Scribd Logo
Upload

Welcome to Scribd!

  • Unleash The Power of Intune and Azure Virtual

    Uploaded by

    Ljmich Santos
    28 views38 pages
    intune and azure

    Original Title

    Unleash the power of Intune and Azure Virtual

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    intune and azure

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    28 views38 pages

    Unleash The Power of Intune and Azure Virtual

    Uploaded by

    Ljmich Santos
    intune and azure

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 38

    AZURE VIRTUAL DESKTOP

    UNLEASH THE POWER OF


    INTUNE AND AZURE VIRTUAL
    DESKTOP
    • FOCUS
    • AZURE VIRTUAL DESKTOP & LOG ANALYTICS
    • WVDADMIN & HYDRA FOR AVD

    • BLOG: BLOG.ITPROCLOUD.DE
    • CONTACT

    ABOUT ME • @MARCELMEURER
    • HTTPS://WWW.LINKEDIN.COM/IN/MARCELMEURER/
    • INTUNE AND AZURE VIRTUAL DESKTOP
    • LIMITATIONS
    • USING INTUNE TO PREPARE AN IMAGE
    AGENDA • CAPTURING AND DEPLOYMENT
    • DO IT MORE EASILY

    TAKEAWAYS:

    • WHAT WORKS AND WHAT IS NOT WORKING


    • DEPLOYMENT AND CONFIGURATION OF AVD WITH INTUNE
    • A SIMPLE APPROACH TO PACKAGE APPS

    • SCRIPTS AND WORKAROUNDS


    INTUNE AND AZURE VIRTUAL DESKTOP

    Intune Intune for deploying apps and


    configurations
    Apps Configuration

    👍Normal endpoints
    Intune Device Intune Device Intune Device

    👍Personal hosts
    👎Pooled hosts
    AVD AVD AVD
    Personal Personal Personal

    👎 AVD AVD AVD


    Multi-Session Multi-Session Multi-Session
    INTUNE AND AZURE VIRTUAL DESKTOP

    Intune Pooled hosts


    Apps Configuration

    - Deployment takes long


    Intune Device Intune Device Intune Device
    - Files are in use
    - Unpredictable of Intune actions

    AVD AVD AVD


    Personal Personal Personal

    👎 AVD AVD AVD


    Multi-Session Multi-Session Multi-Session
    INTUNE TIMING

    https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot
    GOLDEN MASTER APPROACH

    BUILD THE GOLDEN MASTER WITH INTUNE – MULTI-USER


    • DEPLOY APPLICATIONS WITH INTUNE
    • DEPLOY CONFIGURATION WITH INTUNE
    • CAPTURE THE GOLDEN MASTER INTO AN IMAGE
    • USE THE IMAGES TO DEPLOY READY-TO-USE SESSION
    HOSTS
    GOLDEN MASTER APPROACH

    Intune

    Configuration Apps

    Master VM Preparation Sysprep + Generalize Image


    Windows 10 / 11 Installation and configuration with Generalize Windows, often more Generate an image
    Intune difficult than expected
    GOLDEN MASTER APPROACH

    Intune

    Configuration Apps

    Master VM Preparation Temporary VM Sysprep + Generalize Image


    Windows 10 / 11 Installation and configuration with Exact copy of the Golden Master Generalize Windows, often more Generate an image
    Intune difficult than expected

    • Makes a copy from the Golden Master • Remove temporary VM


    • Works with the copy (temporary VM) • The Golden Master can be reused
    • Sysprep
    • Generalization & grab the image
    GOLDEN MASTER APPROACH

    WINDOWS 10 / 11 MULTI-SESSION

    Pitfalls • CANNOT DIRECTLY JOIN TO INTUNE


    • STRANGE ERROR MESSAGES

    • YOU NEED AN “INSTALLATION” HOST POOL => YOU CAN USE


    AN INSTALLATION HOST POOL FOR EASY ACCESS => NO!

    • REMOVE ORPHAN DEVICES

    • ONBOARD TO INTUNE WITH EXTENSION:


    “AADLOGINFORWINDOWSWITHINTUNE.”

