Deploy Azure Virtual Desktop (WVD) | Svetek Documentation

Deploy Azure Virtual Desktop (WVD)

Estimated reading time: 9 minutes

Deploy Azure Virtual Desktop (WVD) HOSTPOOL

--- on moderation ---

Auto Start Virtual Machine on Connect

The Start Virtual Machine (VM) on Connect feature lets you save costs by allowing end users to turn on their VMs only when they need them. You can then turn off VMs when they’re not needed.

Create a custom role for Start VM on Connect

Before you can configure the Start VM on Connect feature, you’ll need to assign your VM a custom RBAC (role-based access control) role. This role will let Azure Virtual Desktop manage the VMs in your subscription.

  1. Open the Azure portal and go to Subscriptions.
  2. Go to Access control (IAM) and select Add a custom role.
  3. Next, name the custom role and add a description. We recommend you name it “start VM on connect.”
  4. On the Permissions tab, add one of the two following sets of permissions to the subscription you’re assigning the role to:
    Microsoft.Compute/virtualMachines/start/action
    Microsoft.Compute/virtualMachines/read
    Microsoft.Compute/virtualMachines/instanceView/read 
    

  5. When you’re finished, select Ok.

After that, you’ll need to assign the role to grant access to Azure Virtual Desktop. To assign the custom role:

  1. In the Access control (IAM) tab, select Add role assignments.

  2. Select the role you just created.

  3. In the search bar, enter and select Windows Virtual Desktop (this will soon be updated to “Azure Virtual Desktop”).

Configure the Start VM on Connect feature

Start VM on Connect is a host pool setting. If you only want a select group of users to use this feature, make sure you only assign the required role to the users you want to add.
To use the Azure portal to configure Start VM on Connect:

  1. Open your browser and go to the Azure portal.
  2. In the Azure portal, go to Azure Virtual Desktop.
  3. Select Host pools, then go to the host pool where you want to enable the setting.
  4. In the host pool, select Properties. Under Start VM on connect, select Yes, then select Save to instantly apply the setting.

REFERENCES

Microsoft Start Virtual Machine on Connect

Prepare AVD VM (WVD)

ENABLE Acelerated Network on VM D2sV4

To enable Acelerated network for AVD VMs, run the below powershell script on an Azure VM Domain controler for every AVD VM.
Don’t forget to change $VMWVDNAME before you run the script.

$VMResGroup="RG-US-WVD-VM-WEST"
$VMWVDNAME="vm-wvd-west-2111" 

 # Acelerator Network Enabled 
$nic = Get-AzNetworkInterface -ResourceGroupName $VMResGroup -Name $VMWVDNAME
$nic.EnableAcceleratedNetworking = $true
$nic | Set-AzNetworkInterface 

JOIN VMs AVD (WVD) TO AD

add-computer –domainname "mia****.local"  -restart

Create storage account on Azure for FSLogix user profile

Below is the script connecting AD to your Azure subscription, creating storage account and configuring Fslogix

#Create temp folder
New-Item -Path 'C:\temp' -ItemType Directory -Force | Out-Null

# Download AzFilesHybrid files for connect to Azure and extract them  
$wc = New-Object System.Net.WebClient
Write-Output $wc.DownloadFileTaskAsync("https://github.com/Azure-Samples/azure-files-samples/releases/download/v0.3.2/AzFilesHybrid.zip", "C:\temp\AzFilesHybrid.zip")

Expand-Archive -LiteralPath 'C:\temp\AzFilesHybrid.zip' -DestinationPath C:\temp\AzFilesHybrid
cd C:\temp\AzFilesHybrid 

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
#Install-PackageProvider -Name NuGet -Force
Import-Module -Name .\AzFilesHybrid.psd1

# Connect to Azure Subscription 
Connect-AzAccount

# Need edit params
$location = "eastus"
$SubscriptionId = "Subscription ID"
$ResourceGroupName = "RG-US-WVD-INFRA-EAST"
$StorageAccountName = "ch*****"
$DomainAccountType = "ServiceLogonAccount" # ComputerAccount or ServiceLogonAccount
$OrganizationalUnitDistinguishedName = "OU=azure,DC=ch******,DC=local"

Select-AzSubscription -SubscriptionName $SubscriptionId

# List current storage accounts  
Get-AzStorageAccount -ResourceGroupName $ResourceGroupName

# Create new storage account for FSLogix user profiles 
New-AzStorageAccount -ResourceGroupName $resourceGroupName `
  -Name $StorageAccountName `
  -Location $location `
  -SkuName Standard_LRS `
  -Kind StorageV2

# Join storage account to the Domain controller   
join-AzStorageaccountForAuth -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -DomainAccountType $DomainAccountType -OrganizationalUnitDistinguishedName $OrganizationalUnitDistinguishedName
$storageaccount = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $StorageAccountName
$storageaccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
$storageaccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

Create SMB file share to store FSLogix profiles

Open portal.azure.com and goto storage account.
Press New fileshare and type name: fslogixpe

Create 2 Security Groups on DC on OU synced to Azure AD:

FSLogix Share Elevated Contributor
FSLogix Share Contributor

You can use only one Security Group “FSLogix Share Contributor” for provide access to FSLogix profiles.
If you want make changes NTFS permissions, create another group “FSLogix Share Elevated Contributor” for your admins.

Add AVD Users to the FSLogix Share Contributor Group and run a sync in Azure Connect!!!

