--- Sjoerd Hooft's InFormation Technology ---

Use Azure AD DS and Windows Virtual Desktop as a Test Environment

Note: This article was originally created in the first few months of 2020, before the Corona pandemic reached Europe and the US. Forced by the pandemic, Microsoft made a lot of the steps in this manual a lot easier, which probably makes this article less relevant.

In this article the following services are being used:

  • Azure Subscriptions
  • Azure AD
  • Azure AD Domain Services
  • Azure Virtual Machines
  • Azure Bastion
  • Azure Cloud Shell
  • Windows Virtual Desktop
  • Security Defaults
  • Snapshots

Create a New Azure Subscription

As we want to test in a completely separated and empty environment, the best way forward is to create a new empty environment. Usually you could create a free account, but I used one before and free accounts are limited to 1 per customer. So I decided to create a new subscription:

  • In the Azure portal, logged in as an administrator, add a subscription: click Subscriptions and then Add New
  • Select Pay-As-You-Go as the subscription Type
  • Fill in, if required, the payment information and technical support options (select no technical support if you want to save the costs associated with a support subscription)
  • Agree to subscription agreement, offer details and privacy statement and click Sign Up

This might take a while, but afterwards you'll be the proud owner of an additional subscription.

Azure AD

The first step we need to do now is to create a new tenant and associate that with this subscription.

  • Go to Azure Active Directory in the Azure Portal and click Create a directory
  • Select Azure Active Directory as directory type
  • Set “AAD Test 001 Getshifting” as the Organization name
  • Set “aadtest001getshifting” as the initial domain name
  • Set “Netherlands” as the country, this selects Europe as the datacenter location
  • Click create to create the directory.

Note that a subscription can only trust one directory, but a directory can trust multiple subscriptions.

Now that we've created the directory we have to associate it with the new subscription:

  • Go to the azure subscriptions overview and select the new subscription.
  • Optional, click Rename first to rename the subscription to reflect the Azure AD name, for example “AAD Test 001”. Note that it can take up to 10 minutes for this name to reflect in the portal. Wait for this before continuing.
  • Click Change directory
  • Select the AAD Test 001 Getshifting directory in the To field and click Change.

Now, in the subscriptions overview, use “Switch Directories” to see the new subscription. The documentation mentions it could take hours for everything to show correctly, so make sure everything looks ok before you continue.

Setup Azure Active Directory Domain Services

For now we'll create a basic instance. This will create an instance with the default configuration settings for networking and synchronization.

  • In the Azure Portal, make sure you're logged in using the test directory we just created. In the top right corner your login name is displayed, with the directory name right below it.
  • Search for “Azure AD Domain Services”; if all is correct you'll see there are no current Azure AD Domain Services
  • Click on “Create Azure AD Domain Services”. It might take a while for the new page to load, which holds 5 tabs
    • Basics
    • Networking
      • Keep the default for a new Virtual Network: aadds-vnet
      • Keep the default for a new Subnet: aadds-subnet (10.0.0.0/24)
    • Administration
      • Add members to the AAD DC Administrators group
      • Leave the Notifications to the default to notify both “All Global Administrators of the Azure AD directory” and “Members of the AAD DC Administrators group”. I also added my personal email address to be notified.
    • Synchronization
      • Leave the Synchronization type to the default “All”
    • Review + Create
      • Validation might take a while, but if everything is correct click “Create”, and click OK to confirm all your non-changeable settings.

Note that provisioning a domain can take more than an hour. To check the progress, click on the resource group (RG_AzureADDS) and then on the Azure AD Domain Services object (aadtest001getsh.onmicrosoft.com) in the list of resources.

Template

You can also download a template for automation. This will provide two files:

template.json

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "apiVersion": {
      "type": "string"
    },
    "sku": {
      "type": "string"
    },
    "domainConfigurationType": {
      "type": "string"
    },
    "domainName": {
      "type": "string"
    },
    "filteredSync": {
      "type": "string"
    },
    "location": {
      "type": "string"
    },
    "notificationSettings": {
      "type": "object"
    },
    "subnetName": {
      "type": "string"
    },
    "vnetName": {
      "type": "string"
    },
    "vnetAddressPrefixes": {
      "type": "array"
    },
    "subnetAddressPrefix": {
      "type": "string"
    },
    "nsgName": {
      "type": "string"
    }
  },
  "resources": [
    {
      "apiVersion": "2017-06-01",
      "type": "Microsoft.AAD/DomainServices",
      "name": "[parameters('domainName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[concat('Microsoft.Network/virtualNetworks/', parameters('vnetName'))]"
      ],
      "properties": {
        "domainName": "[parameters('domainName')]",
        "subnetId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/virtualNetworks/', parameters('vnetName'), '/subnets/', parameters('subnetName'))]",
        "filteredSync": "[parameters('filteredSync')]",
        "domainConfigurationType": "[parameters('domainConfigurationType')]",
        "notificationSettings": "[parameters('notificationSettings')]",
        "sku": "[parameters('sku')]"
      }
    },
    {
      "type": "Microsoft.Network/NetworkSecurityGroups",
      "name": "[parameters('nsgName')]",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": [
          {
            "name": "AllowSyncWithAzureAD",
            "properties": {
              "access": "Allow",
              "priority": 101,
              "direction": "Inbound",
              "protocol": "Tcp",
              "sourceAddressPrefix": "AzureActiveDirectoryDomainServices",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "*",
              "destinationPortRange": "443"
            }
          },
          {
            "name": "AllowPSRemoting",
            "properties": {
              "access": "Allow",
              "priority": 301,
              "direction": "Inbound",
              "protocol": "Tcp",
              "sourceAddressPrefix": "AzureActiveDirectoryDomainServices",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "*",
              "destinationPortRange": "5986"
            }
          },
          {
            "name": "AllowRD",
            "properties": {
              "access": "Allow",
              "priority": 201,
              "direction": "Inbound",
              "protocol": "Tcp",
              "sourceAddressPrefix": "CorpNetSaw",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "*",
              "destinationPortRange": "3389"
            }
          }
        ]
      },
      "apiVersion": "2019-09-01"
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "name": "[parameters('vnetName')]",
      "location": "[parameters('location')]",
      "apiVersion": "2019-09-01",
      "dependsOn": [
        "[concat('Microsoft.Network/NetworkSecurityGroups/', parameters('nsgName'))]"
      ],
      "properties": {
        "addressSpace": {
          "addressPrefixes": "[parameters('vnetAddressPrefixes')]"
        },
        "subnets": [
          {
            "name": "[parameters('subnetName')]",
            "properties": {
              "addressPrefix": "[parameters('subnetAddressPrefix')]",
              "networkSecurityGroup": {
                "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/NetworkSecurityGroups/', parameters('nsgName'))]"
              }
            }
          }
        ]
      }
    }
  ],
  "outputs": {}
}


parameters.json (note: changed the email address under additionalRecipients)

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "apiVersion": {
      "value": "2017-06-01"
    },
    "sku": {
      "value": "Standard"
    },
    "domainConfigurationType": {
      "value": "FullySynced"
    },
    "domainName": {
      "value": "aadtest001getsh.onmicrosoft.com"
    },
    "filteredSync": {
      "value": "Disabled"
    },
    "location": {
      "value": "westeurope"
    },
    "notificationSettings": {
      "value": {
        "notifyGlobalAdmins": "Enabled",
        "notifyDcAdmins": "Enabled",
        "additionalRecipients": [
          "test@test.com"
        ]
      }
    },
    "subnetName": {
      "value": "aadds-subnet"
    },
    "vnetName": {
      "value": "aadds-vnet"
    },
    "vnetAddressPrefixes": {
      "value": [
        "10.0.0.0/24"
      ]
    },
    "subnetAddressPrefix": {
      "value": "10.0.0.0/24"
    },
    "nsgName": {
      "value": "aadds-nsg"
    }
  }
}
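
Before reusing an exported template for automation, it is worth checking that every inbound Allow rule in its network security group is still scoped to a service tag or address range. The script below is an added example, not part of the original article or of the exported template; the function names are made up here, and the embedded JSON is a constructed sample holding the three rules from template.json plus one deliberately broad rule (ConstructedAllowRdpAny) so that a finding is produced.

```powershell
# Added example (not part of the original page or of the exported template).
# Flags inbound Allow rules whose source is unrestricted, with extra weight
# when a management port (SSH, RDP, WinRM) is reachable.

function Test-PortInRange {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    # Unresolved ARM expressions such as "[parameters('x')]" cannot be judged here.
    if ($Range -notmatch '^\d+(-\d+)?$') { return $false }
    $low, $high = @($Range -split '-')[0, -1]
    return ($Port -ge [int]$low -and $Port -le [int]$high)
}

function Get-NsgRuleFinding {
    param([Parameter(Mandatory)] [string]$TemplateJson)

    $broadSources = '*', '0.0.0.0/0', 'Internet', 'Any'
    $mgmtPorts    = 22, 3389, 5985, 5986
    $template     = $TemplateJson | ConvertFrom-Json

    foreach ($res in $template.resources) {
        # String comparison is case-insensitive, so 'NetworkSecurityGroups' matches too.
        if ($res.type -ne 'Microsoft.Network/networkSecurityGroups') { continue }
        foreach ($rule in $res.properties.securityRules) {
            $p = $rule.properties
            if ($p.access -ne 'Allow' -or $p.direction -ne 'Inbound') { continue }

            # Rules may use the singular or the plural property; collect both.
            $sources = @(@($p.sourceAddressPrefix) + @($p.sourceAddressPrefixes) | Where-Object { $_ })
            $ranges  = @(@($p.destinationPortRange) + @($p.destinationPortRanges) | Where-Object { $_ })

            $broad   = @($sources | Where-Object { $broadSources -contains $_ })
            $exposed = @(foreach ($port in $mgmtPorts) {
                if (@($ranges | Where-Object { Test-PortInRange -Range $_ -Port $port }).Count -gt 0) { $port }
            })

            $finding = if ($broad.Count -gt 0 -and $exposed.Count -gt 0) {
                'HIGH: management port open to any source'
            } elseif ($broad.Count -gt 0) {
                'REVIEW: any source allowed'
            } else {
                'OK: source is scoped'
            }

            [pscustomobject]@{
                Rule     = $rule.name
                Priority = $p.priority
                Source   = $sources -join ','
                Ports    = $ranges -join ','
                Finding  = $finding
            }
        }
    }
}

# Constructed sample: the page's three rules plus one constructed broad rule.
$sampleTemplate = @'
{
  "resources": [
    {
      "type": "Microsoft.Network/NetworkSecurityGroups",
      "name": "[parameters('nsgName')]",
      "properties": {
        "securityRules": [
          { "name": "AllowSyncWithAzureAD", "properties": { "access": "Allow", "priority": 101, "direction": "Inbound",
              "sourceAddressPrefix": "AzureActiveDirectoryDomainServices", "destinationPortRange": "443" } },
          { "name": "AllowPSRemoting", "properties": { "access": "Allow", "priority": 301, "direction": "Inbound",
              "sourceAddressPrefix": "AzureActiveDirectoryDomainServices", "destinationPortRange": "5986" } },
          { "name": "AllowRD", "properties": { "access": "Allow", "priority": 201, "direction": "Inbound",
              "sourceAddressPrefix": "CorpNetSaw", "destinationPortRange": "3389" } },
          { "name": "ConstructedAllowRdpAny", "properties": { "access": "Allow", "priority": 400, "direction": "Inbound",
              "sourceAddressPrefix": "*", "destinationPortRange": "3380-3400" } }
        ]
      }
    }
  ]
}
'@

Get-NsgRuleFinding -TemplateJson $sampleTemplate | Format-Table -AutoSize

# To audit the real export instead of the sample:
#   Get-NsgRuleFinding -TemplateJson (Get-Content ./template.json -Raw)
```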

Update DNS

DNS is a key resource for an Active Directory Domain, and you need to configure the virtual network with the new DNS settings.

  • Click on the properties tab to view the IP addresses on which Azure AD Domain Services is available (10.0.0.4 and 10.0.0.5)
  • Under the overview tab, click on configure, this configures the network and displays the following warning:
    • DNS servers for the virtual network are now configured with IP addresses 10.0.0.4 and 10.0.0.5. Virtual machines in this virtual network must be restarted to use the updated DNS server settings.

Enable User Accounts for Azure AD Domain Services

In this setup, we only have one user so far. Usually you would have users change their passwords before they can use Azure AD Domain Services. We will now create users so we can use Azure AD Domain Services.

  • In the Azure Portal go to Azure Active Directory, and under Manage, click Users
  • Click “+ New User”
    • Create User with the following details
      • User name: sjoerdtest@aadtest001getshifting.com
      • Name: Sjoerd Test
      • First name: Sjoerd
      • Password: Auto-generate password (click show password so you can note it: Raco4965)
      • Groups: no groups
      • Role: User
      • Block sign in: No
      • Usage location: Netherlands
      • Last name: Test
      • Job title: Test User
      • Department: User Department

Repeat the steps above for:

  • sjoerdadmin, who is a member of the AAD DC Administrators group (Pato3405)
  • sjoerdpower, who is a power user who will be made member of the AAD DC Administrators group later on (Zumu7697)

Use Cloud Shell to set up a permanent password:

  • Advanced Settings →
    • Resource Group: RG_AzureADDS
    • Storage Account: Create new: sacloudshellgetshifting
    • File Share: Create new: fs-cloudshell

# Convert the new password to a SecureString
$pass = ConvertTo-SecureString -String "NewPass123!!" -AsPlainText -Force
# Sign in to Azure AD
Connect-AzureAD
# Set a permanent password (no forced change at next login)
Set-AzureADUserPassword -ObjectId "4d6ea095-ec2b-491f-b785-ee68f32661be" -ForceChangePasswordNextLogin $false -Password $pass

#testuser:
Set-AzureADUserPassword -ObjectId "c4e719d6-d895-49d8-9d58-099c971f8770" -ForceChangePasswordNextLogin $false -Password $pass

#poweruser:
Set-AzureADUserPassword -ObjectId "0533f49d-5ffb-476c-8f8a-433b175f5be7" -ForceChangePasswordNextLogin $false -Password $pass
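
A variant of the Cloud Shell commands above that gives each account its own random password instead of one shared literal. It is an added example, not part of the original article; the function names New-RandomPassword and Reset-LabUserPassword are made up here, the object IDs are the ones used above, and -WhatIf keeps the run offline until you remove it (after Connect-AzureAD).

```powershell
# Added example (not from the original page).

function New-RandomPassword {
    param([ValidateRange(12, 128)] [int]$Length = 20)

    # Look-alike characters (l, I, O, 0, 1) are left out to ease manual entry.
    $sets = 'abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#%*+-_=?'
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = [byte[]]::new(1)

    # Uniform index in [0, $Max) by rejection sampling, which avoids modulo bias.
    # Valid for $Max <= 256, which holds for every call below.
    $next = {
        param([int]$Max)
        $limit = 256 - (256 % $Max)
        do { $rng.GetBytes($byte) } while ($byte[0] -ge $limit)
        $byte[0] % $Max
    }

    try {
        $all   = -join $sets
        $chars = [System.Collections.Generic.List[char]]::new()
        # One character from every class, then fill up from the full alphabet.
        foreach ($s in $sets) { $chars.Add($s[(& $next $s.Length)]) }
        while ($chars.Count -lt $Length) { $chars.Add($all[(& $next $all.Length)]) }
        # Fisher-Yates shuffle so the guaranteed classes are not always in front.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = & $next ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        -join $chars
    } finally {
        $rng.Dispose()
    }
}

function Reset-LabUserPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]]$ObjectId)

    foreach ($id in $ObjectId) {
        $plain = New-RandomPassword
        if ($PSCmdlet.ShouldProcess($id, 'Set-AzureADUserPassword')) {
            $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
            Set-AzureADUserPassword -ObjectId $id -Password $secure -ForceChangePasswordNextLogin $false
        }
        # Returned once so it can go straight into a password manager.
        [pscustomobject]@{ ObjectId = $id; Password = $plain }
    }
}

# Object IDs as used in the commands above; drop -WhatIf to apply the change.
Reset-LabUserPassword -WhatIf -ObjectId @(
    '4d6ea095-ec2b-491f-b785-ee68f32661be'
    'c4e719d6-d895-49d8-9d58-099c971f8770'
    '0533f49d-5ffb-476c-8f8a-433b175f5be7'
)
```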

Configure Network Connectivity for Application Workload

Now that Azure AD Domain Services is correctly deployed, it would be nice to be able to manage it. During the deployment we configured the default settings, which created a separate virtual network and subnet for the Azure AD Domain Services. It is recommended to use this subnet only for the Azure AD Domain Services, which means we can either create additional subnets or create additional networks and peer the networks. We will create a virtual subnet:

  • In the Azure Portal, go to the Resource Group RG_AzureADDS and click the virtual network (aadds-vnet) we created from the list
  • Click Address Space to see a list of the address spaces currently available (10.0.0.0/24)
  • To add an address space, click on the input form and enter a new address space, in this case we use 10.0.1.0/24, which is the next Class C network available
  • Click on Subnets and click “+ Subnet”
    • Name: Management
    • Address Range: 10.0.1.0/24
    • Keep all other settings to the default and click OK

Create and Configure a Management Server

Now that we've created a management network we can create a management server and join the server to the domain.

  • In the Azure Portal, from the menu click on “+ Create a resource”
  • Search for Windows Server and select Windows Server 2019 Datacenter from the Windows Server page
  • Click Create which opens the Create a virtual machine wizard
    • Basics
      • Subscription: AAD Test 001
      • Resource Group: RG_AzureADDS
      • Virtual machine name: vm-we-w19-mgm01 (Virtual Machine-West Europe-Windows Server 2019-Management Server 01)
      • Size: Standard B2s
      • Administrator account username: la_mgm01
      • Administrator account password: *
      • Public inbound ports: None
    • Disks
      • OS Disk Type: Standard HDD
    • Networking:
      • Virtual Network: aadds-vnet
      • Subnet: Management (10.0.1.0/24)
      • Public IP: None
    • Management
      • Enable the free basic plan
      • Disable all other options
    • Review + Create
      • Click Create once the validation is passed

This might take a few minutes. Once the deployment is done you can click “Setup auto-shutdown” to configure automatic shutdown of the VM, in case you ever forget:

  • Enabled: On
  • Scheduled shutdown: 5:00:00 PM
  • Time Zone: UTC + 1
  • Send notification to my email address

Connect To Management VM using Azure Bastion

To connect to the Management VM we'll use Azure Bastion, which you could see as a gateway or stepping stone server between the internet and your private network in Azure. Do note that this is https://azure.microsoft.com/en-us/pricing/details/azure-bastion/

  • Go to the Management VM we just created in the Azure Portal, and under settings, click on Connect
  • Click on the Bastion tab, and click “Use Bastion”
    • You can now immediately configure Azure Bastion
    • Name: aad001-bastion
    • Click on Manage Subnet Configuration to create a subnet called “AzureBastionSubnet” with network address range 10.0.2.0/24. Note that you first need to create an address space.
    • Public IP Address: Create new
    • Public IP address name: aad001-bastion-ip
    • Resource Group: RG_AzureADDS
    • Click Create

Once the Bastion Host is created it is possible to connect to the VM using only your browser.

  • Again, go to the connect section for the Management VM
  • Click on the Bastion tab
  • Select the “Open in new window” option and fill in the local administrator username and password we configured during creation

Join the VM to the Azure AD DS Managed Domain

Once you've logged in to the VM, you can start to join it to the domain and install management tools.

  • Log on to the Management VM if you haven't already, and start Server Manager if this is not done automatically yet
  • Go to Local Server and click on “WORKGROUP”
  • In the system properties window, click Change
    • Domain: aadtest001getsh.onmicrosoft.com
    • Username: sjoerdadmin
    • Password: Use the password you set for sjoerdadmin using the cloudshell.

Now the Management VM will reboot, and afterwards you can login using Bastion and the sjoerdadmin credentials. We will now install the Remote Server Administration Tools.

  • Log on to the Management VM if you haven't already, and start Server Manager if this is not done automatically yet
  • Click on Manage and click “Add Roles and Features”
  • Installation Type: Role-based or feature-based installation
  • Server Selection: Select the local server (vm-we-w19-mgm01)
  • Server Roles: Next
  • Features:
    • Group Policy Management
    • Select the following RSAT Tools under Remote Server Administration Tools → Role Administration Tools
      • AD DS and AD LDS Tools
      • DNS Server Tools
  • Confirmation: Install

Now you can use the Active Directory, DNS and Group Policy Management administration tools from the Server Manager → Tools section.

Note that before you can manage DNS you need to connect to a DNS server. You can fill in the domain name (aadtest001getsh.onmicrosoft.com) to automatically connect to one.

Create Windows Virtual Desktop Tenant

Now that we have a working Active Directory environment in the cloud we also want to provide applications to users. We will use Windows Virtual Desktop for that. This is, right now, quite a new service, and a lot of individual steps are required. We start with creating a tenant in Windows Virtual Desktop. We need a Global Administrator for this, but we can't use the original Global Administrator because that one is part of a different directory. You can see this in Azure Active Directory, which shows the account as coming from an External Azure Active Directory.

  • In the Azure Portal go to Azure Active Directory, and under Manage, click Users
  • Click on the sjoerdadmin user
  • Click on the Assigned roles
  • Click on “+ Add assignments” and select the Global Administrator role. Click on Add to assign the role.

Now open a browser as the specified user. To do so, login to the Management VM, and start by disabling “IE Enhanced Security Configuration” for administrators under the Local Server properties in Server Manager. Then start Internet Explorer.

  • Login using the UPN name: sjoerdadmin@aadtest001getshifting.onmicrosoft.com and the corresponding password
  • MFA options are standard now, either set up MFA or select Skip for now
  • A list with all required permissions is shown, click accept. You should wait for a minute before continuing, even when a thank you message is displayed
  • Again, login and accept the required permissions.
  • Now, still as the sjoerdadmin (Global Administrator) user login to the Azure Portal and search and select Enterprise Applications
  • You'll see the two applications for which you provided consent, select the Windows Virtual Desktop
  • Select users and groups, and note the sjoerdadmin user already in the list. We will now also assign the TenantCreator role to this user
  • Click “Add user” and select the sjoerdadmin user under the users section in the Add assignment blade. As the TenantCreator role is already selected and can't be changed click Assign
  • Once done, and back in the Users and groups section of the Enterprise Application you'll now see two listings for the sjoerdadmin user, one with the role Default Access and one with the TenantCreator role.
  • Now gather the following information:
    • Azure Active Directory ID (Tenant ID): 569b3e72-89ce-4115-9858-ce53d8e5c490
    • Subscription ID: c18b1986-f82f-4809-838a-39cfe062f21b

Now that we've performed all required steps we can actually create a Windows Virtual Desktop tenant. Unfortunately that is done with a legacy PowerShell module, which means we can't use the previously configured Cloud Shell. Windows Server 2019 still comes with PowerShell 5.1, so we will do these steps from the Management VM. Start PowerShell as administrator, as we will first install the required module.

# Install and load the Windows Virtual Desktop PowerShell module
Install-Module -Name Microsoft.RDInfra.RDPowerShell
Import-Module -Name Microsoft.RDInfra.RDPowerShell
# Sign in to the Windows Virtual Desktop broker
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
# use the sjoerdadmin@aadtest001getshifting.onmicrosoft.com account to log in
New-RdsTenant -Name virtualdesktoptest001 -AadTenantId 569b3e72-89ce-4115-9858-ce53d8e5c490 -AzureSubscriptionId c18b1986-f82f-4809-838a-39cfe062f21b
# Optionally you could assign administrative access to a second user
New-RdsRoleAssignment -TenantName "<TenantName>" -SignInName "<Upn>" -RoleDefinitionName "RDS Owner"

Note that once the module is installed, you can perform the succeeding steps in a non-administrative PowerShell session.

Windows Virtual Desktop Service Principals

Service principals are identities that you can create in Azure Active Directory to assign roles and permissions for a specific purpose. In Windows Virtual Desktop, you can create a service principal to “Automate specific Windows Virtual Desktop management tasks” and “Use as credentials in place of MFA-required users when running any Azure Resource Manager template for Windows Virtual Desktop”.

We start by installing the AzureAD PowerShell module in an administrative PowerShell session:

Install-Module AzureAD

Then run the following commands:

Import-Module Microsoft.RDInfra.RDPowershell
Import-Module AzureAD
$aadContext = Connect-AzureAD
# use the sjoerdadmin@aadtest001getshifting.onmicrosoft.com account to log in
# Create the application and a password credential (secret) for it
$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "Windows Virtual Desktop Svc Principal"
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId
# Now you need three essential pieces of information
# The Password
$svcPrincipalCreds.Value
# Output: R0SeCl0PevMnhbyHBcvinlTuc9WHlsSNL7E2iqfHtSU=
# Tenant ID
$aadContext.TenantId.Guid
# Output: 569b3e72-89ce-4115-9858-ce53d8e5c490
# Application ID
$svcPrincipal.AppId
# Output: 1bbce553-9951-41a8-b527-b6a0d2d30479
# Now we create the role assignments
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
# use the sjoerdadmin@aadtest001getshifting.onmicrosoft.com account to log in
Get-RdsTenant
# This displays the TenantName (among other information), please note it: virtualdesktoptest001
$myTenantName = "virtualdesktoptest001"
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantName $myTenantName
# Sign in as the service principal to verify the credentials work
$creds = New-Object System.Management.Automation.PSCredential($svcPrincipal.AppId, (ConvertTo-SecureString $svcPrincipalCreds.Value -AsPlainText -Force))
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" -Credential $creds -ServicePrincipal -AadTenantId $aadContext.TenantId.Guid
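
The service principal secret created above ends up in the shell output and later in the host pool wizard, so its lifetime matters. The following is an added example, not part of the original article: it reviews the password credentials of an application and removes those that are expired or valid for longer than a chosen window, assuming the secret is only needed while the host pool is provisioned. The function name Remove-LongLivedAppSecret, the 7-day window and the two credential objects are made up or constructed here; -WhatIf keeps the sample run offline.

```powershell
# Added example (not from the original page).

function Remove-LongLivedAppSecret {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]$ApplicationObjectId,
        # Objects with KeyId and EndDate, as returned by
        # Get-AzureADApplicationPasswordCredential.
        [Parameter(Mandatory, ValueFromPipeline)] $Credential,
        [int]$MaxDays = 7
    )
    begin { $now = Get-Date }
    process {
        $daysLeft = [math]::Round(($Credential.EndDate - $now).TotalDays, 1)
        $status = if ($daysLeft -le 0) { 'Expired' } elseif ($daysLeft -gt $MaxDays) { 'TooLong' } else { 'OK' }

        if ($status -ne 'OK' -and
            $PSCmdlet.ShouldProcess("secret $($Credential.KeyId)", 'Remove-AzureADApplicationPasswordCredential')) {
            Remove-AzureADApplicationPasswordCredential -ObjectId $ApplicationObjectId -KeyId $Credential.KeyId
            $status = "$status (removed)"
        }

        [pscustomobject]@{
            KeyId    = $Credential.KeyId
            EndDate  = $Credential.EndDate
            DaysLeft = $daysLeft
            Status   = $status
        }
    }
}

# Constructed sample credentials: one valid for a year, one for two days.
$constructed = @(
    [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-000000000001'; EndDate = (Get-Date).AddDays(365) }
    [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-000000000002'; EndDate = (Get-Date).AddDays(2) }
)
$constructed |
    Remove-LongLivedAppSecret -ApplicationObjectId '<application-object-id>' -WhatIf |
    Format-Table -AutoSize

# Against the tenant (after Connect-AzureAD, with $svcPrincipal as created above):
#   # create the secret with an explicit short lifetime
#   $svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId -EndDate (Get-Date).AddDays(2)
#   # review and clean up once the host pool exists
#   Get-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId |
#       Remove-LongLivedAppSecret -ApplicationObjectId $svcPrincipal.ObjectId
```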

Create a Host Pool for Windows Virtual Desktop

Before we can create the hostpool we first need to disable MFA for the account that will perform the domain join. For new tenants, the security defaults now include MFA, which is not supported for accounts that are used for the domain join of Windows Virtual Desktop hosts.

  • In the Azure Portal, go to Azure Active Directory → Properties → Manage Security Defaults
  • Enable Security defaults: No
  • Check by logging into portal.azure.com. I do not get any MFA related challenges.

Create a hostpool to host the VMs that will be acting as the Windows Virtual Desktop.

  • In the Azure Portal, create a resource and search for Windows Virtual Desktop
  • From the results, click on “Windows Virtual Desktop - Provision a host pool”
  • Click Create, which opens the “Create Windows Virtual Desktop - Provision a host pool” wizard
    • Basics
      • Subscription: AAD Test 001
      • Resource group: RG_AzureADDS
      • Region: West Europe
      • Hostpool name: HostPool_Desktop01
      • Desktop type: Pooled
      • Default desktop users: sjoerdtest@aadtest001getshifting.onmicrosoft.com,sjoerdpower@aadtest001getshifting.onmicrosoft.com
      • Service metadata location: United States (note that this stores just the https://docs.microsoft.com/en-us/azure/virtual-desktop/data-locations)
    • Configure Virtual Machines
      • Usage Profile: Custom
      • Number of Virtual Machines: 1
      • Virtual machine size: B2ms
      • Virtual machine name prefix: VDI-Desk01
    • Virtual Machine Settings
      • Image source: Gallery
      • Windows 10 Enterprise multi-session with Office 365 ProPlus
      • Disktype: Standard HDD
      • AD Domain join UPN: sjoerdadmin@aadtest001getshifting.onmicrosoft.com
      • Specify domain or OU: Yes
      • Domain to Join: aadtest001getsh.onmicrosoft.com
      • OU path: OU=VDI,DC=aadtest001getsh,DC=onmicrosoft,DC=com
      • Virtual Network: aadds-vnet
      • vmSubnet: Click Manage subnet configuration and create a new subnet VDI with address space 10.0.3.0/24
    • Windows Virtual Desktop Information
      • Windows Virtual Desktop tenant group name: Keep the default of “Default Tenant Group” unless you've setup another name. You can check the name using the Get-RdsTenant powershell command.
      • Windows Virtual Desktop tenant name: virtualdesktoptest001
      • Windows Virtual Desktop tenant RDS Owner: Service Principal
      • Application ID: 1bbce553-9951-41a8-b527-b6a0d2d30479
      • Password: R0SeCl0PevMnhbyHBcvinlTuc9WHlsSNL7E2iqfHtSU=
      • Azure AD Tenant ID: 569b3e72-89ce-4115-9858-ce53d8e5c490
    • Review + Create
      • Click Create when the validation is passed

Note that if you want to add additional users to the desktop application group you need to do so using PowerShell:

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
Add-RdsAppGroupUser "<tenantname>" "<hostpoolname>" "Desktop Application Group" -UserPrincipalName "<userupn>"

To remove users:

Get-RdsAppGroup Virtualdesktoptest001 HostPool_Desktop01
#Remove-RdsAppGroupUser -TenantName "contoso" -HostPoolName "contosoHostPool" -AppGroupName "officeApps" -UserPrincipalName "user1@contoso.com"
 
Remove-RdsAppGroupUser -TenantName Virtualdesktoptest001 -HostPoolName HostPool_Desktop01 -AppGroupName "Desktop Application Group" -UserPrincipalName "sjoerdpower@aadtest001getshifting.onmicrosoft.com"

Connect to the Desktop

There are several options to connect to the virtual desktop, but some work better than others. You have the Windows client (https://docs.microsoft.com/en-us/azure/virtual-desktop/connect-windows-7-and-10), but it requires a few firewall URLs to be opened, which is not always convenient when doing tests. I found the best solution was to use the web client (https://docs.microsoft.com/en-us/azure/virtual-desktop/connect-web), which involved starting a private Chrome browser window, connecting to https://rdweb.wvd.microsoft.com/webclient and logging in using the sjoerdtest@aadtest001getshifting.onmicrosoft.com account.

After logging in you first see the Virtual Desktop Tenant: Virtualdesktoptest001, and when clicking through you'll be presented with the HostPool: HostPool_Desktop01 which will connect you with the actual desktop. Note that you also need to logon to the desktop itself, again using the sjoerdtest account.

Publish a RemoteApp

Now that we have a working desktop I also want to be able to publish a single application. To do so, we will again work with the Windows Virtual Desktop PowerShell module, which is installed on the management server.

import-module Microsoft.RDInfra.RDPowershell
# Login with your sjoerdadmin account: sjoerdadmin@aadtest001getshifting.onmicrosoft.com
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
# Create a new empty RemoteApp app group
# New-RdsAppGroup <tenantname> <hostpoolname> <appgroupname> -ResourceType "RemoteApp"
New-RdsAppGroup Virtualdesktoptest001 HostPool_Desktop01 WindowsApps -ResourceType "RemoteApp"
# Verify
# Get-RdsAppGroup <tenantname> <hostpoolname>
Get-RdsAppGroup Virtualdesktoptest001 HostPool_Desktop01
#  Get a list of Start menu apps on the host pool's virtual machine image. Write down the values for FilePath, IconPath, IconIndex and the AppAlias. 
# Get-RdsStartMenuApp <tenantname> <hostpoolname> <appgroupname>
Get-RdsStartMenuApp Virtualdesktoptest001 HostPool_Desktop01 WindowsApps
<#
TenantGroupName      : Default Tenant Group
TenantName           : Virtualdesktoptest001
HostPoolName         : HostPool_Desktop01
AppGroupName         : WindowsApps
AppAlias             : snippingtool
FriendlyName         : Snipping Tool
FilePath             : C:\windows\system32\SnippingTool.exe
CommandLineArguments :
IconPath             : C:\windows\system32\SnippingTool.exe
IconIndex            : 0
 
TenantGroupName      : Default Tenant Group
TenantName           : Virtualdesktoptest001
HostPoolName         : HostPool_Desktop01
AppGroupName         : WindowsApps
AppAlias             : taskmanager
FriendlyName         : Task Manager
FilePath             : C:\windows\system32\taskmgr.exe
CommandLineArguments : /7
IconPath             : C:\windows\system32\Taskmgr.exe
IconIndex            : -30651
 
TenantGroupName      : Default Tenant Group
TenantName           : Virtualdesktoptest001
HostPoolName         : HostPool_Desktop01
AppGroupName         : WindowsApps
AppAlias             : wordpad
FriendlyName         : Wordpad
FilePath             : C:\Program Files\Windows NT\Accessories\wordpad.exe
CommandLineArguments :
IconPath             : C:\Program Files\Windows NT\Accessories\wordpad.exe
IconIndex            : 0
#>
#  Run the following cmdlet to install the application based on AppAlias
# New-RdsRemoteApp <tenantname> <hostpoolname> <appgroupname> -Name <remoteappname> -AppAlias <appalias>
New-RdsRemoteApp Virtualdesktoptest001 HostPool_Desktop01 WindowsApps -Name "Snipping Tool" -AppAlias snippingtool
New-RdsRemoteApp Virtualdesktoptest001 HostPool_Desktop01 WindowsApps -Name "Task Manager" -AppAlias taskmanager
New-RdsRemoteApp Virtualdesktoptest001 HostPool_Desktop01 WindowsApps -Name Wordpad -AppAlias wordpad
# Verify
# Get-RdsRemoteApp <tenantname> <hostpoolname> <appgroupname>
Get-RdsRemoteApp Virtualdesktoptest001 HostPool_Desktop01 WindowsApps
# Grant users access. Note that within a hostgroup you can't assign users to both desktop and remote app groups. 
#Add-RdsAppGroupUser <tenantname> <hostpoolname> <appgroupname> -UserPrincipalName <userupn>
Add-RdsAppGroupUser Virtualdesktoptest001 HostPool_Desktop01 WindowsApps -UserPrincipalName "sjoerdpower@aadtest001getshifting.onmicrosoft.com"

Now you can use the poweruser to log in through https://rdweb.wvd.microsoft.com/webclient and access the published apps.

Add Custom App

You can also add an application which is not listed as publishable in the Get-RdsStartMenuApp command. Notepad is not listed, but you can add it like this:

#New-RdsRemoteApp <tenantname> <hostpoolname> <appgroupname> -Name <remoteappname> -Filepath <filepath>  -IconPath <iconpath> -IconIndex <iconindex>
New-RdsRemoteApp Virtualdesktoptest001 HostPool_Desktop01 WindowsApps -Name Notepad -Filepath "C:\WINDOWS\system32\notepad.exe"  -IconPath "C:\WINDOWS\system32\notepad.exe" -IconIndex 0

Create a Master Image for Line of Business Applications

We will now create a Master Image with a business application. For this test we will use VSCode with a few extensions.

Create the VM

  • In the Azure Portal, from the menu, click “+ Create a resource” and search for Windows 10
  • Select Microsoft Windows 10 + Office 365 ProPlus from the results
  • Make sure you have the latest version selected from the dropdown list and click create
    • Basics
      • Subscription: AAD Test 001
      • Resource Group: RG_AzureADDS
      • Virtual Machine Name: vm-we-w10-img01
      • Size: Standard B2s
      • Administrator account username: la_img01
      • Administrator account password:
      • Public inbound ports: None
    • Disks
      • OS Disk Type: Standard HDD
    • Networking:
      • Virtual Network: aadds-vnet
      • Subnet: Management (10.0.1.0/24)
      • Public IP: None
    • Management
      • Enable the free basic plan
      • Disable all other options
    • Review + Create
      • Click Create once the validation is passed

Once the VM is created you can login using Bastion and the credentials provided during VM creation.

Prepare the VM and Applications as a Windows Virtual Desktop

Follow the steps as explained https://docs.microsoft.com/en-us/azure/virtual-desktop/set-up-customize-master-image and https://docs.microsoft.com/en-us/azure/virtual-desktop/install-office-on-wvd-master-image and https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-user-profile#configure-the-fslogix-profile-container

<Configuration>
  <Add OfficeClientEdition="64" Channel="Monthly">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-US" />
      <Language ID="MatchOS" />
      <ExcludeApp ID="Groove" />
      <ExcludeApp ID="Lync" />
      <ExcludeApp ID="OneDrive" />
      <ExcludeApp ID="Teams" />
    </Product>
  </Add>
  <RemoveMSI/>
  <Updates Enabled="FALSE"/>
  <Display Level="None" AcceptEULA="TRUE" />
  <Logging Level="Standard" Path="%temp%\WVDOfficeInstall" />
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE"/>
  <Property Name="SharedComputerLicensing" Value="1"/>
</Configuration>

  • Note this takes around 10 minutes

Run these commands to change the default Office behavior:

rem Mount the default user registry hive
reg load HKU\TempDefault C:\Users\Default\NTUSER.DAT
rem Must be executed with default registry hive mounted.
reg add HKU\TempDefault\SOFTWARE\Policies\Microsoft\office\16.0\common /v InsiderSlabBehavior /t REG_DWORD /d 2 /f
rem Set Outlook's Cached Exchange Mode behavior
rem Must be executed with default registry hive mounted.
reg add "HKU\TempDefault\software\policies\microsoft\office\16.0\outlook\cached mode" /v enable /t REG_DWORD /d 1 /f
reg add "HKU\TempDefault\software\policies\microsoft\office\16.0\outlook\cached mode" /v syncwindowsetting /t REG_DWORD /d 1 /f
reg add "HKU\TempDefault\software\policies\microsoft\office\16.0\outlook\cached mode" /v CalendarSyncWindowSetting /t REG_DWORD /d 1 /f
reg add "HKU\TempDefault\software\policies\microsoft\office\16.0\outlook\cached mode" /v CalendarSyncWindowSettingMonths  /t REG_DWORD /d 1 /f
rem Unmount the default user registry hive
reg unload HKU\TempDefault

rem Set the Office Update UI behavior.
reg add HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate /v hideupdatenotifications /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate /v hideenabledisableupdates /t REG_DWORD /d 1 /f
  • Onedrive
    • Download the onedrive setup: https://aka.ms/OneDriveWVD-Installer to c:\stage
    • "C:\stage\OneDriveSetup.exe" /uninstall or through the Apps and Features
    • Run REG ADD "HKLM\Software\Microsoft\OneDrive" /v "AllUsersInstall" /t REG_DWORD /d 1 /reg:64
    • Run "C:\stage\OneDriveSetup.exe" /allusers
    • Enable startup: REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDrive /t REG_SZ /d "C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe /background" /f
    • Enable silent configure: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\OneDrive" /v "SilentAccountConfig" /t REG_DWORD /d 1 /f
    • Redirect Windows folders: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\OneDrive" /v "KFMSilentOptIn" /t REG_SZ /d "<your-AzureAdTenantId>" /f
      • REG ADD "HKLM\SOFTWARE\Policies\Microsoft\OneDrive" /v "KFMSilentOptIn" /t REG_SZ /d "569b3e72-89ce-4115-9858-ce53d8e5c490" /f

  • FSLogix profile container
    • Download and extract https://go.microsoft.com/fwlink/?linkid=2084562
    • Run FSLogixAppsSetup from the x64\release folder
    • Start regedit as an administrator and in HKEY_LOCAL_MACHINE\software\FSLogix add a key “Profiles”. In the Profiles key add:
      • a multi-string value called “VHDLocations” with a value of “Network path for file share”
      • a DWORD called “Enabled” with a value of 1

  • Other
    • Windows Security → Virus & threat protection → Manage Settings → Add or remove exclusions → add exclusion for file types *.vhd and *.vhdx
    • Disable automatic updates: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
    • Time zone redirection: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableTimeZoneRedirection /t REG_DWORD /d 1 /f
    • Disable storage sense: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" /v 01 /t REG_DWORD /d 0 /f
    • Settings → Privacy → Diagnostics & Feedback → Feedback frequency → Never
    • Fix 5k support:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxMonitors /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxXResolution /t REG_DWORD /d 5120 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MaxYResolution /t REG_DWORD /d 2880 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\rdp-sxs" /v MaxMonitors /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\rdp-sxs" /v MaxXResolution /t REG_DWORD /d 5120 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\rdp-sxs" /v MaxYResolution /t REG_DWORD /d 2880 /f

Remote Desktop Session Host - Session Time limits:

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v RemoteAppLogoffTimeLimit /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fResetBroken /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxConnectionTime /t REG_DWORD /d 10800000 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v RemoteAppLogoffTimeLimit /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 5000 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxIdleTime /t REG_DWORD /d 10800000 /f

Optional (NOT DONE NOW, added for completeness): Create a custom start menu layout: https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs

  • reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SpecialRoamingOverrideAllowed /t REG_DWORD /d 1 /f
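Before cleaning up and running sysprep, it is worth confirming that the machine-wide settings above actually landed in the registry, because a typo in one reg add is only noticed after the image has been captured. The script below is an added example, not part of the original procedure or of Microsoft's documentation; the function names Test-MasterImageSetting and Test-VhdExclusion are hypothetical. It only covers HKLM values and the Defender exclusions, not the default user hive or HKCU.

```powershell
# Added example: run in an elevated PowerShell session on the master image VM.
$ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$fsl = 'HKLM:\SOFTWARE\FSLogix\Profiles'

# Expected values are the ones set by the reg add commands on this page.
# Value = $null means "must exist and be non-empty" (site-specific value).
$expected = @(
    @{ Path = $fsl; Name = 'Enabled'; Value = 1 }
    @{ Path = $fsl; Name = 'VHDLocations'; Value = $null }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'; Name = 'SilentAccountConfig'; Value = 1 }
    @{ Path = $ts; Name = 'fEnableTimeZoneRedirection'; Value = 1 }
    @{ Path = $ts; Name = 'RemoteAppLogoffTimeLimit'; Value = 0 }
    @{ Path = $ts; Name = 'fResetBroken'; Value = 1 }
    @{ Path = $ts; Name = 'MaxConnectionTime'; Value = 10800000 }
    @{ Path = $ts; Name = 'MaxDisconnectionTime'; Value = 5000 }
    @{ Path = $ts; Name = 'MaxIdleTime'; Value = 10800000 }
    @{ Path = "$rdp\RDP-Tcp"; Name = 'MaxXResolution'; Value = 5120 }
    @{ Path = "$rdp\rdp-sxs"; Name = 'MaxXResolution'; Value = 5120 }
)

function Test-MasterImageSetting {
    param([Parameter(Mandatory)][hashtable[]]$Expected)
    foreach ($item in $Expected) {
        # A missing key or value yields $null instead of an error.
        $prop   = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
        $actual = if ($prop) { $prop.($item.Name) } else { $null }
        $ok = if ($null -eq $item.Value) {
            [bool]$actual
        } else {
            $null -ne $actual -and $actual -eq $item.Value
        }
        [pscustomobject]@{
            Key = $item.Path; Name = $item.Name; Expected = $item.Value; Actual = $actual; Ok = $ok
        }
    }
}

function Test-VhdExclusion {
    # Defender stores extensions as entered; normalise '*.vhd', '.vhd' and 'vhd'.
    $have = @((Get-MpPreference).ExclusionExtension) | Where-Object { $_ } |
        ForEach-Object { $_.TrimStart('*', '.').ToLower() }
    foreach ($ext in 'vhd', 'vhdx') {
        $found = $have -contains $ext
        [pscustomobject]@{
            Key = 'Defender ExclusionExtension'; Name = $ext; Expected = 'present'; Actual = $found; Ok = $found
        }
    }
}

$results = @(Test-MasterImageSetting -Expected $expected) + @(Test-VhdExclusion)
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'Master image differs from the settings on this page; fix before running sysprep.'
}
```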

Install Business Apps

In this case we will just install Visual Studio Code with the powershell extension:

  • Download the system installer package from https://code.visualstudio.com/
  • Run the VSCodeSetup-x64-xxxx.exe file. Note that if you downloaded VSCodeUserSetup-x64-xxxx.exe you need to download the system installation package instead
    • Run the installation with the settings you prefer
    • Once the installation is done, launch Visual Studio Code and go to extensions
    • Search for powershell and install the powershell extension from microsoft (ms-vscode.powershell)

Cleanup

Now clean up all downloaded files (also empty the recycle bin), and optionally reboot the VM.

Create a SnapShot

In case you want to go back to this point to install additional software, you can create a snapshot: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/snapshot-copy-managed-disk

  • Shut down the VM and make sure the VM is deallocated by stopping it
  • Go to the Resource Group and then the disk you want to create a snapshot from: vm-we-w10-img01_OsDisk_1_<id>
  • Click Create snapshot
    • Instance Name: 20200312-PreSysPrep
    • Account type: Standard HDD
  • Create the snapshot
Note that you can view a list of snapshots in the Azure Portal by searching for and selecting snapshot. It also shows in the
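The same snapshot can be taken from Cloud Shell, which also makes the "is the VM really deallocated" check explicit. This is an added example, not part of the original page; it uses the resource names from this page and assumes the Az module that Cloud Shell provides.

```powershell
# Added example for Azure Cloud Shell (Az module); names are the ones used on this page.
$resourceGroupName  = 'RG_AzureADDS'
$virtualMachineName = 'vm-we-w10-img01'
$snapshotName       = '20200312-PreSysPrep'

# Stop-AzVM without -StayProvisioned deallocates the VM.
Stop-AzVM -ResourceGroupName $resourceGroupName -Name $virtualMachineName -Force | Out-Null

# Verify the power state before copying the disk.
$status = Get-AzVM -ResourceGroupName $resourceGroupName -Name $virtualMachineName -Status
$power  = ($status.Statuses | Where-Object Code -like 'PowerState/*').Code
if ($power -ne 'PowerState/deallocated') {
    throw "VM is in state '$power', expected 'PowerState/deallocated'."
}

# Snapshot the managed OS disk; Standard_LRS corresponds to "Standard HDD" in the portal.
$vm = Get-AzVM -ResourceGroupName $resourceGroupName -Name $virtualMachineName
$snapshotConfig = New-AzSnapshotConfig -SourceUri $vm.StorageProfile.OsDisk.ManagedDisk.Id `
    -Location $vm.Location -CreateOption Copy -SkuName Standard_LRS
$snapshot = New-AzSnapshot -Snapshot $snapshotConfig -SnapshotName $snapshotName `
    -ResourceGroupName $resourceGroupName

# Show the result so the name can be reused when restoring from the snapshot.
$snapshot | Select-Object Name, ProvisioningState, DiskSizeGB, TimeCreated
```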

SysPrep the Golden Image VM

  • In the Azure Portal start the Virtual Machine again and login once it's started up
  • Run c:\Windows\System32\Sysprep\sysprep.exe
    • System Cleanup Action: System Out-of-Box Experience (OOBE)
    • Generalize: Enabled
    • Shutdown options: Shutdown
  • Once the VM is shut down, deallocate the VM using the STOP option in the Azure portal

Create an Image

Now we can create an image from the Golden Image VM. Note that this cannot be undone and makes the VM unusable.

  • In the Azure Portal, on the overview page of the VM, click the Capture button
    • Name: vm-we-w10-img01-image-20200313110904
    • Resource Group: RG_AzureADDS
    • Zone resiliency: Off
    • Type the Virtual machine's name to acknowledge the impact of the action and click create

Deploy a Windows Virtual Desktop HostPool with the Master Image

We can now create a hostpool based on the VM. This is almost identical to the hostpool we created before. See below for the steps, and note that the differences are in bold.

Create a hostpool to host the VMs that will be acting as the Windows Virtual Desktop.

  • In the Azure Portal, create a resource and search for Windows Virtual Desktop
  • From the results, click on “Windows Virtual Desktop - Provision a host pool”
  • Click Create, which opens the “Create Windows Virtual Desktop - Provision a host pool” wizard
    • Basics
    • Configure Virtual Machines
      • Usage Profile: Custom
      • Number of Virtual Machines: 1
      • Virtual machine size: B2ms
      • Virtual machine name prefix: VDI-VSCode
    • Virtual Machine Settings
      • Image source: Managed Image
      • Image name: vm-we-w10-img01-image-20200313110904
      • Image resource group name: RG_AzureADDS
      • Disktype: Standard HDD
      • AD Domain join UPN: sjoerdadmin@aadtest001getshifting.onmicrosoft.com
      • Specify domain or OU: Yes
      • Domain to Join: aadtest001getsh.onmicrosoft.com
      • OU path: OU=VDI,DC=aadtest001getsh,DC=onmicrosoft,DC=com
      • Virtual Network: aadds-vnet
      • vmSubnet: Select the previous created VDI subnet
    • Windows Virtual Desktop Information
      • Windows Virtual Desktop tenant group name: Keep the default of “Default Tenant Group” unless you've setup another name. You can check the name using the Get-RdsTenant powershell command.
      • Windows Virtual Desktop tenant name: virtualdesktoptest001
      • Windows Virtual Desktop tenant RDS Owner: Service Principal
      • Application ID: 1bbce553-9951-41a8-b527-b6a0d2d30479
      • Password: R0SeCl0PevMnhbyHBcvinlTuc9WHlsSNL7E2iqfHtSU=
      • Azure AD Tenant ID: 569b3e72-89ce-4115-9858-ce53d8e5c490
    • Review + Create
      • Click Create when the validation is passed

Connect to the Custom Desktop

Start a private Chrome browser window, connect to https://rdweb.wvd.microsoft.com/webclient and log in using the sjoerdtest@aadtest001getshifting.onmicrosoft.com account.

After logging in you first see the Virtual Desktop Tenant: Virtualdesktoptest001, which now holds the Published Remote Apps and the Desktop VSCode-Desktop.

The powershell extension is not available in Visual Studio Code, so this might be a per-user installation.

Use SnapShot to Revert VM to VM

Unfortunately, you can't use the azure portal to restore a VM from the snapshot. And you also can't just reuse the VM. You can use powershell to create a new VM using the snapshot. You can use the powershell script below in Cloud Shell, as we have used before.

Connect-AzureAD
#Provide the subscription Id
$subscriptionId = 'c18b1986-f82f-4809-838a-39cfe062f21b'
#Provide the name of your resource group
$resourceGroupName ='RG_AzureADDS'
#Provide the name of the snapshot that will be used to create OS disk
$snapshotName = '20200312-PreSysPrep'
#Provide the name of the OS disk that will be created using the snapshot
$osDiskName = 'vm-we-w10-img02_OsDisk_1'
#Provide the name of an existing virtual network where virtual machine will be created
$virtualNetworkName = 'aadds-vnet'
#Provide the name of the virtual machine
$virtualMachineName = 'vm-we-w10-img02'
#Provide the size of the virtual machine
# get-azvmsize -location westeurope
$virtualMachineSize = 'Standard_B2s'
#Set the context to the subscription Id where Managed Disk will be created
Select-AzSubscription -SubscriptionId $SubscriptionId
$snapshot = Get-AzSnapshot -ResourceGroupName $resourceGroupName -SnapshotName $snapshotName
$diskConfig = New-AzDiskConfig -Location $snapshot.Location -SourceResourceId $snapshot.Id -CreateOption Copy
$disk = New-AzDisk -Disk $diskConfig -ResourceGroupName $resourceGroupName -DiskName $osDiskName
#Initialize virtual machine configuration
$VirtualMachine = New-AzVMConfig -VMName $virtualMachineName -VMSize $virtualMachineSize
#Use the Managed Disk Resource Id to attach it to the virtual machine. 
$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -ManagedDiskId $disk.Id -CreateOption Attach -Windows
#Get the virtual network where virtual machine will be hosted
$vnet = Get-AzVirtualNetwork -Name $virtualNetworkName -ResourceGroupName $resourceGroupName
# Create NIC in the first subnet of the virtual network
$nic = New-AzNetworkInterface -Name ($VirtualMachineName.ToLower()+'_nic') -ResourceGroupName $resourceGroupName -Location $snapshot.Location -SubnetId $vnet.Subnets[0].Id 
# Add the nic to the virtual machine
$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $nic.Id
#Create the virtual machine with Managed Disk
New-AzVM -VM $VirtualMachine -ResourceGroupName $resourceGroupName -Location $snapshot.Location
Note that this connects the VM to the first subnet: $vnet.Subnets[0].Id . You could check with $vnet what the id is of the VDI subnet and use that, or change the subnet afterwards.

Then, when the machine is done creating, you can test the VM by starting it and logging in (through Bastion). Note that the local credentials in use are the ones that were originally used to install the VM vm-we-w10-img01. This means that the powershell extension in VSCode is also back!

Clean up Resources

  • As we kept everything in one resourcegroup RG_AzureADDS we can delete the resourcegroup. Note this can take a considerable amount of time.
  • One of the steps also created a NetworkWatcherRG Resource group. You can delete this one as well.
  • Delete the directory AAD Test 001 Getshifting. This shows a list of steps you need to complete, with links to do that.
    • Delete all users, note that you can't delete the user used to create the directory as it is actually from another directory
    • Subscription → Cancel subscription → it could be that you have to wait for 90 days before everything in the subscription is deleted permanently. You might have to wait for this.
    • Set Access Management to yes in the Properties of the Directory

Total Costs

The total costs of creating this over the course of about 10 days was 37,84 euro:

  • Costs Analysis:
    • Azure AD DS: 24,74
    • Azure Bastion: 8,65
    • Storage: 2,34
    • Virtual Machines: 1,35
    • Virtual Network: 0,76

Follow these guidelines to minimize the costs, especially for test environments.

  • Azure Bastion is by far the most convenient way to connect to your VMs. You only need one service and all of your VMs are accessible with a click through the browser. However, as it is a service, it costs money all of the time, even if you are not using it. I found it worth the trouble to simply delete the Bastion at the end of the day and recreate it when needed. You can re-use the subnet and the public IP address, and it takes about a minute to deploy.
  • Set up auto-shutdown for all VMs you have. Starting up only takes a few minutes but the costs saved are considerable. And as a bonus you can configure the service to send an email 30 minutes before shutdown so you can postpone by an hour, two hours or indefinitely. Very convenient and it works.
  • Azure Active Directory Domain Services is very convenient, but for test environments not worth the costs if you just need authentication. When working with, for example, Windows Virtual Desktop you need an integration with Azure AD, and to create that manually it would cost a few VMs for Domain Controllers and Sync. In that case, for short test periods you might be better off with Azure AD DS.

Lessons Learned

  • Keep your domain name limited to 15 chars.
  • Use 12-character passwords
  • Disable Default Security Settings (MFA) from the start for test environments
  • Design desktop and Remote Applications to be in different Host Groups as a user can only be assigned to a desktop group or multiple RemoteApps groups
  • Azure Active Directory Domain Services is far from production ready as long as you can't, for example, unlock a user's account: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/35657083-allow-administrators-to-unlock-locked-out-users-in
    • If an account gets locked, you have to wait for 30 minutes, and I also had to
      • Disable account in Azure AD
      • Enable account in Azure AD
      • Password reset in Azure AD
      • Set the password through the AzureAD Powershell commandlet
      • Wait a while for the changes to sync
  • Windows Virtual Desktop does not support Skype for Business and Teams: https://docs.microsoft.com/en-us/azure/virtual-desktop/install-office-on-wvd-master-image
    • But does it work?
  • Use a normal Windows 10 image as a golden image as you will be reinstalling Office and several parts anyway.
  • Enable Boot diagnostics for VMs, going to Support → Troubleshooting → Boot diagnostics will provide a screenshot of the screen in case you can't connect.

Resources

azureaddsandwinvd.txt · Last modified: 2021/09/24 00:24 (external edit)