    • APPLICATIONS MUST BE ASSIGNED TO A GROUP OF HOSTS


    (DEVICES) – NO PER-USER ASSIGNMENTS

    • DO SOME PREPARATIONS BEFORE RUNNING SYSPREP AND


    CAPTURING THE IMAGE

    • NOT EVERY SETTING IN CONFIGURATION POLICIES IS SUPPORTED


    Photo by Marc-Olivier Jodoin on Unsplash
    LET’S GET STARTED
    PREPARE AN INSTALLATION HOST POOL …
    CREATE AN INSTALLATION HOST POOL

    - Multi-User (pooled)

    - AAD authentication
    - targetisaadjoined:i:1
    - enablerdsaadauth:i:1
    - enablecredsspsupport:i:1

    - Configure the role “Virtual Machine


    Administrator Login” for your admin
    account on the resource group for your
    VM
    CREATE AN INSTALLATION HOST POOL

    - Create a desktop application group


    (DAG)

    - Assign your admin to the DAG

    - Link DAG to a workspace

    - Opt.: Configure diagnostic settings of


    the pool and store data to log
    analytics
    CREATE THE GOLDEN MASTER

    - Security type: Standard

    - Identity: On

    - Login with Azure AD

    - Install extension:
    “AADLoginForWindowsWithIntune”
    CREATE THE GOLDEN MASTER

    $extensionName = "AADLoginForWindowsWithIntune"
    $extensionPublisher = "Microsoft.Azure.ActiveDirectory"
    $extensionType = "AADLoginForWindows"
    $extensionVersion = "1.0"
    $extensionSettings = @{mdmId = "0000000a-0000-0000-c000-000000000000"}

    $vm = Get-AzVM -VMName "T-Intune-01" -ResourceGroupName "AVD.TEMPLATES"


    Set-AzVMExtension -VMName $vm.Name -ResourceGroupName $vm.ResourceGroupName -Location $vm.Location -
    TypeHandlerVersion $extensionVersion -Publisher $extensionPublisher -ExtensionType $extensionType -Name
    $extensionName -Settings $extensionSettings
    CREATE THE GOLDEN MASTER
    DEMO TIME ☺
    CREATE THE GOLDEN MASTER

    • Login to VM with RDP


    and local admin

    • Install AVD Agent on VM with registration


    token of the pool
    • https://query.prod.cms.rt.microsoft.com/cms/
    api/am/binary/RWrmXv
    • https://query.prod.cms.rt.microsoft.com/cms/
    api/am/binary/RWrxrH

    • Reboot & Logon with AAD Account via


    Remote Desktop client (AVD)

    • Don’t forget to put the VM in a deployment


    group
    DEMO TIME ☺
    CREATE THE GOLDEN MASTER

    DEBUGGING ON THE VM:

    • EVENT LOG: MICROSOFT-WINDOWS-DEVICEMANAGEMENT-


    ENTERPRISE-DIAGNOSTICS-PROVIDER/ADMIN
    • TASK SCHEDULER: MICROSOFT/WINDOWS/ENTERPRISEMGMT
    (CONTENT IS GONE AFTER SUCCESS)

    • DSREGCMD /STATUS
    CREATE THE GOLDEN MASTER

    Short path with WVDAdmin:

    Creates a new VM and joins


    it to host pool, AAD, and
    Intune

    - AAD-only
    - Join MEM

    One-Shoot-Solution

    Alternatively, deploy a VM (not host)


    directly into Intune (multi-session)
    DEMO TIME ☺
    ADD APPLICATIONS

    • USING PSAPPDEPLOYTOOLKIT
    HTTPS://PSAPPDEPLOYTOOLKIT.COM/

    • PLACE THE FILES

    • MODIFY OR CREATE A DEPLOYMENT SCRIPT

    • CREATE PACKAGE
    INTUNEWINAPPUTIL –C C:\TESTAPP\V1.0 –S C:\TESTAPP\V1.0\SETUP.EXE –O C:\TESTAPPOUTPUT\V1.0 –Q

    • UPLOAD PACKAGE AS “WINDOWS APP (WIN32)” (INTUNEWIN FILE)

