Let me say it this way; You are the B E S T !!!!!!!! Azure Teacher in TH-cam my friend !!!!! I hope you keep it up, we all learning a lot !!..... Many thanksss
This really helped to get out of the dilemma for WVD videos on TH-cam and various processes. Few Quick doubts. 1. Pre Requisites for WVD 2. Any specific Licenses required for users to access WVD. Can a user with Business Basic have WVD 3. How to install custom software for users to access in WVD
1. Prerequisites for WVD - docs.microsoft.com/en-us/azure/virtual-desktop/overview#requirements 2. see the requirements doc for the WVD User license requirements 3. Installing software on WVD VMs is 100% the same as installing software on ANY VM...what do you mean "customer software" ?
@@AzureAcademy Can the product group answer the question on docs.microsoft.com/en-us/azure/virtual-desktop/set-up-customize-master-image ? how can we download and customise the Mutli-Session image? on a 1903 ISO the Mutli-Session SKU is listed but you cannot install it. Mutli-Session will help provide that true Windows 10 experience and still allow us to have a high enough user density per server to save costs compared to running single session VDI's in AWS.
@@PeteAUS1983 Interesting question Pete...I am not sure I totally know what you are asking so I will answer it in 2 ways In the Azure Marketplace you should be able to see windows 10 images. portal.azure.com/#blade/Microsoft_Azure_Marketplace/MarketplaceOffersBlade/selectedMenuItemId/home/dontDiscardJourney/true Inside there is a windows 10 Enterprise image for Virtual Desktops Preview, Version 1903 & with Office 365 ProPlus So, in Azure you can deploy the 1903 image and customize it, then save that as a custom managed image and deploy that in WVD. Or add the WVD Agent and boot loader to the VM and directly add it to your hostpool, like in our other WVD video here th-cam.com/video/ksgBPIEgU2A/w-d-xo.html However if you are asking how you can download the mult-user windows 10 1903 image to your OnPrem environment and use it outside of WVD, this will not work at this time. As I understand it, this feature will only work in Windows Virtual Desktop. I believe the reason you see it in the Image SKU is because it is in there...but only functional in WVD, which is one of the main WVD offerings. Also this multi-user Windows 10 needs to be licenced, and it will only respond to the Azure KMS please let me know if I answered your question, or if I have misunderstood Thanks!
When setting the GPO settings - the "Delete local profile when FSLogix Profile should apply" save you the need to manaually delete any pre-existing local profiles which is helpful, as you either have to delete manaually as per the video or FSLogix will not create a profile for the user: docs.fslogix.com/display/20170529/FSLogix+Profiles+Configuration+Settings
Helpful video's. One thing that I've noticed when setting up the file share in the storage account is that WVD users need to be in the Storage File Data SMB Share Contributor group as well, otherwise they don't have permission to access the file and FSLogix will not push the profiles to the file share. I did not see you do that, but that is what was needed to fix my issue.
Thanks for the feedback Olin! There are 2 permissions related to the file data SMB share. If you need both then please answer this... Are you able to have a user log in if they are NOT a member of the AA DC Administrators? Or are all your users members of that group in Azure AD?
@@AzureAcademy I have my administrator that is part of AA DC Administrators and i've created a azure AD group "WVD Users" which contain User A and B. My admin is part of the Share Contributor and Elevated Contributer. This admin is able to log in just fine. User A and B are also able to login to WVD hosts but without adding "WVD Users" to Share Contributor their profiles will not be written to the storageaccount File Share, thus only having local profiles.
OK...the Azure storage account permissions of SMB Share contributor / elevated contributor are only needed in the setup. Once you have the share mapped to your first VM log in with a user who is a member of the SMB Share Elevated Contributor group so you can modify NTFS Permissions. Add your WVD Users group give the WVD Users group FULL Control on the share. Now ANY user in the WVD Users group should have full access the share without providing credentials. you can see these steps in action starting at 6:52 - 12:56 in the video
@@AzureAcademy Yes i've rewatched and reread all the steps there are to supposedly make this work. It only works when my WVD users are part of the share contributor group for the file share. It doesn't matter if in NTFS they have full control via an azure group, doesn't matter if I add them 1 by 1 so without a group. But as soon as they are part of the contributor group it works. Then the users can parse the share and FSLogix will dump their profile there. One other thing I noticed while testing. When the user does not have a FSlogix profile yet, and he/she logs in via web instead of the app the FSLogix profile will not be created.
@@AzureAcademy @Olin Hendriks I can confirm the same regarding the role assignment; users do not receive fslogix profile containers (on the azure file share) unless they have been assigned the role 'Storage File Data SMB Share Contributor' (verified via web client & Windows client). After the profile container has been created the role (seemingly) can be removed and the profile container will still be modified upon logging on/off. Conclusion of my testing is that the user needs both NTFS Full Control permissions and to be assigned the role 'Storage File Data SMB Share Contributor'. Once the profile container has been generated the role assignment can be safely removed.
