Windows Virtual Desktop: Simple Step-by-Step Walkthrough - PolicyPak
https://www.policypak.com/pp-blog/windows-virtual-desktop

Windows Virtual Desktop: A Step-by-Step Walkthrough and Guide

Windows Virtual Desktop (WVD) is not Hyper-V or a rehabilitated version of Windows Virtual PC. It doesn't even install on your local machine like VMware Workstation or VMplayer. Rather, WVD lets you deploy and scale virtualized Windows desktops and apps on Azure Windows Virtual Desktops.

If you're looking for more information about Windows Virtual Desktop, you've come to the right place. This Guide to Getting Started is perfect for those IT pros who are researching WVD, starting a trial with WVD or are onboarding WVD.

Table of Contents

Part 1: Before You Get Started
- What is Windows Virtual Desktop?
- Why Cloud, Why Now?
- Benefits of Windows Virtual Desktop
- About This Guide
- Our Methodology
- Executive Overview
- Windows Virtual Desktop Requirements
Part 2: WVD Initial Setup with Azure and Registration
- Consent, and Permissions
- Assigning Users and Administrators
Part 3: Prepping for Your WVD Environment with PowerShell
- Finding Your Azure Subscription ID and Active Directory Tenant
- Configuring PowerShell and Connecting to Azure
- Setting Up Windows Virtual Desktop Tenant
Part 4: Configuring Your Domain Controller and Virtual Machines
- Adding, Creating and Configuring Virtual Machines
- Disk Configuration
- Network Configuration
Part 5: Setting up Your VPN
- VPN Configuration
- Resources, Certificates and Other Configurations
- Installing and Connecting Your VPN
Part 6: Completing Your Windows Virtual Desktop Configuration
- Configuring and Connecting Your Domain Controller
- Syncing Azure AD
- Add VMs and Deploy to Azure
- Verify VMs and Assign Users
- Publishing Apps
Final Thoughts

Part 1: Before You Get Started

What is Windows Virtual Desktop?

Windows Virtual Desktop or "WVD" is a desktop and app virtualization service that resides in the cloud and is then accessed by users using a device of their choice. Think of it as Desktop-as-a-Service powered by Azure. WVD delivers a Windows experience that's multi-session yet personable and persistent. While it delivers a Windows 7 experience, most organizations want Windows 10 since support ... And of course, it delivers your essential O365 apps to your users.

Why Cloud, Why Now?

While it may seem out of the ordinary to push desktops from the cloud, it is the next step in the evolution of the digital transformation. Similar to how you scale enterprise web-based applications to your employees and customers, you can now quickly deploy desktops with the same scalability potential. If you've migrated your applications and data to the cloud, why not host the desktops there too? Centralization keeps everything congregated and increases performance potential. By software defining the desktop, you clip your dependency on rigid hardware and diminishing product lifecycles.

While traditional VDI achieves this, deploying a cloud desktop platform is far simpler from a configuration and deployment perspective. Plus, you're benefiting from the power, security, and scalability of Azure.

Benefits of Windows Virtual Desktop

Companies are undergoing their digital transformations to become more agile, and Windows Virtual Desktop is a prime example of fluid flexibility. Users can access their expected desktop experience regardless of location. Access can be from any device that has either the WVD native client application or a Windows Virtual Desktop HTML5 web client. Here's a partial list of what WVD can do for you.

• Virtualize both desktops and apps, then assign and connect users to them
• Virtualize Office 365 ProPlus and deliver it to your users in an optimized environment
• Reduce your CAPEX costs by lessening the impact of hardware product lifecycles
• Lower costs by pooling multi-session resources and reduce the number of virtual machines in your environment
• Bring your existing Remote Desktop Services (RDS) and Windows Server desktops and apps to any computer with ease
• Publish as many host pools as you need to accommodate your diverse workloads
• Reduce your CAPEX costs by reducing the impact of hardware product lifecycles
• Provides a unified and simplified management experience for your admins

About This Guide

Of course, we've only covered the tip of the iceberg concerning WVD's potential advantages. It's also just the beginning of an end-to-end walkthrough of this new approach to desktop deployment.

There ARE other excellent walkthroughs of WVD.
This one by Christiaan Brinkhoff (https://www.christiaanbrinkhoff.com/2019/03/03/windows-virtual-desktop-technical-walkthrough-including-other-unknown-secrets-you-did-not-know-about-the-new-microsoft-managed-azure-service/) is a good start, but we think having another walkthrough might be useful if you get stuck. In other words, two heads are better than one.

Think of our walkthrough as your one-source guide to everything you would need to get started deploying Windows Virtual Desktop in Azure. Remember: This walkthrough is our experience, and WVD may change over time.

We here at PolicyPak are also proud to be Windows Virtual Desktop Partners (https://docs.microsoft.com/en-us/azure/virtual-desktop/partners), one of the first! So we kind of know what we're talking about.

That said, we hope this walkthrough helps you get going implementing a proof of concept. But, we're not responsible if these directions don't work, or, worse, cause some problems in your test lab or your real environment. Everything in this guide is reasonably tested, but not guaranteed, and you should use your brain if something doesn't feel right to you.

There are some other guides out there that explain how to set up WVD. Again, those guides are useful, but this is our story, how we did it. We went through every step and fell into each hole, so you don't have to. We documented every step expressly so you could get started and see what we did, and you can do it too.

Our Methodology

The primary purpose of this article series is to guide you through the process of getting WVD up and running so you can kick the tires and see how this new product can benefit your environment. Let us first say that, like many first product releases, the deployment process isn't as easy as it could be. In this guide, you will have to run quite a few PowerShell cmdlets. Do not be intimidated!
Okay, maybe a little. There are also several initial configurations you will have to complete. Let's quickly say that this isn't going to be a ten-minute process. However, we have gone through the entire process and have outlined everything you need to know in an easy-to-follow guide.

Executive Overview

Here is a basic outline of the material covered in this guide:

• Security should always be job 1 in whatever we do in IT today. Since our WVD will be running in Azure, we need to set up a Point-to-Site VPN to tunnel our traffic. This process starts with the creation of a virtual network followed by some necessary configurations.
• Like any Windows computer, WVD requires a DNS and AD infrastructure to function within an enterprise, so we will help you ensure these are set up and configured correctly.
• You need Azure AD Connect to unite your on-prem environment with your Azure one. We will guide you through the necessary procedures to ensure that users can authenticate successfully to utilize the new virtual desktops and resources.
• Lastly, we'll go over the process of installing the PowerShell cmdlets for managing and interacting with Windows Virtual Desktop.

Windows Virtual Desktop Requirements

Before we dive in, you need to do some homework. There is a small list of things you will need to check off to repeat the outlined steps in this guide.

1. You're going to need an Azure subscription with enough credit to host the virtual machine resources for the project. (If you don't have access to a subscription, you can sign up for a free account here. You will need a valid phone number and credit card as Microsoft uses these for identity verification.)
2. You will need access to your Azure Active Directory.
3. You will need access to a user account that has Global Administrator access to Office 365, and the owner role on the Azure subscription. These credentials are what allow you to do the work we'll perform later.

So you may have a few things to do until the next leg of the journey. Once you've completed your homework, we will roll up our sleeves and begin the initial WVD setup by completing the early configuration steps.
» PRO TIP: Kill Local Admin Rights In WVD (https://kb.policypak.com/kb/article/811-policypak-wvd-elevate-application-inside-wvd-and-bypass-uac-prompts/)

Part 2: Setup and Registration

So let's get this party started and set out deploying WVD. These initial steps are quick and easy. You first have to grant consent on behalf of your organization.

Consent, and Permissions

Step 1: Login

Log in to your Azure Subscription with your global administrator account.

Step 2: Provide Consent

Then open another tab in your web browser and visit the Windows Virtual Desktop Consent Page (https://rdweb.wvd.microsoft.com).

• Start with the "Consent Option" set to "Server App," then fill in your "AAD Tenant GUID or name" and hit submit. The Consent Page explains what you agree to, as shown below.

    Windows Virtual Desktop Consent Page
    Select consent option
    Select "Server App" to give the consent to the back-end web app to specific tenant.
    Select "Client App" to give the consent to the front end client app to specific tenant.
    Please note that if you choose to consent to "Client App" only, then user will need to consent at every sign-in.
    Also allow 30 seconds delay between consenting "Server" and "Client" apps so that the changes are propagated in Azure.
• The GUID is your Azure domain name. The tenant ID is a long alphanumeric identifier that is nearly impossible to remember but easy to look up in your Azure portal.
• Note: You can find your "AAD Tenant GUID or name" by visiting this link: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties
• If there is nothing at that link, then you don't have an active subscription; sign up at https://azure.microsoft.com/en-us/free/ to get a free one if needed.

Step 3: Accept Permissions

Microsoft will then ask you to accept permissions needed by Windows Virtual Desktop; hit "Accept" when prompted to grant access.

If done correctly, you'll see the following confirmation:

    Thank You! AAD Application has been successfully registered.

Next is a rinse and repeat type of process, as we have to repeat the same series of steps except for this time, we choose the "Client App."

Step 4: Provide Consent

After a comfortable 30-second wait as suggested, repeat the previous steps and set the "Consent Option" to "Client App," then fill in your "AAD Tenant GUID or name" and hit submit.
Step 5: Accept Permissions

Once again, Microsoft will then ask you to accept permissions needed by Windows Virtual Desktop Client; hit "Accept" when prompted to grant access.

Once again, this is followed by a confirmation of your registration:

    Thank You! AAD Application has been successfully registered.

Assigning Users and Administrators

Step 1: Assign Enterprise Application Administrators

The next step is to configure Enterprise Application Administrators in Azure AD to grant at least one of your accounts permission to create the Windows Virtual Desktop tenant.
Either open "Azure Active Directory" and click on "Enterprise Applications" or visit this blade in your Azure Portal: https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId

Step 2: Go to Windows Virtual Desktop

Next, click on "Windows Virtual Desktop." You can search for it if it is not visible.

Step 3: Select Users and Groups

Select "Users and Groups," then click on "Add User."

Step 4: Assign Users

Search for, then select, the user you would like to grant permission to create Windows Virtual Desktop tenants to, and then click "Assign."

Step 5: Confirm Results

The result should look similar to below:

    wvdTenantCreator    User    TenantCreator

Next, we will have a few more initial steps to go through, and then we will dip our toes in the water and initiate our first PowerShell scripts required for this process.

» PRO TIP: Simplify Start Screen and Taskbar Customization in WVD (https://kb.policypak.com/kb/article/812-policypak-wvd-manage-the-start-screen-and-taskbar/)

Part 3: Prepping Your WVD Environment

Finding Your Azure Subscription ID and AD Tenant ID

Before we create our VM environment, we have to wrap up a few more initial steps.

1. Your Azure Active Directory tenant ID (or Directory ID)
2. Your Azure subscription ID

You can find the Active Directory tenant ID (or Directory ID) in the Azure Portal by selecting "Azure Active Directory" then clicking on "Properties," or by visiting this link while logged in to your Azure Portal: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties

Copy the Active Directory tenant ID (or Directory ID), and save it somewhere safe as you need it later.

Step 1: Find Subscription ID

To find the Subscription ID, from the same Azure Portal session either use the "Search" option to search for "Subscriptions" or visit the following link while logged into your Azure Portal: https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade

Step 2: Copy Subscription ID

Copy the Subscription ID and save it somewhere safe as you need it later.

Configure PowerShell

Now it's time for some PowerShell stuff. (Sorry if you thought that moving to the cloud would exempt you from PowerShell.) Cloud management isn't always about pointing and clicking in GUI menus. Don't let this intimidate you, because we're laying out the sequential steps quick and easy.

Step 1: Install PowerShell Modules

First, you need to install the required modules for PowerShell. Remember, in Part 2 you got prepared and downloaded the Windows Virtual Desktop cmdlets for Windows PowerShell: https://docs.microsoft.com/powershell/windows-virtual-desktop/overview
Step 2: Run Commands

After you install the cmdlets, you can run some commands. You can use either PowerShell or PowerShell ISE. I recommend using PowerShell ISE as you can save/document your steps along the way. Whichever one you choose, open with an elevated prompt and type the following cmdlets in the order shown.

    Install-Module -Name Az -AllowClobber -Force

Notes:
• When prompted by the Set-ExecutionPolicy cmdlet, answer "Yes" or "Yes to All" to continue.
• You will see many packages being unzipped when running the Install-Module commands.

Step 3: Connect to Azure

Once the required modules from the above have successfully installed, you need to run the following cmdlet to connect to Azure.

    Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

That command opens up a Windows popup in which you type in the credentials of your Tenant Creator account.

Setting Up Windows Virtual Desktop Tenant

Step 1: How to Create Windows Virtual Desktop Tenant

Now it's time to run a command to create your Windows Virtual Desktop tenant. You need to use the Active Directory tenant ID (or Directory ID) and Subscription ID you saved earlier. The RDSTenant name should be the name of the tenant you are creating, the AadTenantId string should match the tenant ID string from your Azure portal, and the AzureSubscriptionId string should match the Subscription ID string from your Azure portal. For example:

Note: The entire command should be on one line. You can copy and paste the command above into Notepad and then edit accordingly.

Any time you see "CompanyWVDtenant" in a script, you need to change this value to the correct name of your tenant. I am just using this value for this example.
Once you issue the commands, you will see something like this:

[Screenshot: command output]

Step 2: RDS Owner

You can use the TenantCreator account from the steps above or choose a different user account if you like, and "TenantGroupName" is ALWAYS "Default Tenant Group." Once again, the entire command should be on one line. For example:

    New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -UserPrincipalName wvdTenantCreator@yourCompany.com -TenantGroupName "Default Tenant Group" -TenantName CompanyWVDtenant

After hitting Enter, you will see something like this:

[Screenshot: command output]

Step 3: Create Your Host Pools

Host pools are collections of one or more virtual machines. The machines are identical. In my example I'll create two host pools, one for the "Desktop Application Group" and a second one for the "Remote Application Group". To keep things simple, host pool1 will only have full desktops, and host pool2 will only have published applications.

To create the host pools, run the following cmdlets after changing "CompanyWVDtenant" to the correct tenant name for your organization. Note that the commands are on two separate lines.

Step 4: Create Desktop and Remote Application Groups

Run the cmdlets below to create "Desktop Application Group" on host pool1, and "Remote Application Group" on host pool2. Once again, change "CompanyWVDtenant" to the correct tenant name for your organization.

CONGRATULATIONS! You completed the necessary PowerShell scripts. Now that wasn't too bad, was it?

Note that any VMs you create will need to be domain joined. That means you must have an Active Directory domain controller already in place for these VMs to join.
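
The Part 3 sequence (connect, create the tenant, assign RDS Owner, create the two host pools and their application groups) as one re-runnable script. This is an added example, not PolicyPak's or Microsoft's code: the GUIDs, the UPN and the pool names hostpool1/hostpool2 are placeholders you must replace, and the Get-Rds* existence checks are an addition that is not part of the walkthrough.

```powershell
# Added example. Assumes the Microsoft.RDInfra.RDPowerShell module is installed
# and that you sign in with the account given the TenantCreator role in Part 2.
$ErrorActionPreference = 'Stop'

# Placeholders (assumptions): replace every value before running.
$TenantName     = 'CompanyWVDtenant'                      # example tenant name used on this page
$AadTenantId    = '00000000-0000-0000-0000-000000000000'  # Directory ID from the portal
$SubscriptionId = '00000000-0000-0000-0000-000000000000'  # Subscription ID from the portal
$OwnerUpn       = 'wvdTenantCreator@yourCompany.com'      # account that receives RDS Owner

# One desktop pool and one RemoteApp pool, as in Steps 3 and 4 (names are assumptions).
$AppGroups = @(
    @{ Pool = 'hostpool1'; Name = 'Desktop Application Group'; Type = 'Desktop'   },
    @{ Pool = 'hostpool2'; Name = 'Remote Application Group';  Type = 'RemoteApp' }
)

function Assert-Guid {
    # Fail early on a mistyped or still-placeholder ID instead of creating
    # a tenant bound to the wrong directory or subscription.
    param([string]$Label, [string]$Value)
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($Value, [ref]$parsed) -or $parsed -eq [guid]::Empty) {
        throw "$Label is not a usable GUID: '$Value'"
    }
}

function Test-RdsObject {
    # True when the query returns something; a lookup error counts as "not found",
    # in which case the New-* call that follows reports the real problem.
    param([scriptblock]$Query)
    try { [bool](& $Query) } catch { $false }
}

Assert-Guid 'AadTenantId'    $AadTenantId
Assert-Guid 'SubscriptionId' $SubscriptionId

Import-Module Microsoft.RDInfra.RDPowerShell
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com' | Out-Null

# Step 1: tenant
if (-not (Test-RdsObject { Get-RdsTenant -Name $TenantName })) {
    New-RdsTenant -Name $TenantName -AadTenantId $AadTenantId -AzureSubscriptionId $SubscriptionId
}

# Step 2: RDS Owner on the tenant (parameter names as shown in the walkthrough).
# RDS Owner is full control of the tenant, so use a dedicated admin account.
New-RdsRoleAssignment -RoleDefinitionName 'RDS Owner' -UserPrincipalName $OwnerUpn `
    -TenantGroupName 'Default Tenant Group' -TenantName $TenantName

# Steps 3 and 4: host pools, then one application group per pool.
foreach ($g in $AppGroups) {
    if (-not (Test-RdsObject { Get-RdsHostPool -TenantName $TenantName -Name $g.Pool })) {
        New-RdsHostPool -TenantName $TenantName -Name $g.Pool
    }
    if (-not (Test-RdsObject { Get-RdsAppGroup -TenantName $TenantName -HostPoolName $g.Pool -Name $g.Name })) {
        New-RdsAppGroup -TenantName $TenantName -HostPoolName $g.Pool -Name $g.Name -ResourceType $g.Type
    }
}

# Review what exists and who holds a role on the tenant.
foreach ($g in $AppGroups) {
    Get-RdsAppGroup -TenantName $TenantName -HostPoolName $g.Pool
}
Get-RdsRoleAssignment -TenantName $TenantName
```

With the all-zero placeholder GUIDs left in place the script stops at Assert-Guid before it contacts Azure.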
The domain controller should also be configured with Azure AD Connect and have at least one user account synced to Azure AD. You should also have a Point-to-Site VPN already set up in Azure.

If you have no idea what any of that means, then... don't panic! That's what the next few sections are about.

However, if you do know what this means, and you know you already have all these prerequisites in place, then perhaps you can skip the next couple of lessons and start creating the WVDs themselves.

So, we'll assume you want to create the necessary DC and put together the other required components next.

» PRO TIP: Reduce Number of GPOs in WVD (https://kb.policypak.com/kb/article/814-policypak-wvd-reducing-number-of-gpos-and-using-gpos-with-brains/)

Part 4: Configuring Your DC and VMs

In this portion of our WVD series, we create a DC in Azure. Yep! You're going to create a real "on-prem" Domain Controller, except it's going to live in Azure and not in your datacenter. So, even if you don't end up using WVD anytime soon, this "How to" article may still be super valuable to you.

For those who still keep their AD infrastructure on-prem, there are some great benefits to putting a DC in the Azure cloud. By replicating AD from your on-prem environment, you add resiliency and flexibility to your architecture.
You can choose to load balance authentication traffic or direct it all to the cloud if your on-prem network is down. Let's begin the process of creating a virtual DC, one that lives in Azure.

Adding, Creating and Configuring Virtual Machines

Step 1: Add Virtual Machines

In the Azure Portal, select "Virtual Machines" from the left side of the screen, then click "Add."

Step 2: Create Virtual Machines

At the "Create a virtual machine" screen, under Subscription and then Resource group, click on "Create new" to create a new resource group. Then, give the resource group a descriptive name. Take note of the name as you use the same resource group for your VMs.

Note: If you already have an existing Resource Group that you wish to use, then use that one instead.

Step 3: Create Virtual Machines

Fill out the "Instance Details" section with the name of your VM. In my example, I've set the region as East US 2; for the image choose either Windows Server 2016 Datacenter or Windows Server 2019 Datacenter, and for the size choose Standard DS1 v2 if not already selected. Before clicking OK, see the notes below.
Notes:
• Though VMs can live in any Azure region, their data is stored in East US 2; see https://www.microsoft.com/en-us/microsoft-365/blog/2019/03/21/windows-virtual-desktop-public-preview/ for more info.
• You don't have to choose East US 2 as your region. The key is to select the region that offers the fastest response time for your area. If this were for a production environment, you would want to conduct some speed tests to the regions to determine which one is best.
• Also, note that if you are adding a DC to an existing environment, Server 2019 no longer supports the File Replication Service (FRS). The action may require you to perform an FRS to DFS migration of your AD. You can read more about that at https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

Step 4: Administrator Account

For the Administrator account, you can put whatever you would like. I used "wvdadmin" since I plan to use this same account later for the VMs' local admin account. Next, choose a password that you can easily remember and that contains at least 12 characters. For "Public inbound ports" choose "None." There's a better way to connect to your VMs in Azure without opening up RDP over the internet that we review later.
Step 5: Save Money

If you already have a Windows license for the OS type you picked above, then you can save money by selecting the "Yes" radio button under the "Save money" option, and checking the "Confirmation" box.

Disk Configuration

Step 1: Disk Options

Under the Disks option, leave the "OS disk type" at "Premium SSD" and choose "Create and attach a new disk" under the "Data disks" option.

Step 2: Disk Types

At the next screen, choose any "Disk type" you like and then click "OK" at the bottom of the screen.
Note: Do not forget that the pricing for your virtual machines is calculated based on the resources that you use. When you are selecting options for storage, processing, and networking components, be aware that the higher the performance or capacity, the more the cost. For this WVD demonstration, I have chosen the least expensive options.

Here is an example of the options available when selecting the disk type and capacity, for instance.

[Screenshot: Select a disk size]

Step 3: Host Caching

At the next screen, make sure that "HOST CACHING" is set to "None" for the data disk.

Network Configuration

Step 1: Public IP

On the next screen, you can select all of the defaults except for "Public IP." Set it to "None" and then take note of the "Virtual network" and "Subnet" being created as you will use this information again for the other VMs you create later. There is no need for a Public IP, as we will be accessing our Azure environment through a VPN.
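
A check for the two settings chosen above ("Public inbound ports: None" and "Public IP: None"), as an added example that is not part of the original article. It evaluates network security group rules in priority order to decide whether RDP (TCP 3389) is reachable from the internet and lists network interfaces that carry a public IP; the sample rule and NIC objects are constructed, and the resource group name in the closing comment is a placeholder.

```powershell
# Added example. Works offline on the constructed objects below; the property names
# mirror what Get-AzNetworkSecurityGroup and Get-AzNetworkInterface return.

function Test-PortInRange {
    # NSG port ranges are '*', a single port ('3389') or a span ('3000-4000').
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ($Range -eq [string]$Port)
}

function Get-InternetRdpVerdict {
    # The lowest priority number wins, so walk inbound rules in that order and stop
    # at the first one that matches "any internet source -> TCP/$Port".
    param([object[]]$Rules, [int]$Port = 3389)
    $anySource = '*', 'Internet', '0.0.0.0/0'
    $inbound = $Rules | Where-Object { $_.Direction -eq 'Inbound' } | Sort-Object Priority
    foreach ($rule in $inbound) {
        $srcHit   = @($rule.SourceAddressPrefix  | Where-Object { $anySource -contains $_ }).Count -gt 0
        $portHit  = @($rule.DestinationPortRange | Where-Object { Test-PortInRange $_ $Port }).Count -gt 0
        $protoHit = $rule.Protocol -in '*', 'Tcp'
        if ($srcHit -and $portHit -and $protoHit) {
            return [pscustomobject]@{
                Exposed   = ($rule.Access -eq 'Allow')
                DecidedBy = $rule.Name
                Priority  = $rule.Priority
            }
        }
    }
    # No custom rule matched: Azure's built-in DenyAllInBound rule applies.
    [pscustomobject]@{ Exposed = $false; DecidedBy = 'DenyAllInBound (default)'; Priority = 65500 }
}

function Get-PublicIpNic {
    # Returns the names of NICs where any IP configuration references a public IP.
    param([object[]]$Nics)
    foreach ($nic in $Nics) {
        $hasPublic = @($nic.IpConfigurations | Where-Object { $null -ne $_.PublicIpAddress }).Count -gt 0
        if ($hasPublic) { $nic.Name }
    }
}

# --- Constructed sample data (not taken from a real subscription) ---
$openRules = @(
    [pscustomobject]@{ Name = 'RDP'; Direction = 'Inbound'; Access = 'Allow'; Protocol = 'Tcp'
                       Priority = 300; SourceAddressPrefix = @('*'); DestinationPortRange = @('3389') }
)
$closedRules = @(
    [pscustomobject]@{ Name = 'DenyInternetMgmt'; Direction = 'Inbound'; Access = 'Deny'; Protocol = '*'
                       Priority = 200; SourceAddressPrefix = @('Internet'); DestinationPortRange = @('3000-4000') }
    [pscustomobject]@{ Name = 'RDP'; Direction = 'Inbound'; Access = 'Allow'; Protocol = 'Tcp'
                       Priority = 300; SourceAddressPrefix = @('*'); DestinationPortRange = @('3389') }
)
$nics = @(
    [pscustomobject]@{ Name = 'dc1-nic'; IpConfigurations = @(
        [pscustomobject]@{ PrivateIpAddress = '10.0.0.4'; PublicIpAddress = $null }) }
    [pscustomobject]@{ Name = 'test-nic'; IpConfigurations = @(
        [pscustomobject]@{ PrivateIpAddress = '10.0.0.5'; PublicIpAddress = [pscustomobject]@{ Id = 'constructed-id' } }) }
)

Get-InternetRdpVerdict -Rules $openRules     # Exposed: True, decided by 'RDP'
Get-InternetRdpVerdict -Rules $closedRules   # Exposed: False, decided by 'DenyInternetMgmt'
Get-InternetRdpVerdict -Rules @()            # Exposed: False, default deny
Get-PublicIpNic -Nics $nics                  # test-nic

# Against a live subscription (Az module, placeholder resource group name):
#   Get-InternetRdpVerdict -Rules (Get-AzNetworkSecurityGroup -ResourceGroupName 'MyResourceGroup').SecurityRules
#   Get-PublicIpNic -Nics (Get-AzNetworkInterface -ResourceGroupName 'MyResourceGroup')
```

The verdict only covers rules whose source is any address or the Internet tag; an allow rule scoped to a specific address range is not reported and should be reviewed separately.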
Step 2: Select Timezone

Under the "Management" tab, select the correct Time Zone for your VM and set the default "Shutdown time" and notification if desired. You can also disable the auto-shutdown if you do not wish to use it at this time. Also, take note of the "Diagnostics storage account" being created. Then click "Next: Advanced" at the bottom of the screen.

Note: Because this is a demo environment, choosing a Shutdown time helps economize the solution because resource costs do not accumulate when the machine is dormant.

Step 3: Review and Create

Skip the "Advanced" and "Tags" screens unless you wish to use them, then go straight to the "Review + create" tab. Verify everything is correct and look for the "Validation passed" at the top of the screen. If there is a green checkmark, then you are good to go. Click "Create," then wait for the deployment to finish.

Step 4: Go to VM

Once the deployment is successful, click on the "Go to resource" button to go to your newly created VM.

Now select "Networking" and click on the name of the "Network Interface."

Step 5: Networking

[Screenshot: DC1-2019 - Networking]

Step 6: IP Configurations

Then select "IP configurations" and click on the name of the "IP Configuration" shown on the right of the screen.
Step 7: Change Dynamic to Static

Change the "Assignment" from "Dynamic" to "Static" under the "Private IP address settings" and click Save. Note that static addressing in Azure does not imply a person manually assigning an address. It merely reserves the first address assigned by the DHCP, so do not change the IP address to another value.

Step 8: Virtual Network/Subnet

Once the changes save, click on the "Virtual network/subnet" in blue text.

Step 9: DNS Server

Of course, we are going to need a DNS server reference for our environment. Select "DNS servers" and choose the "Custom" radio button. Then, add the static IP for the VM you just created (in my case, that would be 10.0.0.4). Next, add a second DNS server entry for any public DNS server on the internet. I chose 8.8.8.8 for one of Google's public DNS servers. This allows the VM to have internet access while installing updates and promoting it to a domain controller. Also, it sets the DNS server in advance for any VM you create later. When done, click "Save" to save your changes.

Step 12: Edit Settings

Edit the settings so they look like below, and then click "OK."

[Screenshot: Add subnet]

Note: If you cannot add the address range, try refreshing the page in the browser, then try again.
More info:
• Virtual network address space: 10.0.0.0/16 (10.0.0.0 - 10.0.255.255)
• Default subnet: 10.0.0.0/24 (10.0.0.0 - 10.0.0.255)
• Gateway subnet: 10.0.1.0/24 (10.0.1.0 - 10.0.1.255)

We have now completed the creation of our first Azure server, which becomes our Domain Controller. But, we cannot access it securely. We could get to it insecurely, but that's not a great idea, as 1) being public-facing and 2) insecure (even for a moment) isn't such a hot idea. So, hang tight. We'll get to connecting to and manipulating the VM, which will be your DC... after we've secured our connection, which is coming up.

Of course, it is not a DC yet. We have yet to install the domain server roles and promote the server to a DC. However, all in good time.

Before we create an AD database, we need to secure our environment to keep out the bad guys. That means we need to create a Point-to-Site VPN, which is what we will do later in this guide.

» Simplify Browser Management in WVD: Learn More (https://kb.policypak.com/kb/article/815-policypak-wvd-browser-router-the-right-browser-for-the-right-browser/)

Part 5: Setting Up Your VPN

Whether you are accessing your WVD machine from your on-prem network, or your laptop at a remote site on the road, you want secure, encrypted connections. Security is especially important if you are replicating AD traffic between your on-prem DCs and the one you just created in Azure. In this installment of our series on WVD, we create and configure the VPN connection to secure our network.

VPN Configuration

Step 1: Point to Site VPN

First, we need to set up a Point-to-Site VPN connection so we can manage the VM(s) without having to enable RDP over the public internet. To do this, first use the "Search" in the Azure portal to search for "virtual network gateway," then click on "Virtual network gateways" found in the results.
Next, click on "Add" or "Create a virtual network gateway" to continue.

Step 2: Create Virtual Network Gateway

At the "Create virtual network gateway" screen, fill out the values for your environment using the below as a guide, then click on "Review + create."

[Screenshot: Create virtual network gateway form]

Step 3: Confirm Validation

Again, if you see the green checkmark with the message "Validation passed" at the top left of the screen, then you are good to go. Next, click on "Create" at the bottom of the screen.

Note: This deployment takes longer to complete than any of the previous steps. Plan on at least 30 minutes for it to finish. It would be a good time now to step away and take a break.

Resources, Certificates, and Other Configurations

Step 4: Add Resources

Once the deployment is successful, click on the "Go to resource" button if available. If not, then select "All resources" from the left column in the portal and then click on the network gateway name you created in the previous step. If you have many resources, it may help to use the filter.
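The point-to-site address pool chosen in the next steps must be a private range that does not overlap the virtual network ranges listed earlier (10.0.0.0/16, 10.0.0.0/24, 10.0.1.0/24). The check below is an added example, not part of the original walkthrough; the function names are illustrative and every candidate pool other than 172.16.0.0/24 is constructed.

```powershell
# Added example, not part of the original walkthrough. IPv4 only.
# Checks candidate point-to-site (P2S) client address pools against the
# virtual network ranges used in this guide.

$Rfc1918 = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $Address"
    }
    $b = $ip.GetAddressBytes()   # network byte order, most significant byte first
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Get-CidrRange {
    param([Parameter(Mandatory)][string]$Cidr)
    $parts = $Cidr.Trim() -split '/'
    if ($parts.Count -ne 2) { throw "Expected address/prefix, got '$Cidr'" }
    $prefix = [int]$parts[1]
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Prefix length out of range in '$Cidr'" }
    $size  = [long][math]::Pow(2, 32 - $prefix)
    $value = ConvertTo-IPv4Number $parts[0]
    $first = $value - ($value % $size)          # snap to the network boundary
    [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = $first + $size - 1 }
}

function Test-CidrOverlap {
    param([string]$A, [string]$B)
    $ra = Get-CidrRange $A
    $rb = Get-CidrRange $B
    # Two ranges overlap when each one starts before the other one ends.
    return ($ra.First -le $rb.Last) -and ($rb.First -le $ra.Last)
}

function Test-P2SAddressPool {
    param(
        [Parameter(Mandatory)][string]$Pool,
        [Parameter(Mandatory)][string[]]$VNetRange
    )
    $candidate = Get-CidrRange $Pool

    # The pool must sit entirely inside one of the private (RFC 1918) blocks.
    $private = $false
    foreach ($block in $Rfc1918) {
        $r = Get-CidrRange $block
        if ($candidate.First -ge $r.First -and $candidate.Last -le $r.Last) { $private = $true }
    }

    # The pool must not touch any range already used by the virtual network.
    $clashes = @($VNetRange | Where-Object { Test-CidrOverlap $Pool $_ })

    [pscustomobject]@{
        Pool         = $Pool
        IsPrivate    = $private
        OverlapsWith = $clashes -join ', '
        Usable       = $private -and ($clashes.Count -eq 0)
    }
}

# Ranges from this guide: address space, default subnet, gateway subnet.
$vnetRanges = '10.0.0.0/16', '10.0.0.0/24', '10.0.1.0/24'

# 172.16.0.0/24 is the guide's choice; the other three are constructed failure cases:
# a subnet inside the virtual network, a supernet that swallows it, and a
# mistyped range that is not private address space at all.
$candidates = '172.16.0.0/24', '10.0.5.0/24', '10.0.0.0/8', '172.160.0.0/24'

$candidates |
    ForEach-Object { Test-P2SAddressPool -Pool $_ -VNetRange $vnetRanges } |
    Format-Table -AutoSize
```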
Step 5: Point-to-site Configurations

At the next screen, click on "Point-to-site configuration" under "Settings," then click the "Configure now" link on the right-hand side of the screen.

Step 6: Address Pool

For the "Address Pool," enter any private internet range (i.e., 172.16.0.0/24) that is not present in your Azure Virtual Network range. If you followed my steps correctly, then do not use anything within 10.0.0.0/16 (10.0.0.0 - 10.0.255.255). Then click "Save." Regardless of which network address you use, remember to go back to your Virtual Network and add it in as an additional address space. You may want to draw out your IP configuration on paper to get a mental picture of how it is all connected.

Step 7: Create Root and Client Certificates

OK, now it's time to use PowerShell again, which shouldn't be any big deal now. You need to create the Root and Client certificates for the Point-to-site configuration, as they get used for the encryption. From an elevated PowerShell (or PowerShell ISE) session, run the two scripts below. This procedure creates the root and client certificates needed for the P2S connection under "Current User > Personal > Certificates."

Here is the one for the root cert:

    # Self-signed root certificate; $cert is reused below as the signer of the client certificate
    $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

Here is the one for the client cert:

    # Client certificate signed by the root above
    # 2.5.29.37 = Enhanced Key Usage, 1.3.6.1.5.5.7.3.2 = Client Authentication
    New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
        -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Notes:
• Find more info and the original PowerShell scripts at https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
• If you have an existing firewall protecting the perimeter of your on-prem environment, you can create a site-to-site VPN connection using the interface of your firewall appliance. In this demo, we are merely using a point-to-site connection.

Step 8: Create Root and Client Certificates

In the same PowerShell session above, run "certmgr" to open Certificate Manager in the current user scope. Expand "Current User > Personal > Certificates."

Step 9: P2SRootCert

Right-click on the P2SRootCert and choose "All Tasks" > "Export," and click "Next" to continue. Now click "Next" again (to stick with the default of not exporting the Private Key), select the "Base-64 encoded X.509 (.CER)" radio button, and click "Next" once more.

Step 10: Save Certificate

Click "Browse..." and choose a location to save the file. Remember to give the file a descriptive name with ".CER" as the extension, then click "Next," then "Finish" to export the certificate.

Step 11: Copy Certificate Text

Browse to the certificate and then open the certificate using Notepad (right-click > Open With > Notepad). Highlight the text between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----," then copy that text to the clipboard (CTRL+C).

Step 12: Add Name

Back in the Azure Portal, under "Point-to-site configuration" > "Root certificates," add a descriptive name under the "NAME" field. Then, paste (CTRL+V) the text you copied from Notepad into the "PUBLIC CERTIFICATE DATA" field on the right. Finally, click anywhere off the field so that the "Save" option becomes available. Last but not least, click "Save."

Installing and Connecting Your VPN

Step 1: Download VPN Client

After the changes get saved, the option to "Download VPN Client" becomes available. Download the VPN client package and take note of where the zip gets saved, as you need to extract and run the relevant VPN executable for your client OS later.

Step 2: Export Point-to-site Client Certificate

Next, we need to export the Point-to-Site Client certificate. We do this in case we need to install the certificate on another machine. Using the computer from which you exported the Point-to-Site Root certificate, reopen "Certificate Manager" by running "certmgr" in your PowerShell session. Then, expand "Current User > Personal > Certificates." Now right-click on "P2SChildCert" and choose "All Tasks" > "Export," then click "Next" to continue. This time make sure the option "Yes, export the private key" is selected, then click "Next."

Step 3: Export Point-to-Site Client Certificate

The default format should already be "PFX." If your screen matches the one below, then click "Next."

[Screenshot: Export File Format screen with "Personal Information Exchange - PKCS #12 (.PFX)" selected]

Step 4: Password

At the "Security" screen, place a checkmark in the "Password" box and type in a password to secure the private key. Change the encryption level if desired before clicking "Next." Take special note of this password, as you need it every time you need to install this client certificate for a new user.

Step 5: Finish Certificate Export

At the "File to Export" screen, click "Browse..." and choose a location to save the file. Remember to give the file a name with ".PFX" as the extension and click "Next," and then "Finish" to export the certificate.

Step 6: P2SRootCert (Optional)

Optional: It's an excellent time to repeat the process above for the "P2SRootCert" so that you also have a PFX version of the certificate that includes the private key.

Step 7: Install VPN Client

Now, on your Windows client machine where you have been performing all the steps above, extract the VPN Client Zip you downloaded earlier. Then, install the VPN Client version that matches your client OS (remember to run the install as Administrator).
Since you have already installed the P2S Client certificate, you don't have to install the client certificate this time around. However, if you don't have the P2S Client certificate installed, you need to double-click the Client certificate (while logged in as the user who needs to use the VPN) and enter the password for the P2S Client Certificate private key. At this point, you can install the VPN.

Step 8: Connect to VPN

• Connect to the VPN from your client PC by clicking the network icon on the bottom right of your taskbar and selecting the VPN.
• At the VPN Settings screen, again click the name of the VPN connection and then click "Connect."
• Now click "Connect" at the screen below, then click "Continue" on the message that pops up asking for permission to update your routing table.
• As your final task in this exercise, click "Yes" on any UAC prompts presented.

You're Now Connected to Azure!

Congratulations, you just connected to Azure via the Point-to-Site VPN. If you are like most networking professionals, your first instinct will be to ping the VM you created in the previous installment to test the connection. Don't freak out if you can't ping it. You probably won't be able to due to the default local firewall settings. You will, however, be able to remote desktop to it. Launch MSTSC from the run command on your client machine and then enter the IP address of the VM you wish to connect to (i.e., 10.0.0.4). Then log in with the local admin credentials you assigned earlier. If you cannot remember the password, do not panic.
You can reset the password under the properties of the Virtual Machine in the Azure portal, under the "Support + Troubleshooting" section, then the "Reset password" option.

You have now created a secure connection between you and your Azure environment. You are now fully engaged in cloud computing, Azure style. Now that we can access the server we created, it is time to configure it as we need it, which is what we do in the next part.

» PRO TIP: Elevate Installation of Remote Desktop Apps in WVD (https://kb.policypak.com/kb/article/810-policypak-wvd-elevate-the-installation-of-the-remote-deskop-app/)

Part 6: Completing Your Configuration

Configuring and Connecting Your Domain Controller

Now that you have your virtual server in a secure environment, we can make it a Domain Controller and then connect it to Azure.

We are almost in the home stretch here, as this is the next-to-last installment in the series. One more to go after this one! As with most things in life, there's more to implementing a WVD environment than you initially thought, probably. We are almost there, so keep plugging.

Step 1: Connect to Domain Controller

First, let's get connected to the Domain Controller you created. If you remember, you set up the Point-to-Site VPN that allows you to access your Azure machines remotely. Before you can remote desktop to your DC in Azure, you need to launch the Azure VPN Client and wait for it to connect successfully. Once the VPN is connected, you can use Remote Desktop to connect to your DC in Azure via its IP Address (10.0.0.4 in our example).

Step 2: Perform Customizations

Perform any additional customizations to the OS (i.e., install updates, set correct Time Zone, launch Computer Management > Storage > Disk Management and add the available disk as "E:").

Step 3: Connect to Domain Controller

Reminder: Drive E: was the data disk we created to store the Logs, Database, and Sysvol for Active Directory; this is the first time logging into the server, so we need to set up drive E: using Disk Manager in Step 2 above.

TIP: Azure implements write caching on the OS disk of virtual machines. This procedure can cause issues for databases such as Active Directory, and lead to data corruption. To avoid this, use a data disk with write caching disabled on the VM and use this drive to store the AD DS database, Logs, and SYSVOL folders.

Then take the time to double-check to make sure that the computer name is correct and tweak any other settings you may want. Then install the "Active Directory Domain Services role" and reboot.

Step 4: Check VM Status

After rebooting, check the status of the VM in the Azure portal to know when it is available, as that is the only real way since it is in the cloud. Verify that the data disk shows up as drive E:, then launch Server Manager to finish the process of promoting the VM to a domain controller with one crucial caveat: make sure you use the E: drive for the following options.
[Screenshot: Paths screen of the Active Directory Domain Services Configuration Wizard (database, log files and SYSVOL folders)]

More info

Azure implements write caching on the OS disk of virtual machines. This procedure can cause issues for databases such as Active Directory, and lead to data corruption. To avoid this, use a data disk with write caching disabled on the VM and use this drive to store the AD DS database, Logs, and SYSVOL folders.

Syncing Azure AD

Step 1: Download and Sync AD Connector

Once the VM has been promoted successfully to a domain controller, it's time to download the AD Connector and set up synchronization from your newly created traditional AD domain controller to Azure AD.

This operation is a little weird because you usually would use the AD connector to sync your real on-prem AD to Azure AD. And in this case, in this demonstration, we have a traditional DC which isn't on-prem, it's in Azure. So... yeah. You're syncing "Traditional AD to Azure AD" even though the traditional AD is already in Azure. Mindbender.

Again, if you already have an on-prem AD that you want to sync to Azure AD, you can do it, but don't email us if something goes wrong.

You can find the download for the AD Connector at either of the links below:
• Within your Azure Portal here: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect
• Download directly at Microsoft from here: https://www.microsoft.com/en-us/download/confirmation.aspx?id=47594

Step 2: Set Up New OU

Before installing the AD connector on your DC, I recommend that you first set up a new OU with some user accounts that you would like to sync to Azure AD.
These are the accounts assigned Windows Virtual Desktop resources later. For demonstration purposes, I have created an OU called "WVD" and a sub-OU called "WVD Users" and added a few users under this OU.

Note: The email addresses of the users above match the UPN of my Azure AD Domain.

Step 3: Install AD Connector

When ready, install the AD connector.

• Accept the license agreement, then click "Continue."
• At the "Express Settings" screen, choose "Customize."
• At the "Install required components" screen, click "Install."
• At the "User sign-in" screen, click "Next."
• At the "Connect to Azure AD" screen, enter your Global Administrator credentials for Azure and then click "Next."
• At the "Connect your directories" screen, click the "Add Directory" button.
• At the "AD forest account" screen, select "Use an existing account," provide Enterprise Admin credentials for your AD domain, then click "OK" and then "Next."
• At the "Azure AD sign-in configuration" screen, use the drop-down and select "mail" for the attribute to use, then check "Continue without matching all UPN suffixes to verified domains," then click "Next."
• At the "Uniquely identifying your users" screen, if you only have one AD directory to be synced to Azure AD, then stick with the defaults and click "Next." Otherwise, choose the second radio button, "User identities exist across multiple directories. Match using: Mail attribute," then click "Next."
• At the "Filter users and devices" screen, click "Next."
• At the "Optional features" screen, click "Next."
• At the "Ready to configure" screen, click "Install."
• At the "Configuration complete" screen, click "Exit." You are now done with the AD Connector setup.
• Wait a few minutes, then check in Azure AD to ensure your users synced from the AD domain.

Add VMs and Deploy to Azure

Step 1: Add WVD VMs

So now, it's finally time to add the Windows Virtual Desktop VMs. There are at least three different ways to do this:
• Choose the "Create a Windows Virtual Desktop - Provision a host pool" option from the Azure Marketplace
• Use PowerShell
• Use the Azure Resource Manager template for provisioning a new host pool

In my opinion, the third option is the best, so I'll focus on and explain how to deploy WVD VMs using the Azure Resource Manager template.

Step 2: Deploy to Azure

First, visit this link: https://github.com/Azure/RDS-Templates/tree/master/wvd-templates/Create%20and%20provision%20WVD%20host%20pool, then scroll to the bottom of the page and click the "Deploy to Azure" button at the bottom left-hand corner of the page.

Step 3: Deploy to Azure

Clicking the "Deploy to Azure" button takes you to here: https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FRDS-Templates%2Fmaster%2Fwvd-templates%2FCreate%20and%20provision%20WVD%20host%20pool%2FmainTemplate.json

More info: https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-azure-marketplace

Step 4: Select Resource Group

At the "Custom Deployment" screen, under the "Basics" section, for "Resource group," select the resource group you created under step #23 above, or

Step 5: Miscellaneous Configurations

At the "Custom Deployment" screen, under the "Settings" section, fill out the following items below:
• Rdsh Name Prefix (Base name of VMs you wish to use; since these VMs are to be Windows 10 full desktops, I used "wvd-w10")
• Rdsh Number Of Instances (How many VMs you wish to have created; -0, -1, -2, -3 and so on will be added to the name)
• Rdsh VM Size (Recommend going with something not too pricey - Standard_DS1_v2, etc.)
• Domain To Join (FQDN of the domain that VMs are to be joined to)
• Existing Domain UPN (Username in the domain that can join machines to the domain, in UPN format)
• Existing Domain Password (Password for the username above; should be at least 12 characters long)
• OU Path (Optional; specify the OU where you want the newly created VMs to live)
• Existing Vnet Name (The name of the virtual network you created earlier for the VMs)
• Existing Subnet Name (The name of the subnet the VMs will be placed in)
• Virtual Network Resource Group Name (The name of the resource group containing the virtual network)
• Existing Tenant Name (The name you gave your WVD tenant)
• Host pool name (The host pool that you want your VMs to be assigned to; since these are full desktops, we use WVD-Host-Pool01)
• Default Desktop Users (Any user(s) that you wish to be able to access desktops in this host pool; UPN should match Azure domain UPN suffix)
• Tenant Admin UPN or Application ID (This needs to be an account in UPN format that has RDS Owner role assigned)
• Tenant Admin Password (Password for the Tenant Admin account; should be at least 12 characters long)

Step 6: Agree to Terms and Conditions

When ready, check the box next to "I agree to the terms and conditions above," then click "Purchase."

Step 7: Repeat Steps 9-13

Wait for the deployment to finish; it takes a while. After the deployment is successful, repeat steps #9-13 above, but this time use "wvd-apps" for "Rdsh Name Prefix" and "WVD-Host-Pool02" for the "Host pool name." This 2nd run creates the two additional VMs used for deploying apps. Once this 2nd deployment is complete, you should have 5 VMs total if you have been following along precisely with my steps: one Windows Server 2016 or 2019 domain controller and 4 Windows 10 session hosts.

[Screenshot: VM list, with wvd-apps-0 and wvd-apps-1 marked "APPLICATIONS ONLY: Host Pool 2" and wvd-w10-0 and wvd-w10-1 marked "FULL DESKTOPS ONLY: Host Pool 1"]

Step 8: Connect the Point-to-Site VPN

At this point you should connect the Point-to-Site VPN for your Azure environment. Use Remote Desktop (MSTSC.EXE) from your machine to connect to each VM by its "Private IP Address" to fine-tune any settings. You can install any applications you like, which you want in the VMs. We recommend installing the PolicyPak Admin Console MSI on the Domain Controller and installing the PolicyPak Client Side Extension (CSE) MSI on each of the four client VMs.
If you're an existing PolicyPak customer, you will find the PolicyPak download at https://portal.policypak.com/downloads. You can hand-install or use MS SCCM, PDQ Deploy, or any software distribution method to get the applications installed on your Azure VMs.

You are almost there! Just one more installment of this series to go. Don't stop now. Roll up your sleeves, and let's finish this implementation out now.

Verify VMs and Assign Users

Completing the WVD Configuration Setup

Pre-congratulations, you are almost at the finish line! Just 14 more steps to push through. There is just one thing. We have to go back to PowerShell to finish this out. But no worries, take your time, and we'll have your brand new WVD up and ready for production.

Step 1: Login to Azure

Our next step is to start up another elevated PowerShell (or PowerShell ISE) session. Run the command below to log in to Azure with your Tenant Creator account.
Be sure to log in using UPN format like user@domain.com.

Note: Once you log in, you can run "Get-RdsTenant" to make sure you are connected successfully and to the right tenant.

Step 2: Verify Each VM

Now we are going to verify that each of the virtual machines we deployed above got added to the correct host pools. wvd-w10-0 and wvd-w10-1 should be in WVD-Host-Pool01, and wvd-apps-0 and wvd-apps-1 should be in WVD-Host-Pool02. To verify this, we need to run the commands below in our elevated PowerShell session. For example:

    Get-RdsSessionHost CompanyWVDtenant WVD-Host-Pool01
    Get-RdsSessionHost CompanyWVDtenant WVD-Host-Pool02

The result for each command should look similar to below. When you see the correct host pool name, along with "Status: Available" and "UpdateState: Succeeded," then you know the VM (Session Host) is linked to the correct host pool, and everything should work going forward. If everything is correct, feel free to skip the text below and move on to the next step.

If, for some reason, a VM (Session Host) is missing entirely from any host pool, then you can use the following process below to get the machine added to the correct host pool. For instance, let's say that wvd-apps-0 is missing from WVD-Host-Pool02. In that case, we first need to create a registration token to use for adding wvd-apps-0 to WVD-Host-Pool02. To generate the token, run the command below in your elevated PowerShell session.

    New-RdsRegistrationInfo -TenantName CompanyWVDtenant -HostPoolName WVD-Host-Pool02 | Select-Object -ExpandProperty Token

The result should look similar to below.

Note: All of the text within the red box is the token; you need to copy that text and save it somewhere safely (i.e., use Notepad) so we can use it later to link the VM (wvd-apps-0) to WVD-Host-Pool02. By default, the token is good for 72 hours.
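The host pool check and the token hand-off described above can be scripted. This is an added example, not part of the original walkthrough: the function names, the corp.example.com domain and the sample rows are constructed so the block runs without a tenant connection, and the property names (SessionHostName, HostPoolName, Status, UpdateState) are assumed to match what Get-RdsSessionHost returns.

```powershell
# Added example, not part of the original walkthrough.
# Expected placement, using the VM and host pool names from this guide.
$ExpectedPlacement = @{
    'wvd-w10-0'  = 'WVD-Host-Pool01'
    'wvd-w10-1'  = 'WVD-Host-Pool01'
    'wvd-apps-0' = 'WVD-Host-Pool02'
    'wvd-apps-1' = 'WVD-Host-Pool02'
}

function Test-SessionHostPlacement {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$SessionHost,
        [Parameter(Mandatory)][hashtable]$Expected
    )
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $pool = $Expected[$name]
        # SessionHostName is usually the VM's FQDN, so compare the first label only.
        $rows   = @($SessionHost | Where-Object { ($_.SessionHostName -split '\.')[0] -eq $name })
        $inPool = @($rows | Where-Object { $_.HostPoolName -eq $pool })

        if ($rows.Count -eq 0) {
            $finding = 'Missing from every host pool: register it with a new token'
        } elseif ($inPool.Count -eq 0) {
            $finding = "Registered in $($rows[0].HostPoolName), expected $pool"
        } elseif ($inPool[0].Status -ne 'Available') {
            $finding = "Status is $($inPool[0].Status)"
        } elseif ($inPool[0].UpdateState -ne 'Succeeded') {
            $finding = "UpdateState is $($inPool[0].UpdateState)"
        } else {
            $finding = 'OK'
        }
        [pscustomobject]@{ SessionHost = $name; ExpectedPool = $pool; Finding = $finding }
    }
}

function ConvertTo-SingleLineToken {
    # Removes every space, tab and line break that a wrapped window adds to a copied token.
    param([Parameter(Mandatory)][string]$Text)
    $token = $Text -replace '\s', ''
    if ($token.Length -eq 0) { throw 'No token text left after removing whitespace' }
    return $token
}

# Constructed sample rows standing in for the output of
#   Get-RdsSessionHost CompanyWVDtenant WVD-Host-Pool01
#   Get-RdsSessionHost CompanyWVDtenant WVD-Host-Pool02
# wvd-apps-0 is absent, as in the scenario above; the other faults are made up.
$sample = @(
    [pscustomobject]@{ SessionHostName = 'wvd-w10-0.corp.example.com';  HostPoolName = 'WVD-Host-Pool01'; Status = 'Available';   UpdateState = 'Succeeded' }
    [pscustomobject]@{ SessionHostName = 'wvd-w10-1.corp.example.com';  HostPoolName = 'WVD-Host-Pool01'; Status = 'Unavailable'; UpdateState = 'Succeeded' }
    [pscustomobject]@{ SessionHostName = 'wvd-apps-1.corp.example.com'; HostPoolName = 'WVD-Host-Pool01'; Status = 'Available';   UpdateState = 'Succeeded' }
)
Test-SessionHostPlacement -SessionHost $sample -Expected $ExpectedPlacement | Format-Table -AutoSize

# Constructed stand-in for token text copied out of a wrapped window.
$pasted = "EXAMPLE-TOKEN-PART-1   `r`n   EXAMPLE-TOKEN-PART-2 `r`n PART-3"
ConvertTo-SingleLineToken $pasted

# Live use, in the elevated session that is signed in to the tenant:
#   $hosts = 'WVD-Host-Pool01', 'WVD-Host-Pool02' |
#       ForEach-Object { Get-RdsSessionHost CompanyWVDtenant $_ }
#   Test-SessionHostPlacement -SessionHost $hosts -Expected $ExpectedPlacement
```

The registration token authorises a machine to join the host pool, so keep any saved copy only for as long as it is needed.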
Note: All the spaces need to be removed from the token text for it to work. If you copy the token text to Notepad and enable word wrap, you see that there are a lot of empty spaces between the lines of text. Note that this CANNOT work.

Tip: If you turn off word wrap, all the text should be on one line with no empty spaces.

Now that you have your token, you should use a remote desktop to connect to the VM (wvd-apps-0) that you want to add to WVD-Host-Pool02. Once you log into the VM as an administrator, visit the two links below. Then, download each of the files to the VM's desktop. You can also create a text file on the desktop if you wish to store the registration token until you are ready to use it.

Download these two files below:
• Windows Virtual Desktop Agent - https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWrmXv
• Windows Virtual Desktop Agent Bootloader - https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWrxrH

More info: https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-powershell#register-the-virtual-machines-to-the-windows-virtual-desktop-preview-host-pool

Install the agent. When you get to the screen below, replace the "INVALID_TOKEN" text with the text from your registration token.

[Screenshot: "Please enter configuration values for the Remote Desktop Services Infrastructure Agent" screen with the Registration Token field]

Tip: Look at the last 5 characters of the string; do they match the last 5 characters in Notepad?

If the registration token string looks correct, then go ahead and finish the install, taking all the defaults. Then install the boot loader as well, also taking all the defaults. Lastly, reboot the VM.

Wait a few minutes before checking the status of the VM (session host) by running the command below in your elevated PowerShell session.

    Get-RdsSessionHost CompanyWVDtenant WVD-Host-Pool02

If all went well, then the result should be similar to below; the VM is now available in the correct host pool.
If needed, repeat the steps above to add any other missing VMs (session hosts) to WVD-Host-Pool02 before moving on to the next step.

Step 3: Assign Users

Earlier, we created the Desktop and Remote Application group host pools, "WVD-Host-Pool01" for desktops and "WVD-Host-Pool02" for remote applications. Now we are going to assign a user to be able to access the resources in each pool. See below for examples, and remember to change "CompanyWVDtenant" to the correct tenant name for your organization (whatever you specified in #17 above), and change "username@YourCompany.COM" to the correct user name UPN for the user as they show in your Azure portal.

    Add-RdsAppGroupUser -TenantName CompanyWVDtenant -HostPoolName WVD-Host-Pool01 -AppGroupName "Desktop Application Group" -UserPrincipalName username@YourCompany.COM
    Add-RdsAppGroupUser -TenantName CompanyWVDtenant -HostPoolName WVD-Host-Pool02 -AppGroupName "Remote Application Group" -UserPrincipalName username@YourCompany.COM

Step 4: Subscribe User Account

The next step is to visit https://rdweb.wvd.microsoft.com/webclient/index.html (or use the Remote Desktop Client, http://aka.ms/wvd/clients/windows) from your client machine, then subscribe the user account you assigned resources to in the previous step.

Step 5: Select Options

During the subscription process, you can select whichever options you like on the page below. I chose to uncheck the "Allow my organization to manage my device" and then click "This app only."

[Screenshot: "Use this account everywhere on your device" prompt]
Though our account gets assigned to both the "Desktop Application Group" and the "Remote Application Group," you only see one icon labeled "Session Desktop." This is because we have not published any remote applications, so there's nothing to see on the "Remote Application Group" side.

Publishing Apps

Step 1: Remote Application Group

Before we can publish any apps, we first need to see which apps are available and common to all machines in the "Remote Application Group." To do this, run the following command in an elevated PowerShell (or PowerShell ISE) session.

    Get-RdsStartMenuApp CompanyWVDtenant WVD-Host-Pool02 "Remote Application Group"

If all goes well, then you receive a list of applications that can be published, similar to below.
[Screenshot: command output listing the FilePath, IconPath and AppAlias of each available application, including Firefox and googlechrome]

Step 7: Run Commands

As an example, to publish the apps above (Chrome and Firefox), you would run the following commands in your elevated PowerShell session after changing "CompanyWVDtenant" to the correct tenant name for your organization.

    # The Firefox command is cut off in the source; the alias below is a placeholder
    New-RdsRemoteApp CompanyWVDtenant WVD-Host-Pool02 "Remote Application Group" -Name "Firefox" -AppAlias <Firefox AppAlias from the list above>
    New-RdsRemoteApp CompanyWVDtenant WVD-Host-Pool02 "Remote Application Group" -Name "Chrome" -AppAlias googlechrome

Rinse and repeat for any additional applications you wish to publish, using the above as a guide.

Step 2: Update Remote Desktop Session

After running the commands above, you can return to the Remote Desktop session window and wait for it to update. You can also manually update the feed by clicking the second ellipsis in the top right-hand corner of the window and then clicking on "Details." For your last step, click on "Update Now."

Note: If you are using the Remote Desktop Web client site instead, then you can refresh the page to see the new icons. You should now see new icons present for any apps you published.

QUICK TIP: Some Application Icons May Not Show Up Correctly!

Occasionally, some application icons may not show up correctly. You can work around the issue by pointing the icon at any image file present on all VMs in the particular host pool you are publishing applications to, as shown in the example using Chrome.

Note: In my example below, the icon path I used changes as Chrome updates, so probably not the best choice for this icon.

First, you need to unpublish the application with the missing icon.
    Remove-RdsRemoteApp CompanyWVDtenant WVD-Host-Pool02 "Remote Application Group" -Name "Chrome"

Second, you need to republish the application using custom icon settings.

    # The icon path value is cut off in the source; the path below is a placeholder
    New-RdsRemoteApp CompanyWVDtenant WVD-Host-Pool02 "Remote Application Group" -Name "Chrome" -AppAlias googlechrome -IconPath "<path to an image file present on all VMs>"

Step 3: Pull up Windows 10 Desktop

If you double-click on the "Session Desktop" icon, you get a full Windows 10 desktop, which is either wvd10-0 or wvd10-1.

Note: If you want to rename "Session Desktop" to something more descriptive, see the example below.

QUICK TIP: Make Sure to Click Only "Session Desktop"

If you double-click on an application (anything other than "Session Desktop"), you get that application only. Note the icon on the taskbar has the remote desktop client icon, letting you know that it is a remote desktop application.

Congrats, We're Done!
And that's it! Well, there was a lot to do to get to this point, but you have done it! The WVD solution that you just implemented provides users with multi-session Windows 10 virtualized experiences. Because it is cloud service driven, it is highly scalable and always up to date. Once you complete the legwork to create the supporting infrastructure for WVD, you can quickly deploy modern and legacy desktop app experiences using the unified Azure management portal.

We hope you have enjoyed the journey. More importantly, we hope you have learned something along the way. If you found this blog series to be valuable, then we encourage you to refer others to this site. Thanks for visiting.

Final Thoughts

If you want to learn more about WVD, here are some quick wins.

First, Microsoft's training on it: https://docs.microsoft.com/en-us/learn/paths/m365-wvd/

Second, here's all the sessions at Ignite 2019: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/A-guide-to-Windows-Virtual-Desktop-at-Microsoft-Ignite-2019/ba-p/976831

Last, here's WVD's documentation, https://docs.microsoft.com/en-us/azure/virtual-desktop/, and a link to the WVD partners, of which PolicyPak is proud to be in the first dozen: https://docs.microsoft.com/en-us/azure/virtual-desktop/partners

Acknowledgements

I'd like to thank David Miler of PolicyPak for documenting and testing the entire process end-to-end. We couldn't have produced such a comprehensive walkthrough without his efforts. I'd also like to thank Bra Rudsal for helping to edit and co-

Jeremy Moskowitz
Founder & CTO, Microsoft MVP in Group Policy, Enterprise Mobility, and MDM

Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers with the same problem: they couldn't manage their applications, browsers and operating systems using the technology they already utilize.
