Windows Virtual Desktop how-to | Step 1: Prepare

    (upbeat music) - Coming up, I'll walk you through everything you need to know about preparing a Windows Virtual Desktop deployment. Now, this is the first how-to in a series for preparing, deploying, and optimizing Windows Virtual Desktop. Over the next few minutes, I'll explain the prerequisite steps you'll need to take care of in the Azure Portal, along with connecting to your existing directory service, before you deploy your Windows Virtual Desktop virtual machines. And we'll go through the exact steps in PowerShell cmdlets that you're going to need to run for the Windows Virtual Desktop preview. Now, if you've ever built out a remote desktop services environment, you'll be familiar with all the components, complexity, and time required to get everything up and running, as well as the operational steps needed to right size the infrastructure. With Windows Virtual Desktop, this is much faster and easier since most of these steps go away, for both initial setup as well as day-to-day operations. You will only need to manage the OS images, apps, users, and also scale out the environment, but you won't have to manage the physical hardware. That said, there are still a few prerequisites now with services running in the cloud that you'll want to be aware of. Especially if you're historically running everything in your own data centers. First, you need an Azure Tenant running, and to set one up, you can sign up at azure.microsoft.com. And if you're already using any Office 365 services, you'll already have a tenant running, so you can sign in with those credentials and use that as a starting point. And you'll also need to set up an account in Azure, and you may even qualify for the free trial. Next, and once you're signed in, you'll need to set up Azure Active Directory. Now this will be the mechanism used to authenticate your users as they access remote desktop and remote app selection experiences, or log in with their client mobile apps. 
    Again, if you're using any workload in Office 365, you already have this running. If not, you have several options to integrate and synchronize your Azure Active Directory with your on-premises Active Directory; or for testing, you can also set up a standalone directory in the cloud and connect to it later. Ultimately, you're gonna wanna get a consistent sign on established for your users so they can access all their resources using the same credentials. And there are a few options to do this, including Password Hash Sync, where usernames and hashes of passwords are synced to Azure, Pass-through authentication, where your on-prem directory can perform simple authentication for Microsoft Cloud services, and it requires very little on-prem configuration, and Active Directory Federation Services, where a more complex partner federation RSA token and Smart Card Auth can be used as well. Now, this option you'll need to provision additional on-premises servers and ensure that they're highly available. Next, and in most cases, your remote desktop sessions will use Active Directory Domain Services, like your current virtual and physical desktop environment will use on-prem for session log-ins at the VM layer. Now, here you'll need to do one of the following options. Now, you can build out a domain controller on a hosted VM running in Windows Server in Azure. This is probably the least expensive and most common method to set up, but requires you to manage the VM and ensure it stays highly available, and is connected to your session host. Optionally, you can connect the server to your local domain using a VPN or ExpressRoute connection to Azure. Or you can provision Azure Active Directory Domain Services. As you can see here, there are five steps you need to walk through, and a few minutes to set it up. Now, this is ADDS as a service, and as such it doesn't require you to maintain any domain controller VMs. 
    You can connect this to the same virtual network as your WVD environment later, and you can use this with or without a local AD. Now, if you do connect it to your on-premises domain, it behaves like your current domain controllers do, without the management overhead. Another option here is to connect your network to Azure and establish a site-to-site virtual network or VNet between your data center and Azure to ensure that domain controllers that you operate are available securely to the virtual machines running in Azure. Here you can use a VPN connection or you can use Azure ExpressRoute for connectivity. And to get a complete overview of your networking options in Azure, you can watch our recent show at the link shown. And once your network and directory connections are established, you can provision the services required in Azure for your Windows Virtual Desktop virtual machines to run. Now, one note here, a best practice is to have all your resources in the same Azure region for WVD. Now, in Azure, you're gonna need to set up one or more resource groups as a foundation for grouping services in Azure, and this is gonna be used later for managing permissions as well. A storage account for storing virtual machine images that you're gonna be using. Now, there are multiple levels of storage and performance based on your needs. Next, you need to add admin and system roles to manage WVD-related resources. Now, in larger organizations, these are typically different people, but if you're starting out or maybe a small IT department, these can be the same person if needed. Now, we support the following roles: first, the Azure Subscription Admin, this can be a global admin. It's gonna be used to grant access to Azure portal and also resources used for WVD. Next, the Azure Active Directory Admin, aka User Administrator, to provision users and manage user and admin access. 
    A Windows Virtual Desktop Tenant Admin, also known as the Tenant Creator, to provision and maintain WVD specific settings, and I'll show you how to configure this role in a moment. And a Virtual Machine Admin to provision virtual machines once the WVD tenant is set up. Now, one consideration when using Azure AD Domain Services is to make sure that your VM Admin is also in the Azure AD Domain Services admin group. Now, with that, you can domain join more objects than you can as a standard user. Next, and importantly, before you start building out your virtual machines, you'll need to make sure that the initial users that you target are licensed for Windows Virtual Desktop. This is done within the Microsoft 365 Admin Portal or using the Azure Active Directory PowerShell module. Now we're ready for the final four steps to create our Windows Virtual Desktop Tenant. Now, you're gonna do this using an Azure AD global admin account. Note that the experience I'm gonna show you is part of the preview and it's going to evolve after Windows Virtual Desktop is released. First, within Azure AD, you're gonna wanna grab from properties, your directory ID. Copy that into the clipboard and we're gonna use that here to basically give permissions for WVD to access our Azure Active Directory. So, now what we do is, we type in the browser rdweb.wvd.microsoft.com. That's gonna take us to the Windows Virtual Desktop Consent Page. Now, here, we have to give consent both for the Server App, as well as the Client App. Now, from the clipboard, I'm gonna paste in my directory ID and click submit. Now, once I do that, it's gonna make me log in using my credentials, and it's gonna tell me all the different things that we need to access with this app, all the things that we're gonna read in this case. I'll click accept, and now I'm done on one of the apps for Server. 
    Now I'm going to do that for the client side as well, so I'm gonna go ahead and paste in the same directory ID from my clipboard, click submit, and it's gonna tell me what will be required for the client side to access. Now, once I've done that, I actually have permissions set up as an application in the Azure Active Directory. So now, once we're in Azure Active Directory, we can click on All applications, then we can go down to Windows Virtual Desktop and you'll see what we just gave ourselves permission to do. Now, when I click into that, I'll see that I have the user who provisioned the account, in this case, Megan, set up as a user. But I need to add a Tenant Creator to this environment as well. So, in our case, Megan is already a Tenant Creator, but we can add another user in that role as well. So, we're gonna go ahead and add an assignment, we'll find our member, and we're gonna look at Adele in this case, and find Adele Vance. Now, she's going to be another Tenant Creator on this account. And now once we assign Adele, you'll see that we have two Tenant Creator sets of credentials in order to provision services or create our tenant. Alright, so now, this is where actually the good part comes in. This is where you're gonna start provisioning your tenant. So, if you go into Azure Active Directory, the first thing you wanna do is grab our directory ID once more into our clipboard. And now we're gonna switch into PowerShell ISE. I've got a pretty simple set of cmdlets here. First, we're gonna paste in our tenant ID, and then we're gonna go and grab the subscription ID from our tenant as well. And to do that, we're gonna search for subscription, and look at our subscriptions, and then click into the one that we're using to run our WVD environment. Now, I'm gonna copy the subscription ID here, and I'm gonna paste that in. Now, all these cmdlets are the same ones that you'll use, as well as the same URLs that you see here. 
Next, I wanna import our module for remote desktop, and you can see here, the module will import. Now, I'm gonna install the module, and just a note here, you're gonna need the NuGetProvider in PowerShell to work, and that will actually load automatically if you don't have it installed. So now I want to add the RDS account. I'm going to go ahead and sign in with my credentials again, and this is going to be the Global Admin Account again that's going to create the WVD tenant. So, once I've added my email address, I'll click next, then I'll enter a password. I'll type in my password, and now I'm going to click sign in, and you'll see that now I've actually added the RDS account with this deployment URL used for any tenant. Now, I actually wanna create a new tenant name of Windows Virtual Desktop 3 with the different IDs that we copied in earlier. So now, once I've done that, I've got my WVD tenant created. So, one last tip: if you saw here the PowerShell ISE windows were done under the context of administrators, you're gonna need to do that to run all those steps I just showed. So that was a quick overview of the prerequisite steps for setting up Windows Virtual Desktop along with a few options. Now, on our next episode, we're gonna show you how to provision your first Windows Virtual Desktop VMs. Also, keep watching this playlist to continue, or go to aka.ms/WVDDeployment and we'll see you there. Thanks for watching. (upbeat music)
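
The PowerShell steps described in the transcript above, written out as an added example that is not taken from the video. The module name `Microsoft.RDInfra.RDPowerShell` and the broker URL are the ones used by the classic (preview-era) Windows Virtual Desktop service and are assumptions here, since the transcript does not spell them out; the tenant name and both IDs are placeholders, and the script deliberately stops until the all-zero GUIDs are replaced.

```powershell
#Requires -RunAsAdministrator
# Added example of the tenant-creation flow described in the transcript.
# Every value below is a placeholder or an assumption, not taken from the video.

$aadTenantId    = '00000000-0000-0000-0000-000000000000'  # placeholder: Azure AD directory ID
$subscriptionId = '00000000-0000-0000-0000-000000000000'  # placeholder: Azure subscription ID
$tenantName     = 'Contoso-WVD'                           # hypothetical WVD tenant name
$brokerUrl      = 'https://rdbroker.wvd.microsoft.com'    # assumed classic WVD deployment URL

# Refuse to continue with malformed or unreplaced (all-zero) IDs, so a
# copy/paste mistake cannot bind the tenant to the wrong directory.
foreach ($id in $aadTenantId, $subscriptionId) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($id, [ref]$parsed) -or $parsed -eq [guid]::Empty) {
        throw "Not a usable GUID: '$id'. Replace the placeholder first."
    }
}

# Install the module only if it is missing, then load it.
if (-not (Get-Module -ListAvailable -Name Microsoft.RDInfra.RDPowerShell)) {
    Install-Module -Name Microsoft.RDInfra.RDPowerShell -Scope AllUsers
}
Import-Module -Name Microsoft.RDInfra.RDPowerShell

# Interactive sign-in; use the account that holds the Tenant Creator role.
Add-RdsAccount -DeploymentUrl $brokerUrl

# Create the WVD tenant and tie it to the directory and subscription.
New-RdsTenant -Name $tenantName `
              -AadTenantId $aadTenantId `
              -AzureSubscriptionId $subscriptionId

# Read the tenant back to confirm which directory and subscription it is bound to.
Get-RdsTenant -Name $tenantName
```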