Hi Dean, this is a very good piece of work, well articulated and staright to the point. The only thing you didnt work on is syncing users across to the domain services. I have deployed a domain services folowing your steps here but need to know how to sync my users across
Dean I just would like to thank you for the content. I work for a Microsoft vendor providing support, always recomend customers your videos and to my peers. We do not fully support WVD but we do support AADDS. I have seen your videos and you linked one down below for the ADConnect installation of WVD but did not see ADConnect involved. 2 Questions: 1 - Can you have both AADDS & ADConnect? Or you only need one or the other - as far as I know only one. 2 - Can you do a full video of the ADConnect deployment with WVD? I have seen the documentation but it really is not clear on either of these componets. Again, thanks for the content, you are a beast.
@Jean Thanks for your kind words...and for letting me know The Azure Academy has been so helpful for you. AADDS does NOT require Azure AD Connect. it is part of the service...with that said, YES you can still have it in your environment, depending on your configuration. If you have a traditional domain controller that you want to sync with Azure AD. However, AADDS will NOT sync with your AD directly...it only talks to Azure AD as I am sure you know. Since Azure AD Connect is a prerequisite for WVD and so many of my other things in my lab rely on it working I don't think I am going to be able to put them together in the same video...unless, you can get help me get The Azure Academy to 25,000 Subscribers before Thanks Giving 😁
No, seriously...help! LOL I want The Azure Academy to reach more people just like you and help them all. I do have another video I am working on that may fit into your ask in a better way. There is a feature called Azure AD Connect cloud provisioning, which is a newer take on Azure AD Connect...how would that be? oh yeah...and I want to get to 25,000 Subs 😁🤞👌😉😎😁
@@AzureAcademy Hey Dean, glad you responded, but not sure if I made myself clear. my point here is that, AADDS is one requirement but so is ADConnect. You have done and most of the deployments I've seen are with AADDS but I'd like to know; how to do the deployment with ADConnect only. It really is quite confusing when checking MSFT Docs. Because you have those 2 requirements. Is it that you only have ADConnect there and that's it or how do you connect it with WVD? BTW I do work for Tek-Experts here in Costa Rica - Sync & Account management vertical, hope one day I'll get to work directly to MSFT.
Weird.. was following this explicitly.. you got a nice CMD line phrase to cut paste.. mine gave me only Powershell, which failed "New-PSDrive : The specified network password is not correct".. but looked that up and some speculate it's a port 445 blockage somewhere..
Dean, Absolute awesome video, brilliant content and easy to follow - Apologies if I've missed it - but you mention that the link for your Git Hub Script is in the description, but I can't seem to find it: is it possible to the the link please :) thank you.
Great tutorial. I've tried a few in hopes of setting up FSLogix with Azure Files and none worked out. The step at 11:40 was what I was missing. On another note, in Windows 10 multi-session V 1903, the mapped drive does not show up in File Explorer when mapped from an Admin Console Window. I followed the steps in Solution 1 here: www.easeus.com/storage-media-recovery/mapped-network-drive-not-showing.html then remapped the share and it worked. Hopefully that helps anyone facing the same issue.
Great video series! Thank you. I still have on-prem AD and need to maintain some sort of hybrid cloud environment, legacy Windows auth apps, etc. What is my best option for domain join of WVD session hosts? AADDS with forest trust or my own DC?
@Azure Academy - thanks for these series of videos. I am trying to understand if this is possible? 1. Imagine 2 (or more) separate Azure Active Directories (2 separate Office 365/Azure Tenants - Tenant A and Tenant B) 2. Tenant C is where all WVD Resources need to be housed. 3. Users from Tenant A and Tenant B will connect to WVD host pools in Tenant C using their own Office 365 work work accounts. No physical/virtual DC setup. Can this be achieved with just 1 x ADDS in Tenant C?
Hm...interesting question. First off today, the WVD tenant is connected to 1 AzureAD Tenant. Now I am not sure of B2B/B2C scenarios that we might be able to leverage here or not so help me understand the scenario better. 1. Are all the AzureAD tenants here part of the same company? 2. If the 3 AzureAD tenants are not part of same company is your company a service provider and you are hoping to manage 1 WVD tenant environment for all your customers? 3. Who owns each AzureAD Tenant and will that same group own the WVD Tenant?
@@AzureAcademy Thanks for the reply! 1. All tenants are different companies. 2. A bit like that but yes - we want to centrally managed 1 WVD tenant that allows TenantA and TenantB Azure AD users to login using their Azure AD credentials. 3. I have admin rights to all 3 tenants. I am guessing we can leverage somehow using a Different Tenant Pool per Azure AD Tenant? Currently I see in the videos shows that "Default Tenant Pool" is used?
You can user multiple WVD Tenants, however they are all tied to 1 AzureAD Tenant...And With the 3 different AzureAD Tenants being different companies I have to ask how the users will get populated into the AzureAD Tenant where WVD is located?
Thanks for the video,would like to ask - Is AADS a requirement for fslogix to create the user profiles and store them in azure files? We have AD connect on an on-prem DC that synchronises user accounts to the cloud. It does a one way sync (On-prem to Azure). We currently have a WVD hostpool that is domain joined, but we are unable to get the user profiles created in the azure storage account even though we installed FsLogix and did the required registry changes.
yes and no... NO AADDS is NOT required for WVD or FSLogix but if you are using AADDS...then yes so in your case, since you have a domain controller already...no you do not need AADDS...and should not use it As for why it isn't working...make sure you have setup the permissions correctly. check out my video on Azure Files with AD Authentication for FSLogix th-cam.com/video/9S5A1IJqfOQ/w-d-xo.html
Great series.. not sure if this is a dumb question... but can Azure AD replace the need for a domain controller to host workstations?! 🤔 so like having WVD join Azure AD without needing a virtual server...