Grant security groups access to fileshare fslogixpe

Open portal.azure.com and goto storage account.
Goto “Access Control (IAM)” -> “Role assignments”
Add groups FSLogix Share Elevated Contributor with the “Storage File Data SMB Share Elevated Contributor” role and FSLogix Share Contributor with the “Storage File Data SMB Share Contributor” role

Mount a share on a DC and AVD VMs

Try mounting a share on a DC and AVD VMs and make sure users have access to the share without typing a username and a password.

net use W: \\ch*****.file.core.windows.net\fslogixpe /user:Azure\wvdusername

Install DUO MFA Agent, AVD Agent, FSLogix Agent on AVD (WVD) VMs

Below script will download msi packages DUO MFA agent, FSLogix Agent, AVD Agent. When downloading is done, all software will be installed automaticaly with settings found in variables. Also this script will setup RDP session settings.
Before running the script be sure to edit all variables.

$registryPath = "HKLM:\SOFTWARE\FSLogix\Profiles"
$FslogixSharePath =  "\\storageaccountwvd.file.core.windows.net\fslogixpe"

$DouIKEY = "DIXXXXXXXXXXXXXXXXXXXX"
$DuoSKEY = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
$DouHostAPI = "api-xxxxxxxx.duosecurity.com"
$DouArguments = @('/S', '/V"', '/qn', "IKEY=$DouIKEY", "SKEY=$DuoSKEY", "HOST=$DouHostAPI", 'AUTOPUSH="#1"', 'FAILOPEN="#1"', 'SMARTCARD="#0"', 'RDPONLY="#0"', 'UAC_PROTECTMODE=#2')


$scriptStartTime = get-date

#Create temp folder
New-Item -Path 'C:\temp\apps' -ItemType Directory -Force | Out-Null

#Download all source file async and wait for completion
$scriptActionStartTime = get-date
Write-host ('*** STEP 0 : Download all sources [ '+(get-date) + ' ]')
$files = @(
    @{url = "https://dl.duosecurity.com/duo-win-login-latest.exe"; path = "c:\temp\apps\duo-win-login-latest.exe"}
    @{url = "https://download.microsoft.com/download/4/8/2/4828e1c7-176a-45bf-bc6b-cce0f54ce04c/FSLogix_Apps_2.9.7654.46150.zip"; path = "c:\temp\apps\fslogix.zip"}
    @{url=  "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWrmXv"; path = "c:\temp\apps\Microsoft.RDInfra.RDAgent.Installer-x64-1.0.3050.2500.msi"}
    @{url=  "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWrxrH"; path = "c:\temp\apps\Microsoft.RDInfra.RDAgentBootLoader.Installer-x64.msi"}
)

foreach ($f in $files)
{
    Write-Output "DOWNLOAD $f"
    $wc = New-Object System.Net.WebClient
    Write-Output $wc.DownloadFileTaskAsync($f.url, $f.path)
}

$scriptActionDuration = (get-date) - $scriptActionStartTime
Write-Host "Total source Download time: "$scriptActionDuration.Minutes "Minute(s), " $scriptActionDuration.seconds "Seconds and " $scriptActionDuration.Milliseconds "Milleseconds"

#Install FSLogix
$scriptActionStartTime = get-date
Write-host ('*** STEP 1 : Install FSLogix Apps [ '+(get-date) + ' ]')
Expand-Archive -Path 'C:\temp\apps\fslogix.zip' -DestinationPath 'C:\temp\apps\fslogix\'  -Force
Start-Sleep -Seconds 10
Start-Process -FilePath 'C:\temp\apps\fslogix\x64\Release\FSLogixAppsSetup.exe' -ArgumentList '/install /quiet /norestart' -Wait
$scriptActionDuration = (get-date) - $scriptActionStartTime
Write-Host "*** FSLogix Install time: "$scriptActionDuration.Minutes "Minute(s), " $scriptActionDuration.seconds "Seconds and " $scriptActionDuration.Milliseconds "Milleseconds"


#Configure FSLogix
New-ItemProperty -Path $registryPath -Name "Enabled" -Value 1 -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $registryPath -Name "DeleteLocalProfileWhenVHDShouldApply" -Value 1 -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $registryPath -Name "PreventLoginWithFailure" -Value 1 -PropertyType DWORD -Force | Out-Null

# MULTIPLY SESSIONS
New-ItemProperty -Path $registryPath -Name "ConcurrentUserSessions" -Value 1 -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\FSLogix\ODFC" -Name "ConcurrentUserSessions" -Value 1 -PropertyType DWORD -Force | Out-Null

New-ItemProperty -Path $registryPath -Name "VHDLocations" -Value $FslogixSharePath -PropertyType MultiString -Force | Out-Null
 ######################
# Install DUO Login https://help.duo.com/s/article/1090?language=en_US

echo $DouArguments

$scriptActionStartTime = get-date
Write-host ('*** STEP 1 : Install DOU Apps [ '+(get-date) + ' ]')
Start-Process -FilePath 'c:\temp\apps\duo-win-login-latest.exe' -ArgumentList $DouArguments -Wait
$scriptActionDuration = (get-date) - $scriptActionStartTime
Write-Host "*** DOU Install time: "$scriptActionDuration.Minutes "Minute(s), " $scriptActionDuration.seconds "Seconds and " $scriptActionDuration.Milliseconds "Milleseconds"

# Set params for RDP sessions timers
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fResetBroken /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxIdleTime /t REG_DWORD /d 43200000 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxConnectionTime /t REG_DWORD /d 43200000 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 600000 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v RemoteAppLogoffTimeLimit /t REG_DWORD /d 0 /f

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v NoWarningNoElevationOnInstall /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v UpdatePromptSettings /t REG_DWORD /d 1 /f

Read logs: %ProgramData%\FSLogix\Logs


REFERENCES

Original Microsoft Policies TerminalServer-Server

azure, avd, wvd, deploy