The global contingency has revived company-wide desktop virtualization projects. Virtual desktops make it possible to centralize desktop management and save costs. However, although remote work has been around for a couple of years for IT folks, enabling it for an entire business can be more challenging.
If you are facing a similar challenge now, please consider the following experience and simple recommendations. This is not a step-by-step deployment guide; it focuses on some adventures from an urgent project to deploy Windows Virtual Desktop for more than 2000 users in two weeks. It tries to highlight some key points that were identified during the deployment in a production environment.
Windows Virtual Desktop (WVD) is a cloud-based virtualization solution running on the Microsoft Platform, which is an elastically scalable service that delivers remote desktop and remote app experiences without having to manage the underlying server infrastructure.
Before continuing, let’s get familiar with some concepts:
- A host pool is a collection of Azure virtual machines that register to Windows Virtual Desktop as session hosts. It can be Pooled, where each session host is assigned to individual users, or Personal, where session hosts can accept connections from any user authorized to an app group within the host pool.
- An application group is a logical grouping of applications installed on session hosts in the host pool. An app group can be RemoteApp, where users access the RemoteApps you individually select and publish to the app group, or Desktop, where users access the full desktop.
- Profile Management enables a profile to follow the user regardless of which device they log on to.
- A workspace is a logical grouping of application groups in Windows Virtual Desktop. Each Windows Virtual Desktop application group must be associated with a workspace for users to see the remote apps and desktops published to them.
- A session host is the Remote Desktop Service worker that provides the service to end users; it is based on the operating system used to build the master image.
In addition to the Azure prerequisites and licensing, we highly recommend thinking about the following topics to anticipate possible difficulties during the deployment into production.
Managing the requirements
Ensure that different users from all business units and operating systems are involved during the initial project conversations. Define which users require a dedicated single session and which ones can be accommodated in shared sessions. Also consider users who access just a remote application and, why not, users with a physical machine.
On top of that, we recommend analyzing total users, concurrency, estimated hours per week and the compute available for the project.
Those definitions allow us to plan the right infrastructure to give the best experience by identifying the workload type: Power, Heavy, Medium, or Light users.
Also make sure you understand the security controls your company needs for remote users. On the networking side, there are several ways to limit traffic, including Azure Firewall, Network Virtual Appliances or a proxy, but this is another project.
Analyze the level of management you want for the solution. This project required automated deployment, autoscaling and monitoring. Nerdio Manager for WVD was chosen for this project because it simplifies these activities. Updating OS images as well as user control was streamlined.
Windows 7 single-session and Windows Server 2012 R2 and higher are supported. If your WVD scenario is multi-session, you need to understand which applications work in that environment, because multi-session is based on Windows 10 and allows one worker to host several users. Companies tend to think about WVD as a response to legacy systems. Yes, it is the alternative to address Windows 7 End of Support, but we need to check the status of legacy applications and the policies on image distribution. Validate with your operating systems team what percentage of applications has been tested to work with Windows 10. Hopefully that covers most of them today, but you should feel comfortable asking: “Hey, OS guys, can we deploy Windows 10 considering that our standard corporate desktop is Windows 7?” If you are going for a deployment in a shared scenario, it is important to know what happens when you publish client-server applications, and you must check their behavior in a multi-session (pooled) environment.
How can we size the environment?
You can run an estimation by defining total users, peak concurrency, usage hours and the scenario: multi-session or single-session. Costs are mainly driven by VM instances, where the number of instances and the instance size are the main parameters to choose.
Depending on your industry, you may know which hardware footprint/configuration tends to work well for a typical user. But do you know how much memory a typical user consumes on their notebook? How many browser tabs do they keep open during the day?
To give the same experience in a virtual desktop, it is necessary to add this variable to our sizing in order to separate users with a personal desktop from those sharing sessions. To make it easier, in our case we grouped users into 4 zones and hence 4 host pools and 4 file shares to manage the profiles. This allowed us to manage different maintenance windows, each impacting a small number of users. You can also use such zones to differentiate users, for example those with more compute than others.
We considered a sizing with Standard D8s v3 VMs for Host Pools with premium disks. We had an average of 20 concurrent users. To size the profile, we considered a size range of 5-10GB (which averages around 8GB) and 5 IOPS per user profile to select the VM with correct IOPS.
Another option is NetApp Files, if you need to deploy a complete PaaS scenario to manage the profiles. It's a better option if you don't want to manage Windows file sharing in an IaaS environment.
Use the Azure Calculator, and remember the savings available with reserved instances, but we recommend waiting until the project is in production and you understand how it operates. If you reserve the instances and then figure out that the quantity of VMs is lower than needed, you can cancel an Azure Reserved VM Instance at any time.
Make sure to spend enough time on your image baseline until it works well.
Recommended Settings for WVD Master Image:
- Set up User Profile Containers (FSLogix)
- Configure Windows Defender
- Disable Automatic Updates
- Time Zone Redirection
- Add language support
- Configure OneDrive
- Install Office
If you use multi-session, you must use shared computer activation to install Office; this lets you deploy Microsoft 365 Apps to an image that will be accessed by multiple users. Check that Office works several more times after it is installed, and take the time to understand how shared computer activation works.
How many browsers will be installed on the image? Do they need a particular security configuration? Or do you control everything through corporate policies? Ask all these questions with your team and make sure the Help Desk will not receive cases due to application malfunctions.
Follow this article to customize a master image.
Profile Management enables a profile to follow the user regardless of which device they log on to. Typically, every user logging on to an operating system has a locally stored user profile. A user profile is a collection of settings and information associated with a user (e.g. individual theme, background, OneDrive sign-in).
FSLogix is the recommended next-generation app-provisioning platform; it reduces the resources, time and labor required to support virtualization.
Whether you are building the image yourself or using a third-party tool like Nerdio, Citrix or VMware, the FSLogix agent needs to be configured with a central file share (SMB, NetApp Files or Azure Files). Optionally, you can manage it with the available ADMX templates, but only implement the items that are absolutely necessary.
In this case, an SMB file share was used to store the profiles, so to secure access you must check whether WVD users have read/write permissions on that file share. Several times a new user complained to the Help Desk saying: “I have an error and it says ‘FSlogix, the user profile failed to attach.’”
FSlogix – Profiles
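A check for the share permissions discussed above, as an added example that is not part of the original article or of FSLogix itself. It reads the profile share from the FSLogix registry settings on a session host and reports whether the WVD user group can create profile folders without being able to open other users' containers. The group name `CONTOSO\WVD-Users` is a placeholder, and the expected layout (users: Modify on this folder only, CREATOR OWNER on subfolders and files) is the one Microsoft documents for FSLogix profile shares.

```powershell
# Added example. Run on a session host as an administrator.
# Assumption: 'CONTOSO\WVD-Users' is a placeholder for your own WVD user group.
$WvdUserGroup = 'CONTOSO\WVD-Users'

# FSLogix reads its profile share(s) from this registry key on the session host.
$fslogix = Get-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -ErrorAction Stop
if ($fslogix.Enabled -ne 1) {
    Write-Warning 'FSLogix profile containers are not enabled on this host.'
}

$modify = [System.Security.AccessControl.FileSystemRights]::Modify

foreach ($share in @($fslogix.VHDLocations)) {
    if (-not (Test-Path -LiteralPath $share)) {
        Write-Warning "Profile share $share is not reachable from this host."
        continue
    }
    # Get-Acl returns the NTFS ACL of the share root. SMB share-level permissions
    # are separate; review them with Get-SmbShareAccess on the file server.
    $allow = @((Get-Acl -LiteralPath $share).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' })

    # Only rules naming the group directly are matched; access granted through
    # nested groups or built-in principals needs a separate review.
    $userRules = @($allow | Where-Object {
        $_.IdentityReference.Value -eq $WvdUserGroup -and
        ($_.FileSystemRights -band $modify) -eq $modify })

    # Modify that inherits to subfolders lets any user open other users' profile disks.
    $inherited = @($userRules | Where-Object { $_.InheritanceFlags -ne 'None' })

    $creatorOwner = @($allow | Where-Object {
        $_.IdentityReference.Value -eq 'CREATOR OWNER' })

    [pscustomobject]@{
        Share               = $share
        GroupCanCreate      = $userRules.Count -gt 0     # False: expect "failed to attach"
        GroupRightsTooBroad = $inherited.Count -gt 0     # True: profiles exposed to peers
        CreatorOwnerEntry   = $creatorOwner.Count -gt 0  # False: users cannot own their folder
    }
}
```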
Deploy & Monitoring
Before the production deployment, it is recommended to configure a host pool with a few workers: two or three. The idea is to see how your image behaves and to test all the applications again with a user who has been granted access to WVD. Typically, you will check how Office applications work, the language, the time zone, etc.
Sepago is a cloud-native solution to monitor WVD environments at a very low level: host pools, users, sessions, and applications. We configured Sepago to use an agent that watches events, performance consumption, network activity and more for each user experience in our WVD environment. The agent combines data from different sources and sends it to your Log Analytics workspace in Azure.
How do you enable Sepago in your deployment? Here are the steps at a high level:
- Install ITPC-LogAnalyticsAgent Sepago.zip available at http://loganalytics.sepago.com/download.html
- Once downloaded, you must edit the config file to point to your specific workspace with primary key to access your workspace
- The agent will need to be downloaded and installed on each Windows Virtual Desktop session host. Because we have already deployed our session hosts, we are going to install the agent directly on each host. However, you could install the agent onto your master image, or use automation to deploy the agent.
Dashboards look like this:
WVD also offers a diagnostics feature that allows the administrator to identify issues through a single interface. This feature logs diagnostics information whenever the Windows Virtual Desktop role is used. Each log contains information about which Windows Virtual Desktop role was involved in the activity, any error messages that appear during the session, tenant, and user information. The diagnostics feature creates activity logs for both user and administrative actions.
However, getting more detailed information may require diving into the logs to find the answer: “Can I know what time a user logged in? How do I identify where the user is connecting from?”
In those cases you need to use the Kusto query language to create your own Log Analytics queries. Here you can find some examples. In our case we saved those queries in Log Analytics to use in a Logic App that sends information about users’ connections every day.
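One way to answer the two questions above from PowerShell, as an added example that is not one of the queries from the original article. It assumes WVD diagnostics reach the workspace as the `WVDConnections` table, that the Az.OperationalInsights module is installed and signed in, and that the workspace ID shown is a placeholder; the "more than two addresses" threshold is arbitrary.

```powershell
# Added example. Requires Az.OperationalInsights and a prior Connect-AzAccount.
# Assumption: placeholder workspace ID; replace with your Log Analytics workspace ID.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'

# WVDConnections holds one row per connection state change. Pairing the
# "Connected" and "Completed" rows by CorrelationId gives sign-in and sign-out times.
$query = @'
WVDConnections
| where State == "Connected"
| project SignIn = TimeGenerated, UserName, ClientSideIPAddress,
          ClientOS, ClientType, SessionHostName, CorrelationId
| join kind=leftouter (
    WVDConnections
    | where State == "Completed"
    | project CorrelationId, SignOut = TimeGenerated
  ) on CorrelationId
| project SignIn, SignOut, UserName, ClientSideIPAddress,
          ClientOS, ClientType, SessionHostName
| order by SignIn desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId `
    -Query $query -Timespan (New-TimeSpan -Days 1)
$sessions = @($result.Results)

# When did each user sign in, and from which client address?
$sessions | Format-Table SignIn, SignOut, UserName, ClientSideIPAddress, SessionHostName -AutoSize

# Accounts seen from more than two client addresses in the last day (arbitrary
# threshold) are worth a second look by the Help Desk or security team.
$sessions | Group-Object UserName | ForEach-Object {
    $ips = @($_.Group.ClientSideIPAddress | Sort-Object -Unique)
    if ($ips.Count -gt 2) {
        [pscustomobject]@{ User = $_.Name; Addresses = $ips -join ', ' }
    }
}
```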
- There are many activities related to the users, so having this connection with the Help Desk team helps accelerate changes and decisions during the first part of the deployment.
- Try to assess all the end users’ needs to define everything that goes into the image; some users need different configurations, and some requirements may come after implementation.
- Continue monitoring performance to optimize your deployment and save costs.
- Work on right-sizing the VMs based on new user and usage profiles before buying Reserved Instances.
- Implement scale-up or scale-down to meet peak usage demands if you are not using tools like Nerdio.