I am glad you are asking the question...please watch my new video on Azure AD DS where I explain that AzureAD DS is NOT extending your domain into Azure...after you watch this if you still want to use it with WVD...then yes it will work. th-cam.com/video/OWGVoJMdIRc/w-d-xo.html
@@AzureAcademy Great thanks.. I watched that.. so that video presumes I will still use my on-prem existing DC, which is entirely possible.. but not ideal, given that it's getting old and looking to be retired soon. If I have, say for example.. 2-3 users that require WVDs... can I join those WVDs up to Azure AD.. perhaps while using Azure Connect and creating a separate forest (if I'm transitioning the old DC out for retirement) and looking to migrate, over a few months or so
you certainly can @@tonelab Azure AD DS is made to work with WVD. But most of the advantages you had with you own domain controller you will lose. If you are good with the restrictions of AzureAD DS, then it will work fine 😉
@@AzureAcademy Thanks very much. I only need to do light workflow routines.. open documents, email via web-browser. It's mostly required 'this way' so I can control users, roles and manage passwords 👍
hi do you recommend WVD and Apps located into the same VM or to use seperate VMs for each thing? Like WVD-01 only WVD sessions and APP-01 only with the programs with MSIX?
Good question. There are over 6,000 different WVD tenants that are active...so a ton of customers are using it in one way or another. I would suggest that the risks are minimal to any Public Preview Product/Service in Azure. They are generally close to completion and stable enough for Microsoft to open them up to the public...which for a hyper-scale public cloud, could be larger than a lot of enterprises. Reasons why I would be OK with using WVD in Preview. 1. WVD is build on Azure VMs...which are fully backed by SLAs, WVD is the service that connects you to the VMs securely 2. WVD connectivity is build on outgoing connections on port 443, so it is secure 3. WVD is a more secure platform for connecting to VMs than public IP addresses 4. WVD is feature complete and will be made GA in the near future (no, I don't know the exact date) 5. WVD is a cloud based VDI / Remote Application tool...there is a ton of interest, so we need to learn it to support customers As for reasons to hold off. 1. Since it is not GA there are no SLAs on the service 2. Support is best effort 3. The service is not in many regions yet If you understand, and are ok with those restrictions and do not have a mission critical service, I would totally use WVD. Even if you do have those restrictions, I would still use it as a tool to learn, start a POC or a broad scale test. Finally, I would use this time to learn all you can about WVD, because once it is GA there will be armies of customers who want to use it...so we all better be ready to help them!
@@AzureAcademy Thanks for the feedback! I don't know when you started testing, but would assume pretty soon after the public release. Have you had any issues with a build after Microsoft made tweaks, updates or added features? If yes, what were they and did you have to start over and rebuild any portion or all of a deployment? I have a small business client with eight users that utilize a 2012r2 server for QuickBooks Enterprise. It is mission critical, but would you feel safe migrating this to WVD now? Thanks again!
@@AzureAcademy A couple more questions if you don't mind... I have done some testing and love what WVD has to offer - as you listed above. Is there a secret to getting additional trial credits? With different email addresses, I have created a few, but now I am blocked from opening any new accounts that aren't Pay-as-you-go. The WVDs that I have tested used the wizard in the marketplace to build and it created the AADDS for me. The monthly cost for that service is about $110 I think? Would you recommend a different route to achieve this requirement for smaller clients with tighter budgets? Would you parse out WVD desktops in a multi tenant fashion to different small clients and still maintain best practice security? What is the best way to accurately calculate monthly cost for WVD? Any experience with AWS Workspaces? The thing I like most is the predictable flat cost for X-resources. No surprises. Thanks, Louis!
I have been using WVD since before it was in public preview and as far as I know...There have not been breaking changes in WVD since it became public, meaning that a update happened and then other features stopped working. While I am confident in the WVD service and am working with several customers to implement it for their environments in one way or another, I cannot officially tell you that you should put your mission critical applications on a service in Azure that is not GA because you do not have any SLA. and to be clear this is specifically on the WVD connection service, Azure VMs themselves do have SLAs If you are OK with not having SLA and want to use the WVD service I think it will work great for you, but that depends on if the business wants to make this decision.
@@AzureAcademy any help with getting a new Azure Trial? I've been able to get two, but now it says ineligible. I have cleared browser data, opened incognito window, used a different CC and started with a new 365 E3 trial with a totally different email address. I can't change my name or cell. IMHO they should offer the WVD as a trial until GA :)
Thanks for the amazing content. I m working on a POC, where I have Azure VM with DC installed, can I setup WVD join to DC which is on Azure 2019 Windows server box? If not, how does it actually works?
Yes you can setup WVD. Since you already have a domain controller in Azure that means you already have a network in Azure. Have you setup Azure AD Connect to sync your identities from AD to Azure AD? If you gave then follow my video to setup WVD - th-cam.com/video/DrkQFSVD9Ik/w-d-xo.html
I have done exactly the same steps but when I login into the other vm it is not setting up the FX logix profile and cant see any profile in azure file share..
