How to set up and use Azure Virtual Desktop
Azure Virtual Desktop helps organizations deliver virtual desktops and applications to users, while keeping management within the Microsoft ecosystem. Learn how to get started.
With numerous changes to both Citrix and VMware and the growth of Azure adoption across the enterprise, many organizations are looking toward Azure Virtual Desktop to deliver virtual applications and desktops to their end users.
For IT departments, a transition to AVD can feel daunting, especially for those accustomed to Citrix and VMware's end-user computing division -- now known as Omnissa. However, the simplified management, access to scale and integration with other Microsoft services make AVD a more attractive option.
New administrators should learn what exactly AVD offers and how they can initiate a new environment with this technology.
Why use Azure Virtual Desktop?
Azure Virtual Desktop is an Azure service from Microsoft that provides access to virtual apps and desktops. For those who are familiar with the traditional Remote Desktop Services (RDS) features in Windows Server, it is quite similar. But, with AVD, Microsoft provides these roles as a managed multi-tenant service. The only things that admins need to worry about are the VMs or session hosts that host the applications.
Figure 1. How the Azure service delivers Azure Virtual Desktop
Some compelling benefits come with using this service.
Licenses
AVD also enables customers to use Windows 10 and 11 multisession, reducing the need for Windows Server and RDS client access licenses. The service itself and its components are free for customers who have one of the following licenses assigned to their users:
Microsoft 365 E3, E5, A3, A5, F3 and Business Premium.
Windows Enterprise E3 and E5.
Windows Education A3 and A5.
This means that organizations don't have to pay for the management components or the underlying OS -- the only additional costs are the hosting of VMs and other Azure services admins might use. Customers can combine this with the autoscaling feature, where the admin can scale the service up and down depending on usage needs. This reduces the cost of the service when organizations scale down.
Native Azure services
Being a native service means that admins can use all the benefits of Azure to manage the components. More and more organizations are now using infrastructure as code (IaC) and DevOps as they enable admins to deploy services faster with automation. Another benefit is that IT can integrate the service with other services, such as Azure Monitor and Microsoft Sentinel, to provide infrastructure and security monitoring.
Security
One often-overlooked benefit of AVD is security. While most VDI or desktop-as-a-service tools today have their services directly published to the internet, AVD is a bit different. The back-end machines are never directly accessible from the internet, and all communication is proxied through the AVD gateway service using a reverse TCP tunnel.
Prerequisites for creating a new Azure Virtual Desktop environment
Creating an Azure Virtual Desktop environment only requires customers to have an Azure subscription with a virtual network. In most cases, organizations have an existing virtual network topology with a centralized firewall using Microsoft reference architecture or a hub-and-spoke topology.
If AVD is deployed as part of an existing network topology, admins should ensure that the firewall is configured to allow the traffic listed in Microsoft's documentation. Organizations that want to provide the best possible experience for their users need a feature called Remote Desktop Protocol Shortpath.
Shortpath uses User Datagram Protocol (UDP) transport instead of TCP, which gives connections much higher bandwidth and lower latency. It is enabled by default, but it requires the correct firewall openings to be in place: admins must make sure the firewall allows the Azure Communication Services traffic that Shortpath depends on.
Also, make sure that the necessary licenses are assigned to the users who need the service and that those users are in the Entra ID tenant. This is required regardless of whether the environment uses domain-joined or Entra ID-joined machines.
Additionally, IT needs an AVD workspace, which deploys the customer-managed services for the tenant. Then, deploy a host pool, which functions as a logical container to deploy session hosts.
Host pools group together multiple VMs that have the same set of configuration and applications installed. For example, an organization might have two large corporate applications that need to be installed on different machines. In that case, it needs two host pools. One host pool consists of VMs that have one of the corporate applications installed, and another host pool is for the second application.
IT can build the session hosts either from a native image from Microsoft or from a custom golden image. These machines can also either be joined to Active Directory and become domain-joined, or they can be joined directly to Entra ID. For the domain-joined method, IT must verify that the virtual network has network access to the domain controllers. For Entra ID-joined machines, the only requirement is internet access.
Once IT has deployed the VMs and installed the AVD agent, admins can assign them to users with assignment groups. This is where IT professionals can assign host pools to either Entra ID users or Entra ID groups.
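The workspace, host pool, application group and user assignment described above, written as a single infrastructure-as-code deployment. This is an added example, not code from the article or from Microsoft: the resource names (hp-finance-01, ag-finance-desktop, ws-corp), the session limit and the RDP properties are assumptions, the Entra ID group object ID is a placeholder parameter, and the built-in role GUID for "Desktop Virtualization User" should be verified against the current Azure built-in roles list before use.

```bicep
// Added example (not from the article): minimal AVD control plane in Bicep.
// Names below are placeholders chosen for this example.
targetScope = 'resourceGroup'

@description('Object ID of the Entra ID group that should receive the desktop (placeholder).')
param avdUsersGroupObjectId string

param location string = resourceGroup().location

// Registration token validity window: session hosts must register within it.
// utcNow() is only allowed in a parameter default, so it is set here.
param tokenExpiration string = dateTimeAdd(utcNow(), 'PT4H')

// Host pool: the logical container for session hosts that share one
// configuration and application set.
resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2023-09-05' = {
  name: 'hp-finance-01'
  location: location
  properties: {
    hostPoolType: 'Pooled'
    loadBalancerType: 'BreadthFirst'
    preferredAppGroupType: 'Desktop'
    maxSessionLimit: 10
    validationEnvironment: false
    startVMOnConnect: true
    registrationInfo: {
      expirationTime: tokenExpiration
      registrationTokenOperation: 'Update'
    }
    // Optional hardening: turn off drive and clipboard redirection so data
    // cannot be copied out of the session to the client device.
    customRdpProperty: 'drivestoredirect:s:;redirectclipboard:i:0;'
  }
}

// Application group: what the host pool publishes (a full desktop here).
resource appGroup 'Microsoft.DesktopVirtualization/applicationGroups@2023-09-05' = {
  name: 'ag-finance-desktop'
  location: location
  properties: {
    applicationGroupType: 'Desktop'
    hostPoolArmPath: hostPool.id
  }
}

// Workspace: the feed users see in the Remote Desktop client.
resource workspace 'Microsoft.DesktopVirtualization/workspaces@2023-09-05' = {
  name: 'ws-corp'
  location: location
  properties: {
    applicationGroupReferences: [
      appGroup.id
    ]
  }
}

// Assignment: the Entra ID group gets the built-in "Desktop Virtualization
// User" role, scoped to this application group only (least privilege).
// Verify this GUID against the current Azure built-in roles documentation.
var desktopVirtualizationUserRoleId = '1d18fff3-a72a-46b5-b4a9-9b93a6e3b1b6'

resource assignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(appGroup.id, avdUsersGroupObjectId, desktopVirtualizationUserRoleId)
  scope: appGroup
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', desktopVirtualizationUserRoleId)
    principalId: avdUsersGroupObjectId
    principalType: 'Group'
  }
}
```

The template deliberately does not output the host pool registration token: it is a bearer secret that lets any VM join the pool, so it should be retrieved by the session host deployment step at provisioning time rather than written to deployment outputs or logs. Deploy with `az deployment group create --resource-group <rg> --template-file avd.bicep --parameters avdUsersGroupObjectId=<group-object-id>`.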
The big picture of an AVD deployment
At its core, AVD is just an agent that admins install on the OS, which is then responsible for communicating with the central Microsoft services. However, IT does still need to install the different applications on the machines, and doing that manually takes a lot of time.
Deploying session hosts from a golden image saves administrators a lot of time and minimizes inconsistencies between machines: all required applications, configurations and settings are preinstalled before the VMs are provisioned, so each new session host comes up ready to use.
In Azure, IT can use tools such as Azure VM Image Builder in combination with IaC to create golden images and then deploy them into a set of different VMs.
Figure 2. The steps in building up and deploying a new Azure Virtual Desktop environment
Azure VM Image Builder uses a simple configuration file that describes all aspects of the image. Once the build process is done, the image should be placed into an Azure Compute Gallery shared image, which is a library for machine images.
Golden image deployment overview
While Azure VM Image Builder is one way to automate this process, other tools, such as HashiCorp Packer, and management products, including Intune, can do so as well.
Regardless of which service admins use, the deployment should ensure that the necessary agents and OS components are in place. That should include the following:
Azure Virtual Desktop Agent.
FSLogix -- a profile management platform.
Security product agents, such as Microsoft Defender.
Installation of the latest Windows updates and disabling of automatic updates.
Installation of line-of-business applications and other prerequisites.
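The Image Builder configuration the article refers to, carried through the checklist above (FSLogix, the latest Windows updates with automatic updates then disabled, and publication to an Azure Compute Gallery image definition). This is an added example and not the article's or Microsoft's own template. Assumptions: the template name, VM size, the Windows 11 multi-session SKU name (check the current marketplace SKU list), the managed identity, gallery image definition and FSLogix share are placeholders passed as parameters; the Defender and line-of-business installers are omitted, and the AVD agent is registered at session host provisioning time with the host pool token rather than baked into the image.

```bicep
// Added example (not from the article): an Azure VM Image Builder template
// that produces an AVD golden image and publishes it to a Compute Gallery.
targetScope = 'resourceGroup'

param location string = resourceGroup().location

@description('Resource ID of a user-assigned identity with rights on the gallery (placeholder).')
param builderIdentityId string

@description('Resource ID of the gallery image definition to publish into (placeholder).')
param galleryImageDefinitionId string

@description('UNC path of the FSLogix profile share, e.g. \\\\files.contoso.com\\profiles (placeholder).')
param fslogixShare string

resource avdImage 'Microsoft.VirtualMachineImages/imageTemplates@2022-02-14' = {
  name: 'it-win11-avd-golden'
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${builderIdentityId}': {}
    }
  }
  properties: {
    buildTimeoutInMinutes: 180
    vmProfile: {
      vmSize: 'Standard_D4s_v3'
      osDiskSizeGB: 127
    }
    // Start from the Windows 11 multi-session marketplace image
    // (SKU name assumed; verify with `az vm image list-skus`).
    source: {
      type: 'PlatformImage'
      publisher: 'MicrosoftWindowsDesktop'
      offer: 'windows-11'
      sku: 'win11-23h2-avd'
      version: 'latest'
    }
    customize: [
      {
        // FSLogix profile container agent. A production pipeline should pin
        // a version and verify the download's SHA-256 before executing it.
        type: 'PowerShell'
        name: 'InstallFSLogix'
        runElevated: true
        inline: [
          'Invoke-WebRequest -Uri https://aka.ms/fslogix_download -OutFile C:\\fslogix.zip'
          'Expand-Archive -Path C:\\fslogix.zip -DestinationPath C:\\fslogix'
          'Start-Process -Wait -FilePath C:\\fslogix\\x64\\Release\\FSLogixAppsSetup.exe -ArgumentList "/install /quiet /norestart"'
          'New-Item -Path HKLM:\\SOFTWARE\\FSLogix\\Profiles -Force | Out-Null'
          'Set-ItemProperty -Path HKLM:\\SOFTWARE\\FSLogix\\Profiles -Name Enabled -Type DWord -Value 1'
          'Set-ItemProperty -Path HKLM:\\SOFTWARE\\FSLogix\\Profiles -Name VHDLocations -Type MultiString -Value "${fslogixShare}"'
          'Remove-Item -Recurse -Force C:\\fslogix, C:\\fslogix.zip'
        ]
      }
      {
        // Patch the image fully before it is sealed.
        type: 'WindowsUpdate'
        searchCriteria: 'IsInstalled=0'
        filters: [
          'exclude:$_.Title -like \'*Preview*\''
          'include:$true'
        ]
        updateLimit: 40
      }
      {
        // Freeze automatic updates: session hosts only change when a new
        // image version is rolled out, keeping the pool consistent.
        type: 'PowerShell'
        name: 'DisableAutomaticUpdates'
        runElevated: true
        inline: [
          'New-Item -Path HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU -Force | Out-Null'
          'Set-ItemProperty -Path HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU -Name NoAutoUpdate -Type DWord -Value 1'
        ]
      }
      {
        type: 'WindowsRestart'
        restartTimeout: '10m'
      }
    ]
    // Publish as a new version of the gallery image definition; session
    // hosts are then deployed (or later updated) from that version.
    distribute: [
      {
        type: 'SharedImage'
        galleryImageId: galleryImageDefinitionId
        runOutputName: 'avdGoldenImage'
        replicationRegions: [
          location
        ]
        excludeFromLatest: false
      }
    ]
  }
}
```

After deploying the template, the build itself is started with `az image builder run --name it-win11-avd-golden --resource-group <rg>`. Each run produces a new image version in the gallery, which is the unit the session host update feature or a redeployment picks up; keeping the customizer scripts in source control alongside this file gives an auditable record of exactly what went into each version.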
When it comes to updating the image of existing session hosts with a new version of the image, Microsoft recently introduced a new session host update feature. It enables admins to update a set of machines in a host pool using a new image in the Azure Compute Gallery shared image library. This provides ease of management and does not require building a custom update script or DevOps pipeline to handle the update process.
Marius Sandbu is a cloud evangelist for Sopra Steria in Norway who mainly focuses on end-user computing and cloud-native technology.