Remote Desktop IO Lab - interopevents.blob.core.windows.net · What is Windows Virtual Desktop Microsoft service on Azure for VDI/RDSH management • Enables a multi-user Windows

Remote Desktop IO LabMarch 20th-22nd 2018

Redmond, Washington

WVD Infrastructure Services

Stefan GeorgievPM

RD ClientRD Client

What is RDS?

RD Client RD Infra Remote hostRDP RDP

RD Client Remote hostRDP

Remote hostRemote host

User profileSMB

Image

Host Pool(s)

Microsoft Confidential

Virtualization Terms and Definitions

Background: How does this work?

5%

15%

Rare

80%

Personal (persistent VMs)

Pooled

(non-Persistent VMs)

Single Session Multi-Session

Deployment models and share

Microsoft Confidential

Virtualization Scenarios

Security

and regulation

Financial Services

Healthcare

Government

Elastic

workforce

Mergers and acquisition

Short term employees

Contractor and partner access

Specific

employees

BYOD and mobile

Call centers

Branch workers

Specialized

workloads

Design and engineering

Legacy apps

Software dev test

Windows Virtual DesktopThe best virtual desktop experience, delivered on Azure

Windows 10

Office 365+

Optimized for Office 365 ProPlus

Deploy and scale in minutes

The only multi-user Windows 10 experience

What is Windows Virtual DesktopMicrosoft service on Azure for VDI/RDSH management

• Enables a multi-user Windows 10 experience,

optimized for Office 365 ProPlus

• Most scalable service to deploy and manage

• Most flexible service allowing you to virtualize both

desktops and apps

• Windows 7 virtual desktop with free Extended Security

Updates

• Integrated with the security and management of

Microsoft 365

Provides virtualization infrastructure as a managed

service

Utilizes Azure Active Directory identity management

service

Deploy and manage VMs in Azure subscription

Manage using existing tools like Configuration Manager

or Microsoft Intune

Simply connect to on-premise resources

High Level Architecture

Y O U R S U B S C R I P T I O N - Y O U R C O N T R O L

Windows 7

Enterprise

RemoteApp

Web access

Management

Diagnostics Gateway

Broker

Windows 10

Enterprise

M A N A G E D B Y M I C R O S O F T

Windows

Server 2012

R2 and up

Windows 10

Enterprise multi-

session

Load balancing

M A N A G E D B Y M I C R O S O F T

Compute Storage Networking

Azure AD AuthenticationClients authenticate with Azure Active Directory (Azure AD) identities

Azure AD allows usage of Conditional Access and Multi-factor Authentication

Windows VMs are AD domain-joined for optimal app compatibility

Windows Virtual Desktop

Microsoft-managed Azure services

FIR

EW

ALL

FIR

EW

ALL

Customer-managed Azure VMs & services

RD clients

Customer-managed

Azure SQL DB

VMsAzure AD

1

A A

Azure AD Connect

User Connection FlowUser launches RD client which connects to Azure AD, user signs in, and Azure AD returns token

RD client presents token to Web Access, Broker queries DB to determine resources authorized for user

User selects resource, RD client connects to Gateway

Broker orchestrates connection from host agent to Gateway

RDP traffic now flows between RD client and session host VM over connections 3 and 4

Windows Virtual Desktop

Microsoft-managed Azure services

FIR

EW

ALL

FIR

EW

ALL

Customer-managed Azure VMs & services

RD clients

Customer-managed

A A

Azure SQL DB

VMsAzure AD

1

0

42

3

Improved Isolation: Reverse ConnectOutbound WebSocket connections from VMs to Broker and Gateway

Bidirectional communications between VMs and RD infra over https (443)

No inbound ports need be opened on the VM.

Windows Virtual Desktop

Microsoft-managed Azure services

FIR

EW

ALL

FIR

EW

ALL

Customer-managed Azure VMs & services

RD clients

Customer-managed

A A

Azure SQL DB

VMsAzure AD

0

4

Multitenancy

Windows Virtual Desktop

Microsoft-managed Azure servicesFIR

EW

ALL

FIR

EW

ALL

Customer-managed Azure VMs & services

RD clients

Customer-managedAzure ADDomain Services

User ProfileAzure Files

A A

Azure SQL DB

VMsAzure AD

Azure ADDomain Services

User ProfileAzure Files

A A

VMsAzure AD

Extensible PlatformThird-party apps can use PowerShell or REST API to extend Windows Virtual Desktop platform

Examples: Deployment automation, VM scaling & provisioning, Web UI to configure, monitor, and troubleshoot, etc.

Windows Virtual Desktop

Microsoft-managed Azure servicesFIR

EW

ALL

FIR

EW

ALL

Windows 10 Enterprise multi-session

Customer-managed Azure VMs & services

RD clients

Customer-managed

A A

VMs

Azure AD

PowerShell

Third-party

app

Windows Server

Desktop Experience

Scalable multi-user legacy

Windows environment.

