to import this image into our hostpool.

Jump onto ARM, snapshot the disk, and copy the VHD URI.



Add machine to hostpool with new image

We now want to spin up a VM to use this image: go into the hostpool and add a machine.
  • You will need to ensure the image URI is the one you copied in the last step.
  • You need to make sure you specify a storage account.
  • You need to use a local admin username and password.
  • You need to specify a domain join account.
Oh, and before you do the above, ensure your DC is actually online... as it might not be in a test env.
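The domain join is the step that fails silently when the DC is off or the VNet DNS is wrong, so here is an added pre-flight check (example code, not part of the original post) you can run from any machine on the same VNet before adding the session host. It finds the DCs for the domain via the same SRV record the join uses and then tests the ports the join needs. The domain name is a placeholder you need to replace.

```powershell
# Added example: confirm a DC for the join domain is resolvable and reachable.
$Domain = 'corp.example.com'   # placeholder, replace with your AD domain

# Domain join locates DCs through the _ldap SRV record, so test that first;
# no answer usually means the VNet DNS server is not pointing at the DC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No DC SRV records found for $Domain; check the VNet DNS settings."
    return
}
# SRV answers carry the DC hostname in NameTarget (additional A records do not).
$dcs = $srv | Where-Object { $_.NameTarget } | Select-Object -ExpandProperty NameTarget -Unique

# Ports the join needs: Kerberos (88), LDAP (389) and SMB (445) for NETLOGON/SYSVOL.
$ports = 88, 389, 445
$results = foreach ($dc in $dcs) {
    foreach ($p in $ports) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ DC = $dc; Port = $p; Reachable = $ok }
    }
}
$results | Format-Table -AutoSize

# Any DC with all three ports open is good enough to proceed with the join.
$ready = $results | Group-Object DC | Where-Object { ($_.Group.Reachable -notcontains $false) }
if ($ready) { Write-Host "Ready to join: $($ready.Name -join ', ')" }
else        { Write-Warning 'No DC is fully reachable; start the DC or fix the NSG/DNS first.' }
```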



Once done, the machine should show up in AD as domain joined and you should be able to log in via the RDP application.




Logging onto VDI session through the RDP tool

Now we can fire up the RD client and connect to our WVD.




Troubleshooting Issues

If we want some assistance with troubleshooting, we can use the below link:


Summary

We should find most of the points hit above, there will be more detail added later as I learn more.



