Azure Virtual Desktop enterprise configuration options

Mechanics Team
8 min read · Apr 27, 2023


Configure Azure Virtual Desktop with the enterprise-grade configurations you’ll want in place for secure authentication, improved connectivity, flexible user data, and service resiliency. If you’re new to Azure Virtual Desktop, check out our overview and quick setup videos in our playlist at https://aka.ms/AVDMechanicsSeries

In this show, we cover:

— Azure Active Directory options to achieve Single Sign On and passwordless authentication
— Web Authentication (WebAuthn) to redirect additional authentication factors to local devices
— RDP Shortpath to optimize connectivity to remote hosts
— FSLogix options to manage profile containers
— Architecting your Azure Virtual Desktop configuration for resiliency
— Confidential Computing virtual machines to meet even the highest security requirements

Single Sign On and passwordless authentication

For hybrid directory services on-prem or in the cloud — using the new Azure AD authentication for remote desktop. Check it out.

Highly responsive, low latency remote desktop experience.

Reliable and efficient connectivity using RDP Shortpath with Azure Virtual Desktop. See it here.

Extend encryption protections to sensitive data in use.

Set up your Azure Virtual Desktop environment using Confidential Computing VMs.

Watch our video here.

QUICK LINKS:

00:00 — Azure Virtual Desktop enterprise configurations

00:34 — Secure Authentication options in Azure Virtual Desktop

02:15 — Optimizing Connectivity to Azure Virtual Desktop hosts

03:12 — FSLogix user profile container options

05:12 — Architecting for high availability and service resiliency

06:58 — Confidential computing in Azure Virtual Desktop

Link References:

Azure Virtual Desktop playlist on Mechanics: https://aka.ms/AVDMechanicsSeries

Azure Virtual Desktop connectivity options: https://aka.ms/AVDConnectivity

FSLogix High Availability configuration guidance: https://aka.ms/FSLogixHA

Unfamiliar with Microsoft Mechanics?

As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

• Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries

• Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog

• Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast

Keep getting this insider knowledge, join us on social:

• Follow us on Twitter: https://twitter.com/MSFTMechanics

• Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/

• Enjoy us on Instagram: https://www.instagram.com/msftmechanics/

• Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics

Video Transcript:

-Today, I’ll walk you through all the steps to configure Azure Virtual Desktop with the enterprise-grade configurations you’ll want in place for secure authentication, improved connectivity, flexible user data, and service resiliency. This is part three in our series on the service. And if you’re watching this, we’ll assume you’ve got a basic deployment of Azure Virtual Desktop up and running already, or general knowledge of the Azure Virtual Desktop service. If not, I’d encourage you to check out the first two episodes in the series which introduce the service and walk you through basic setup at aka.ms/AVDMechanicsSeries.

-So, let’s start with your options for secure authentication. First, you can use on-prem directory services, with Azure Virtual Desktop, in environments with hybrid Azure Active Directory joined hosts. Alternatively, you can use Azure Active Directory joined hosts if your directory is running entirely in the cloud. Now, these options are configured when you set up new host pools in Azure Virtual Desktop. In either configuration, you can achieve Single Sign On and passwordless authentication to the host using the new Azure AD authentication for remote desktop. This means that, by simply signing into your device, you’ll already have the required authentication established. So, I’ll open Start, and connect to my Azure Virtual Desktop host. Now, if you’ve tried this before, notice here that I’m not prompted for a second sign-in, and it seamlessly establishes the connection to my remote desktop.

-Now, for this next part, while I’m in the session, if I need to connect to an app or service that requires multifactor authentication, Azure Virtual Desktop enables that using the new Web Authentication or WebAuthn redirection. So, I’ll open a site to test this, WebAuthn.io. And just to prove that the command is sent to my local computer, I’ll make the window to my remote desktop smaller — there we go, and now I’ll be able to overlap the authentication popup. So, I’ll hit Authenticate on the site, and you’ll see this even allows you to use passwordless authentication to access apps and sites. And this is the reason I resized the remote desktop window, because this pop-up could look like it’s in the remote host, but it’s not. And as I drag it to the right, you’ll see the window is from my local device. Now, in this case, I’ll enter my local device PIN, and then I’ll use the FIDO key I’ve enrolled with my fingerprint. And in a few seconds, I’m securely logged into the site with the authentication strength required by my organization.

-Now, beyond authentication, reliable and efficient connectivity to the service is important to ensure the user experience is highly responsive with low latency, so the remote desktop or app feels local. Now, for that, we recommend RDP Shortpath. And let me explain why. Normally, when you access VMs in Azure over RDP, the connection goes through a gateway. RDP Shortpath uses the more reliable UDP protocol. This establishes a direct network connection between the client device and the destination VM host in Azure, bypassing the gateway. RDP Shortpath is the connection type used by Azure Virtual Desktop, and this is by default. Now, something really important to point out here is that you need your devices to allow UDP connections, so don’t block them. Equally, your network and firewalls should also allow UDP connections and should permit traffic from STUN servers or can use TURN traffic. We’ve got more details on this at aka.ms/AVDconnectivity.

-Now, with your authentication and connectivity options sorted, let’s move on to another core aspect commonly deployed with enterprise configurations, which is connecting users to their profile data seamlessly, using FSLogix profile containers. Here, user profiles are stored in Azure as virtual hard disk files, and then are mounted when a user signs in and unmounted when they sign out.

-So, let me walk you through how you’ll set up FSLogix profiles to get everything working. Now, for detailed step-by-step guidance, check out aka.ms/FSLogix, but I’m going to walk you through the high-level steps. First, FSLogix profiles use SMB file shares to store profile containers with the appropriate permissions configured. For Azure Virtual Desktop, you can use either Azure Files or Azure NetApp Files. And using either option, these services need to be configured to work with the same Active Directory Domain Services authentication, which can be run on premises or in Azure, used by your host VMs. Additionally, Azure Files can also use Azure Active Directory Kerberos authentication for hybrid identities for Azure AD joined hosts. The FSLogix app needs to be installed or present in the host image. And to configure FSLogix, you’ll need to add a few registry settings in HKEY_LOCAL_MACHINE for FSLogix profiles to enable it, set its behavior, size in megabytes, location in the file share, and volume type.

-Now, this can be done using scripts, group policy, or using Microsoft Intune, and we have configuration service provider support coming soon. Now, Cloud Cache is an optional configuration which is used to mitigate short-term or intermittent connectivity problems with the remote storage providers. So, here, you’ll add registry settings in the same location for CCD locations, along with recommended settings for clear-cache-on-logoff and healthy providers required for register. In this case, you’re replacing the VHD location settings path with the CCD locations, which supports both SMB and Azure Page Blob paths, allowing updates to both.

-Now, as you configure FSLogix profile containers, our recommendation is to keep your settings as simple as possible to avoid complexity and operational overhead. Now, another important topic we’re managing in an enterprise grade desktop virtualization service is resiliency, to ensure users can access fully functional desktops and apps, even in cases when a zone is unavailable. Now, you can use the same Azure availability zone options for your session hosts as you would for your business-critical VMs in Azure Virtual Desktop host pools.

-For cases where you can’t risk users losing access to pooled session host VMs, you can use Azure Availability Zones combined with a calculated over-provisioning strategy for resilience. So, for example, if you are using three availability zones with host VMs equally distributed across them, normally, you’d have a few host VMs in reserve. So, by adding an over-provisioning strategy, you would intentionally add to the total number of host VMs by a third or more. Then, in the event that one zone is unavailable, users can be redirected to available host VMs in the remaining two zones. And this is also an advantage of using stateless shared host VMs over personal dedicated host VMs. The high levels of resilience for personal hosts are also configurable using Azure Site Recovery, where you can have a replica for selected host VMs in a separate data center. Then, in the event of an outage, you can fail over to the replica host VM.

-Now, beyond the session host VMs, this is also important when configuring your FSLogix containers in the service. So, here, you’ll want to configure Zone Redundant Storage so that FSLogix user profile containers can be reached if a zone is unavailable. Now, as you provision storage in Azure files, you’ll select the zone-redundant storage option so that replica profile containers stay in sync across zones. And you can learn more about your available configuration options at aka.ms/FSLogixHA.

-Azure Virtual Desktop offers significant flexibility and control to set up your environment based on your organization’s needs. For instance, if your organization or a subset of your users require highly secure virtual desktops, you can use Confidential Computing VMs in Azure, which use a trusted execution environment to extend encryption protections to your sensitive data while it’s in use. And this also ensures that no one outside of your trust boundary, not even Microsoft datacenter personnel, can access any information stored or running in these VMs. Now, in order to use Confidential Compute when provisioning your host pools in Azure Virtual Desktop, for the security type, you’ll choose confidential virtual machines with secure boot enabled. And for the virtual machine size, you’ll select DC or EDC series virtual machines with AMD Secure Encrypted Virtualization support.

-So, with that, I’ve highlighted a few of the most common and recommended configuration options for an enterprise deployment to help provide a secure, low-latency, flexible, and resilient experience with Azure Virtual Desktop. And again, this is the third in our series on Mechanics for Azure Virtual Desktop. So, check out the complete playlist at aka.ms/AVDMechanicsSeries. Be sure to subscribe to our channel for future updates, and thanks for watching.
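The FSLogix registry configuration the transcript describes (enable, size in megabytes, share location, volume type, and the optional Cloud Cache values that replace the VHD location) written out as a PowerShell script. This is an added example, not code from the video or from Microsoft's FSLogix documentation; the share UNC paths are placeholders, and the exact `CCDLocations` value syntax and the `HealthyProvidersRequiredForRegister` value of 1 are assumptions to confirm against aka.ms/FSLogix.

```powershell
# Added example (not from the video or Microsoft's own docs). Run elevated on a
# session host or during image build. Share paths below are placeholders.
$ProfilesKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'

function Set-FSLogixProfileConfig {
    param(
        # One or more SMB shares, e.g. '\\<storageaccount>.file.core.windows.net\profiles'
        [Parameter(Mandatory)][string[]]$ShareUncPaths,
        [int]$SizeInMBs = 30000,
        [ValidateSet('VHD', 'VHDX')][string]$VolumeType = 'VHDX',
        [switch]$CloudCache   # use CCDLocations instead of VHDLocations
    )
    if (-not (Test-Path $ProfilesKey)) { New-Item -Path $ProfilesKey -Force | Out-Null }

    # Enable profile containers and set container size and volume type
    Set-ItemProperty -Path $ProfilesKey -Name Enabled    -Value 1           -Type DWord
    Set-ItemProperty -Path $ProfilesKey -Name SizeInMBs  -Value $SizeInMBs  -Type DWord
    Set-ItemProperty -Path $ProfilesKey -Name VolumeType -Value $VolumeType -Type String

    if ($CloudCache) {
        # Cloud Cache: CCDLocations replaces VHDLocations, so remove the latter.
        # Assumed provider syntax: type=smb,connectionString=<UNC>, ';' separated.
        $ccd = ($ShareUncPaths | ForEach-Object { "type=smb,connectionString=$_" }) -join ';'
        Remove-ItemProperty -Path $ProfilesKey -Name VHDLocations -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $ProfilesKey -Name CCDLocations      -Value $ccd -Type String
        Set-ItemProperty -Path $ProfilesKey -Name ClearCacheOnLogoff -Value 1   -Type DWord
        # Assumed value: require one healthy provider before registering the session
        Set-ItemProperty -Path $ProfilesKey -Name HealthyProvidersRequiredForRegister -Value 1 -Type DWord
    } else {
        Remove-ItemProperty -Path $ProfilesKey -Name CCDLocations -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $ProfilesKey -Name VHDLocations -Value $ShareUncPaths -Type MultiString
    }
}

function Test-FSLogixProfileConfig {
    # Read back the key and flag the ambiguous state where both location values exist
    $p = Get-ItemProperty -Path $ProfilesKey
    if ($p.Enabled -ne 1) { Write-Warning 'FSLogix profiles are not enabled' }
    if ($p.PSObject.Properties['VHDLocations'] -and $p.PSObject.Properties['CCDLocations']) {
        Write-Warning 'Both VHDLocations and CCDLocations are set; keep only one'
    }
    $p | Select-Object Enabled, SizeInMBs, VolumeType, VHDLocations, CCDLocations,
        ClearCacheOnLogoff, HealthyProvidersRequiredForRegister
}

# Example: Cloud Cache across two placeholder shares in different zones/regions
Set-FSLogixProfileConfig -ShareUncPaths '\\<account1>.file.core.windows.net\profiles',
    '\\<account2>.file.core.windows.net\profiles' -SizeInMBs 30000 -CloudCache
Test-FSLogixProfileConfig
```

Drop `-CloudCache` to write a plain `VHDLocations` entry instead; in either mode the script removes the other location value so the host never carries both.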
