Transcription

Remote Desktop IO Lab, March 20th-22nd 2018, Redmond, Washington

WVD Infrastructure Services
Stefan Georgiev, PM

What is RDS?
[Diagram: RD Clients connect over RDP, either directly or through RD Infra, to Remote hosts grouped in Host Pool(s); the hosts are built from an Image and reach User profiles over SMB.]
Microsoft Confidential

Virtualization Terms and Definitions

Background: How does this work?
Deployment models and share:

                  Pooled (non-persistent VMs)   Personal (persistent VMs)
Single Session    15%                           5%
Multi-Session     80%                           Rare

Virtualization Scenarios
Security and ... / ...ized workloads
- Financial Services
- Mergers and acquisition
- BYOD and mobile
- Design and engineering
- Healthcare
- Short term employees
- Call centers
- Legacy apps
- Government
- Contractor and partner access
- Branch workers
- Software dev test

Windows Virtual Desktop
The best virtual desktop experience, delivered on Azure
- The only multi-user Windows 10 experience
- Optimized for Office 365 ProPlus
- Deploy and scale in minutes

What is Windows Virtual Desktop
- Microsoft service on Azure for VDI/RDSH management
- Enables a multi-user Windows 10 experience, optimized for Office 365 ProPlus
- Most scalable service to deploy and manage
- Most flexible service allowing you to virtualize both desktops and apps
- Windows 7 virtual desktop with free Extended Security Updates
- Integrated with the security and management of Microsoft 365

High Level Architecture
- Provides virtualization infrastructure as a managed service
- Utilizes Azure Active Directory identity management service
- Deploy and manage VMs in Azure subscription
- Manage using existing tools like Configuration Manager or Microsoft Intune
[Diagram: "Managed by Microsoft" control plane: Web access, Diagnostics, Gateway, Management, Broker, Load balancing. "Your subscription - your control": Windows 7 Enterprise, Windows 10 Enterprise, Windows Server 2012 R2 and up, RemoteApp, Windows 10 Enterprise multi-session; simply connect to on-premise resources. "Managed by Microsoft" platform: Compute, Storage, Networking.]

Azure AD Authentication
- Clients authenticate with Azure Active Directory (Azure AD) identities
- Azure AD allows usage of Conditional Access and Multi-factor Authentication
- Windows VMs are AD domain-joined for optimal app compatibility
[Diagram: RD clients (customer-managed); Windows Virtual Desktop (Microsoft-managed Azure services) with Azure SQL DB behind a firewall; customer-managed Azure VMs and services behind a firewall, synchronized to Azure AD through Azure AD Connect.]

User Connection Flow
1. User launches RD client which connects to Azure AD, user signs in, and Azure AD returns token
2. RD client presents token to Web Access, Broker queries DB to determine resources authorized for user
3. User selects resource, RD client connects to Gateway
4. Broker orchestrates connection from host agent to Gateway
5. RDP traffic now flows between RD client and session host VM over connections 3 and 4
[Diagram: RD clients (customer-managed), Windows Virtual Desktop (Microsoft-managed Azure services, Azure SQL DB), Azure AD, and customer-managed Azure VMs and services behind firewalls, with the connections above numbered 0 to 4.]

Improved Isolation: Reverse Connect
- Outbound WebSocket connections from VMs to Broker and Gateway
- Bidirectional communications between VMs and RD infra over https (443)
- No inbound ports need be opened on the VM.
[Diagram: same components as the connection flow; the session host VMs open connection 4 outbound through the customer firewall to the Microsoft-managed services.]

Multitenancy
[Diagram: two customer-managed environments, each with its own Azure VMs and services, Azure AD, Azure AD Domain Services and User Profile on Azure Files behind its own firewall, both served by the shared Microsoft-managed Windows Virtual Desktop services (Azure SQL DB) and RD clients.]

Extensible Platform
- Third-party apps can use PowerShell or REST API to extend the Windows Virtual Desktop platform
- Examples: Deployment automation, VM scaling & provisioning, Web UI to configure, monitor, and troubleshoot, etc.
[Diagram: a third-party app drives PowerShell against the Microsoft-managed Windows Virtual Desktop services; customer-managed Windows 10 Enterprise multi-session VMs and Azure AD sit behind firewalls.]

Virtualization Hosts Today

                 Windows Server Desktop Experience            Windows 10 Enterprise
Description      Scalable multi-user legacy Windows            Native single-session modern Windows
                 environment.                                  experience.
OS               Windows Server                                Windows 10
Users            Multiple users                                Single user
App types        Win32                                         Win32, UWP
Office           Office 2019 Perpetual                         Office 365 ProPlus
Servicing        Long-Term Servicing Channel                   Semi-Annual Channel

Virtualization Hosts of the Future

                 Windows Server RD Session Host      Windows 10 Enterprise Multi-session       Windows 10 Enterprise
Description      Scalable multi-user legacy          Scalable multi-session modern Windows    Native single-session modern
                 Windows environment.                user experience with Windows 10          Windows experience.
                                                     Enterprise security.
OS               Windows Server                      Windows 10                               Windows 10
Users            Multiple users                      Multiple users                           Single user
App types        Win32                               Win32, UWP                               Win32, UWP
Office           Office 2019 Perpetual               Office 365 ProPlus                       Office 365 ProPlus
Servicing        Long-Term Servicing Channel         Semi-Annual Channel                      Semi-Annual Channel

FSLogix Improvements
- Low integrity application support
- Faster load times for user profiles
- Improves Outlook and OneDrive performance
- Address book caching
- Search index per user with Windows Server 2016 / 2012 R2
- Integration with Azure Files (preview feature with AD Domain Services)
- Cloud cache

FSLogix & WVD Integration Road Map
- Public Preview: Deploy as any other independent product. Configure via FSLogix UI.
- GA: Deploy as any other independent product. Configure via FSLogix UI. We want to provide scripts / ARM templates.
- Post GA: Fully integrated with WVD. Configuration and management via WVD UI and RDS PowerShell.

Secure by Design
Service:
- Reverse connect isolates the customer environment
- AAD integration enables Conditional Access and MFA
- All connections to the service are encrypted
Windows 10 Enterprise multi-session:
- Windows Defender ATP optimized for virtualization

Network Requirements and Considerations
Requirements:
- Network must route to a Windows Server Active Directory (AD)
- This AD must be in sync with Azure AD so users can be associated between the two
- VMs must domain-join this AD
Considerations:

Connectivity                Type       Special considerations
ExpressRoute                Hybrid     Dedicated network through service provider.
Site-to-Site VPN            Hybrid     Limited bandwidth compared to ExpressRoute.
Azure AD Domain Services    Isolated   Must synchronize password hashes to Azure AD
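The reverse-connect slide says session hosts need only outbound 443 to the RD infrastructure and no inbound ports, and this slide says they must reach a Windows Server AD. An added example (not from the deck or from the product team) of an Azure network security group that encodes both properties for a session-host subnet, using the Az.Network module; resource group, location, address ranges and rule names are assumptions.

```powershell
# Added example: NSG for a WVD session-host subnet reflecting the reverse-connect model.
# Assumptions (not from the deck): resource group, location and the AD subnet range.
$rg       = "rg-wvd-hosts"
$location = "westus2"
$adSubnet = "10.0.1.0/24"   # subnet that holds the Windows Server AD domain controllers

$rules = @(
    # Session hosts open outbound WebSocket connections to Broker and Gateway over 443.
    New-AzNetworkSecurityRuleConfig -Name "Allow-Outbound-443-RDInfra" `
        -Description "Reverse connect: VM -> RD infra over https" `
        -Direction Outbound -Access Allow -Protocol Tcp -Priority 100 `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix "Internet" -DestinationPortRange 443

    # Domain join and AD traffic stay inside the customer network, to the AD subnet only.
    New-AzNetworkSecurityRuleConfig -Name "Allow-Outbound-AD" `
        -Description "Domain join / AD traffic to the customer AD subnet" `
        -Direction Outbound -Access Allow -Protocol "*" -Priority 110 `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix $adSubnet -DestinationPortRange "*"

    # Reverse connect means no inbound RDP listener has to be reachable: deny 3389 explicitly,
    # so a later "allow RDP from Internet" rule cannot slip in below the default rules.
    New-AzNetworkSecurityRuleConfig -Name "Deny-Inbound-RDP" `
        -Description "No inbound ports are required for WVD session hosts" `
        -Direction Inbound -Access Deny -Protocol Tcp -Priority 100 `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange 3389
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "nsg-wvd-session-hosts" -SecurityRules $rules

# Review what was created: every rule, its direction, verdict and port.
$nsg.SecurityRules | Select-Object Name, Direction, Access, DestinationPortRange, Priority
```

Associate the NSG with the session-host subnet (or each VM NIC) so that hosts with an accidental public IP are still unreachable on 3389 while their outbound 443 path to the broker and gateway remains open.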

Deployment and Management Options
Deployment:
- Through templates: Onboarding will be through Azure Marketplace or through Github using ARM templates.
  - Deploy new session host pools
  - Update existing host pool
Management:
- Using REST APIs
  - Capability to set and manage WVD settings directly
  - Can build complex workflows when partnered with WVD REST APIs
  - Sample management UI (code and usable bits) will be provided
- PowerShell
  - Best option for repeatable deployment
  - Options to integrate with Azure Automation
  - Take advantage of DSC
- Other options
  - Terraform
  - Working with partners and their management solutions.

Migration
- Migration will be allowed for Azure VMs that are part of other virtualization environments (including RDS on Azure)
- Migration steps will be published as part of the WVD docs.
- Migration recommendations from AWS to WVD will also be published as part of the WVD docs.
- Partners (CloudJumper, Aspex) will also work with their customers in automating migration from other clouds and technologies to WVD.

Master Image Management
- Master image can be managed by any already existing process / technologies. WVD does not introduce limitations.
  - Azure Update Management
  - SCCM
  - 3rd party
- We are going to publish a best practices document on how to configure a golden image for WVD.

Patch Management
- It is recommended to designate a host pool as a pilot group that receives the updates before all host pools are updated. This makes it possible to test updates before mass deployment.
- Updates for VMs should also be managed by existing Update Management solutions available for Azure. It is strongly recommended to update all VMs within a host pool to keep a consistent user experience.
- The update can be staged in the maintenance window to always keep systems available for user logon. After the maintenance window is completed, all VMs within a collection must be at the same update level.

Application Layering
- For public preview and GA, application layering is via 3rd party partners
  - Liquidware
- Application deployment
  - PowerShell DSC / Extensions
  - Chocolatey

Full desktop vs. RemoteApp
- Based on what your users need to do.
- Full desktop
  - Power Users / Developers that need to install their own apps
  - Clients lack computing power / outdated
- Use RemoteApp
  - Clients vary widely and application consistency is impacted
  - Different version of the same app from different OS

VM management - SCCM
- SCCM can be used for applying VM-based policies and for keeping apps and OS up-to-date
- Supported OS:
  - Windows Server SKUs
  - Windows 10
- Evaluating Win10 EVD support for GA; this is not yet confirmed.

VM management - Intune
- Evaluating support for Win10 EVD through Intune. Right now there are gaps and we are pushing for this to be fixed by GA.

Copyright Microsoft Corporation. All rights reserved.