Thanks for the question Sarah! With Azure ADDS with Azure files you would have had to setup AADDS first then Azure files Then you should test from the VM that you can hit the Azure files share If so then you need to check your FSLogix config Let me know how it goes.
@@AzureAcademy yes i had setup AAADDS first and then i setup everything else...and everything is in the same the region...i had two vms in my hostpool and i had two users and for those two users i wanted yhe fxlogix profile and i am not getting any error ..same steps and everything but still when i log in i can't see the profile stored in azure files
@@AzureAcademy installed fslogix from the documentation and then i just installed it and set up the key in registery... before that i added my two users according to the steps you mentioned and then when i log in into the other vm with the user account that i have added..i can log in into the vm but can't see any profile getting stored in azure files . How will i get into the SMB share of the VM can u pls tell?
Hi Dean, I do have a question regarding WVD, do we need to set up some kind of NSG for the environment? or it is already secured? the reason why I am asking is that it seems when you go to Azure security center, we got a recommendation saying that wvd is exposed and required some NSG, but the weird thing is WVD doesn't have a public IP... any idea with this? thanks again!
That is an excellent question Hendi! The answer is yes & no...NSGs are 100% recommended as a free way to control traffic. That traffic source and/or destination can be internal or external. WVD is already a secure external front end which, as you point out does not need a public IP...so, no you don’t need it for public traffic...however it can still be useful for internal traffic. In a secure environment no system should be talking to any other system that they do not need to do their job so it is recommended to limit that traffic through NSG. Quick example: The WVD session host VMs need access to your domain controller and file server and a custom application front end...but it should never access the database server directly. So you can block the outgoing traffic from the WVD VMs with an NSG.
@@AzureAcademy makes sense! thank you! so the recommendation from azure security center is just a false alarm? not sure why the security center consider the wvd vm's have a public access even though there is no public ip's..
All WVD VMs are the same as all other Azure VMs. The only difference is that they have a Agent installed. the Security Center sees them as normal VMs, that is why you see those recommendations.
Good one...Is it possible to configure the fslogix profile settings on master VM and create VDIs from master VM instead of doing profile settings on each VM ?
Thank you for the feedback Mahammad. I think you are mixing concepts from VDI on prem, possibly Citrix to Azure. In Azure we can have images to create VMs from. Here is a video I did on custom images, and while I generally feel you don't need them in the cloud WVD is a very good use case for having your own custom images. th-cam.com/video/HGYXsf9IGOs/w-d-xo.html With that said, we can deploy WVD based off the custom image. However there is not a concept in WVD today to have a central server to manage a VM as an image with a profile. FSLogix manages the profile on top of the VM that is deployed from the image. Once the VM is deployed the VM is not directly connected to the image. So the VM can change and the image can change without impacting each other. However, if you can tell me why the way you are thinking of this solution would be better, or what advantages it would have I am happy to bring that feedback to the WVD Product Group as a potential improvement to WVD Thanks again!
Thanks Tom, for clarity you are referring to skipping the Registry configuration step and performing this with a GPO...correct? so you have a link you can share with everyone on where this is and how to implement. Thanks for contributing!
@@AzureAcademy Yes in the FSLogix installer there are the fslogix.adml and admx files. Just copy these to your Policy Definitions folder and then create a central GPO for configuring the FSLogix settings centrally. More details: docs.microsoft.com/en-us/fslogix/use-group-policy-templates-ht
I have one issue whenever i try to open up something like task manager or User account control setting, it is always asking me for administrators credentials as i am already the domain admin so why is it prompting me again and again
Can you clarify? You have an account like Sarah this is a domain admin. You created the VMs with an account named...local admin...which is the local admin You made the VMs part of WVD When you log in over WVD...what account are you logging in with? Is it Sarah, local admin or another account?
@@AzureAcademy i am logging in with my domain account which is a part of AADC ADMIN group so technically it should allow right? Why does it keep asking me for admin credentials
Want to learn everything about Azure AD FAST? *Start here!* th-cam.com/video/pN8o0owHfI0/w-d-xo.html
👍
Let me say it this way; You are the B E S T !!!!!!!! Azure Teacher in TH-cam my friend !!!!! I hope you keep it up, we all learning a lot !!..... Many thanksss
Thank you Yosmar, Happy Learning!
This really helped to get out of the dilemma for WVD videos on TH-cam and various processes. Few Quick doubts.
1. Pre Requisites for WVD
2. Any specific Licenses required for users to access WVD. Can a user with Business Basic have WVD
3. How to install custom software for users to access in WVD
1. Prerequisites for WVD - docs.microsoft.com/en-us/azure/virtual-desktop/overview#requirements
2. see the requirements doc for the WVD User license requirements
3. Installing software on WVD VMs is 100% the same as installing software on ANY VM...what do you mean "customer software" ?
Thanks
👍👍
all your videos are super excellent. I joined your Patreon. so much more value than what you are asking for. amazing!
Thanks for the feedback! Are there any topics you are looking for that we don’t have yet?
Friend referred me to your channel, you guys have some really great content. Thanks for sharing!
Thanks for the feedback!
