Features of AVD Admin!
Bleeding Edge Features!
- Create and restore snapshots of a VM (right-click the VM in the Azure node)
- Function to shrink the disk of a VM to 64 GByte to roll out cheaper instances and/or use smaller instances with ephemeral disks
- Azure Disk Encryption: option to directly roll out new session hosts with active Azure Disk Encryption (ADE); see “secret features” below
Easy to Install!
Easier to Manage!
Check out some great out-of-the-box features!
- Option to switch on “Power on connect” for pooled (and assigned) host pools (preview feature)
- Script to enable screen capture protection per session host
- Message box before logging users off
- Delete session hosts and their VMs in Azure, including disks and NICs
Service principal (functional account)
To work with the GUI, you need a service principal (functional account) with permission to administrate access to the WVD/AVD and Azure resources. I decided to use a service principal to avoid confusion when my Azure AD user is only a guest account in the WVD/AVD tenant I have to administrate, and to switch easily between different tenants.
To create a service principal, go to your Azure AD -> App registrations -> New registration, type a name for your principal like “svc_WVDAdmin” and press “Register”.
Click on “Certificates & secrets”. Click “New client secret”, select a validity period and enter a description (like “Key01”). Press “Add”.
Copy the generated key immediately; it will never be displayed again. Note the key for later.
To assign users to app groups, the service principal needs two API permissions to read the users and groups from Azure AD. Under “API permissions”, add:
- “Azure Active Directory Graph” -> Application permission -> Directory.Read.All
- “Microsoft Graph” -> Application permission -> Directory.Read.All
These permissions require admin consent, so an administrator of your Azure AD has to grant them.
Go to “Overview”. Note the “Application (client) ID” and the “Directory (tenant) ID” as well.
You now have all data for your service principal:
- Service principal id (application id)
- Service principal key
WVD permissions (Classic / Fall Version)
This chapter is for WVD Classic / Fall. Skip this chapter if you only work with WVD/AVD ARM (Spring).
To use WVDAdmin you need at least an existing WVD/AVD tenant. If you are new to WVD/AVD, follow this article to create a WVD/AVD tenant: https://docs.microsoft.com/en-us/azure/virtual-desktop/virtual-desktop-fall-2019/tenant-setup-azure-active-directory
You have to use PowerShell to give the service principal the appropriate permission on the WVD/AVD tenant:
Import-Module -Name Microsoft.RDInfra.RDPowerShell
# log on with an administrative user account to your
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
# list rds tenants
Get-RdsTenant
# give your service principal the right permission
New-RdsRoleAssignment -TenantName "Builder City" -RoleDefinitionName "RDS Owner" -ApplicationId 89050a12-xxxx-xxxx-xxxx-000000000000
WVD/AVD permissions (ARM / Spring Version)
This chapter is for WVD/AVD ARM / Spring. Skip this chapter if you only work with WVD Classic (Fall).
The service principal needs permission to add and modify WVD/AVD resource objects (host pools, workspaces, app groups). To assign users and groups to app groups, the service principal additionally needs the Owner role on the resource groups you want to use for your WVD/AVD environment. Add the service principal in the next step and use the Owner role there.
Register Resource Provider (ARM / Spring Version)
This chapter is for WVD/AVD ARM / Spring. Skip this chapter if you only work with WVD/AVD Classic (Fall).
If you have never worked with WVD, you have to register the WVD/AVD resource provider once. To do that, go to the Azure portal -> subscriptions -> select your subscription -> Resource providers
Search for “Microsoft.DesktopVirtualization” and click on “Register”.
Azure resource permissions
The service principal needs permission on the subscriptions or resource groups to manage your WVD/AVD resources, to image the template VM and to roll out session hosts.
Open the Azure portal and go to the resource groups you want to use, or to the subscriptions. In each resource group/subscription, click “Access control (IAM)” -> “Add” -> “Add role assignment”. Select “Owner” and search in “Select” for your service principal name. Click on the principal and save the settings.
Note: Owner is needed only to assign users to app groups. For all other resources, “Contributor” is sufficient.
The service principal must also have permission on your virtual network (vnet) to attach new VMs to the right subnet. Go to your vnet, click “Access control (IAM)” -> “Add” -> “Add role assignment”. Select “Contributor” and search in “Select” for your service principal name. Click the principal and save the settings. You can skip this step if you assigned the service principal at the subscription level or on the resource group containing your vnet.
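The same service principal setup (app registration, client secret, Microsoft Graph permission, resource provider registration and Azure RBAC) as an Az PowerShell script instead of portal clicks. This is an added example, not part of WVDAdmin or the original page; it assumes Az.Resources 5.x or newer (for SecretText and Add-AzADAppPermission) and Az.Network, and the resource group and vnet names are placeholders to replace with your own. It deliberately grants Owner only where the page says it is required and Contributor elsewhere.

```powershell
# Added example (not WVDAdmin code). Assumes Az.Resources 5.x+, Az.Network.
Connect-AzAccount | Out-Null
# Register the AVD resource provider once per subscription (ARM / Spring)
Register-AzResourceProvider -ProviderNamespace 'Microsoft.DesktopVirtualization' | Out-Null

# 1. App registration, service principal and a client secret with limited validity
$app  = New-AzADApplication -DisplayName 'svc_WVDAdmin'
$sp   = New-AzADServicePrincipal -ApplicationId $app.AppId
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddMonths(6)
# The secret is shown only once: paste it into the WVDAdmin welcome tab (or a
# vault), do not persist it in this script or a transcript.
Write-Host "Application (client) ID : $($app.AppId)"
Write-Host "Directory (tenant) ID   : $((Get-AzContext).Tenant.Id)"
Write-Host "Client secret           : $($cred.SecretText)"

# 2. Microsoft Graph application permission Directory.Read.All, resolved by
#    name from Graph's own app roles instead of a hard-coded GUID. Admin consent
#    still has to be granted by an Azure AD administrator in the portal.
#    (The legacy Azure AD Graph permission from the text is not added here.)
$graph = Get-AzADServicePrincipal -ApplicationId '00000003-0000-0000-c000-000000000000'
$role  = $graph.AppRole | Where-Object { $_.Value -eq 'Directory.Read.All' }
Add-AzADAppPermission -ApplicationId $app.AppId -ApiId $graph.AppId `
    -PermissionId $role.Id -Type Role

# New principals take a moment to replicate; role assignments fail before that.
Start-Sleep -Seconds 30

# 3. Azure RBAC, as narrow as the text allows: Owner only on the resource groups
#    holding the app groups (needed for user assignment), Contributor elsewhere.
$ownerRgs       = @('rg-wvd-hostpools')                      # placeholder names
$contributorRgs = @('rg-wvd-images', 'rg-wvd-sessionhosts')  # placeholder names
foreach ($rg in $ownerRgs) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Owner' -ResourceGroupName $rg | Out-Null
}
foreach ($rg in $contributorRgs) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -ResourceGroupName $rg | Out-Null
}
# Contributor on the vnet so new session hosts can be attached to the right subnet
$vnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName 'rg-network'   # placeholders
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $vnet.Id | Out-Null
```

Review the resulting assignments afterwards with Get-AzRoleAssignment -ObjectId $sp.Id, and rotate the secret before the six-month end date you chose.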
Prepare your “native” Active Directory
Today each session host must be part of a “native” Active Directory domain (or has to use the domain services). To add new session hosts unattended, we need a user account that is allowed to add computer objects to the Active Directory domain. You can use an existing one, or you can create a new service user:
Open “Active Directory Users and Computers” and create a user object with a complex password, and set the password to “never expire” (if you are fine with this). I added the user srv_WVD-Join@itprocloud.de.
Delegate permission for the user to an OU. I found a really good blog post from Prajwal Desai. Check out his post (external web site): Method 2 – Delegate rights to user/group using Active Directory Users and Computers
In my case I added my function account to: “OU=WVD,OU=Azure,OU=Site,OU=Servers,OU=Sys,OU=Organisation,DC=ITProCloud,DC=test”
Optional: Create a file share
In earlier versions (<1.6.40), you had to provide the deployment script and the WVD/AVD agent binaries on a custom file share or blob storage. With WVDAdmin 1.6.40 or newer, this is no longer mandatory. In cases where the virtual machines have no internet access to download the WVD/AVD agent binaries, you can still use a custom file share.
Please start WVDAdmin. Before you load WVD/AVD and Azure data, copy the Azure tenant id, service principal id, and service principal key into the welcome tab. Press save and load the data by clicking “Reload all”.
You are now able to administrate WVD, create images from template VMs and rollout new session hosts.
The first time you want to roll out new session hosts, you have to enter some information from your Active Directory and file share configuration from above:
“Local Admin” and “local pw.” are the credentials of the local administrator account for the new session hosts, which you enter at this time.
Build an image
You can roll out VMs and VM Scale Sets with images created by WVDAdmin. These images contain the logic to join the AD domain and WVD.
You can simply create an image from a template VM. The template VM must be part of your AD like a standard client. You do not have to sysprep or normalize this template VM. Reuse the same template VM for Windows and application updates.
Follow these steps to build your template:
- Create a VM in the Azure portal. Select the right OS (like Windows 10 Enterprise for Virtual Desktops)
- Install all Windows updates
- Join the VM to your AD
- Install your applications
- Apply your customizations (like installing language packs)
- Shut down the template VM
To create the image, open WVDAdmin and
- Navigate to the Azure template VM (Azure -> Virtual Machines -> RG -> VM)
- Right-click -> “Create a template image”
- Select the resource group to store the image
- Press “Capture”
You can and should reuse the template VM for new updates and applications. After these changes, shut down the template VM and create a new image.
Tips & Tricks
VM Scale Sets
First note: VM Scale Sets cannot autoscale WVD/AVD session hosts. Autoscaling only works for stateless services like a web server. But if you need hundreds of session hosts, a VM Scale Set allows you to work with these numbers efficiently.
Ephemeral disks are awesome. They give you high performance free of charge. Especially in a WVD/AVD multi-user environment, where no data is stored permanently on the session hosts, this kind of disk can add real value.
WVDAdmin has some features that are not directly visible but are configurable via registry keys. All settings in the registry are in the current-user hive under HKEY_CURRENT_USER\SOFTWARE\ITProCloud\WVDAdmin. Remember to restart WVDAdmin after changing the registry settings.