Windows Server

Multiple users

Win32

Office 2019 Perpetual

Long-Term Servicing Channel

Windows 10

Enterprise

Native single-session modern

Windows experience.

Windows 10

Single user

Win32, UWP

Office 365 ProPlus

Semi-Annual Channel

Virtualization Hosts Today

Windows Server

RD Session Host

Scalable multi-user legacy

Windows environment.

Windows Server

Multiple users

Win32

Office 2019 Perpetual

Long-Term Servicing Channel

Windows 10

Enterprise

Native single-session modern

Windows experience.

Windows 10

Single user

Win32, UWP

Office 365 ProPlus

Semi-Annual Channel

Virtualization Hosts of the Future

Windows 10

Enterprise Multi-session

Scalable multi-session modern

Windows user experience with

Windows 10 Enterprise security

Windows 10

Multiple users

Win32, UWP

Office 365 ProPlus

Semi-Annual Channel

FSLogix Improvements Low integrity application support

Faster load times for user profiles

Improves Outlook and OneDrive performance

Address book caching

Search index per user with Windows Server 2016 / 2012 R2

Integration with Azure Files (preview feature with AD Domain Services)

Cloud cache

FSLogix & WVD Integration Road Map

• Deploy as any other

independent product.

• Configure via FSLogix UI.

Public Preview

• Deploy as any other

independent product.

• Configure via FSLogix UI.

• We want to provide scripts

/ ARM templates.

GA

• Fully integrated with WVD

• Configurable and

Management via WVD UI

and RDS PowerShell

Post GA

Secure by DesignService:

Reverse connect isolates the customer environment

AAD integration, enables Conditional Access and MFA

All connections to the service are encrypted

Windows 10 Enterprise multi-session:

Windows Defender ATP optimized for virtualization

Network Requirements and Considerations

Requirements• Network must route to a Windows Server Active Directory (AD)

• This AD must be in sync with Azure AD so users can be associated between the two

• VMs must domain-join this AD

ConsiderationsConnectivity Type Special considerations

ExpressRoute Hybrid Dedicated network through service provider.

Site-to-Site VPN Hybrid Limited bandwidth compared to

ExpressRoute.

Azure AD Domain Services Isolated Must synchronize password hashes to Azure

AD

Deployment and Management OptionsDeployment:Through templates – Onboarding will be through Azure Marketplace or through Github using

ARM templates.

• Deploy new session host pools

• Update existing host pool

Management Using REST API’s

Capability to set and manage WVD setting directly

Can build complex workflows when partnered with WVD Rest APIs

Sample management UI (code and usable bits) will be provided PowerShell

Best option for repeatable deployment

Options to integrate with Azure Automation

Take advantage of DSC

Other options

Terraform

Working with partners and their management solutions.

Migration

• Migration will be allowed for Azure VMs that are part of other

virtualization environments (including RDS on Azure)

• Migration steps will be published as part of the WVD docs.

• Migration recommendations from AWS to WVD will also be published as

part of WVD docs.

• We will have partners (CloudJumper, Aspex) will also work with their

customers in automating migration from other clouds and technologies to

WVD.

Master Image Management

• Master image can be managed by any already existing process /

technologies. WVD does not introduce limitations.

• Azure Update Management

• SCCM

• 3rd party

• We are going to publish best practices document on how to configure a

golden image for WVD.

Patch Management

• It is recommended to designate a host pool as a pilot group that receives

the updates before all host pools are updated. This makes it possible to

test updates before mass deployment.

• Updates for VMs should also be managed by existing Update

Management solutions available for Azure. It is strongly recommended to

update all VMs within a host pool to keep a consistent user experience.

• The update can be staged in the maintenance window to always keep

systems available for user logon. After the maintenance window is

completed, all VMs within a collection must be at the same update-level.

Application Layering

For public preview and GA application layering is via 3rd party partners Liquidware

Application deployment PowerShell DSC / Extensions

Chocolatey

Full desktop vs. RemoteApp

• Based on what your users need to do.

• Full desktop

• Power Users / Developers that need to install their own apps

• Clients lack computing power / outdated

• Use RemoteApp

• Clients vary widely and application consistency is impacted

• Different version of the same app from different OS

VM management - SCCM

• SCCM can be used for applying VM-based policies and for keeping apps

and OS up-to-date

• Supported OS:

• Windows Server SKUs

• Windows 10

• Evaluating Win10EVD support for GA – this is not yet confirmed.

VM management - Intune

• Evaluating support for Win10 EVD through Intune.

• Right now there are gaps and we are pushing for this to be fixed by GA.

© Copyright Microsoft Corporation. All rights reserved.