Is there anything in particular you are interested in
@@AzureAcademy Can the product group answer the question on docs.microsoft.com/en-us/azure/virtual-desktop/set-up-customize-master-image ? how can we download and customise the Mutli-Session image? on a 1903 ISO the Mutli-Session SKU is listed but you cannot install it.
Mutli-Session will help provide that true Windows 10 experience and still allow us to have a high enough user density per server to save costs compared to running single session VDI's in AWS.
@@PeteAUS1983 Interesting question Pete...I am not sure I totally know what you are asking so I will answer it in 2 ways
In the Azure Marketplace you should be able to see windows 10 images.
portal.azure.com/#blade/Microsoft_Azure_Marketplace/MarketplaceOffersBlade/selectedMenuItemId/home/dontDiscardJourney/true
Inside there is a windows 10 Enterprise image for Virtual Desktops Preview, Version 1903 & with Office 365 ProPlus
So, in Azure you can deploy the 1903 image and customize it, then save that as a custom managed image and deploy that in WVD.
Or add the WVD Agent and boot loader to the VM and directly add it to your hostpool, like in our other WVD video here
th-cam.com/video/ksgBPIEgU2A/w-d-xo.html
However if you are asking how you can download the mult-user windows 10 1903 image to your OnPrem environment and use it outside of WVD, this will not work at this time.
As I understand it, this feature will only work in Windows Virtual Desktop.
I believe the reason you see it in the Image SKU is because it is in there...but only functional in WVD, which is one of the main WVD offerings.
Also this multi-user Windows 10 needs to be licenced, and it will only respond to the Azure KMS
please let me know if I answered your question, or if I have misunderstood
Thanks!
Many thanks!! This video so helpfully. Keep create another tutorial, I will watch all of your videos
Thanks for the feedback Muhammad!
We have many...many more videos planned, stay tuned!
When setting the GPO settings - the "Delete local profile when FSLogix Profile should apply" save you the need to manaually delete any pre-existing local profiles which is helpful, as you either have to delete manaually as per the video or FSLogix will not create a profile for the user: docs.fslogix.com/display/20170529/FSLogix+Profiles+Configuration+Settings
Thanks for the comment, this is awesome Tom!
I will also add the FSLogix docs link to this and my other WVD videos for everyone's future reference
The link you had no longer works...but this one does
docs.microsoft.com/en-us/fslogix/profile-container-configuration-reference
Thanks again!
Helpful video's. One thing that I've noticed when setting up the file share in the storage account is that WVD users need to be in the Storage File Data SMB Share Contributor group as well, otherwise they don't have permission to access the file and FSLogix will not push the profiles to the file share. I did not see you do that, but that is what was needed to fix my issue.
Thanks for the feedback Olin! There are 2 permissions related to the file data SMB share. If you need both then please answer this...
Are you able to have a user log in if they are NOT a member of the AA DC Administrators?
Or are all your users members of that group in Azure AD?
@@AzureAcademy I have my administrator that is part of AA DC Administrators and i've created a azure AD group "WVD Users" which contain User A and B. My admin is part of the Share Contributor and Elevated Contributer. This admin is able to log in just fine. User A and B are also able to login to WVD hosts but without adding "WVD Users" to Share Contributor their profiles will not be written to the storageaccount File Share, thus only having local profiles.
OK...the Azure storage account permissions of SMB Share contributor / elevated contributor are only needed in the setup.
Once you have the share mapped to your first VM log in with a user who is a member of the SMB Share Elevated Contributor group so you can modify NTFS Permissions.
Add your WVD Users group
give the WVD Users group FULL Control on the share.
Now ANY user in the WVD Users group should have full access the share without providing credentials.
you can see these steps in action starting at 6:52 - 12:56 in the video
@@AzureAcademy Yes i've rewatched and reread all the steps there are to supposedly make this work. It only works when my WVD users are part of the share contributor group for the file share. It doesn't matter if in NTFS they have full control via an azure group, doesn't matter if I add them 1 by 1 so without a group. But as soon as they are part of the contributor group it works. Then the users can parse the share and FSLogix will dump their profile there. One other thing I noticed while testing. When the user does not have a FSlogix profile yet, and he/she logs in via web instead of the app the FSLogix profile will not be created.
@@AzureAcademy @Olin Hendriks I can confirm the same regarding the role assignment; users do not receive fslogix profile containers (on the azure file share) unless they have been assigned the role 'Storage File Data SMB Share Contributor' (verified via web client & Windows client). After the profile container has been created the role (seemingly) can be removed and the profile container will still be modified upon logging on/off. Conclusion of my testing is that the user needs both NTFS Full Control permissions and to be assigned the role 'Storage File Data SMB Share Contributor'. Once the profile container has been generated the role assignment can be safely removed.
Hi Dean, this is a very good piece of work, well articulated and staright to the point. The only thing you didnt work on is syncing users across to the domain services. I have deployed a domain services folowing your steps here but need to know how to sync my users across
Check out my new video on AADDS for that info -
th-cam.com/video/OWGVoJMdIRc/w-d-xo.html
Dean I just would like to thank you for the content. I work for a Microsoft vendor providing support, always recomend customers your videos and to my peers. We do not fully support WVD but we do support AADDS. I have seen your videos and you linked one down below for the ADConnect installation of WVD but did not see ADConnect involved.
