Ludovic DOUAUD
14 November 2023

What is Azure Virtual Desktop?

Azure Virtual Desktop (AVD) is a Microsoft solution that allows you to access a secure remote desktop from anywhere. What are its components? Its use cases? The user profiles? There are many questions about this tool, so in today’s post, let’s look at what Azure Virtual Desktop is and what it can do for you.

 

The History of Azure Virtual Desktop

 

First, let’s look at some history to help us understand why Azure Virtual Desktop was created.

Microsoft released Windows NT 4.0 Terminal Server Edition in 1998. It was the first version of the company’s famous OS that enabled you to connect to a Windows session remotely.

Then, in 2008, Microsoft continued its development by improving and renaming its product with the release of Windows Server 2008: Terminal Server (TS) then became RDS (Remote Desktop Services).

Ten years later, RDMI (Remote Desktop Modern Infrastructure) was born.

The arrival of the Azure public cloud sped up adoption of the Platform as a Service (PaaS) mode. The solution first appeared as WVD (Windows Virtual Desktop), but Microsoft changed its name in 2019. WVD evolved into AVD (Azure Virtual Desktop), its current name.

To complement this Virtual Desktop Infrastructure (VDI) solution, Microsoft launched Windows 365 in 2021. This solution is different from AVD and completes the Microsoft product family. We will also consider the benefits of this new product.

Of course, you can still use the on-premises RDS solution on Windows Server.

 

The Principle Behind Azure Virtual Desktop

 

As you may have gathered, Azure Virtual Desktop is Microsoft’s VDI solution in Azure.

It lets you delegate management of the control plane, its components, and its security to Microsoft, leaving you to focus on configuring and customizing the desktops and applications you publish for your end users.

The goal is to give users the same experience they are familiar with from Windows 10, 11, and Windows Server 2016, 2019, or 2022. That experience is optimized through native integration of Microsoft 365 applications.

Like IaaS (Infrastructure as a Service), PaaS, and CaaS (Containers as a Service), AVD has its own "as a Service" abbreviation: DaaS (Desktop as a Service).

 

AVD Compared With the Old RDS Solution

 

Before you can fully understand the basic principle of AVD, you need to know about the various components of the old RDS solution.

 

Remote Desktop Session Host

 

This is the server that runs the applications through the desktops you share with your users.

 

Remote Desktop Gateway

 

The Remote Desktop Gateway provides users with access to Windows desktops and published applications. It is the RDS point of entry.

It is responsible for encrypting communications between the clients and the server.

 

Remote Desktop Connection Broker

 

The Remote Desktop Connection Broker is the component that handles session connection requests from the Remote Desktop Gateway to the Remote Desktop Session Host groups.

It also ensures load balancing between the various session hosts.

 

Remote Desktop Web Access

 

With Remote Desktop Web Access, end users can access desktops and applications via the web portal using a thick client browser.

 

Remote Desktop Licensing

 

Remote Desktop Licensing is simply the server on which all end user licenses are activated. Licensing can be per user or per device. This service is queried as soon as a user logs in to ensure they are permitted to use it.

 

RDS in Azure

 

If we apply the elements above within the Azure Virtual Desktop solution, you will only need to manage the Remote Desktop Session Hosts.

Graphically, Microsoft will handle:

[Figure: RDS in Azure]

 

These elements are also called the “control plane.”

Azure will also take care of the following, which are part of the standard managed services:

[Figure: RDS in Azure 2]

 

 

But what’s left for you to manage? Only those elements that are directly related to the value you want to add to the product, for example:

  • Publications: Will you be providing full desktops or just applications?
  • Images: Do you want to use the stock images from the marketplace or create your own?
  • Identities: Who will need to access the service? How? Under what conditions?
  • Rules: How should load balancing work? Will you use a scaling plan?
  • Policies: You need to define the policies that work for you for both network access and the computer. Should the VMs be able to access the Internet? How about other internal networks? Should storage spaces also be accessible from the Internet? You can also continue using Group Policy Objects (GPOs) if you are using AD Domain Service. If you choose Azure AD joined, Intune will help you maintain control over your session hosts.

Teams that have already deployed RDS on-premises don’t have to worry either. You can migrate your RDS workloads to AVD.

 

Azure Virtual Desktop Components

 

You now know where Azure Virtual Desktop came from and what elements you need to consider. Let’s move on to some Azure Virtual Desktop terms:

 

Host Pool

 

A host pool is a group of virtual machines registered to Azure Virtual Desktop as session hosts. There are two kinds of host pools:

  • Personal, where each session host is assigned to individual users.
  • Pooled, where session hosts can accept connections from any user authorized for an application group within the host pool.

Each session host runs the Azure Virtual Desktop agent, and all session host virtual machines in a host pool should be sourced from the same image for a consistent user experience.

 

Application Groups

 

An application group is a logical grouping of applications installed on session hosts in the host pool. There are two kinds of application groups:

  • RemoteApp, where users access the RemoteApps you individually select and publish to the application group.
  • Remote Desktop, where users access the full desktop.

To publish resources for the users, you must assign them to application groups.

 

Workspace

 

A workspace is a logical grouping of application groups in Azure Virtual Desktop. Each Azure Virtual Desktop application group must be associated with a workspace for users to see the applications and remote desktops published to them.

 

AVD End Users

Once you have assigned users to their application groups, they can use any Azure Virtual Desktop client to connect to an Azure Virtual Desktop deployment.

Here is a diagram showing the various AVD components and their relationship:

[Figure: AVD End users]
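
The relationship between host pool, application group, workspace and user assignment, expressed with the Az PowerShell module. This is an added example, not code from the original article; the resource names, region and group object ID are placeholders.

```powershell
# Added example. Requires the Az.DesktopVirtualization and Az.Resources modules
# and an authenticated session (Connect-AzAccount).
# Placeholders: resource group, names, region, and the group object ID.
$rg       = 'rg-avd-demo'
$location = 'westeurope'
$groupId  = '<group-object-id>'

# 1. Host pool: pooled, so any authorized user can land on any session host.
$pool = New-AzWvdHostPool -ResourceGroupName $rg -Name 'hp-demo' -Location $location `
    -HostPoolType Pooled -LoadBalancerType BreadthFirst `
    -PreferredAppGroupType Desktop -MaxSessionLimit 10

# 2. Application group: publishes the full desktop from that host pool.
$appGroup = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name 'dag-demo' `
    -Location $location -HostPoolArmPath $pool.Id -ApplicationGroupType Desktop

# 3. Workspace: the application group must be referenced here for users to see it.
New-AzWvdWorkspace -ResourceGroupName $rg -Name 'ws-demo' -Location $location `
    -ApplicationGroupReference $appGroup.Id | Out-Null

# 4. Assignment: access is granted on the application group only, to a group
#    rather than to individual accounts, so membership is managed in one place.
New-AzRoleAssignment -ObjectId $groupId `
    -RoleDefinitionName 'Desktop Virtualization User' -Scope $appGroup.Id | Out-Null

# Review who can reach the published desktop, including inherited assignments.
Get-AzRoleAssignment -Scope $appGroup.Id |
    Where-Object RoleDefinitionName -eq 'Desktop Virtualization User' |
    Select-Object DisplayName, ObjectType, Scope
```

Assignments whose `Scope` is the resource group or subscription rather than the application group are inherited and grant access to every application group beneath that scope.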

 

Azure Virtual Desktop Use Cases

 

As mentioned earlier, Azure Virtual Desktop is a virtual desktop infrastructure (VDI) solution first and foremost. It is based on existing Microsoft technologies, but the publisher has added cloud computing-specific functionalities. This makes it a flexible and cost-effective solution to today’s IT challenges.

Let’s look at the main existing and new use cases.

 

Data Security

 

With AVD, you can choose the geographical storage location (virtual machine disks and user profiles) and the virtual machine execution zone. This means you can:

  • maintain control of the regions in which your data is stored
  • adhere to any regulatory constraints
  • limit the number of outgoing IP addresses

 

High Computing Capacity

 

Hosting IaaS workloads in any public cloud gives you access to extremely powerful computing resources. The AVD solution also benefits from this power. Storage and computing resources can take advantage of the latest graphics processing unit (GPU) hardware for developers and CAD designers.

The limits are set by you, not by the available resources.

 

Bring your own device

 

One of the first and most common use cases is the ability to provide secure virtual environments that can be accessed from personal and/or public computers.

In other words, how do you maintain control over your professional work environment while letting the user choose how to access it?

 

Business Continuity Planning

 

Hosting your workloads in Azure makes sure that your business can keep running even if one of your sites is unavailable.

AVD lets you maintain access to your workstations and data even during incidents.

 

Flexibility

 

You can adapt AVD resources to your needs if the number of developers and designers on your team suddenly increases or decreases.

 

Merger & Acquisition

 

AVD can provide secure and easy access to your information system (IS) when a company is acquired.

 

Personalize Your Image

 

It is extremely common, although not compulsory, to customize the environment provided to users. This involves creating a personalized image of the operating system, which is known as image customization.

Microsoft provides several versions of Windows:

  • Server
  • Client

Existing versions of Windows Server (2016, 2019, 2022) are available.

Keep in mind, though, that AVD has also brought some new OS features. In fact, Microsoft has developed a dedicated version of Windows client. This is Windows Enterprise multi-session, available in versions 10 and 11.

This version, which you can only get in AVD, has a multi-session mode on a Windows Client OS. This means it allows more than two simultaneous sessions.

 

Windows user experience

 

With this version, your users will still be able to enjoy the same experience they had with Windows 10 and 11.

 

Application compatibility

 

All the Win32 and UWP apps you already use will still be compatible with Windows Enterprise multi-session.

 

Native compatibility and integration with Microsoft 365

 

Windows Enterprise multi-session already has the Microsoft 365 suite applications installed and tested.

 

Twice-yearly feature updates

 

New features, or updates, are released on the Enterprise channel every six months, on the second Tuesday of January and July.

 

Native compatibility with AVD and FSLogix

 

Compatibility with AVD

 

For a virtual machine to be integrated into a virtual desktop environment as a session host, it must have an agent installed on it to communicate with the AVD control plane.

This is not an issue with the OS versions offered by Azure. This agent is natively integrated.

 

Compatibility with FSLogix

 

Let’s look at what FSLogix is first before we go any further.

FSLogix is a company that was founded in 2012 and offers products that complement Microsoft’s RDS solution: FSLogix apps and FSLogix Profile Container. These products “were designed to address critical needs that have long existed in virtualization.” In other words, they were made to improve the Microsoft Office 365 experience within virtual desktop environments (Outlook and OneDrive, in particular).

Microsoft acquired FSLogix in November 2018. Microsoft’s aim is to integrate the FSLogix products into its desktop virtualization service to make managing user profiles easier and cut down on the time it takes for profiles to load.

Technically, the profiles are stored in a file known as a container. This container is a virtual hard disk (VHD) file that stores profiles and optimizes their management (loading and security).

This means that profiles are stored and centralized in an external storage space (Azure storage account), so the user always has access to the same user context, regardless of which machine they use to log in. Storage of the user profile data is separate from the operating system.

 

Back to AVD:

You can, of course, manage user profiles in the conventional way. However, if you want to use FSLogix to manage your profiles, you also need an agent on the machine locally.

This is not an issue with the OS versions offered by Azure. This agent is natively integrated. All you need to do is configure it.

Next, you should know that setting up AVD involves deploying your session hosts, the virtual machines from which you’ll share the desktop and/or the published apps.

 

From experience, your company is bound to have certain internal requirements (limiting user rights, customizing the GUI, installing security components, etc.) that must be met. You will need to use customized images that respect these constraints.

You can customize these images in a number of ways. These are the four most common customization methods.

 

Use the Marketplace Image for Every Deployment

 

This is the easiest way, and I recommend it first and foremost. The aim is to deploy the session host based on an image from the Azure Marketplace. This could be Windows Enterprise multi-session or Windows Server, with or without the Microsoft 365 applications already installed.

Then, you customize it by running a PowerShell script you developed at the end of the creation process.

 

Pros:

  • You use the latest version of Microsoft’s OS
  • You don’t need to worry about finding space to store a fully customized image

 

Cons:

  • You need to check that the deployed image is still functional (does a new feature impact my script or apps?)
  • All of the customization steps need to be possible in PowerShell

 

Create a Golden Image

 

With this method, you create a conventional virtual machine and customize it by installing all your applications and configuring the settings you need. Then, you run the old and well-known Sysprep tool, shut down the machine, and deallocate it.

You then have your golden image.

 

Pros:

  • Your image is frozen, and you have control over these changes
  • You can version the images you create

 

Cons:

  • You need to set up a shared image gallery to host your images
  • There will be a charge for storage space

 

Using Azure VM Image Builder

 

With Azure Image Builder, you can create an image based on a Windows or Linux OS and add your own customizations to it. You can then store the image in an Azure shared images gallery and manage its versioning.

 

Pros:

  • Supports operating systems beyond those used in AVD, which means it can be used outside AVD
  • Declarative syntax (ARM)

 

Cons:

  • Not available in all Azure regions

 

Using HashiCorp Packer

 

This is HashiCorp’s open-source tool for creating virtual machine images. Like their Terraform product, it takes a declarative approach.

To achieve this, you will need to make sure your AVD environment meets the requirements, create a HashiCorp Configuration Language (HCL) file with all the instructions for the image to be created, and then run this file in Azure.

 

Pros:

  • It is easy to customize a Marketplace image
  • Packer is a cross-platform tool
  • Declarative syntax (HCL)

 

Cons:

 

Choose your method based on your requirements and skills.

Infrastructure-as-Code (IaC) can be used to deploy your sessions in all scenarios.

 

User Profiles

 

A user has a profile when they log in to a Windows or Linux machine. This personal storage space is for one user only and is commonly called the user profile. In the Windows environment, this includes the My Documents, My Pictures, and My Music folders and all M365 family product configurations, including Outlook.

As you may have guessed, in AVD, users connect to a host pool made up of VMs called session hosts. When they log in, the load-balancing algorithm directs the user to one of the session hosts. The session host may differ each time they log in.

Without a mechanism to ensure a “roaming” profile, the user would have a profile for each session host. This would be counterproductive and extremely detrimental to the user experience.

The FSLogix solution from Microsoft counters this. The aim is simply to externalize the user profile within a storage space (a blob in a storage account) that can be accessed by each session host. Then, all you need to do is configure the session hosts to tell them where to find the user profile (via registry, PowerShell or Group Policy Object – GPO).

Keep in mind that using FSLogix requires a license (see below). In addition, an agent needs to be installed on the session hosts locally. This agent is already installed by default on Marketplace images for AVD.

I strongly recommend using user profiles by FSLogix, even though it is not required.
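
One way to apply and audit the registry configuration that tells a session host where to find FSLogix profiles. This is an added example, not code from the original article; the function names are hypothetical, and it assumes the profile storage is reachable over SMB at a UNC path you supply.

```powershell
#Requires -RunAsAdministrator
# Added example. Run on a session host.
# Enabled and VHDLocations are standard FSLogix Profile Container settings.
$ProfilesKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'

function Set-FSLogixProfileLocation {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\\\\[^\\]+\\[^\\]+')]   # must look like \\server\share
        [string]$VhdLocation
    )

    # Without the FSLogix agent the registry settings have no effect.
    if (-not (Get-Service -Name 'frxsvc' -ErrorAction SilentlyContinue)) {
        throw 'FSLogix agent service (frxsvc) not found on this host.'
    }

    # Confirm the file server answers on SMB before pointing profiles at it.
    $server = ($VhdLocation -split '\\')[2]
    $smb = Test-NetConnection -ComputerName $server -Port 445 -WarningAction SilentlyContinue
    if (-not $smb.TcpTestSucceeded) {
        throw "Cannot reach $server on TCP 445; profile containers would fail to attach."
    }

    if (-not (Test-Path $ProfilesKey)) {
        New-Item -Path $ProfilesKey -Force | Out-Null
    }
    # Enabled = 1 turns Profile Container on; VHDLocations is where containers live.
    New-ItemProperty -Path $ProfilesKey -Name 'Enabled' -PropertyType DWord `
        -Value 1 -Force | Out-Null
    New-ItemProperty -Path $ProfilesKey -Name 'VHDLocations' -PropertyType MultiString `
        -Value @($VhdLocation) -Force | Out-Null
}

function Get-FSLogixProfileDrift {
    # Reports whether this host still points at the expected share and nothing else.
    param([Parameter(Mandatory)][string]$ExpectedLocation)

    $current   = Get-ItemProperty -Path $ProfilesKey -ErrorAction SilentlyContinue
    $locations = @($current.VHDLocations | Where-Object { $_ })
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Enabled        = ($current.Enabled -eq 1)
        LocationMatch  = ($locations.Count -eq 1 -and $locations[0] -eq $ExpectedLocation)
        ActualLocation = $locations -join ';'
    }
}

# Usage (placeholder path, replace with your own share):
# $share = '\\<storage-account>.file.core.windows.net\<share>'
# Set-FSLogixProfileLocation -VhdLocation $share
# Get-FSLogixProfileDrift -ExpectedLocation $share
```

Running the drift check across all session hosts in a pool flags any host whose profiles would be written to a share other than the one you control.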

 

Azure Virtual Desktop Licensing

 

What Licenses Are Needed to Use Azure Virtual Desktop?

 

For the operating systems:

  • Windows 11 Enterprise multi-session
  • Windows 11 Enterprise
  • Windows 10 Enterprise multi-session
  • Windows 10 Enterprise

You need one of the following licenses:

  • Microsoft 365 E3/E5
  • Microsoft 365 A3/A5/Student Use Benefits
  • Microsoft 365 F3
  • Microsoft 365 Business Premium
  • Windows 11 and Windows 10 Enterprise E3/E5
  • Windows 11 and Windows 10 Education A3/A5
  • Windows 11 and Windows 10 VDA E3/E5

 

For the operating systems:

  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2

You need an RDS client access license (CAL) with Software Assurance (per user or per device) or RDS User Subscription Licenses.

  • RDS CAL license with active Software Assurance (SA) or
  • RDS User Subscription Licenses

 

Licenses required for FSLogix

 

FSLogix runs on all Microsoft-supported operating systems, including:

  • Windows 10 and Windows 11
  • Windows Server 2012 R2, 2016, 2019, 2022

 

You can use FSLogix if you have one of the following licenses:

  • Microsoft 365 E3/E5
  • Microsoft 365 A3/A5/ Student Use Benefits
  • Microsoft 365 F1/F3
  • Microsoft 365 Business
  • Windows 10 Enterprise E3/E5
  • Windows 10 Education A3/A5
  • Windows 10 VDA per user
  • Remote Desktop Services (RDS) Client Access License (CAL)
  • Remote Desktop Services (RDS) Subscriber Access License (SAL)
  • Azure Virtual Desktop per-user access license

 

Flow Matrix

 

Before you can deploy and use Azure Virtual Desktop, you need to make sure certain URLs are not blocked. This is so your session hosts can always access them.

These are listed below:

 

These flows must be authorized in your filtering solutions.

 

Landing zone

 

Microsoft provides resources to help you set up a landing zone for AVD and get started with Azure Virtual Desktop.

This “accelerator” guarantees that you will be able to handle all parts of the AVD ecosystem.

[Figure: Landing zone]

 

Have a look at the landing zone for AVD architecture document in the Microsoft documentation.

 

And what about Windows 365?

 

You’ve no doubt heard of Windows 365. But what’s the difference between AVD and Windows 365? Why use one solution over the other?

Firstly, in a nutshell, Windows 365 is a full software-as-a-service (SaaS) solution that lets you securely publish your customized Windows desktop, applications, settings, and content in the Microsoft cloud to any device.

That’s very similar to AVD, you might say. That’s precisely why you need to look more closely and compare.

Firstly, AVD is a PaaS solution, while Windows 365 is a SaaS solution. This first difference is important because it tells you that your level of responsibility will differ depending on the solution. It is already clear that AVD will give you greater flexibility and control.

 

Windows 365: The Cloud PC

 

  • Customized Windows 10 or Windows 11 desktop
  • Complete end-to-end Microsoft service
  • One-stop administration in Microsoft Endpoint Manager (Enterprise edition)
  • Direct self-service model (Business edition)
  • Predictable user pricing

 

Azure Virtual Desktop: The VDI Cloud

 

  • Windows 10, Windows 11, or Windows Server multi-session or personal desktops
  • Remote application delivery
  • Full control over configuration and management
  • Citrix and VMware support
  • Pay for what you use/consume.

 

Both will give your end users a customized, persistent desktop, but with Windows 365, you won’t need any special virtual desktop infrastructure (VDI) skills. On the other hand, AVD lets you publish only applications if you want to, and you can pick the VM family that runs them (optimized for GPU, memory, and virtual central processing unit (vCPU)).

 

Responsibility Model Comparison

 

As for the responsibility model, here is a table showing how the different solutions compare:

[Figure: Responsibility Model Comparison]

 

Windows 365 editions

 

With Windows 365, you can choose from several editions.

 

Windows 365 Business

 

For small businesses that don’t have or need Microsoft Endpoint Manager. This edition gives you rapid access to a ready-to-use PC in the cloud, and administration concentrates on a few core tasks.

  • Easy hosting and administration via windows365.microsoft.com
  • No license requirements
  • Azure AD Join support
  • Individual user management
  • Limited to companies with < 300 users

 

Windows 365 Enterprise

 

For organizations of all sizes that want in-depth integration with Microsoft Endpoint Manager. You can easily add more endpoints with Windows 365 Enterprise. It also gives you the tools and information you need to move to the cloud.

  • Deployment and management via Microsoft Endpoint Manager
  • Requires a Windows 11 or 10 Enterprise, Microsoft Endpoint Manager, and Azure Active Directory P1 license
  • Choose between Azure AD Join and Hybrid Azure AD Join
  • User group management
  • Choose an image from the Microsoft gallery or a customer-supplied image
  • Detailed reports and usable information
  • Unlimited number of users

 

Azure Virtual Desktop: Key Takeaways

 

Azure Virtual Desktop has become hugely popular in recent years. This is due both to customers who are already familiar with the product and understand the benefits of not having to manage the control plane, and to the lockdowns and rise in remote working we experienced. AVD made it possible for us to provide secure remote access to our information systems (IS) from a personal workstation.

See you in the next post, where we’ll be talking about the different ways:

  • to implement the solution in a hybrid world
  • to make it secure (firewall and private endpoint)
  • to limit access to it with conditional access

plus an explanation of

  • load balancing and
  • reverse connect technologies

which are built-in mechanisms to keep AVD secure.

 

Comments

Your elucidation on how Azure Virtual Desktop enables organizations to leverage the power of the cloud to deliver virtualized desktops and applications to their users resonated with me. Indeed, the flexibility and scalability offered by AVD can significantly enhance productivity and streamline IT management for businesses of all sizes.