    • CONFIGURE APPS IN INTUNE PORTAL AND ASSIGN THEM TO A GROUP OF DEVICES


    ADD APPLICATIONS

    • USING PSAPPDEPLOYTOOLKIT
    W
    HTTPS://PSAPPDEPLOYTOOLKIT.COM/
    (us ith
    Co
    ing
    Ni
    ck
    ola
    • PLACE THE FILES jA
    nd
    nv
    er
    er
    se
    n Int
    • MODIFY OR CREATE A DEPLOYMENT SCRIPT
    un
    e W
    in3 t.p
    2A
    pp
    sp
    ac
    kag
    s1
    • USE CONVERT.PS1 FOR PACKAGING AND UPLOAD e)

    • ASSIGN TO A GROUP OF DEVICES


    DEMO TIME ☺
    WORKING IN INTUNE - CONFIGURATION

    • In Intune
    Devices -> Configuration profiles

    • Create a profile (like a GPO)

    • Configure the settings to your needs


    • Terminal server settings (tz-red, …)

    • Assign the profile to the Golden Master


    group

    • Wait for apply

    • Note: Know built-in (FSLogix)


    WORKING IN INTUNE - CONFIGURATION

    Unfortunately – not
    supported on multi-user
    OS 😥

    So, we have to do some


    settings in another way
    WORKING IN INTUNE - CONFIGURATION

    Run a PowerShell script to


    configure the host
    additionally

    Yes, that works 😉


    WORKING IN INTUNE - CONFIGURATION

    Clean-up before running sysprep


    - Remove AAD extension:
    - HKLM:\SOFTWARE\Microsoft\Windows
    Azure\CurrentVersion\AADLoginForWindowsExtension
    - HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin
    - Certificate: CN=MS-Organization-P2P-Access*
    - Remove Intune configuration:
    - HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension
    - HKLM:\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement
    - HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device

    - And others (removing AVD client, …)


    - Handle policies re-apply
    WORKING IN INTUNE - CONFIGURATION

    Note:

    • FSLogix was an example


    of importing ADMX/ADML files.
    • FSLogix is natively in
    Intune since a few weeks:
    CAPTURING AN IMAGE

    Clean-up before running sysprep


    - Remove AAD extension:
    - HKLM:\SOFTWARE\Microsoft\Windows
    Azure\CurrentVersion\AADLoginForWindowsExtension
    - HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin
    - Certificate: CN=MS-Organization-P2P-Access*
    - Remove Intune configuration:
    - HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension
    - HKLM:\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement
    - HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device

    - And others (removing AVD client, …)


    - Handle policies re-apply
    CAPTURING AN IMAGE

    ITPC-WVD-Image-Processing.ps1
    CAPTURING AN IMAGE

    Using WVDAdmin or Hydra


    - Includes clean-up
    - Doesn’t destroy the maser

    Note: Start the master after imaging in the Azure Portal to recreate the “link” to
    the host pool

    Master VM Preparation Temporary VM Sysprep + Generalize Image


    Windows 10 / 11 Installation and configuration with Exact copy of the Golden Master Generalize Windows, often more Generate an image
    Intune difficult than expected
    DEMO TIME ☺
    ROLLOUT

    Creates a (or more) new


    VM and joins it to host
    pool, AAD, and Intune

    - AAD-only
    - Join MEM (optional)

    One-Shoot-Solution
    DON‘T FORGET

    If you delete a host:


    - Remove device in AAD
    - Remove device in Intune (optional)

    Hydra can remove devices on-delete


    automatically
    • SUMMARY

    - For personal pools with Win10/11 Enterprise: ✅

    - Not everything works in multi-user with Intune

    - Use the extension “AADLoginForWindowsWithIntune”

    - Use PowerShell or tools to capture an image without losing the data (WVDAdmin, Hydra)

    - Not every configuration survives Sysprep (workaround or tools like Hydra)

    - Clean-up:
    - Azure AD Device
    - Intune Device (optional, but looks better)
    THANKS A LOT
    QUESTIONS?

    You might also like