2 Questions:
1 - Can you have both AADDS & ADConnect? Or you only need one or the other - as far as I know only one.
2 - Can you do a full video of the ADConnect deployment with WVD?
I have seen the documentation but it really is not clear on either of these componets.
Again, thanks for the content, you are a beast.
@Jean Thanks for your kind words...and for letting me know The Azure Academy has been so helpful for you.
AADDS does NOT require Azure AD Connect. it is part of the service...with that said, YES you can still have it in your environment, depending on your configuration.
If you have a traditional domain controller that you want to sync with Azure AD.
However, AADDS will NOT sync with your AD directly...it only talks to Azure AD as I am sure you know.
Since Azure AD Connect is a prerequisite for WVD and so many of my other things in my lab rely on it working I don't think I am going to be able to put them together in the same video...unless, you can get help me get The Azure Academy to 25,000 Subscribers before Thanks Giving 😁
No, seriously...help! LOL I want The Azure Academy to reach more people just like you and help them all.
I do have another video I am working on that may fit into your ask in a better way.
There is a feature called Azure AD Connect cloud provisioning, which is a newer take on Azure AD Connect...how would that be?
oh yeah...and I want to get to 25,000 Subs 😁🤞👌😉😎😁
@@AzureAcademy Hey Dean, glad you responded, but not sure if I made myself clear. my point here is that, AADDS is one requirement but so is ADConnect. You have done and most of the deployments I've seen are with AADDS but I'd like to know; how to do the deployment with ADConnect only. It really is quite confusing when checking MSFT Docs. Because you have those 2 requirements. Is it that you only have ADConnect there and that's it or how do you connect it with WVD?
BTW I do work for Tek-Experts here in Costa Rica - Sync & Account management vertical, hope one day I'll get to work directly to MSFT.
AADDS does not need Azure AD Connect…Because it already has one under the covers.
That is how it syncs users from Azure AD into AADDS
The video is very good, can you show the creation of the Vnet implemented from scratch please
I suggest watching my latest video on AADDS for that info. th-cam.com/video/OWGVoJMdIRc/w-d-xo.html after that let know if you still have questions.
Weird.. was following this explicitly.. you got a nice CMD line phrase to cut paste.. mine gave me only Powershell, which failed "New-PSDrive : The specified network password is not correct".. but looked that up and some speculate it's a port 445 blockage somewhere..
check your network security groups on the AzureAD DS subnet allow port 445
Dean, Absolute awesome video, brilliant content and easy to follow - Apologies if I've missed it - but you mention that the link for your Git Hub Script is in the description, but I can't seem to find it: is it possible to the the link please :) thank you.
Here is the link, I have uploaded it to the video description as well - github.com/DeanCefola/Azure-WVD/tree/master/WVDTemplates/WVD-NewHost
@@AzureAcademy Thank you kindly :)
@@michaelraisbeck5217 👍👍
Great tutorial. I've tried a few in hopes of setting up FSLogix with Azure Files and none worked out. The step at 11:40 was what I was missing. On another note, in Windows 10 multi-session V 1903, the mapped drive does not show up in File Explorer when mapped from an Admin Console Window. I followed the steps in Solution 1 here: www.easeus.com/storage-media-recovery/mapped-network-drive-not-showing.html then remapped the share and it worked. Hopefully that helps anyone facing the same issue.
Good to hear and thanks for the feedback.
It is comments like this that help to build a community were people can find answers!
Great video series! Thank you. I still have on-prem AD and need to maintain some sort of hybrid cloud environment, legacy Windows auth apps, etc. What is my best option for domain join of WVD session hosts? AADDS with forest trust or my own DC?
You can use your OnPrem AD with WVD...but it is recommended to have a DC in Azure just like any other site or location.
@Azure Academy - thanks for these series of videos. I am trying to understand if this is possible?
1. Imagine 2 (or more) separate Azure Active Directories (2 separate Office 365/Azure Tenants - Tenant A and Tenant B)
2. Tenant C is where all WVD Resources need to be housed.
3. Users from Tenant A and Tenant B will connect to WVD host pools in Tenant C using their own Office 365 work work accounts.
No physical/virtual DC setup. Can this be achieved with just 1 x ADDS in Tenant C?
Hm...interesting question. First off today, the WVD tenant is connected to 1 AzureAD Tenant. Now I am not sure of B2B/B2C scenarios that we might be able to leverage here or not so help me understand the scenario better.
1. Are all the AzureAD tenants here part of the same company?
2. If the 3 AzureAD tenants are not part of same company is your company a service provider and you are hoping to manage 1 WVD tenant environment for all your customers?
3. Who owns each AzureAD Tenant and will that same group own the WVD Tenant?
@@AzureAcademy Thanks for the reply!
1. All tenants are different companies.
2. A bit like that but yes - we want to centrally managed 1 WVD tenant that allows TenantA and TenantB Azure AD users to login using their Azure AD credentials.
3. I have admin rights to all 3 tenants.
I am guessing we can leverage somehow using a Different Tenant Pool per Azure AD Tenant? Currently I see in the videos shows that "Default Tenant Pool" is used?
You can user multiple WVD Tenants, however they are all tied to 1 AzureAD Tenant...And With the 3 different AzureAD Tenants being different companies I have to ask how the users will get populated into the AzureAD Tenant where WVD is located?
