Day 43: AZ-140 Pt.6 - Summary

Summary

Quick overview of things to consider:

Disclaimers:
  • In the below, it's a list of points to scan over and quickly go away and research.
  • All opinions below are my own and are not representative of any company I am linked with.
  • All scripts and information followed below are at your own risk, and I hold no responsibility if you run any of it in production without testing in pre-production first.

Planning
  • Understand the RBAC roles and who is going to be assigned them (Users, Support and Admins); use groups and nest users in those groups.
  • Desktop Virtualization User
  • Host Pool Contributor, Application Group Contributor, User Session Operator, Session Host Operator, Virtual Machine Contributor
  • Understand OS types, and why you would use Multi-session over Standard images
  • Plan your host pools, using a similar naming convention to RG creation.
  • Understand the difference between Breadth-first and Depth-first.
  • Depth-first: sessions fill one machine until its resources have been used up, then the next machine gets allocated.
  • Breadth-first: we don't really care which machine a user lands on; Azure spreads new sessions across the available hosts.
  • Understand the difference between Pooled and Personal.
  • Configure workspace metadata to be in the same region as the host pool if possible.
  • Understand minimum / recommended VM specifications, e.g. MS D4s_v3, Standard D2s_v3
  • Create Resource Groups - Follow a naming convention of some kind like
  1. The resource group will be called: rg-wvd-prod-uksouth-01
  2. rg (resource group) 
  3. wvd (windows virtual desktop) 
  4. prod (production) 
  5. uksouth (location) 
  6. 01 (in case we create more)
  • Decide between Azure Files or NetApp Files
  • Calculate the costs of WVD and know where to find this info.
  • Understand User Profiles
  • Why use FSLogix, how it's configured, and the ability to use cloud sync.
  • Connecting to your WVD
  • Use Bastion if possible, or use Remote Desktop from within the domain environment to manage sessions.
  • Understand Azure AD Connect and how to sync on-prem users/computers with Azure; use pass-through authentication (you'll need to install the agent for this) and password hash sync as a backup.
Networks
  • Understand Network Security Gateways in Azure
  • Understand how to create a Virtual Network in Azure
  • Ensure all groups and resources follow naming conventions as in Planning phase
  • Understand how to configure Bastion, e.g. subnet 10.2.1.0/27; it must be a /27.
  • Understand how Virtual Network Peering works; your host pool RG will need visibility of wherever your AD controller is hosted.
  • Understand how to monitor your network, and how to use the Monitoring blade within Azure.
Storage
  • You'll need to ensure AD Connect is installed on your domain somewhere, preferably not on a DC.
  • You'll need to have a storage account created; use FileStorage if you use premium, or StorageV2 on standard.
  • The storage account name cannot be longer than 15 characters, or File Sync won't work.
  • Create separate folders for profile and Office containers if you intend on splitting them, else create one folder for both, which is what Microsoft recommends.
  • Use the AzFilesHybrid script to register the storage account with your organization's AD.
  • Assign users access to the FSLogix folder locations so they can write their .vhds to the file shares.
Hostpools
  • Understand how to create hostpools
  • The differences between pooled and personal
  • The differences between breadth first and depth first.
  • If adding machines, have an account with access to domain join.
  • Understand how to configure the hostpool settings.
  • Understand how to add users into the hostpool and assign the correct role: Desktop Virtualization User.
  • Understand how to manage the updates of the machines, ensure an update process is in place.
Gold imaging
  • Understand how to create a gold image
  • Understand how to optimize the image
  • Use the Virtual Desktop Optimization Tool (preview)
  • Understand how to sysprep and snapshot that image for gold image use
Security
  • Intune doesn't support a lot of multi-session functionality
  • Intune also doesn't support much in the way of standard images for WVD either
  • However, understand what is "available" in Intune just in case this changes
  • Understand how to create a policy that requires users to have MFA enabled
  • Understand how to access Security Center and observe its "recommendations"
  • Understand regulatory compliance within Security Center
  • Understand how to enable Azure Defender and what it gives you vs. not being enabled
  • Understand the costs for Defender
  • Endpoint protection is covered by Microsoft Antimalware
  • Ensure FSLogix folders are excluded from scans (for performance)
  • Decide whether to use Real Time or Scheduled scans
Access
  • In the planning phase, you would've checked the relevant roles
  • Understand how to add these roles via the Resource Manager
  • Understand that these roles can also be pushed via PowerShell

Assign the role to a single user by UPN:
New-AzRoleAssignment -SignInName <userupn> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'

Assign the role to a group by its object ID (preferred, per the Planning section):
New-AzRoleAssignment -ObjectId <usergroupobjectid> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'
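The same assignment done the way the Planning section advises (groups, not users, and the narrowest scope each role needs), as an added example that is not from the original post. Group names, the resource group and the host pool / app group names are placeholders; it assumes Az.Accounts, Az.Resources and Az.DesktopVirtualization are installed and Connect-AzAccount has been run.

```powershell
# Added example (not from the original post). Placeholder names throughout.
$rg       = 'rg-wvd-prod-uksouth-01'   # naming convention from the Planning section
$appGroup = Get-AzWvdApplicationGroup -ResourceGroupName $rg -Name 'ag-wvd-prod-uksouth-01'
$hostPool = Get-AzWvdHostPool         -ResourceGroupName $rg -Name 'hp-wvd-prod-uksouth-01'

# One row per AD group: the built-in role and the narrowest scope it needs.
# Users only need the app group; support and admins are scoped to the host pool.
$assignments = @(
    @{ Group = 'WVD-Users';   Role = 'Desktop Virtualization User';                  Scope = $appGroup.Id }
    @{ Group = 'WVD-Support'; Role = 'Desktop Virtualization User Session Operator'; Scope = $hostPool.Id }
    @{ Group = 'WVD-Admins';  Role = 'Desktop Virtualization Host Pool Contributor'; Scope = $hostPool.Id }
)

foreach ($a in $assignments) {
    $group = Get-AzADGroup -DisplayName $a.Group
    if (-not $group) { Write-Warning "Group '$($a.Group)' not found in Azure AD"; continue }

    # Idempotent: skip if the role is already held at (or inherited into) this scope.
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $a.Role -Scope $a.Scope
    if ($existing) { "Already assigned: $($a.Group) -> $($a.Role)"; continue }

    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $a.Role -Scope $a.Scope | Out-Null
    "Assigned $($a.Role) to $($a.Group) at $($a.Scope)"
}

# Review what the host pool ends up with, so nothing broader than intended slipped in.
Get-AzRoleAssignment -Scope $hostPool.Id |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```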

FSLogix
  • Understand best practices
  • Understand why you would have 1 profile or split it in to 2
  • Understand the pros and cons of enabling Cloud Cache
  • Understand what Application Masking is and how it works, use the masking tool
  • Understand what Java version control is and if you plan to use it
  • FSLogix is now installed as standard on all newer MS images
  • Ensure FSLogix profile locations are configured via GPO or baked into the gold image
Value: Enabled, Type: DWORD, Data: 1 (0 = Profile Containers disabled, 1 = Profile Containers enabled), under HKLM\Software\FSLogix\Profiles
  • Understand how to import ADMX files into your environment and how to generate and apply GPOs
  • Understand that you can migrate user profiles using tools provided by FSLogix, which convert VHD to VHDX

User Settings

  • Understand how to install and configure Universal Print (preview)
  • It has limitations; many vendors only support it out of the box on newer models
  • Only supports OS 1903 and above, and needs internet access and the client installed
  • A Universal Print connector is required to be installed
  • A license needs to be assigned in the M365 tenant to a GA or Printer Admin
  • You need to use a tool for older versions
  • It's available on most F, E and A subscriptions
  • It's available in most regions: UK South, East US 2, North Central US, South Central US, West US 2, Brazil South, Canada Central, Canada East, Australia East, North Europe, West Europe, East Asia, Japan East, Southeast Asia
  • Understand how to configure user sessions, whether they're persistent or not and for how long, and why you would use persistent over non-persistent; it's essentially a balance of cost and convenience.
  • Understand how to configure the RDP session, such as resolution, local device mapping etc.
  • Understand how to configure session time out and reconnect settings
Set the keep-alive options:
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name KeepAliveEnable -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name KeepAliveInterval -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name KeepAliveTimeout -Value 1 -Type DWord -Force

Set the reconnect options:
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name fDisableAutoReconnect -Value 0 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name fInheritReconnectSame -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name fReconnectSame -Value 0 -Type DWord -Force
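A drift check for the six keep-alive and reconnect values above, as an added example that is not from the original post: run it elevated on a session host (or through Invoke-Command) to find values that a later GPO, image rebuild or manual change has altered. The function name and the expected-value table are my own; the paths, names and values are the ones in the Set-ItemProperty lines.

```powershell
# Added example (not from the original post): report RDP session settings that
# differ from the values set above.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp'

# Expected values, taken from the Set-ItemProperty lines above.
$expected = @(
    @{ Path = $tsPolicy; Name = 'KeepAliveEnable';       Value = 1 }
    @{ Path = $tsPolicy; Name = 'KeepAliveInterval';     Value = 1 }
    @{ Path = $rdpTcp;   Name = 'KeepAliveTimeout';      Value = 1 }
    @{ Path = $tsPolicy; Name = 'fDisableAutoReconnect'; Value = 0 }
    @{ Path = $rdpTcp;   Name = 'fInheritReconnectSame'; Value = 1 }
    @{ Path = $rdpTcp;   Name = 'fReconnectSame';        Value = 0 }
)

function Test-RdpSessionSettings {
    param([hashtable[]]$Expected)
    foreach ($e in $Expected) {
        # A missing value is reported as such rather than treated as 0.
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        $shown  = if ($null -eq $actual) { '<missing>' } else { $actual }
        [pscustomobject]@{
            Name      = $e.Name
            Path      = $e.Path
            Expected  = $e.Value
            Actual    = $shown
            Compliant = ($actual -eq $e.Value)
        }
    }
}

$results = Test-RdpSessionSettings -Expected $expected
$results | Format-Table Name, Expected, Actual, Compliant -AutoSize
if ($results.Compliant -contains $false) {
    Write-Warning 'Session host has drifted from the expected RDP settings; re-apply the Set-ItemProperty lines or the GPO.'
}
```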

Understand how to troubleshoot issues with WVD
Use Azure Status for outages and Service Health, or the multitude of guides MS supply on their site.

Configure Applications
  • Understand how to package software as MSIX
  • Understand how to convert MSIX into MSIX App Attach
  • Understand why you would use MSIX App Attach over FSLogix App Masking, or vice versa.
  • If using App Attach, note the following
#Disable Store auto update:

reg add HKLM\Software\Policies\Microsoft\WindowsStore /v AutoDownload /t REG_DWORD /d 0 /f
Schtasks /Change /Tn "\Microsoft\Windows\WindowsUpdate\Automatic app update" /Disable
Schtasks /Change /Tn "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable

#Disable Content Delivery Manager auto-downloading the apps Microsoft wants to promote to users:

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug /v ContentDeliveryAllowedOverride /t REG_DWORD /d 0x2 /f

  • Understand the following process fully, each and every step:
  1. Download 7zip.msi installer - https://www.7-zip.org/download.html
  2. Download MSIX Packaging Tool - https://www.microsoft.com/en-gb/p/msix-packaging-tool/9n5lw3jbcxkf?rtc=1&activetab=pivot:overviewtab
  3. Install 7zip to local machine using the MSIX packaging tool - this will create my MSIX file.
  4. Create my VHDX by using disk management, this will house my MSIX extracted files.
  5. Download the MSIX Manager tool - https://aka.ms/msixmgr
  6. Use the MSIX manager tool to publish the files to your VHDX and apply ACLS.
  7. Create a file store (within a storage account) in Azure
  8. Configure NTFS permissions so your host pool machines have access to the store.
  9. Configure Storage SMB contributor role in Azure for the host pool machines to the store.
  10. Upload the VHD into your store (I just copy / paste rather than upload through ARM).
  11. On each of the hostpool machines, make sure the cert for the MSIX is installed to "Trusted People" within Local Computers.
  12. In your hostpool, add the MSIX, note the file path needs to be \\filestore\store\nameofvhd
  13. It will scan the file, check everything's all good with your MSIX and then add it to your host pool
  14. You then create an application group for the MSIX, and choose whether you want it in the host pool's desktop itself, as an app that runs by itself but spins up a WVD box in the background to host the app, or both... just select both, it's cool.
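Steps 4 and 6 of that process scripted, as an added example that is not from the original post: create the VHDX, expand the MSIX into it with msixmgr (applying the ACLs), read back the package folder name the host pool will ask for in step 12, then detach. Paths and the package file name are placeholders; it assumes an elevated session with the Hyper-V PowerShell module (New-VHD / Mount-VHD) and msixmgr.exe from https://aka.ms/msixmgr already downloaded.

```powershell
# Added example (not from the original post). Placeholder paths throughout.
$msixPackage = 'C:\msix\7zip.msix'                 # produced by the MSIX Packaging Tool in step 3
$vhdxPath    = 'C:\msix\7zip.vhdx'
$msixmgr     = 'C:\tools\msixmgr\x64\msixmgr.exe'  # from https://aka.ms/msixmgr

# Step 4: create the VHDX and prepare it (one GPT partition, NTFS).
New-VHD -Path $vhdxPath -SizeBytes 1GB -Dynamic | Out-Null
$volume = Mount-VHD -Path $vhdxPath -Passthru |
          Initialize-Disk -PartitionStyle GPT -PassThru |
          New-Partition -UseMaximumSize -AssignDriveLetter |
          Format-Volume -FileSystem NTFS -NewFileSystemLabel 'MSIX' -Confirm:$false
$dest = "$($volume.DriveLetter):\MSIX"
New-Item -Path $dest -ItemType Directory -Force | Out-Null

try {
    # Step 6: unpack the MSIX into the VHDX; -applyacls sets the permissions app attach expects.
    & $msixmgr -Unpack -packagePath $msixPackage -destination $dest -applyacls
    if ($LASTEXITCODE -ne 0) { throw "msixmgr failed with exit code $LASTEXITCODE" }

    # msixmgr creates a folder named after the package; the host pool needs this
    # name (the package relative path) when the image is added in step 12.
    $packageDir = Get-ChildItem -Path $dest -Directory | Select-Object -First 1
    "Unpacked package folder: $($packageDir.Name)"
}
finally {
    # Step 10 copies the file to the Azure Files share, so always detach it cleanly.
    Dismount-VHD -Path $vhdxPath
}
```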
  • Understand what app masking is and how to configure
  • Understand how to implement OneDrive and its caveats:
  • The minimum supported versions are: OneDrive 19.174.0902.0013 and FSLogix Apps 2.9.7486.53382.
  • For Windows Server, the SMB network file sharing protocol is also required.
  • The OneDrive sync app is not supported in remote app scenarios.
  • The OneDrive sync app with FSLogix does not support running multiple instances of the same container simultaneously.
  • Older systems only support VHD; most newer ones use VHDX (which you should be using anyway).
  • Understand how Teams works on WVD and how to configure correctly
  • Is your environment persistent or not?
  • Have you installed Teams to your gold layer?
  • Have you configured the WVD registry setting in your environment?
#Install Teams per user - persistent environments
msiexec /i <path_to_msi> /l*v <install_logfile_name> ALLUSERS=1

#Install Teams per machine - non-persistent environments (ALLUSER=1 selects the machine-wide install)
msiexec /i <path_to_msi> /l*v <install_logfile_name> ALLUSER=1 ALLUSERS=1
  • Understand how to configure an application group
  • Understand how to push applications and provide access to the groups
Business Continuity
  • Use the Azure Site Recovery tool to back up VMs
  • Use Remove-AzWvdUserSession to remove users from VMs
  • Configure backup sites to have network visibility
  • Configure user profiles with a secondary location in the registry:
HKLM\Software\FSLogix\Profiles
VHDLocations (REG_MULTI_SZ): \\profileloc1\profiles \\profileloc2\profiles
  • Ensure your identities are able to access the BCP solution
  • Ensure any LOB application has access both ways to your new environments
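The FSLogix profile settings from the FSLogix section (Enabled) and the secondary location above (VHDLocations) set together, as an added example that is not from the original post. The share paths are the placeholders from the post; run it elevated on the gold image, or push the same values via GPO.

```powershell
# Added example (not from the original post). Share paths are placeholders.
$profiles = 'HKLM:\SOFTWARE\FSLogix\Profiles'
if (-not (Test-Path $profiles)) { New-Item -Path $profiles -Force | Out-Null }

# Enabled: 1 = Profile Containers enabled, 0 = disabled (from the FSLogix section).
Set-ItemProperty -Path $profiles -Name Enabled -Value 1 -Type DWord -Force

# VHDLocations is REG_MULTI_SZ. FSLogix searches the paths in order for the user's
# container and creates a new one in the first listed path, so the primary share
# goes first and the BCP share second.
$locations = @('\\profileloc1\profiles', '\\profileloc2\profiles')
Set-ItemProperty -Path $profiles -Name VHDLocations -Value $locations -Type MultiString -Force

# Read back what was written and confirm each share is reachable from this host;
# an unreachable secondary is only discovered during a failover otherwise.
$written = Get-ItemProperty -Path $profiles
"Enabled      : $($written.Enabled)"
"VHDLocations : $($written.VHDLocations -join ', ')"
foreach ($loc in $written.VHDLocations) {
    "{0,-28} reachable: {1}" -f $loc, (Test-Path -Path $loc)
}
```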
Automate
  • Ensure you've looked at runbooks and automation accounts
  • Look into the AZAutoScaling scripts available
  • Understand how to create the logic apps and configure for your environment
  • Ensure you've configured an Azure Run As Account for your AutoScale scripts
Monitoring & optimization
  • Understand how to implement Azure Monitoring
  • Understand "Insights" and how to enable
  • Understand what the monitoring tools give us access to see, and that it's not enabled by default
  • Look into how to deploy the windows agent for logging
Why would we use monitoring? It allows us to monitor the below and more:
  • Multisession
  • Troubleshooting 
  • Optimization - CPU, Memory, Disk IO, Networking etc.
Ask questions and know answers to things like:
  • Antivirus and Exceptions to things being scanned, how will this impact IO?
  • Is FSLogix configured correctly?
  • What features are enabled, do we need them all? 
  • What UI elements can we address, can we look at performance tweaks like animated elements?
  • Did we clear down the image enough, did we remove UWP apps taking up space?
  • What maintenance tasks are being performed and when, are they all needed?
  • Questions around local policies, services that are running, is Windows Defender set up for WVD?
