Day 43: AZ-140 Pt.6 - Summary
Quick overview of things to consider:
- Below is a list of points to scan over, then go away and research.
- All opinions below are my own and are not representative of any company I am linked with.
- All scripts and information followed below are at your own risk, and I hold no responsibility if you run any of it in production without testing in pre-production first.
- Understand RBAC roles and who is going to be assigned them (Users, Support and Admins); use groups and nest users in those groups.
- Desktop Virtualization User
- Host Pool Contributor, Application Group Contributor, User Session Operator, Session Host Operator, Virtual Machine Contributor
- Understand OS types and why you would use multi-session over standard images.
- Plan your host pools; use a similar naming convention to the one used for RG creation.
- Understand the difference between breadth-first and depth-first.
- Depth-first: users are allocated to the next machine only once the current machine's resources have been used up.
- Breadth-first: we don't really care how the users get allocated; we leave this to Azure.
- Understand the difference between Pooled and Personal.
- Configure workspace metadata to be in the same region as the host pool if possible.
- Understand minimum / recommended VM specifications, e.g. MS D4s_v3, Standard D2s_v3.
- Create Resource Groups - Follow a naming convention of some kind like
- The resource group will be called: rg-wvd-prod-uksouth-01
- rg (resource group)
- wvd (windows virtual desktop)
- prod (production)
- uksouth (location)
- 01 (in case we create more)
- Decide between Azure files or NetApp Files
- Calculate costs of WVD and where to find this info.
- Understand User Profiles
- Why use FSLogix, how it's configured, and the ability to use cloud sync.
- Connecting to your WVD
- Use Bastion if possible, or use Remote Desktop from within the domain environment to manage sessions.
- Understand AD Connect and how to sync on-prem users/computers with Azure; use pass-through authentication (you'll need to install the agent for this) and use password hash sync as a backup.
- Understand Network Security Gateways in Azure
- Understand how to create a Virtual Network in Azure
- Ensure all groups and resources follow naming conventions as in Planning phase
- Understand how to configure Bastion, e.g. 10.2.1.0/27; the subnet must be a /27.
- Understand how Virtual Network Peering works, your hostpool RG will need visibility of wherever your AD controller is hosted.
- Understand how to monitor your network, and how to use the Monitoring blade within Azure.
- You'll need to ensure AD Connect is installed on your domain somewhere, preferably not on a DC.
- You'll need to have a storage account created; use FileStorage if you use premium, or StorageV2 on standard.
- The storage account name cannot be longer than 15 characters or FileSync won't work.
- Create folders for profile and Office if you intend on splitting, else create one folder for both, which is what Microsoft recommends.
- Use the AzFilesHybrid script to sync and create the storage account in your organization.
- Assign users access to the FSLogix folder locations so they can write their .vhds to the file shares.
- Understand how to create hostpools
- The differences between pooled and personal
- The differences between breadth first and depth first.
- If adding machines, have an account with access to domain join.
- Understand how to configure the hostpool settings.
- Understand how to add users into the hostpool and assign the correct role: Desktop Virtualization User.
- Understand how to manage the updates of the machines, ensure an update process is in place.
- Understand how to create a gold image
- Understand how to optimize the image
- Use the Virtual Desktop Optimization Tool (preview)
- Understand how to sysprep and snapshot that image for gold image use
- Intune doesn't support a lot of multi-session functionality
- Intune also doesn't support much in the way of standard images for WVD either
- However, understand what is "available" in Intune just incase this changes
- Understand how to create a policy that requires users have MFA enabled
- Understand how to access security center, observe "recommendations"
- Understand regulatory compliance within the security center
- Understand how to enable Azure Defender and what it gives you vs not being enabled
- Understand costings for the defender
- Endpoint protection is covered by Microsoft Antimalware
- Ensure FSLogix folders are excluded from scans (for performance)
- Decide whether to use real-time or scheduled scans.
- In the planning phase, you would've checked the relevant roles
- Understand how to add these roles via the resource manager
- Understand that these roles can also be pushed via PowerShell:
New-AzRoleAssignment -SignInName <userupn> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'
New-AzRoleAssignment -ObjectId <usergroupobjectid> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'
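As an added example (not part of the original post), the audit script below lists every "Desktop Virtualization User" assignment in the current subscription and flags the two things the points above warn against: assignments scoped wider than a single application group, and assignments made directly to a user rather than to a group. It assumes the Az.Resources module is installed and Connect-AzAccount has already been run.

```powershell
# Added example: audit "Desktop Virtualization User" assignments for scope
# and principal type. Assumes Az.Resources is installed and a session exists.
function Get-DvuAssignmentFindings {
    $role         = 'Desktop Virtualization User'
    $appGroupType = 'Microsoft.DesktopVirtualization/applicationGroups'
    # Scope of a correctly targeted assignment ends in .../applicationGroups/<name>.
    $pattern      = '/providers/' + [regex]::Escape($appGroupType) + '/[^/]+$'

    Get-AzRoleAssignment -RoleDefinitionName $role | ForEach-Object {
        $findings = @()

        # A subscription- or RG-scoped grant gives desktop access to every
        # app group beneath it, not just the one you meant.
        if ($_.Scope -notmatch $pattern) {
            $findings += "broad scope: $($_.Scope)"
        }

        # Access should go to a group with nested users, not to a direct user.
        if ($_.ObjectType -eq 'User') {
            $findings += "direct user assignment: $($_.SignInName)"
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Principal = $_.DisplayName
                Type      = $_.ObjectType
                Scope     = $_.Scope
                Findings  = ($findings -join '; ')
            }
        }
    }
}

# Empty output means every assignment is group-based and app-group scoped.
Get-DvuAssignmentFindings | Format-Table -AutoSize
```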
- Understand best practices
- Understand why you would have one profile or split it into two.
- Understand the pros and cons of enabling Cloud Cache
- Understand what Application Masking is and how it works, use the masking tool
- Understand what Java version control is and if you plan to use it
- FSLogix is now installed as standard on all newer MS images
- Ensure FSLogix profile locations are configured via GPO or baked into the gold image
- Registry value: Enabled, type DWORD, data 1 (0: Profile Containers disabled; 1: Profile Containers enabled).
- Understand how to import ADMX files into your environment and how to generate and apply GPOs
- Understand you can migrate user profiles using tools provided by FSLogix, which convert VHD to VHDX.
- Understand how to install and configure Universal Print (preview)
- It has limitations; many vendors only support it out of the box on newer models.
- Only supports OS version 1903 and above, and needs internet access and the client installed.
- A Universal Print connector is required to be installed.
- A license needs to be assigned by the M365 tenant to a GA or Printer Admin
- You need to use a tool for older versions
- It's available on most F, E and A subscriptions
- It's available in most regions: UK South, East US 2, North Central US, South Central US, West US 2, Brazil South, Canada Central, Canada East, Australia East, North Europe, West Europe, East Asia, Japan East, Southeast Asia.
- Understand how to configure user sessions: whether they're persistent or not and for how long, and why you would use persistent over non-persistent. It's essentially a balance of cost and convenience.
- Understand how to configure the RDP session, such as resolution, local device mapping etc
- Understand how to configure session time out and reconnect settings
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name KeepAliveEnable -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name KeepAliveInterval -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name KeepAliveTimeout -Value 1 -Type DWord -Force
Set the reconnect options:
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name fDisableAutoReconnect -Value 0 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name fInheritReconnectSame -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp' -Name fReconnectSame -Value 0 -Type DWord -Force
- Understand how to troubleshoot issues with WVD.
- Use Azure Status for outages and Service Health, or the multitude of guides MS supply on their site.
- Understand how to package software as MSIX
- Understand how to convert MSIX into MSIX App Attach
- Understand why you would use MSIX App Attach over FSLogix App Masking, or vice versa.
- If using app attach, note the following:
#Disable Store auto update:
reg add HKLM\Software\Policies\Microsoft\WindowsStore /v AutoDownload /t REG_DWORD /d 0 /f
Schtasks /Change /Tn "\Microsoft\Windows\WindowsUpdate\Automatic app update" /Disable
Schtasks /Change /Tn "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
#Disable Content Delivery auto-download of apps that are promoted to users:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug /v ContentDeliveryAllowedOverride /t REG_DWORD /d 0x2 /f
- Understand the following process fully, each and every step:
- Download 7zip.msi installer - https://www.7-zip.org/download.html
- Download MSIX Packaging Tool - https://www.microsoft.com/en-gb/p/msix-packaging-tool/9n5lw3jbcxkf?rtc=1&activetab=pivot:overviewtab
- Install 7-Zip on the local machine using the MSIX Packaging Tool; this will create my MSIX file.
- Create my VHDX using Disk Management; this will house my extracted MSIX files.
- Download the MSIX Manager tool - https://aka.ms/msixmgr
- Use the MSIX Manager tool to publish the files to your VHDX and apply ACLs.
- Create a file store (within a storage account) in Azure
- Configure NTFS permissions so your host pool machines have access to the store.
- Configure Storage SMB contributor role in Azure for the host pool machines to the store.
- Upload the VHD into your store (I just copy / paste rather than upload through ARM).
- On each of the hostpool machines, make sure the cert for the MSIX is installed to "Trusted People" within Local Computers.
- In your hostpool, add the MSIX, note the file path needs to be \\filestore\store\nameofvhd
- It will scan the file, check everything's all good with your MSIX and then add it to your host pool.
- You then create an application group for the MSIX and choose whether you want it in the host pool's desktop itself, as an app that runs by itself but spins up a WVD box in the background to host it, or both... just select both, it's cool.
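As an added example (not code from the original post), this script covers the VHDX, msixmgr and certificate steps of the process above. It assumes the Hyper-V PowerShell module (New-VHD, Mount-VHD) and msixmgr.exe are installed on the packaging machine; every path below is a placeholder.

```powershell
# Added example: expand an MSIX into a VHDX for app attach and trust its
# signing cert on a session host. Paths are placeholders for this example.
$packagePath = 'C:\msix\7zip.msix'           # output of the MSIX Packaging Tool
$vhdxPath    = 'C:\msix\7zip.vhdx'           # later copied to the file share
$msixmgr     = 'C:\tools\msixmgr\msixmgr.exe'
$signingCert = 'C:\msix\7zip-signing.cer'    # cert the package was signed with

# 1. Create the VHDX, mount it, initialise and format it, then pick a root folder.
$volume = New-VHD -Path $vhdxPath -SizeBytes 1024MB -Dynamic -Confirm:$false |
    Mount-VHD -Passthru |
    Initialize-Disk -Passthru |
    New-Partition -AssignDriveLetter -UseMaximumSize |
    Format-Volume -FileSystem NTFS -Confirm:$false -Force
$root = "$($volume.DriveLetter):\apps"

# 2. Unpack the MSIX into the VHDX; -applyacls sets the ACLs app attach expects.
& $msixmgr -Unpack -packagePath $packagePath -destination $root -applyacls
if ($LASTEXITCODE -ne 0) { throw "msixmgr failed with exit code $LASTEXITCODE" }

# Note the package folder name; the host pool registration refers to it.
Get-ChildItem -Path $root -Directory | Select-Object -ExpandProperty Name

Dismount-VHD -Path $vhdxPath

# 3. On each session host, trust only the package signing cert, in the machine
#    "Trusted People" store rather than a root store, before adding the MSIX.
Import-Certificate -FilePath $signingCert -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople' | Out-Null
```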
- Understand what app masking is and how to configure
- Understand how to implement One Drive and its caveats:
- The minimum supported versions are: OneDrive 19.174.0902.0013 and FSLogix Apps 2.9.7486.53382.
- For Windows Server, the SMB network file sharing protocol is also required.
- The OneDrive sync app is not supported in remote app scenarios.
- The OneDrive sync app with FSLogix does not support running multiple instances of the same container simultaneously.
- Older systems only support VHD; most newer ones use VHDX (which you should be using anyway).
- Understand how Teams works on WVD and how to configure correctly
- Is your environment persistent or not?
- Have you installed Teams to your gold layer?
- Have you configured the WVD registry setting in your environment?
#Install Teams for Users - Persistent
msiexec /i <path_to_msi> /l*v <install_logfile_name> ALLUSERS=1
#Install Teams for Machine - Non Persistent
msiexec /i <path_to_msi> /l*v <install_logfile_name> ALLUSER=1 ALLUSERS=1
- Understand how to configure an application group
- Understand how to push applications and provide access to the groups
- Use Azure Site Recovery to back up VMs.
- Use Remove-AzWvdUserSession to remove users from VMs.
- Configure backup sites to have network visibility
- Configure user profiles with a secondary location in the registry
VHDLocations (REG_MULTI_SZ): \\profileloc1\profiles, \\profileloc2\profiles
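As an added example (not from the original post), the script below writes the FSLogix Profile Container values referred to in the FSLogix section (the Enabled DWORD) and here (a primary and secondary VHDLocations entry for the BCP site), then reads them back. It is meant to run on a session host or be baked into the gold image; the two share paths are placeholders.

```powershell
# Added example: configure FSLogix Profile Container registry values with a
# secondary profile location. Share paths are placeholders for this example.
$fslogixKey   = 'HKLM:\SOFTWARE\FSLogix\Profiles'
$vhdLocations = @(
    '\\profileloc1\profiles',   # primary file share
    '\\profileloc2\profiles'    # secondary (BCP) file share
)

if (-not (Test-Path $fslogixKey)) {
    New-Item -Path $fslogixKey -Force | Out-Null
}

# Enabled: DWORD 1 turns Profile Containers on (0 disables them).
Set-ItemProperty -Path $fslogixKey -Name Enabled -Value 1 -Type DWord -Force

# VHDLocations is REG_MULTI_SZ; FSLogix tries each path in order.
Set-ItemProperty -Path $fslogixKey -Name VHDLocations -Value $vhdLocations -Type MultiString -Force

# Use VHDX containers, as the OneDrive section recommends.
Set-ItemProperty -Path $fslogixKey -Name VolumeType -Value 'vhdx' -Type String -Force

# Discard a stale local profile so the container always wins at sign-in.
Set-ItemProperty -Path $fslogixKey -Name DeleteLocalProfileWhenVHDShouldApply -Value 1 -Type DWord -Force

# Read back what was written as a quick verification step.
Get-ItemProperty -Path $fslogixKey |
    Select-Object Enabled, VHDLocations, VolumeType, DeleteLocalProfileWhenVHDShouldApply
```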
- Ensure your identities are able to access the bcp solution
- Ensure any LOB application has access both ways to your new environments
- Ensure you've looked at runbooks and automation accounts
- Look into the AZAutoScaling scripts available
- Understand how to create the logic apps and configure for your environment
- Ensure you've configured an Azure Run As Account for your AutoScale scripts
Monitoring & optimization
- Understand how to implement Azure Monitoring
- Understand "Insights" and how to enable
- Understand what the monitoring tools give us access to see, and that it's not enabled by default.
- Look into how to deploy the Windows agent for logging.
Why would we use monitoring? It allows us to monitor the below and more:
- Optimization - CPU, Memory, Disk IO, Networking etc.
Ask questions and know answers to things like:
- Antivirus and Exceptions to things being scanned, how will this impact IO?
- Is FSLogix configured correctly?
- What features are enabled, do we need them all?
- What UI elements can we address, can we look at performance tweaks like animated elements?
- Did we clear down the image enough, did we remove UWP apps taking up space?
- What maintenance tasks are being performed and when, are they all needed?
- Questions around local policies and the services that are running; is Windows Defender set up for WVD?