Thanks for the video,would like to ask - Is AADS a requirement for fslogix to create the user profiles and store them in azure files? We have AD connect on an on-prem DC that synchronises user accounts to the cloud. It does a one way sync (On-prem to Azure). We currently have a WVD hostpool that is domain joined, but we are unable to get the user profiles created in the azure storage account even though we installed FsLogix and did the required registry changes.
yes and no...
NO AADDS is NOT required for WVD or FSLogix
but if you are using AADDS...then yes
so in your case, since you have a domain controller already...no you do not need AADDS...and should not use it
As for why it isn't working...make sure you have setup the permissions correctly. check out my video on Azure Files with AD Authentication for FSLogix
th-cam.com/video/9S5A1IJqfOQ/w-d-xo.html
Great series.. not sure if this is a dumb question... but can Azure AD replace the need for a domain controller to host workstations?! 🤔 so like having WVD join Azure AD without needing a virtual server...
I am glad you are asking the question...please watch my new video on Azure AD DS where I explain that AzureAD DS is NOT extending your domain into Azure...after you watch this if you still want to use it with WVD...then yes it will work.
th-cam.com/video/OWGVoJMdIRc/w-d-xo.html
@@AzureAcademy Great thanks.. I watched that.. so that video presumes I will still use my on-prem existing DC, which is entirely possible.. but not ideal, given that it's getting old and looking to be retired soon. If I have, say for example.. 2-3 users that require WVDs... can I join those WVDs up to Azure AD.. perhaps while using Azure Connect and creating a separate forest (if I'm transitioning the old DC out for retirement) and looking to migrate, over a few months or so
you certainly can @@tonelab
Azure AD DS is made to work with WVD. But most of the advantages you had with you own domain controller you will lose.
If you are good with the restrictions of AzureAD DS, then it will work fine 😉
@@AzureAcademy Thanks very much. I only need to do light workflow routines.. open documents, email via web-browser. It's mostly required 'this way' so I can control users, roles and manage passwords 👍
@@tonelab sounds good
hi do you recommend WVD and Apps located into the same VM or to use seperate VMs for each thing? Like WVD-01 only WVD sessions and APP-01 only with the programs with MSIX?
Depends on the size, density and requirements of your environment. If the number of users you have justifies the segmenting of desktop and apps
So you are going live with WVD even though it isn't GA release yet? What are the risks in doing so?
Good question.
There are over 6,000 different WVD tenants that are active...so a ton of customers are using it in one way or another.
I would suggest that the risks are minimal to any Public Preview Product/Service in Azure.
They are generally close to completion and stable enough for Microsoft to open them up to the public...which for a hyper-scale public cloud, could be larger than a lot of enterprises.
Reasons why I would be OK with using WVD in Preview.
1. WVD is build on Azure VMs...which are fully backed by SLAs, WVD is the service that connects you to the VMs securely
2. WVD connectivity is build on outgoing connections on port 443, so it is secure
3. WVD is a more secure platform for connecting to VMs than public IP addresses
4. WVD is feature complete and will be made GA in the near future (no, I don't know the exact date)
5. WVD is a cloud based VDI / Remote Application tool...there is a ton of interest, so we need to learn it to support customers
As for reasons to hold off.
1. Since it is not GA there are no SLAs on the service
2. Support is best effort
3. The service is not in many regions yet
If you understand, and are ok with those restrictions and do not have a mission critical service, I would totally use WVD.
Even if you do have those restrictions, I would still use it as a tool to learn, start a POC or a broad scale test.
Finally, I would use this time to learn all you can about WVD, because once it is GA there will be armies of customers who want to use it...so we all better be ready to help them!
@@AzureAcademy Thanks for the feedback! I don't know when you started testing, but would assume pretty soon after the public release. Have you had any issues with a build after Microsoft made tweaks, updates or added features? If yes, what were they and did you have to start over and rebuild any portion or all of a deployment?
I have a small business client with eight users that utilize a 2012r2 server for QuickBooks Enterprise. It is mission critical, but would you feel safe migrating this to WVD now?
Thanks again!
@@AzureAcademy A couple more questions if you don't mind... I have done some testing and love what WVD has to offer - as you listed above. Is there a secret to getting additional trial credits? With different email addresses, I have created a few, but now I am blocked from opening any new accounts that aren't Pay-as-you-go.
The WVDs that I have tested used the wizard in the marketplace to build and it created the AADDS for me. The monthly cost for that service is about $110 I think? Would you recommend a different route to achieve this requirement for smaller clients with tighter budgets? Would you parse out WVD desktops in a multi tenant fashion to different small clients and still maintain best practice security? What is the best way to accurately calculate monthly cost for WVD?
Any experience with AWS Workspaces? The thing I like most is the predictable flat cost for X-resources. No surprises.
Thanks, Louis!
I have been using WVD since before it was in public preview and as far as I know...There have not been breaking changes in WVD since it became public, meaning that a update happened and then other features stopped working.
While I am confident in the WVD service and am working with several customers to implement it for their environments in one way or another, I cannot officially tell you that you should put your mission critical applications on a service in Azure that is not GA because you do not have any SLA.
and to be clear this is specifically on the WVD connection service, Azure VMs themselves do have SLAs
If you are OK with not having SLA and want to use the WVD service I think it will work great for you, but that depends on if the business wants to make this decision.
