Part One: Understanding the Status Quo
Deploying a Desktop as a Service (DaaS) solution on a public cloud can be stressful, painful, and can take a huge amount of time and effort. In this series we will highlight the steps required to deploy and maintain a Desktop as a Service solution on Microsoft Azure, and ways to automate the process to make it quick and effortless.
Steps to Deploy & Maintain DaaS on Microsoft Azure
To create a DaaS solution successfully on Microsoft Azure you will need to do the following:
To deploy a Windows Virtual Desktop (WVD) / Azure Virtual Desktop (AVD) solution you must first carry out the preparation steps the virtual desktop service requires. These steps are vital and are the most painful part of the configuration, since they involve integrating Azure Active Directory. The preparation steps are:
- Deploy an Azure Active Directory: Azure Active Directory (Azure AD) is used for identity and access management in Windows Virtual Desktop. This includes access to remote sessions, administration elements, and user provisioning.
- Integrate Azure AD with Active Directory Domain Services (AD DS): For WVD/AVD your remote sessions use AD DS for session logins at the VM layer, the same way your current virtual and physical desktop environment on premises does. You have the following options to connect to or provision AD DS for Windows Virtual Desktop:
  - Deploy a domain controller in a Windows Server VM hosted in Azure.
  - Provision Azure Active Directory Domain Services (Azure AD DS).
  - Connect your on-premises network to Azure, establishing a connection between your datacenter and the Azure virtual network.
- Create Azure Resources: As is typical in all Azure deployments, you must create resource groups; virtual networks with the required outbound rules and connectivity to your domain; storage accounts to hold the virtual disk files used by FSLogix; and Azure accounts for administrators, users, and the system accounts that manage services.
- Assign Roles and Licenses: Make sure you have configured all the necessary Azure Active Directory (AAD) roles, such as Global Admin and User Admin, as well as the Organizational ID and the subscription owner. Also make sure WVD/AVD users are licensed.
- Register WVD Provider with the subscription: Another required step is to register the Microsoft Desktop Virtualization provider with the subscription.
The deployment of WVD/AVD can be as complex and time consuming as the preparation: depending on your requirements you have to configure a series of resources, including workspaces, host pools, application groups, and load balancing options.
On each host pool it is necessary to:
- Configure new or register virtual machines
- Confirm each VM is joined to a domain and each has an image assigned
- Register application groups to workspaces
- Assign the app groups to the users
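The preparation and host-pool steps above, as one end-to-end script. This is an added example, not code from the original post or from any product it mentions; it uses the Az and Az.DesktopVirtualization PowerShell modules. The location, resource group, host pool, workspace and group names, the address space and the domain controller address are all assumptions to replace for your own tenant.

```powershell
# Added example: register the provider, create the network, then build the
# host pool, desktop application group and workspace, and assign users.
#Requires -Modules Az.Accounts, Az.Resources, Az.Network, Az.DesktopVirtualization

$Location      = 'eastus'              # assumption
$ResourceGroup = 'rg-avd-prod'         # assumption
$HostPoolName  = 'hp-avd-pooled'       # assumption
$AppGroupName  = "$HostPoolName-dag"   # assumption
$WorkspaceName = 'ws-avd-prod'         # assumption
$UserGroupName = 'AVD-Users'           # assumption: an Azure AD security group
$DomainDns     = '10.10.0.4'           # assumption: a domain controller the hosts can reach

Connect-AzAccount | Out-Null

# 1. Register the Desktop Virtualization resource provider and wait until the
#    subscription reports it as Registered; host pools cannot be created before that.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.DesktopVirtualization' | Out-Null
do {
    Start-Sleep -Seconds 10
    $state = (Get-AzResourceProvider -ProviderNamespace 'Microsoft.DesktopVirtualization').RegistrationState |
             Select-Object -First 1
} while ($state -ne 'Registered')

# 2. Resource group and a virtual network for the session hosts. The subnet's
#    DNS points at AD DS so the hosts can be domain joined.
if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location | Out-Null
}
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-avd-hosts' -AddressPrefix '10.20.1.0/24'
New-AzVirtualNetwork -Name 'vnet-avd' -ResourceGroupName $ResourceGroup -Location $Location `
    -AddressPrefix '10.20.0.0/16' -Subnet $subnet -DnsServer $DomainDns | Out-Null

# 3. Host pool, desktop application group and workspace.
$hostPool = New-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName -Location $Location `
    -HostPoolType 'Pooled' -LoadBalancerType 'BreadthFirst' -PreferredAppGroupType 'Desktop' `
    -MaxSessionLimit 10

$appGroup = New-AzWvdApplicationGroup -ResourceGroupName $ResourceGroup -Name $AppGroupName -Location $Location `
    -HostPoolArmPath $hostPool.Id -ApplicationGroupType 'Desktop'

New-AzWvdWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName -Location $Location `
    -ApplicationGroupReference $appGroup.Id | Out-Null

# 4. Assign the user group to the application group with the least-privilege
#    built-in role, scoped to the application group rather than the resource group.
$group = Get-AzADGroup -DisplayName $UserGroupName
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Desktop Virtualization User' `
    -ResourceName $AppGroupName -ResourceGroupName $ResourceGroup `
    -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' | Out-Null

# 5. Short-lived registration token used when session hosts join the pool.
#    Treat it as a secret: anyone holding it can register a host into the pool.
$token = New-AzWvdRegistrationInfo -ResourceGroupName $ResourceGroup -HostPoolName $HostPoolName `
    -ExpirationTime (Get-Date).ToUniversalTime().AddHours(2)
Write-Host "Registration token valid until $($token.ExpirationTime); pass it to the AVD agent installer on each host."
```

The script stops short of creating the session host VMs themselves; those still need to be built from an image, joined to the domain, and registered with the token from step 5, which is the per-host work the list above describes.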
Once you have prepared and deployed Windows Virtual Desktop, you need to provide the best experience to your users. Using FSLogix profiles you can store complete user profiles in a single container and, at sign-in, this container is dynamically attached to the VM to which the user is trying to log in.
To configure FSLogix you must:
- Create a storage account
- Enable AAD authentication on Azure Files
- Assign roles to access storage data
- Create a file share to store user profile virtual disks
- Install FSLogix
- Configure FSLogix
- Create FSLogix Profile
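The FSLogix steps above, as an added example that is not part of the original post. Part A runs from an administrator's workstation with the Az modules and covers the storage account, share, Azure AD DS authentication and role assignment; part B is a function to run on each session host after FSLogix is installed and writes the documented profile-container registry values. The resource group, storage account, share and group names are assumptions.

```powershell
# Added example: Azure Files for FSLogix profile containers, then the
# session-host registry configuration.
#Requires -Modules Az.Accounts, Az.Resources, Az.Storage

$ResourceGroup  = 'rg-avd-prod'      # assumption
$StorageAccount = 'stavdprofiles01'  # assumption: lowercase, globally unique
$ShareName      = 'profiles'         # assumption
$UserGroupName  = 'AVD-Users'        # assumption

# --- Part A: storage account, share, identity-based SMB auth, RBAC ---
Connect-AzAccount | Out-Null

$sa = New-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -Location 'eastus' -SkuName 'Premium_LRS' -Kind 'FileStorage'

# Premium file share for the profile VHDs; QuotaGiB is the provisioned capacity.
New-AzRmStorageShare -ResourceGroupName $ResourceGroup -StorageAccountName $StorageAccount `
    -Name $ShareName -QuotaGiB 1024 | Out-Null

# Enable Azure AD DS authentication for SMB (the Azure AD DS option from the
# preparation steps). An on-premises AD DS forest is joined differently.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -EnableAzureActiveDirectoryDomainServicesForFile $true | Out-Null

# Share-level permission: the user group gets the built-in SMB data role on this
# share only, not on the whole storage account. NTFS permissions on the share
# root still need to be set after mounting it once as an administrator.
$group      = Get-AzADGroup -DisplayName $UserGroupName
$shareScope = "$($sa.Id)/fileServices/default/fileshares/$ShareName"
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $shareScope | Out-Null

# --- Part B: run on each session host as a local administrator ---
function Set-FSLogixProfileConfig {
    param(
        [Parameter(Mandatory)] [string] $VhdLocation,  # UNC path of the profile share
        [int] $SizeInMBs = 30000                        # maximum profile container size
    )
    $key = 'HKLM:\SOFTWARE\FSLogix\Profiles'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Turn profile containers on and point them at the share.
    New-ItemProperty -Path $key -Name 'Enabled'      -PropertyType DWord       -Value 1              -Force | Out-Null
    New-ItemProperty -Path $key -Name 'VHDLocations' -PropertyType MultiString -Value @($VhdLocation) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SizeInMBs'    -PropertyType DWord       -Value $SizeInMBs     -Force | Out-Null
    New-ItemProperty -Path $key -Name 'VolumeType'   -PropertyType String      -Value 'VHDX'         -Force | Out-Null
    # Name folders <username>_<SID> so administrators can find a profile quickly.
    New-ItemProperty -Path $key -Name 'FlipFlopProfileDirectoryName' -PropertyType DWord -Value 1 -Force | Out-Null
    # Remove a stale local profile so the container is the single source of truth.
    New-ItemProperty -Path $key -Name 'DeleteLocalProfileWhenVHDShouldApply' -PropertyType DWord -Value 1 -Force | Out-Null
}

Set-FSLogixProfileConfig -VhdLocation "\\$StorageAccount.file.core.windows.net\$ShareName"
```

Scoping the role assignment to the share, rather than the storage account, keeps a user who is compromised on a session host from enumerating other shares in the same account; the NTFS ACLs on the share root are what stop one user from opening another user's container.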
Other considerations are whether you are migrating from an on-premises Remote Desktop architecture and if you are using a file server for shared files. If those are both true, you can migrate all your data using Azure File Sync.
During the optimization process, one other aspect you must handle carefully is automating the scaling of the virtual machine resources in your host pool. You can use the scaling tool for WVD/AVD, which is built with Azure Automation and Azure Logic Apps. With this tool you can:
- Schedule VM start and stop based on peak and off-peak hours
- Scale out VMs based on the number of sessions per CPU core
- Scale in VMs during off-peak hours
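To make the three rules above concrete, here is a simplified version of the decision logic such a tool applies. It is an added example written for this page, not the Microsoft scaling tool's own code, and it only returns the actions it would take rather than starting or stopping anything; the host records are constructed inline, and the threshold and peak window are assumed values.

```powershell
# Added example: peak/off-peak scaling decisions for a pooled host pool.
function Get-ScaleDecision {
    param(
        # Host objects with Name, Sessions, Cores, Running, AllowNewSessions
        [Parameter(Mandatory)] [object[]] $Hosts,
        [Parameter(Mandatory)] [datetime] $Now,
        [int]    $PeakStartHour = 8,                  # assumption
        [int]    $PeakEndHour   = 18,                 # assumption
        [double] $SessionsPerCoreThreshold = 2.0,     # assumption
        [int]    $MinRunningHostsOffPeak = 1          # keep one host for late sign-ins
    )
    $isPeak  = ($Now.Hour -ge $PeakStartHour) -and ($Now.Hour -lt $PeakEndHour)
    $running = @($Hosts | Where-Object { $_.Running })
    $stopped = @($Hosts | Where-Object { -not $_.Running })
    $actions = @()

    if ($isPeak) {
        # Peak: scale out when the pool-wide sessions-per-core load exceeds the threshold.
        $cores    = ($running | Measure-Object Cores -Sum).Sum
        $sessions = ($running | Measure-Object Sessions -Sum).Sum
        if ($cores -eq 0 -or ($sessions / $cores) -gt $SessionsPerCoreThreshold) {
            $next = $stopped | Select-Object -First 1
            if ($next) { $actions += "Start $($next.Name)" }
        }
        # Re-admit sessions on any host that was drained during the previous off-peak window.
        foreach ($h in ($running | Where-Object { -not $_.AllowNewSessions })) {
            $actions += "AllowNewSessions $($h.Name)"
        }
    } else {
        # Off-peak: keep the busiest hosts, put the rest in drain mode so no user is
        # disconnected, and stop a drained host only once it has no sessions left.
        $keep = $MinRunningHostsOffPeak
        foreach ($h in ($running | Sort-Object Sessions -Descending)) {
            if ($keep -gt 0) { $keep--; continue }
            if ($h.AllowNewSessions) { $actions += "DrainMode $($h.Name)" }
            if ($h.Sessions -eq 0)   { $actions += "Stop $($h.Name)" }
        }
    }
    return $actions
}

# Constructed sample pool: two running hosts under load and one stopped host.
$sample = @(
    [pscustomobject]@{ Name = 'avd-0'; Sessions = 9; Cores = 4; Running = $true;  AllowNewSessions = $true },
    [pscustomobject]@{ Name = 'avd-1'; Sessions = 8; Cores = 4; Running = $true;  AllowNewSessions = $true },
    [pscustomobject]@{ Name = 'avd-2'; Sessions = 0; Cores = 4; Running = $false; AllowNewSessions = $true }
)
Get-ScaleDecision -Hosts $sample -Now (Get-Date '2021-06-01T10:00:00')   # inside the peak window
Get-ScaleDecision -Hosts $sample -Now (Get-Date '2021-06-01T22:00:00')   # off-peak
```

The draining step is the part worth keeping when you adapt this: stopping a host that still has sessions is what generates the help-desk tickets, so scale-in should always be a two-phase drain-then-stop.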
Secure a Windows Virtual Desktop Deployment
As an Azure administrator you must understand the architecture and security capabilities of WVD/AVD explained below. You will also need to understand the shared responsibility model between Microsoft and you.
Microsoft manages the following WVD/AVD services:
- Azure Web Access
- Azure Infrastructure Services
You, as an Azure Administrator, manage the following:
- User profile management
- User host access
- Sizing and scaling policies for the VM
- Scaling policies for session host pools
- Networking policies
Windows Virtual Desktop requires Azure AD integration, which lets you handle identity and access capabilities. This integration is aligned with the Zero Trust security model, meaning you must also handle aspects like:
- Using static and dynamic Conditional Access policies
- Strengthening authentication with MFA
- Integrating with Azure Security Center or Azure Defender
- Implementing strong credential management services and policies
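The first two items above, Conditional Access and MFA, as an added example that is not from the original post: a policy that requires MFA for the Azure Virtual Desktop application, created with the Microsoft Graph PowerShell SDK. The group name is an assumption, the application ID is a placeholder to look up under Enterprise applications in your own tenant, and the break-glass account ID is a placeholder as well.

```powershell
# Added example: Conditional Access policy requiring MFA for AVD sign-ins.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All' | Out-Null

$AvdAppId        = '<application-id-of-Azure-Virtual-Desktop>'   # placeholder: from Enterprise applications
$BreakGlassUser  = '<object-id-of-emergency-access-account>'     # placeholder: always excluded from CA
$UserGroup       = Get-MgGroup -Filter "displayName eq 'AVD-Users'"  # assumption

$policy = @{
    displayName = 'AVD - Require MFA'
    # Start in report-only mode, review the sign-in log impact, then set 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications   = @{ includeApplications = @($AvdAppId) }
        users          = @{
            includeGroups = @($UserGroup.Id)
            excludeUsers  = @($BreakGlassUser)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Two details carry the security weight: the policy targets the AVD application rather than all cloud apps, so it can be reasoned about and tested on its own, and the emergency-access account is excluded so an MFA outage cannot lock administrators out of the tenant.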
Application Deployment on Windows Virtual Desktop
The final step in a WVD/AVD deployment is the enablement of a modern app packaging experience using MSIX App Attach.
MSIX App Attach is a Microsoft application-delivery approach designed for modern workspaces. With MSIX App Attach you can deliver applications to both physical and virtual machines. It is a great technology that simplifies application delivery, but it adds a layer of administration that can get complex.
Deployment is Easier with DesktopReady
As explained above, there are numerous specific requirements regarding the preparation, deployment, and administration within a WVD/AVD environment that make deploying a Desktop as a Service solution under a public cloud service a very time-consuming, detailed job.
Despite all these meticulous steps and their complexity, there are tools that can automate this process and greatly simplify the administration of WVD/AVD. In the next post we’ll talk about DesktopReady and how this tool can bring enormous added value to this process.