
Start VM on Connect for Azure Virtual Desktop

· 7 min read

One of the models of Cloud governance and cost in Microsoft Azure is 'Pay As You Go', i.e. pay for what you need when you need it.

The Azure Resource Manager fabrics allow you to scale up and down resources when you need it, whether built-in to the Azure portal or through various other automation mechanisms.

For Azure Virtual Desktop, this means ensuring that session hosts (Virtual Machines) are available for users to connect to consume their services when they need it the most, whether first thing in the morning or late hours of the evening.

One of the technologies that can help with this is Start VM on Connect, which allows users to start a virtual machine from a deallocated state.

You no longer need to create a Custom Role for Start VM on Connect; a built-in role now exists named Desktop Virtualization Power On Contributor. Once that role is assigned to the Azure Virtual Desktop application, you can skip straight to Configure Start VM on Connect.

  • Imagine a 9 AM -> 5 PM Monday to Friday business; during the day, Azure Virtual Desktop is available, but outside these hours the session hosts are shut down (through Scheduled Shutdowns or Azure Automation Runbooks etc.) to reduce operational costs.
  • A business user gets some urgent work on Saturday morning and tries to connect to Azure Virtual Desktop resources to complete the work; because the hosts were turned off outside of business hours, they can't connect and have to ring IT support to get resources started (the alternative would be to leave Virtual Machines running, which may or may not be needed).
  • Using 'Start Virtual Machine on Connect', the moment the user attempts to connect, a Virtual Machine is started.
  • The user can then log in and do their work without a call to IT, overall saving money, as the hosts are only started when they are first needed. The feature will also only turn on additional VMs (if available) when the first VM reaches its session limit.

This is a host pool-level setting, so setting 'Start VM on Connect' will affect all session hosts in the host pool. Therefore, you cannot target specific session hosts within a host pool at this stage. This is now supported for both Personal and Pooled host pools!

As of 03/07/21 (NZ date format - DD/MM/YY): The Start VM on Connect feature is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Follow the guide below to implement; the Microsoft documentation is pretty good but hoping this might fill in a few gaps for people.

Create a Custom Role for "Windows Virtual Desktop"

For the "Windows Virtual Desktop" service principal (this should already exist; it is an inbuilt SPN created by the Azure infrastructure, currently called Windows Virtual Desktop, but expect this name to be updated in the future) to have the ability to start a Virtual Machine, we first need to give it rights. You could give it Contributor or Virtual Machine Contributor rights, but to stay least privileged we will create a custom role that allows only what the feature needs.

  1. Log in to the Azure Portal
  2. Navigate to the Subscription (you can only currently create custom roles at a subscription level) that your session hosts exist in
  3. Look for the Subscription ID (copy this, we will need it later on, usually found on the Overview window of the Subscription)
  4. Download the AVD-StartVMOnConnect JSON file below and save it to a location you can edit.
AVD-StartVMOnConnect.json
{
    "properties": {
        "roleName": "AVD-StartVMOnConnect",
        "description": "Custom role, designed to allow 'Windows/Azure Virtual Desktop' rights to Start session hosts.",
        "assignableScopes": [
            "/subscriptions/<SubscriptionID>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

  1. Open up the JSON file (this is the Custom Role we are creating, as you can see, we are only allowing the ability to Read a Virtual Machine and Start it)

  2. Replace the <SubscriptionID> placeholder with your subscription ID, copied earlier, and save the JSON file.

  3. AVD-StartVMOnConnect Custom Role.

  4. Click on Access Control (IAM) on the left-hand side blade

  5. Click Add

  6. Click Add Custom Role

  7. AVD-StartVMOnConnect Custom Role

  8. Name your Custom Role Name something meaningful, for example, AVD-StartVMOnConnect.

  9. Add a meaningful Description; for example, mine is:

    Created: 03/07/21

    Created by: Luke Murray

    Created for: Custom role, designed to allow 'Windows/Azure Virtual Desktop' rights to Start session hosts.

  10. For: Baseline permissions, select Start from JSON

    Select the JSON file you downloaded and edited earlier

  11. AVD-StartVMOnConnect Custom Role

  12. Click on Next

  13. Verify the permissions are as below (if they aren't, you may need to redownload the file or check the JSON for syntax issues - I recommend downloading Visual Studio Code):

  14. AVD-StartVMOnConnect Custom Role

  15. Click Next

  16. We used the subscription property in the JSON to set the assignable scope (i.e. the scope at which this role will be available for you to assign). Using the Azure Portal, we can now narrow that to a specific Resource Group to limit where the role can be assigned. Be careful with doing this, especially if you plan to expand your Azure Virtual Desktop infrastructure in the future, as you may forget that this role is not available in other resource groups. I am going to leave mine at the Subscription level and click Next.

  17. Here we can verify and save the changed JSON file (if you want for future reference) and click Next to review your configuration.

  18. Click Create to create your Custom Role!

  19. AVD-StartVMOnConnect Custom Role

Assign your Custom Role

Now that you have created your custom role for Azure Virtual Desktop, it is time to assign it, and this is where you can lock the role down. In my case, I only have one Resource Group where my session hosts sit, so I am going to assign it at the Resource Group level, but feel free to assign it at the subscription level.

  1. Log in to the Azure Portal
  2. Navigate to the Resource Group (or Subscription) that has your Azure Virtual Desktop session hosts
  3. Click on Access Control (IAM) in the left-hand side blade
  4. Click on + Add
  5. Click on Add role assignment
  6. Select the Role you created earlier (i.e. AVD-StartVMOnConnect)
  7. Specify the 'Windows Virtual Desktop' service principal and select Save
  8. AVD-StartVMOnConnect Custom Role
  9. If you want, you can click on Role Assignments to verify your role has been assigned:
  10. AVD-StartVMOnConnect Custom Role

Configure Start VM on Connect

  1. Log in to the Azure Portal
  2. Navigate to your Host Pool
  3. Click on Properties
  4. Select 'Yes' to Start VM on Connect
  5. Click Save
  6. Azure Virtual Desktop - Start VM on Connect
  7. Congratulations, you have now set up Azure Virtual Desktop - Start VM on Connect; next time someone connects to a turned-off Azure Virtual Desktop session host, the Virtual Machine will automatically start and the user will get a prompt like below:
  8. Azure Virtual Desktop - Start VM on Connect
  9. Azure Virtual Desktop - Start VM on Connect
  10. Before finally prompting for their login credentials!
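The three procedures above (create the custom role, assign it, enable the host pool setting), scripted with the Az PowerShell modules as an added example; this is not code from the original post. It assumes the placeholder subscription id, resource group and host pool names, and that the AVD-StartVMOnConnect.json from this post is in the working directory; it finishes by checking the service principal holds nothing broader than the custom role.

```powershell
# Added example: Start VM on Connect with least privilege via Az.Accounts, Az.Resources, Az.DesktopVirtualization.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your subscription id
$ResourceGroup  = 'rg-avd-sessionhosts'                    # assumed resource group that holds the session hosts
$HostPoolName   = 'hp-avd-pooled'                          # assumed host pool name
$RoleJsonPath   = '.\AVD-StartVMOnConnect.json'            # the JSON file shown earlier in this post

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Step 1: the portal-style JSON wraps everything in "properties"; New-AzRoleDefinition -InputFile
# expects a flat document (Name/Actions/AssignableScopes ...), so translate it and fill in the
# <SubscriptionID> placeholder at the same time.
$portal = (Get-Content -Path $RoleJsonPath -Raw).Replace('<SubscriptionID>', $SubscriptionId) | ConvertFrom-Json
$p      = $portal.properties
$flat   = [ordered]@{
    Name             = $p.roleName
    Description      = $p.description
    IsCustom         = $true
    Actions          = @($p.permissions[0].actions)
    NotActions       = @($p.permissions[0].notActions)
    DataActions      = @($p.permissions[0].dataActions)
    NotDataActions   = @($p.permissions[0].notDataActions)
    AssignableScopes = @($p.assignableScopes)
}
$flatPath = Join-Path -Path $env:TEMP -ChildPath 'AVD-StartVMOnConnect.azrole.json'
$flat | ConvertTo-Json -Depth 5 | Set-Content -Path $flatPath -Encoding UTF8

if (-not (Get-AzRoleDefinition -Name $p.roleName)) {
    New-AzRoleDefinition -InputFile $flatPath | Out-Null
    Write-Host "Created custom role $($p.roleName)"
}

# Step 2: assign the role to the AVD service principal. The post names it 'Windows Virtual Desktop';
# newer tenants display it as 'Azure Virtual Desktop', so both display names are tried.
$sp = Get-AzADServicePrincipal -DisplayName 'Windows Virtual Desktop' | Select-Object -First 1
if (-not $sp) { $sp = Get-AzADServicePrincipal -DisplayName 'Azure Virtual Desktop' | Select-Object -First 1 }
if (-not $sp) { throw 'Azure Virtual Desktop service principal not found in this tenant' }

# Resource-group scope, as in the post; use "/subscriptions/$SubscriptionId" for subscription scope.
$scope    = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"
$assigned = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq $p.roleName -and $_.Scope -eq $scope }
if (-not $assigned) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $p.roleName -Scope $scope | Out-Null
    Write-Host "Assigned $($p.roleName) to $($sp.DisplayName) at $scope"
}

# Step 3: the setting lives on the host pool, so it applies to every session host in it.
Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName -StartVMOnConnect | Out-Null

# Verification plus a least-privilege check: the service principal only needs read + start on the VMs,
# so any broader built-in role it has been handed (Owner, Contributor, Virtual Machine Contributor) is flagged.
$hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName
$broad    = Get-AzRoleAssignment -ObjectId $sp.Id |
    Where-Object { $_.RoleDefinitionName -in @('Owner', 'Contributor', 'Virtual Machine Contributor') }
$hasRole  = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq $p.roleName }

[pscustomobject]@{
    HostPool         = $HostPoolName
    StartVMOnConnect = $hostPool.StartVMOnConnect
    RoleAssigned     = [bool]$hasRole
    OverPrivileged   = [bool]$broad
}
if ($broad) {
    Write-Warning "Remove the broader assignment(s) so Start VM on Connect runs with least privilege: $($broad.RoleDefinitionName -join ', ')"
}
```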

Azure Virtual Desktop Optimisations

· 15 min read

If you are running Azure Virtual Desktop, you want to get as much performance and stability out of it as possible, to reduce cost and improve the user experience.

These are a few recommended policies and optimisations to apply to your Azure Virtual Desktop setup. These are in no particular order; they are just recommendations.

Configure Timezone Redirection

Timezone redirection will pass through the time zone from the local device to the Azure Virtual Desktop host. This is useful to keep the time consistent between the device you are connecting from and the session host, as by default the timezone in Azure is UTC.

  1. On a server where the Group Policy Management Console is installed for managing your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection.
  5. Enable the setting Allow time zone redirection.
  6. Close the Group Policy Management console; as this is a Computer-based policy, it may take up to 90 minutes to take effect unless the session hosts are restarted to force it to pick up the policy sooner.

Configure Session Time Limit Policies

You can use these policies to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. Unfortunately, this means that users' sessions may remain open for an extended period of time, taking up usable resources.

When configuring these, take into consideration a user's normal work time, the time they have for lunch etc. The sweet spot to disconnect their session is not during their lunch break but after they have finished for the day; usually 8-12 hours is recommended, but it is dependent on how Azure Virtual Desktop is used.

  1. On a server where the Group Policy Management Console is installed for managing your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits.
  5. Configure the below settings per your organisation's policies:
    • Set time limit for active but idle Remote Desktop Services sessions: specifies the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected.
    • Set time limit for active Remote Desktop Services sessions: specifies the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected.
    • Set time limit for disconnected sessions: configures a time limit for disconnected Terminal Services sessions.
    • End session when time limits are reached: specifies whether to terminate a timed-out Terminal Services session instead of disconnecting it.
    • Set a time limit for log off of RemoteApp sessions: specifies how long a user's RemoteApp session will remain in a disconnected state after closing all RemoteApp programs before the session is logged off from the RD Session Host server.
  6. Close the Group Policy Management console; as this is a Computer-based policy, it may take up to 90 minutes to take effect unless the session hosts are restarted to force it to pick up the policy sooner.

Reference: https://kb.parallels.com/en/123638

DeleteUserAppContainersOnLogoff

Back in March 2019, there were issues with slow server performance caused by numerous Windows Firewall Rules getting created on user login. A patch was released; however, to enable this 'fix', a registry key needs to be set. You could eventually run into host performance/hang issues if this key is not configured. See: https://support.microsoft.com/en-us/help/4490481

  1. On a server where the Group Policy Management Console is installed for managing your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to Computer Configuration > Preferences > Windows Settings > Registry.
  5. Right-click in the window and select New, Registry Item
  6. Select Update as the Action
  7. Make sure HKEY_LOCAL_MACHINE is set to Hive
  8. Enter in the following for the Key Path: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
  9. For the Value name type: DeleteUserAppContainersOnLogoff
  10. Change the Value type to REG_DWORD
  11. Put: '1' to enable the option and click Apply
  12. Close the Group Policy Management console. As this is a Computer-based policy, it may take up to 90 minutes to take effect unless the session hosts are restarted to force it to pick up the policy sooner.

Delete user Apps

Configure RDP Shortpath

RDP Shortpath is a feature of Azure Virtual Desktop that establishes a direct UDP-based transport between Remote Desktop Client and Session host. RDP uses this transport to deliver Remote Desktop and RemoteApp while offering better reliability and consistent latency. RDP Shortpath establishes the direct connectivity between Remote Desktop client and Session Host. Direct connectivity reduces the dependency on the Azure Virtual Desktop gateways, improves the connection's reliability, and increases the bandwidth available for each user session. You can read more about it here: Azure Virtual Desktop RDP Shortpath.

  1. On a server where the Group Policy Management Console is installed for managing your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to Computer Configuration > Preferences > Windows Settings > Registry.
  5. Right-click in the window and select New, Registry Item
  6. Select Update as the Action
  7. Make sure HKEY_LOCAL_MACHINE is set to Hive
  8. Enter in the following for the Key Path: SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
  9. For the Value name type: fUseUdpPortRedirector
  10. Change the Value type to REG_DWORD
  11. Put: '1' to enable the option and click Apply
  12. Right-click in the window and select New, Registry Item
  13. Select Update as the Action
  14. Make sure HKEY_LOCAL_MACHINE is set to Hive
  15. Enter in the following for the Key Path: SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
  16. For the Value name type: UdpPortNumber
  17. Change the Value type to REG_DWORD
  18. Put: '3390' as the UDP port and click Apply
  19. Close the Group Policy Management console. Restart the session hosts.

Virtual-Desktop-Optimization-Tool

The Virtual-Desktop-Optimization-Tool automatically applies a range of optimisations for pooled and personal Azure Virtual Desktop hosts; it is a good resource to add to your initial image creation builds.

Virtual-Desktop-Optimization-Tool

Implement Windows Defender FSLogix exclusions

Make sure to configure antivirus exclusions for FSLogix Profiles.

For a list of exclusions, along with a PowerShell script to implement them, please refer to the following Microsoft documentation: FSLogix for the enterprise

Implement FSLogix Profile Exclusions

By default, FSLogix will capture a lot of user profile data, including Teams Cache, Chrome cache and save it to the profile VHD/VHDX; this causes profile size bloat and can decrease the performance of your applications.

It is recommended to implement exclusions to reduce storing user profile data that you don't need.

  1. On a server where the Group Policy Management Console is installed for managing your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > FSLogix > Profile Containers > Advanced
  5. Enable the setting Provide RedirXML file to customize directions.
  6. Point the path to a UNC path that is accessible to all session hosts and contains a 'redirections.xml' file. This just needs the folder; FSLogix will automatically pick up the redirections.xml file inside it.
  7. Close the Group Policy Management console. As this is a Computer-based policy, it may take up to 90 minutes to take effect unless the session hosts are restarted to force it to pick up the policy sooner.

An example redirections.xml can be found here:

redirections.xml

<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection ExcludeCommonFolders="0">

  <!-- Folders kept out of the profile container; Copy="0" means the folder is never copied to or from the container -->
  <Excludes>
    <Exclude>AppData\Local\Google\Chrome\User Data\Default\Cache\</Exclude>
    <Exclude>AppData\Local\Google\Chrome\User Data\Default\Cached Theme Images\</Exclude>
    <Exclude>AppData\Roaming\Google\Chrome\User Data\Default\Code Cache\js</Exclude>
    <Exclude>AppData\Local\Google\Chrome\User Data\Default\Code Cache\js</Exclude>
    <Exclude>AppData\Local\Mozilla\Firefox</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Terminal Server Client</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\Edge SxS\User Data\Default\Cache</Exclude>
    <Exclude>AppData\Roaming\Adobe\Flash Player\AssetCache</Exclude>
    <Exclude>AppData\Roaming\Adobe\Flash Player\NativeCache</Exclude>
    <Exclude>AppData\Roaming\Microsoft\Teams\Cache</Exclude>
    <Exclude>AppData\Roaming\Microsoft\Teams\Service Worker\CacheStorage</Exclude>
    <!-- Known folders assumed to be redirected or covered by OneDrive, see the note below -->
    <Exclude>Desktop</Exclude>
    <Exclude>Documents</Exclude>
    <Exclude>Downloads</Exclude>
    <Exclude>Music</Exclude>
    <Exclude>Pictures</Exclude>
    <Exclude>Videos</Exclude>
  </Excludes>

  <!-- Sub-folders of an excluded path that should still roam; Copy="3" copies in at logon and back at logoff -->
  <Includes>
    <Include Copy="3">AppData\LocalLow\Sun\Java\Deployment\security</Include>
    <Include>AppData\Roaming\Google\Chrome\User Data\Default\Extensions</Include>
  </Includes>

</FrxProfileFolderRedirection>

Note: Make sure you test and adjust this for your own environment. The Desktop/Documents have been excluded as the assumption is these are redirected or covered by OneDrive.

Implement Storage Sense

On Windows 10, Storage sense is a built-in tool designed to free up space automatically. When it's enabled, the feature monitors your device. When it's running low on space, it deletes temporary files, empties the Recycle Bin, cleans up the Downloads folder, removes previous installation files, and more to make space to install new updates or store more important data. Storage Sense can also help dehydrate files that are available locally and do not need to be stored locally anymore, helping to reduce profile space and OneDrive processing.

Note: If you find that Storage Sense is missing, it is because it is mainly a client setting and may be missing from Windows Server; you can copy the PolicyDefinitions folder from an Azure Virtual Desktop host to your domain's Central Store, i.e. in my case \\luke.geek.nz\SYSVOL\luke.geek.nz\Policies\PolicyDefinitions. Or just look for StorageSense.admx and StorageSense.adml and copy them (the ADML goes in the language directory, i.e. en-US).

  1. On a server where the Group Policy Management Console is installed for managing your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > System > Storage Sense.
  5. Enable the setting Allow Storage Sense.
  6. Enable the setting Configure Storage Sense Cloud Content dehydration threshold.
  7. Now we can provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it back to Files On-Demand, for example, 30 days since it was last accessed.
  8. Enable the setting Configure Storage Sense Downloads cleanup threshold.
  9. Type in the minimum number of days that files sit in Downloads before Storage Sense will delete them.
  10. Close the Group Policy Management console. As this is a Computer-based policy, it may take up to 90 minutes to take effect unless the session hosts are restarted to force it to pick up the policy sooner.

Storage Sense - Group Policy

Configure Microsoft Teams Optimisations

You can run Microsoft Teams in Azure Virtual Desktop. To do so, you need to install it as a machine-wide (per-machine) installer and set the IsWVDEnvironment registry key.

Install as Machine:

msiexec /i Teams_windows_x64.msi /l*v teams_install.log ALLUSER=1

Set IsWVDEnvironment key:

  1. On a server where the Group Policy Management Console is installed for managing your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to Computer Configuration > Preferences > Windows Settings > Registry.
  5. Right-click in the window and select New, Registry Item
  6. Select Update as the Action
  7. Make sure HKEY_LOCAL_MACHINE is set to Hive
  8. Enter in the following for the Key Path: SOFTWARE\Microsoft\Teams
  9. For the Value name type: IsWVDEnvironment
  10. Change the Value type to REG_DWORD
  11. Put: '1' to enable the option and click Apply
  12. Close the Group Policy Management console. Restart the session hosts.

Install the Remote Desktop WebRTC Redirector

  1. Install the Remote Desktop WebRTC Redirector onto the Session Hosts: https://learn.microsoft.com/en-us/azure/virtual-desktop/teams-on-AVD#install-the-teams-websocket-service

Configure Auto Close Apps on Logoff

When users log off, open applications may halt or prolong the logoff process and prompt the user to close them; this can lead to sessions being left connected if a user hits logoff or shutdown and walks away. To stop the prompt about open applications, we need to set a registry key. This is not an 'optimisation' to be treated lightly, as it won't ask users to double-check the apps they have open: as soon as they hit the logoff button, any open apps will be closed!

  1. On a server where the Group Policy Management Console is installed for managing your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to User Configuration > Preferences > Windows Settings > Registry.
  5. Right-click in the window and select New, Registry Item
  6. Select Update as the Action
  7. Make sure HKEY_CURRENT_USER is set to Hive
  8. Enter in the following for the Key Path: Control Panel\Desktop
  9. For the Value name type: AutoEndTasks
  10. Change the Value type to REG_SZ
  11. Put: '1' to enable the option and click Apply
  12. Close the Group Policy Management console. Restart the session hosts.

This is a user-based policy, so will take effect on next logon.
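A read-only audit of the registry values pushed out in the DeleteUserAppContainersOnLogoff, RDP Shortpath, Microsoft Teams and Auto Close Apps sections above, as an added example (not code from the original post). The registry paths and values are the ones listed in those sections; the session host names are assumed, and remote hosts are reached over WinRM.

```powershell
# Added example: report which of this post's registry settings are missing or have drifted on session hosts.
$SessionHosts = @('avd-host-01', 'avd-host-02')   # assumed names, replace with your session hosts

# Expected values, taken from the sections above. AutoEndTasks is a per-user REG_SZ under HKCU,
# so it is only meaningful when the script runs locally as the logged-on user.
$Baseline = @(
    @{ Hive = 'HKLM'; Path = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'; Name = 'DeleteUserAppContainersOnLogoff'; Expected = 1 }
    @{ Hive = 'HKLM'; Path = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations';             Name = 'fUseUdpPortRedirector';            Expected = 1 }
    @{ Hive = 'HKLM'; Path = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations';             Name = 'UdpPortNumber';                    Expected = 3390 }
    @{ Hive = 'HKLM'; Path = 'SOFTWARE\Microsoft\Teams';                                                 Name = 'IsWVDEnvironment';                 Expected = 1 }
    @{ Hive = 'HKCU'; Path = 'Control Panel\Desktop';                                                    Name = 'AutoEndTasks';                     Expected = '1' }
)

# Runs on the target host and returns one object per baseline entry with a Compliant/Drift/Missing status.
$AuditScript = {
    param([array]$Baseline)
    foreach ($item in $Baseline) {
        $key    = "$($item.Hive):\$($item.Path)"
        $actual = $null
        if (Test-Path -Path $key) {
            $actual = (Get-ItemProperty -Path $key -Name $item.Name -ErrorAction SilentlyContinue).$($item.Name)
        }
        # String comparison so REG_DWORD (1) and REG_SZ ('1') expectations are both handled
        $status = if ($null -eq $actual) { 'Missing' }
                  elseif ("$actual" -eq "$($item.Expected)") { 'Compliant' }
                  else { 'Drift' }
        [pscustomobject]@{
            Host     = $env:COMPUTERNAME
            Key      = $key
            Name     = $item.Name
            Expected = $item.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

function Invoke-AvdRegistryAudit {
    param([string[]]$ComputerName, [array]$Baseline)
    if (-not $ComputerName) {
        # Local run: HKCU is the logged-on user's hive, so the AutoEndTasks check is meaningful
        return & $AuditScript -Baseline $Baseline
    }
    # Remote run: HKCU would be the remoting session's hive, so only the HKLM entries are evaluated
    $machineItems = @($Baseline | Where-Object { $_.Hive -eq 'HKLM' })
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $AuditScript -ArgumentList (, $machineItems)
}

$results = Invoke-AvdRegistryAudit -ComputerName $SessionHosts -Baseline $Baseline
$results | Sort-Object Host, Key | Format-Table Host, Name, Expected, Actual, Status -AutoSize

$nonCompliant = @($results | Where-Object { $_.Status -ne 'Compliant' })
if ($nonCompliant.Count -gt 0) {
    Write-Warning "$($nonCompliant.Count) setting(s) missing or drifted; confirm the GPO applied (gpresult /h report.html) or that the hosts have restarted."
    exit 1
}
```

Run it without -ComputerName on a session host, as the logged-on user, to include the HKCU AutoEndTasks check.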

Hide the Shutdown button

This is not so much an optimisation, but it is one of my favourite group policy configurations, something I implement in server base policies. It prevents that "Oops!" moment when someone clicks Shutdown on a server, especially with multi-session VDI machines; it just removes the shortcuts to shut down and restart the server from the Start Menu.

Note: You can still restart and shut down the server from the Command Prompt with the 'shutdown' command.

  1. On a server where the Group Policy Management Console is installed for managing your Azure Virtual Desktop farm, open the Group Policy Management Console.
  2. Expand your domain and Group Policy Objects.
  3. Right-click the GPO that you created for the group policy settings and select Edit.
  4. In the Group Policy Management Editor, navigate to User Configuration > Policies > Administrative Templates > Start Menu and Taskbar
  5. Enable the setting Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands.
  6. Close the Group Policy Management console; as this is a User-based policy, it should take effect on the next user login.

How to setup FSLogix profiles for Azure Virtual Desktop

· 10 min read

If you have a few Azure Virtual Desktop machines, you need some way to keep user persistence and application customisations, which would usually be stored in the local user profile, consistent across multiple machines (or even the same machine if using an Ephemeral OS disk); this is where FSLogix Profile Containers can assist.

We are going to implement FSLogix using an Azure File Share, to store the profiles.

I am going to assume you already have an Azure Virtual Desktop farm (and Azure ADDS), if not you can check out my guide here.

This article will be based on the Azure Virtual Desktop farm created in a previous article; however, you can still follow along and replace the resource names and groups with your own.

Setup Storage Account

  1. Log in to the Azure Portal
  2. Click on Create a resource
  3. Type in Storage Account and press Enter to search
  4. Select Storage account
  5. FSLogix - Azure Storage Account
  6. Click Create
  7. If you already have a Resource Group, then select it, if not you can create a new resource group. I am going to put my resources user profiles in the same resource group as my utility server: aad_infra (this is just personal preference, keeping the session hosts in their own resource groups).
  8. Type in a Storage Account Name (the name needs to be globally unique across all of Azure, the field can contain only lowercase letters and numbers. Name must be between 3 and 24 characters.), in my case I have gone with: fslogixprofileslgnz.
  9. Select your Region (the same region you have your Azure Virtual Desktop session hosts and Virtual Network)
  10. Select Standard performance (Microsoft have recommendations, based on users on what Tier to select - https://learn.microsoft.com/en-us/azure/virtual-desktop/store-fslogix-profile)
  11. For Redundancy, I am going to select LRS storage (I haven't built any redundancy into my Azure Virtual Desktop farm).
  12. Note: Just a heads up, don't select Geo-Redundant if you are looking to create File Shares on this Storage account over 100TiB, it is only supported in LRS. If you do need this kind of large file size, I recommend using a completely different storage account from the one you are using for user profiles. My screenshot below has GRS, just ignore it!
  13. FSLogix - Azure Storage Account
  14. Click Next: Advanced
  15. Leave everything as default and select Next: Networking
  16. Now we need to configure a Private Endpoint for the Azure storage account to add onto the Virtual Network directly.
  17. Select Private endpoint and click + Add Private endpoint
  18. Verify that your Location is correct and type in a Name for your Private Endpoint service, in my case: fslogixprofileslgnzPE
  19. Select the drop-down for Storage sub-resource and select file
  20. Select your Virtual Network and subnet (I will be selecting my main resource subnet of aadds-subnet, where the Azure Virtual Desktop hosts are)
  21. Click Ok
  22. FSLogix - Azure Storage Account
  23. Select Next: Data Protection
  24. Untick Enable soft delete for Blobs and Containers (we will only be using Azure Files in this storage account)
  25. Soft delete allows you to quickly recover a deleted file-share, even though we can backup the Azure Fileshare, my recommendation would be to leave this on for additional protection and '7' days is enough for me.
  26. FSLogix - Azure Storage Account
  27. Select Review + Create
  28. Validate your configuration and select Create

Configure Storage Account

  1. Once your storage account has been created, go to it.

  2. Navigate down the left-hand side Blade and select: Networking

    Make sure: Selected networks are selected and the Private Endpoint connection is displaying.

  3. FSLogix - Azure Storage Account

  4. FSLogix - Azure Storage Account

  5. Now it's time to join the Storage account to Microsoft Entra ID Domain Services. On the left-hand side Blade, click on Configuration (under Settings)

  6. Navigate to: Identity-based access for file shares

  7. Select Enabled

  8. Click Save

  9. FSLogix - Azure Storage Account

  10. Now it's time to create the File Share. On the left-hand side Blade, navigate to File Shares (under Data Storage)

  11. Select + File Share

  12. Give this File share a name: fslogixprofiles

  13. Even though you don't need to set a Quota (the Fileshare will grow), I will add one in to stop any surprises and to make sure that I have an ongoing task to review and optimise the profiles

  14. Because user profiles are generally a lot of read/write activity, select Transaction Optimized (take a look at the https://azure.microsoft.com/en-us/pricing/details/storage/files/ )

  15. Click Create

  16. FSLogix - File Share

  17. One last thing we can do on the Storage Account is enable backups for your Azure File Share - https://learn.microsoft.com/en-us/azure/backup/backup-afs?WT.mc_id=AZ-MVP-5004796
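The Setup Storage Account and Configure Storage Account steps above, built with the Az PowerShell modules (Az.Storage, Az.Network, Az.PrivateDns) as an added example; this is not code from the original post. It reuses the post's resource group, storage account, subnet and share names, and assumes the region, virtual network name and resource group, and share quota shown as placeholders; the verification at the end reads back the settings that matter for exposure (network default action, identity-based auth, minimum TLS).

```powershell
# Added example: storage account for FSLogix profiles reachable only through a private endpoint.
$ResourceGroup  = 'aad_infra'
$StorageAccount = 'fslogixprofileslgnz'      # must be globally unique, change it
$ShareName      = 'fslogixprofiles'
$Location       = 'australiaeast'            # assumed; use the region of your session hosts
$VnetName       = 'aadds-vnet'               # assumed; the post only names the subnet
$VnetRg         = 'aad_infra'                # assumed resource group of the virtual network
$SubnetName     = 'aadds-subnet'
$QuotaGiB       = 100                        # assumed quota, adjust per user count and profile size

# Standard performance, LRS, StorageV2, identity-based (Entra Domain Services) auth for Azure Files
$sa = New-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount -Location $Location `
        -SkuName Standard_LRS -Kind StorageV2 -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false `
        -EnableAzureActiveDirectoryDomainServicesForFile $true

# 'Selected networks' in the portal = default action Deny; with no IP or VNet rules added,
# only the private endpoint created below can reach the account.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount -DefaultAction Deny | Out-Null

# Private endpoint for the 'file' sub-resource on the session-host subnet
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $VnetRg -Name $VnetName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $SubnetName }
$link   = New-AzPrivateLinkServiceConnection -Name "$StorageAccount-file" -PrivateLinkServiceId $sa.Id -GroupId 'file'
$pe     = New-AzPrivateEndpoint -ResourceGroupName $ResourceGroup -Name "${StorageAccount}PE" -Location $Location `
            -Subnet $subnet -PrivateLinkServiceConnection $link

# Private DNS so \\<account>.file.core.windows.net resolves to the endpoint's private IP from inside the VNet
$zoneName = 'privatelink.file.core.windows.net'
$zone = Get-AzPrivateDnsZone -ResourceGroupName $ResourceGroup -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    $zone = New-AzPrivateDnsZone -ResourceGroupName $ResourceGroup -Name $zoneName
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $ResourceGroup -ZoneName $zoneName `
        -Name "$VnetName-link" -VirtualNetworkId $vnet.Id | Out-Null
}
$zoneConfig = New-AzPrivateDnsZoneConfig -Name $zoneName -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $ResourceGroup -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# File share soft delete (7 days, as in the post) and the transaction-optimised share itself
Update-AzStorageFileServiceProperty -ResourceGroupName $ResourceGroup -StorageAccountName $StorageAccount `
    -EnableShareDeleteRetentionPolicy $true -ShareRetentionDays 7 | Out-Null
New-AzRmStorageShare -ResourceGroupName $ResourceGroup -StorageAccountName $StorageAccount -Name $ShareName `
    -QuotaGiB $QuotaGiB -AccessTier TransactionOptimized | Out-Null

# Read back the security-relevant properties before handing the share to FSLogix
$check = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
[pscustomobject]@{
    DefaultNetworkAction = $check.NetworkRuleSet.DefaultAction            # expect Deny
    IdentityBasedAuth    = $check.AzureFilesIdentityBasedAuth.DirectoryServiceOptions   # expect AADDS
    MinimumTls           = $check.MinimumTlsVersion                       # expect TLS1_2
    PrivateEndpoint      = "$($pe.Name) ($($pe.ProvisioningState))"
    UncPath              = "\\$StorageAccount.file.core.windows.net\$ShareName"
}
```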

Configure File Share

Now that the Microsoft Entra ID rights have been assigned and the File Share has been created, we now need to set up the NTFS permissions on the FSLogix share.

  1. Navigate to File Shares (under Data Storage)

  2. Click on your file-share

  3. Click on Properties

  4. Copy the URL

  5. FSLogix - File Share

  6. Remove the https:// prefix and replace the forward slashes with backslashes so it looks like this: \\fslogixprofileslgnz.file.core.windows.net\fslogixprofiles

  7. Log in to an Azure Virtual Desktop session host with a user that is a member of the 'AVD Admins' group (it's a good chance to test connectivity to the Storage account through the private endpoint from your Azure Virtual Desktop session host)

  8. Open Computer

  9. Select the Computer Tab and select Map network drive

  10. FSLogix - Mapped Drive

  11. Select a drive letter that isn't in use and paste in the UNC path created earlier (step 6).

  12. FSLogix - Mapped Drive

  13. Hopefully, you should successfully have mapped a drive!

  14. Once the drive is mapped, open up a Command Prompt

    Note: Don't run the Command Prompt as Administrator, as this runs in a separate context and doesn't have permissions to the mapped drive.

  15. Run the following command to set the necessary NTFS permissions (change the Drive mapping and AVD Users group to your own group):

    icacls z: /grant "AVD Users":(M)

    icacls z: /grant "Creator Owner":(OI)(CI)(IO)(M)

    icacls z: /remove "Authenticated Users"

    icacls z: /remove "Builtin\Users"
  16. FSLogix - Security Permissions

  17. The permissions should look similar to:

  18. FSLogix - Security Permissions
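The permission changes from step 15, applied from PowerShell and then read back and checked, as an added example (not code from the original post). It runs in a non-elevated session as a member of the AVD Admins group, as the note above explains; the UNC path is the one built in step 6, while the users group name and drive letter are assumed.

```powershell
# Added example: apply the FSLogix share ACL from this post and verify no broad group can still reach other users' containers.
$SharePath   = '\\fslogixprofileslgnz.file.core.windows.net\fslogixprofiles'   # replace with your own share
$UsersGroup  = 'AVD Users'   # assumed domain group whose members get a profile container on this share
$DriveLetter = 'Z:'

function Set-FslogixSharePermission {
    param([string]$Drive, [string]$Group)
    # Members can create their own profile folder; Creator Owner then gets Modify on what they created (inherit-only)
    icacls $Drive /grant "${Group}:(M)"                  | Out-Null
    icacls $Drive /grant "Creator Owner:(OI)(CI)(IO)(M)" | Out-Null
    # Remove the broad defaults so users cannot list or open each other's containers
    icacls $Drive /remove "Authenticated Users"          | Out-Null
    icacls $Drive /remove "Builtin\Users"                | Out-Null
}

function Test-FslogixShareAcl {
    param([string]$Drive, [string]$Group)
    $acl      = Get-Acl -Path "$Drive\"
    $findings = [System.Collections.Generic.List[string]]::new()
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id -match 'Authenticated Users$' -or $id -match '^BUILTIN\\Users$') {
            $findings.Add("Broad group still present: $id ($($ace.FileSystemRights))")
        }
        if ($id -match 'CREATOR OWNER$' -and "$($ace.PropagationFlags)" -notmatch 'InheritOnly') {
            $findings.Add('CREATOR OWNER entry is not inherit-only; it would apply to the share root itself')
        }
    }
    $groupAce = $acl.Access | Where-Object { $_.IdentityReference.Value -match ([regex]::Escape($Group) + '$') }
    if (-not $groupAce) {
        $findings.Add("No ACE found for $Group")
    } elseif ("$($groupAce.FileSystemRights)" -match 'FullControl') {
        $findings.Add("$Group has FullControl; Modify is sufficient for profile containers")
    }
    [pscustomobject]@{
        Path      = $Drive
        Entries   = $acl.Access.Count
        Findings  = $findings
        Compliant = ($findings.Count -eq 0)
    }
}

# Map with the current (non-elevated) user's Kerberos identity, apply, verify, unmap
net use $DriveLetter $SharePath /persistent:no | Out-Null
Set-FslogixSharePermission -Drive $DriveLetter -Group $UsersGroup
$result = Test-FslogixShareAcl -Drive $DriveLetter -Group $UsersGroup
$result | Format-List
net use $DriveLetter /delete | Out-Null
if (-not $result.Compliant) { Write-Warning 'Share ACL does not match the intended FSLogix baseline' }
```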

Configure FSLogix policies

Now that you have created a Storage Account and granted the proper permissions, we need to configure Group Policy for FSLogix.

  1. Connect to your Microsoft Entra ID Utility server (the one with Group Policy Management installed) using an account in the AAD DC Administrators group
  2. Download the latest FSLogix Agent - https://aka.ms/fslogix_download onto the Utility server
  3. Extract the FSLogix agent zip file to a folder
  4. Now we will create a Central Store to manage the Group Policy templates consistently
  5. On your Utility server, browse to C:\Windows (if you are primarily using Azure Virtual Desktop, it may be best to copy the PolicyDefinitions folder from an Azure Virtual Desktop session host to make sure you can edit all the latest Windows 10 policies)
  6. Copy the PolicyDefinitions folder
  7. Paste the PolicyDefinitions folder into the Policies folder on your domain: \\luke.geek.nz\SYSVOL\luke.geek.nz\Policies
    (replace luke.geek.nz with your ADDS DNS name)
  8. (Screenshot: FSLogix - Group Policy)
  9. Go to your extracted FSLogix folder and copy:
    • fslogix.admx to: \\luke.geek.nz\SYSVOL\luke.geek.nz\Policies\PolicyDefinitions\
    • fslogix.adml to: \\luke.geek.nz\SYSVOL\luke.geek.nz\Policies\PolicyDefinitions\en-US\
  10. This will allow us to manage FSLogix using Group Policy. Open Group Policy Management
  11. Navigate to your Hosts OU
  12. Right-click the OU and select: Create a GPO in this domain, and Link it here…
  13. Name it according to your naming standards (this is a Computer-based policy) - in my example, I am using: AVD_ComputerPolicy
  14. Click Ok
  15. (Screenshot: FSLogix - Group Policy)
  16. Right-click the GPO you have just created and select Edit…
  17. Because this is a Computer-based policy, to speed up processing, right-click the Policy heading and select Properties
  18. Tick: Disable User Configuration Settings
  19. Confirm that you want to do this and select Yes
  20. Click Apply
  21. While you have the screen open, click on Comment, add some details about the GPO for future reference, then click Apply and Ok
  22. (Screenshot: FSLogix - Group Policy)
  23. Now it's time to actually configure the FSLogix Group Policy settings.
  24. Navigate to: Computer Configuration\Policies\Administrative Templates\FSLogix\Profile Containers
  25. Open Enabled, select Enabled and click Apply
  26. Open: VHD Location and paste in your Profiles UNC share (for example, mine is: \\fslogixprofileslgnz.file.core.windows.net\fslogixprofiles), then click Ok
  27. Select: Delete local profile when FSLogix profile should apply, click Enabled and tick Delete local profile when FSLogix Profile should apply (don't blindly follow this; I am making the assumption this is a new farm with no user profiles stored on it. You may need to create a separate GPO to test this setting on, or you could lose valuable data).
  28. Open: Set Outlook cached mode on successful container attach and set it to Enabled.
  29. Now, in the Group Policy Management console, click on Container and Directory Naming and select Virtual Disk type
  30. Click Enabled and change the option to VHDX, click Ok
  31. Click on the Swap directory name components setting, click Enabled, tick swap directory name components and click Apply
  32. Restart the Azure Virtual Desktop session hosts to pick up the new policies.
  33. You have now set up FSLogix profiles! If you map the drive, you should see your user profile folders!
  34. (Screenshot: FSLogix - Mapped Profiles)
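To try the same FSLogix settings on a single session host before the GPO reaches the whole Hosts OU, the registry values behind those policy settings can be written directly; this is an added example, not part of the original post. The value names are taken from the FSLogix profile-container reference and should be checked against your installed version; the UNC path is the post's example.

```powershell
# Added example (not from the original post): the registry values that the GPO
# settings above write, applied directly to ONE session host so FSLogix can be
# tested before the GPO is linked for the whole Hosts OU. Run elevated on that
# session host. Value names are taken from the FSLogix profile-container
# reference (check them against your installed version); the UNC path is the
# post's example. A GPO on the Hosts OU overrides these at the next refresh.

param(
    [string] $VhdLocation = '\\fslogixprofileslgnz.file.core.windows.net\fslogixprofiles',
    # Off by default: deleting local profiles is destructive on a farm that
    # already holds user data (the post's own caution in step 27).
    [switch] $DeleteLocalProfile
)

$Key = 'HKLM:\SOFTWARE\FSLogix\Profiles'
if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

# One entry per policy step: Enabled, VHD Location, Virtual Disk type (VHDX),
# Swap directory name components, Outlook cached mode on container attach.
$Settings = @(
    @{ Name = 'Enabled';                      Value = 1;               Type = 'DWord' }
    @{ Name = 'VHDLocations';                 Value = @($VhdLocation); Type = 'MultiString' }
    @{ Name = 'VolumeType';                   Value = 'VHDX';          Type = 'String' }
    @{ Name = 'FlipFlopProfileDirectoryName'; Value = 1;               Type = 'DWord' }
    @{ Name = 'OutlookCachedMode';            Value = 1;               Type = 'DWord' }
)
if ($DeleteLocalProfile) {
    $Settings += @{ Name = 'DeleteLocalProfileWhenVHDShouldApply'; Value = 1; Type = 'DWord' }
}

foreach ($s in $Settings) {
    Set-ItemProperty -Path $Key -Name $s.Name -Value $s.Value -Type $s.Type
}

# Read everything back so the output shows what the host really has, not what
# the script intended to write.
$Applied = Get-ItemProperty -Path $Key
foreach ($s in $Settings) {
    $actual = $Applied.($s.Name)
    $state  = if ("$actual" -eq "$($s.Value)") { 'OK      ' } else { 'MISMATCH' }
    '{0} {1,-38} = {2}' -f $state, $s.Name, ($actual -join ', ')
}
```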

No Available Resources Error when attempting to connect to Azure Virtual Desktop

· One min read

When connecting to Azure Virtual Desktop, you may get the error: "We couldn't connect because there are currently no available resources. Try again later or contact tech support for help if this keeps happening."

(Screenshot: We couldn't connect because there are currently no available resources.)

Check your Max Session Count

On your Azure Virtual Desktop Host Pool, check that your Max Session Count hasn't been exceeded.

In my screenshot below, not even one connection to my Azure Virtual Desktop farm could connect; this was fixed when I raised the limit.

(Screenshot: Host Pool - Max Session Count)

Check your Host Pool sessions are available

In your Azure Virtual Desktop Host Pool, check that the Session Hosts are:

  • Available
  • Not in Drain Mode

(Screenshot: Host Pool - Host Pool Status)
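The two checks above as a script using the Az.DesktopVirtualization module, added as an example and not part of the original post; it assumes Connect-AzAccount has already been run, and the resource group and host pool names are placeholders for your own.

```powershell
# Added example (not from the original post): the two portal checks above, done
# with the Az.DesktopVirtualization module so they can run from a script or a
# runbook. Assumes Connect-AzAccount has been run; the resource group and host
# pool names are placeholders for your own.

param(
    [string] $ResourceGroupName = 'avd_prod',
    [string] $HostPoolName      = 'avd-pooled'
)

$pool  = Get-AzWvdHostPool    -ResourceGroupName $ResourceGroupName -Name $HostPoolName
$hosts = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName

# Check 1: Max Session Count. A limit of 0 (or one that is already reached on
# every host) produces exactly the "no available resources" error.
"Host pool '{0}': MaxSessionLimit = {1}" -f $pool.Name, $pool.MaxSessionLimit
if (-not $pool.MaxSessionLimit -or $pool.MaxSessionLimit -lt 1) {
    Write-Warning 'MaxSessionLimit is 0 or unset: every new connection will be refused.'
}

# Check 2: a host only accepts a new connection when it is Available, not in
# drain mode (AllowNewSession = True) and still below the session limit.
$report = foreach ($h in $hosts) {
    [pscustomobject]@{
        Host      = ($h.Name -split '/')[-1]     # 'pool/host.fqdn' -> 'host.fqdn'
        Status    = "$($h.Status)"
        DrainMode = -not $h.AllowNewSession
        Sessions  = "$($h.Session)/$($pool.MaxSessionLimit)"
        CanAccept = ("$($h.Status)" -eq 'Available') -and $h.AllowNewSession -and
                    ($h.Session -lt $pool.MaxSessionLimit)
    }
}
$report | Format-Table -AutoSize

if (-not ($report | Where-Object CanAccept)) {
    Write-Warning 'No session host can accept a connection right now; users will see "no available resources".'
}
```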

How to create an Azure Virtual Desktop farm

· 18 min read

Previously known as Windows Virtual Desktop, Azure Virtual Desktop is the successor of Microsoft Remote Desktop; although compatible with Server operating systems, it is the first to support Windows 10 (and soon Windows 11) multi-session, reducing application compatibility issues and giving a consistent user experience.

In this guide, I will run you through creating Azure Virtual Desktop from scratch, along with some prerequisites that will help you manage AVD after you create it.

Before I begin, I recommend reading the Azure Virtual Desktop product page to understand the pricing model, features and additional resources that could help you in your journey.

When selecting a region for your Session Hosts (Virtual Machines), I recommend you have a look at the Azure Virtual Desktop Experience Estimator to help validate the proper region for your Session Hosts and the round-trip time (I am in New Zealand, so my recommended region is Australia East, which is what I will be using for this guide).

If you don't already have a Microsoft Azure subscription, you can sign up for a free subscription.

Assuming you already have an Azure subscription and the appropriate access to create resources in that subscription, let's begin!

Create Microsoft Entra ID Domain Services

  1. Log in to the Azure Portal
  2. Click on Create a resource
  3. Search for: Azure AD Domain Services. You can change the Publisher Type to Microsoft so it doesn't display any other marketplace offerings. (Screenshot: Azure AD Domain - Marketplace)
  4. Click Create
  5. If you already have a Resource Group, select it - in this demo, we are going to create one: aad_prod
  6. Type in the DNS domain name - this is the FQDN of your domain; in my demo, I will choose internal.luke.geek.nz.
  7. Because I am in New Zealand, the closest region to me is Australia East, so that's the region I will select. Make sure you select the appropriate region for where your Azure Virtual Desktop workloads are.
  8. Select the SKU and Resource Type; you can use the Pricing Calculator and the "Help me choose..." links to verify your SKU and Forest type (however, in most cases, such as Azure Virtual Desktop, your Forest Type will be 'User'). (Screenshot: Azure AD Domain Services - Basic Config)
  9. Click Next
  10. We will now set up the Networking; if you have an existing Virtual Network, select it. Azure AD Domain Services uses a dedicated subnet within a virtual network to hold all of its resources. If using an existing network, ensure that the network configuration does not block the ports required for Azure AD Domain Services to run.
  11. I will let it create a Virtual Network and its Subnet (/24); click Next. (Screenshot: Azure AD Domain Services - Networking Config)
  12. Azure AD Domain Services will create a new Azure AD Group called: AAD DC Administrators - this group will be used for Administrator-level permissions on the Azure AD Domain Services domain (it automatically adds the account you are using to create Azure AD Domain Services into this group).
  13. You can configure membership of this group now and configure who gets alerted if there are issues with Azure AD Domain Services.
  14. When you are ready, select Next. (Screenshot: Azure AD Domain Services - Administration Config)
  15. Depending on the number of Microsoft Entra ID users you have in your organisation, and whether they will need Azure AD Domain Services, you can choose to synchronise ALL Azure AD groups and users, or specific groups of users (this can be changed later). Because my Azure AD organisation is fairly small, I am going to sync everything; click Next.
  16. One thing to note here is the recommendation on the number of objects (users, groups) that will get synced to Azure AD Domain Services; for the Standard SKU, the suggested object count is 0 to 25,000 - for the Enterprise SKU, it is 25,000 to 100,000. So although there is no hard limit, it might be worth upgrading the SKU you are running for the additional backups and authentication if you fit in the Enterprise space. (Screenshot: Azure AD Domain Services - Synchronisation Config)
  17. We can now configure the Security Settings; the only setting I am going to change here is TLS 1.2 Only Mode to Enable. (Screenshot: Azure AD Domain Services - Security Config)
  18. Enter any applicable Tags and click Review & Create to validate your configuration.
  19. Review your configuration, and if you are happy with it, select Create.
  20. Confirm that you are happy with the following and click Ok. (Screenshot: Azure AD Domain Services) Note: Azure AD Domain Services can take up to an hour to provision.
  21. Once your Azure AD Domain Services has been configured, we must make some final configuration changes to point the Virtual Network DNS to the Azure AD Domain Services. So first, open your newly created Azure AD Domain Services.
  22. Click on Overview and then on: Configuration issues for your managed domain were detected. Run configuration diagnostics. (Screenshot: Azure AD Domain Services)
  23. Click on Run
  24. It should find a DNS record issue; click Fix to set the DNS settings of the Virtual Network to use the Azure AD Domain Services. Please be careful here, especially if you have existing DNS settings; you might have to add it manually.

Create a Utility server to help Administer Azure Virtual Desktop

We need to create a Virtual Machine to help manage the AAD Domain and deploy Group Policies to help manage and configure the Azure Virtual Desktop farm.

  1. Log in to the Azure Portal
  2. Click on Create a resource.
  3. Search for: Windows Server 2019 Datacenter and select Create
  4. If you already have a Resource Group, select it - in this demo, we are going to create one: aad_infra
  5. Specify a name for the Virtual Machine (I am going to use: UTILITY-P01)
  6. Select a Region (use the same Region as the Azure AD Domain Services and Azure Virtual Desktop resources)
  7. For the Image, you can select either Windows Server 2019 Datacenter - Gen 1 or Gen 2; in my case, I am going with Gen2 (although it doesn't matter).
  8. I am a firm believer in selecting the smallest size possible, then scaling up when/where needed; I am going to go with a Standard_B2ms. (Screenshot: Azure - Create VM)
  9. Now we need to enter the Administrator (local account) Username and Password.
  10. Select 'None' for Public inbound ports
  11. If you have existing Windows Server licenses, you can select Hybrid Use Benefit; if not, select Next: Disks. (Screenshot: Azure - Create VM)
  12. For the disks, I only need the OS disk, so I don't need to add a Data Disk (although you could use this to store your application install files etc.); however, to reduce cost, I am going to change the Disk type to Standard SSD (locally-redundant storage) and select Next: Networking. (Screenshot: Azure - Create VM)
  13. For the Virtual Network, make sure you select the same Virtual Network that the Azure AD Domain Services has been installed to; I will select the aadds-subnet created earlier for my Utility server.
  14. Set 'None' for the Public IP and select Next: Management (Screenshot: Azure - Create VM)
  15. Feel free to leave this all as default
  16. Just be wary of the Auto-shutdown settings, which will automatically shut down the VM daily (I will keep mine selected as this is just a demo, and I only need the Utility server for initial configuration; it doesn't need to be running 24/7).
  17. If you have a Recovery Services Vault, now is a good time to add the Utility server to Backups so you don't forget it later; select Review & Create
  18. Verify the configuration is correct and select Create

Create Azure Bastion to connect to the Utility server

Once the VM has been created, we now need to connect to it securely, so we will create a Bastion instance, which will allow us to connect to it without publishing the RDP (Remote Desktop Protocol) over the internet.

  1. Log in to the Azure Portal
  2. Click on Create a resource
  3. Search for: Bastion (Screenshot: Azure - Bastion)
  4. Click Create
  5. This is a Networking resource, so I will place it in the same Resource Group as my Virtual Network.
  6. Type in a Name for the Bastion instance; I will call mine: Bastion
  7. Select the Region that matches the Virtual Network region
  8. Select the Virtual Network
  9. It now warns you about creating an AzureBastionSubnet with a prefix of at least /27, so we need to create one; click on Manage Subnet Configuration.
  10. Click + Subnet
  11. For the Name, type in: AzureBastionSubnet
  12. For the Subnet address range: 10.0.1.0/27. If you get an error that indicates the address is overlapping with the aadds-subnet, it may be because the Address space is only a /24; click Cancel, click on Address Space in the Virtual Network and change the /24 to /16 to increase the address range.
  13. Click Save to create the subnet (Screenshot: Azure - Bastion)
  14. At the top, click Create a Bastion to go back to the Bastion setup; your Subnet should now be selected automatically.
  15. You do need a Public IP for Bastion, so confirm the name is appropriate, then click Review + Create (Screenshot: Azure - Bastion)
  16. Click on Create to create your Bastion instance!

Note: Bastion may take 10-20 minutes to provision.

Configure the Utility server

Now that we have a Bastion instance, it is time to connect and configure the Utility server and create a new Azure AD user for Azure Virtual Desktop configuration.

  1. First, I am going to create a separate Azure AD account to manage the Utility server and join the Azure Virtual Desktop session hosts to the domain; this is to keep it separate from my own account. Azure AD Domain Services relies on password hash synchronisation, so you won't be able to log in using Azure AD Domain Services unless you (and the people using it) have reset their passwords AFTER Azure AD Domain Services has been created.

  2. Navigate to the Azure Portal and open Microsoft Entra ID

  3. Click on Users

  4. Click on + New User

  5. Type in the username of the user; I am going to use: 'avdjoin'

  6. Type in an easily identifiable name

  7. Generate or put in a secure password

  8. Add it to the AAD DC Administrators group

  9. Click Ok to create the user (Screenshot: Azure AD - Users)

  10. Once the account has been created, make sure to log in with it to the Azure Portal or Office portal to force a final password reset, or you won't be able to use it in the next steps, as it will be waiting for a password reset.

  11. Once that account has been created, it's time to join your Utility server to the Microsoft Entra ID Domain; navigate to your Utility server and click Connect.

  12. Select Bastion

  13. Select Use Bastion

  14. Type in the username and password of the LOCAL account created when the Virtual Machine was created and click Connect. Note: If you are running a popup blocker, you need to allow it to open, as Bastion opens up the connection in a new window. (Screenshot: Azure Bastion)

  15. You should now be logged in to the server successfully.

  16. Now it's time to join the server to the domain (make sure that DNS is configured for AD Domain Services on the Virtual Network, see the last step in the AD Domain Services section, or you won't be able to domain join anything).

  17. In Server Manager, click on Local Server

  18. Select WORKGROUP

  19. Click Change…

  20. Select Domain

  21. Type in the DNS name of your domain; in my demo, it is: luke.geek.nz

  22. Type in the username and password of the account we created earlier and click Ok (Screenshot: Azure - Domain Join)

  23. Once you see "Welcome to the domain", click Ok a few times to restart the server.

  24. Once the server has been restarted, you can now close your Bastion window and reconnect using your Azure AD credentials (in my case, avdjoin), a member of the AAD DC Administrators group. (Screenshot: Azure - Connect to Bastion)

  25. You have now successfully connected using an Azure AD account to the AD Services domain.

  26. Now it's time to install some base Active Directory tools

  27. Open Windows PowerShell as Administrator

  28. Type in the following PowerShell commands:

    Add-WindowsFeature RSAT-Role-Tools

    Install-WindowsFeature -Name GPMC

Note: You can use the little arrows on the left-hand side of your Remote Desktop window to copy and paste text to and from your Bastion connection.

  1. This will now install the base Active Directory remote management tools, including Group Policy Management, so you can now create and manage the Group Policy objects for your Azure Virtual Desktop hosts. (Screenshot: Server Tools)
  2. We will now set up some base configuration to create a custom OU for the Azure Virtual Desktop hosts to go into:
  • Open Active Directory Users & Computers
  • Expand out the Domain and right-click (at the top level)
  • Select New, Organisational Unit

(Screenshot: Server Tools)

  • Type in: AVD
  • In the AVD OU, create a new OU called: Hosts
  • Now that we have an OU for the hosts, we will need to tell Azure what OU the hosts go into, so while we have Active Directory Users and Computers open, click on View.
  • Select Advanced Features
  • Right-click the Hosts OU
  • Select Properties
  • Click on Attribute Editor
  • Find the distinguishedName attribute

(Screenshot: Server Tools)

  • Open and copy the value (in my case: OU=Hosts,OU=AVD,DC=luke,DC=geek,DC=nz) for future reference.
  • Now that we have the AVD Hosts OU, you can also open Group Policy Management and create your Computer policies.
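The OU part of the steps above as a script using the ActiveDirectory module that the RSAT install provides, added here as an example and not part of the original post. It assumes it is run on the Utility server as a member of AAD DC Administrators; the OU names and domain are the post's.

```powershell
# Added example (not from the original post): the OU steps above done with the
# ActiveDirectory module that the RSAT install provides, so the same AVD\Hosts
# structure can be created repeatably and the distinguishedName the host pool
# wizard asks for is printed rather than copied from Attribute Editor.
# Run on the Utility server as a member of AAD DC Administrators; OU names are
# the post's. Works against an Azure AD Domain Services managed domain, where
# custom OUs are allowed at the domain root.

Import-Module ActiveDirectory

$DomainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=luke,DC=geek,DC=nz

function New-OuIfMissing {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ParentDn
    )
    $dn = "OU=$Name,$ParentDn"
    # Idempotent: re-running must neither fail nor create a duplicate OU.
    if (-not [adsi]::Exists("LDAP://$dn")) {
        # Protected from accidental deletion, the same default the GUI applies.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn `
            -ProtectedFromAccidentalDeletion $true | Out-Null
        Write-Host "Created $dn"
    } else {
        Write-Host "Already present: $dn"
    }
    return $dn
}

$avdDn   = New-OuIfMissing -Name 'AVD'   -ParentDn $DomainDn
$hostsDn = New-OuIfMissing -Name 'Hosts' -ParentDn $avdDn

# This is the value to paste into 'Specify domain or unit' when the host pool
# is created, instead of reading it from the distinguishedName attribute.
"Hosts OU distinguishedName: $hostsDn"
```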

Deploy Azure Virtual Desktop

Now we are finally ready to deploy Azure Virtual Desktop!

  1. Log in to the Azure Portal
  2. Click on Create a resource
  3. Find and select Host pool (Screenshot: Azure Virtual Desktop - Host Pool)
  4. Click Create
  5. Create a new Resource Group to keep the AVD resources separate; I am going to name mine: avd_prod
  6. Type in a Host Pool Name; I will call mine: avd-pooled
  7. Select the location of the Metadata (this is NOT the location of your session hosts, it's the gateway; select the Region closest to you)
  8. For Host Pool Type, if you want everyone to have a Virtual Machine each, you can select Personal; however, I want people to be shared across my servers, so I will select Pooled.
  9. For the Load balancing algorithm, we can choose to spread people over available hosts or fill up one host before moving connections to the next; we are going with Breadth-first.
  10. Click Next: Virtual Machines (Screenshot: Azure Virtual Desktop - Host Pool)
  11. Now we can add your Session hosts to the Pool.
  12. By default, the Resource Group is set to the same Resource Group as the Host pool; however, you can separate them.
  13. Select a Name prefix for your session hosts; it must be unique. Azure will automatically add a number to it as you build out more session hosts. I will put avdhost.
  14. As I am based in New Zealand, I will be using the Australia East region.
  15. We are going to use a Gallery Image of Windows 10 Enterprise multi-session, Version 20H2 + M365 Apps (select the newest image at the time of your deployment)
  16. Select your Virtual machine size
  17. Select the number of Virtual Machines you need
  18. Select the OS disk type (Screenshot: Azure Virtual Desktop - Host Pool)
  19. Select your Virtual Network and subnet
  20. Select Yes to specify your domain or unit
  21. Type in your AD Domain Services domain name
  22. If you don't specify an OU, it will create the hosts in the AADDC Computers OU. I had previously created a separate OU for my hosts, so I will enter the OU information.
  23. For the Domain Administrator account, I will use the AVDJoin account I created earlier.
  24. When the Virtual Machines get created, a local Administrator account will be created for each machine, and you can specify the username and password you want this account to have. (Screenshot: Azure Virtual Desktop - Host Pool)
  25. Click Next: Workspace
  26. Select Yes to Register Desktop App Group
  27. We haven't created an Azure Virtual Desktop Workspace yet, so select Create New.
  28. Create a name for your Workspace; my example is: avd_workspace
  29. Click Ok (Screenshot: Azure Virtual Desktop - Workspace)
  30. Click on Review + Create
  31. Confirm everything looks ok and click Create. Note: This may take 10-20 minutes to create your Azure Virtual Desktop resources:
  • Host Pool
  • Workspace
  • Session hosts
  1. Once the resources have been created, you should now have an Application group for the Session Desktop.
  2. Open the Application Group and click Applications; confirm the SessionDesktop application is listed. (Screenshot: Azure Virtual Desktop - Application Group)
  3. Click on the SessionDesktop to change the Display name (this is the resource people will see when they go to your Azure Virtual Desktop); I changed mine to AVD Desktop. (Screenshot: Azure Virtual Desktop - Application Group)
  4. Click on Assignments
  5. These are the Users & Groups that are allowed to access your Azure Virtual Desktop.
  6. My recommendation would be to add a Group that contains your users, but in my demo, I will add my 'avdjoin' account. (Screenshot: Azure Virtual Desktop - Application Group)
  7. Using an assigned account, you can now navigate to: https://rdweb.wvd.microsoft.com/arm/webclient/index.html (Screenshot: Azure Virtual Desktop - RD Web)
  8. You can now launch your Desktop.
  9. Congratulations, you have now created and connected to Azure Virtual Desktop! (Screenshot: Azure Virtual Desktop)

Additional Configuration

  • You can Navigate to your Host Pool; under Settings, you can restrict or allow RDP settings, Device redirections and configure Display sessions.
  • Configure Start VM On Connect to help reduce your spend.
  • If you click on Session hosts, you can add additional hosts to your pool or Drain them to prevent logins.
  • If you click Application Groups, you can add RemoteApp groups to allow users to connect directly to an Application versus a Full Desktop.
  • Configure FSLogix profiles for user persistence.
  • Set Disconnected Session Time limits in Group Policy, to automatically log off Disconnected sessions after 'x' period of time.