@@AzureAcademy any help with getting a new Azure Trial? I've been able to get two, but now it says ineligible. I have cleared browser data, opened incognito window, used a different CC and started with a new 365 E3 trial with a totally different email address. I can't change my name or cell. IMHO they should offer the WVD as a trial until GA :)
Thanks for the amazing content. I m working on a POC, where I have Azure VM with DC installed, can I setup WVD join to DC which is on Azure 2019 Windows server box? If not, how does it actually works?
Yes you can setup WVD. Since you already have a domain controller in Azure that means you already have a network in Azure.
Have you setup Azure AD Connect to sync your identities from AD to Azure AD?
If you gave then follow my video to setup WVD - th-cam.com/video/DrkQFSVD9Ik/w-d-xo.html
+Abraham Dhanyaraj yes that works check out any of my AVD videos for more info
+Abraham Dhanyaraj yes you can
I have done exactly the same steps but when I login into the other vm it is not setting up the FX logix profile and cant see any profile in azure file share..
Thanks for the question Sarah!
With Azure ADDS with Azure files you would have had to setup AADDS first then Azure files
Then you should test from the VM that you can hit the Azure files share
If so then you need to check your FSLogix config
Let me know how it goes.
@@AzureAcademy yes i had setup AAADDS first and then i setup everything else...and everything is in the same the region...i had two vms in my hostpool and i had two users and for those two users i wanted yhe fxlogix profile and i am not getting any error ..same steps and everything but still when i log in i can't see the profile stored in azure files
Understood
How did you configure FSLogix?
Also can you get to the SMB share from the VM without logging in or providing a password?
@@AzureAcademy installed fslogix from the documentation and then i just installed it and set up the key in registery... before that i added my two users according to the steps you mentioned and then when i log in into the other vm with the user account that i have added..i can log in into the vm but can't see any profile getting stored in azure files .
How will i get into the SMB share of the VM can u pls tell?
After you installed FSLogix which registry keys did you add?
There should have been at least 2
Hi Dean, I do have a question regarding WVD, do we need to set up some kind of NSG for the environment? or it is already secured? the reason why I am asking is that it seems when you go to Azure security center, we got a recommendation saying that wvd is exposed and required some NSG, but the weird thing is WVD doesn't have a public IP... any idea with this? thanks again!
That is an excellent question Hendi! The answer is yes & no...NSGs are 100% recommended as a free way to control traffic. That traffic source and/or destination can be internal or external.
WVD is already a secure external front end which, as you point out does not need a public IP...so, no you don’t need it for public traffic...however it can still be useful for internal traffic.
In a secure environment no system should be talking to any other system that they do not need to do their job so it is recommended to limit that traffic through NSG.
Quick example:
The WVD session host VMs need access to your domain controller and file server and a custom application front end...but it should never access the database server directly.
So you can block the outgoing traffic from the WVD VMs with an NSG.
@@AzureAcademy makes sense! thank you! so the recommendation from azure security center is just a false alarm? not sure why the security center consider the wvd vm's have a public access even though there is no public ip's..
All WVD VMs are the same as all other Azure VMs. The only difference is that they have a Agent installed. the Security Center sees them as normal VMs, that is why you see those recommendations.
Good one...Is it possible to configure the fslogix profile settings on master VM and create VDIs from master VM instead of doing profile settings on each VM ?
Thank you for the feedback Mahammad.
I think you are mixing concepts from VDI on prem, possibly Citrix to Azure.
In Azure we can have images to create VMs from.
Here is a video I did on custom images, and while I generally feel you don't need them in the cloud WVD is a very good use case for having your own custom images.
th-cam.com/video/HGYXsf9IGOs/w-d-xo.html
With that said, we can deploy WVD based off the custom image.
However there is not a concept in WVD today to have a central server to manage a VM as an image with a profile.
FSLogix manages the profile on top of the VM that is deployed from the image.
Once the VM is deployed the VM is not directly connected to the image.
So the VM can change and the image can change without impacting each other.
However, if you can tell me why the way you are thinking of this solution would be better, or what advantages it would have I am happy to bring that feedback to the WVD Product Group as a potential improvement to WVD
Thanks again!
@@AzureAcademy You can also do the FSLogix config from a single central GPO, you dont have to do it locally on each one.
Thanks Tom,
for clarity you are referring to skipping the Registry configuration step and performing this with a GPO...correct?
so you have a link you can share with everyone on where this is and how to implement.
Thanks for contributing!
@@AzureAcademy Yes in the FSLogix installer there are the fslogix.adml and admx files. Just copy these to your Policy Definitions folder and then create a central GPO for configuring the FSLogix settings centrally. More details: docs.microsoft.com/en-us/fslogix/use-group-policy-templates-ht
👍😁👍
Hi, what is the cost for that you build here? Thank you.
AzureAD Domain Services cost is just over $100.00 per month.
I have one issue whenever i try to open up something like task manager or User account control setting, it is always asking me for administrators credentials as i am already the domain admin so why is it prompting me again and again
Can you clarify? You have an account like Sarah this is a domain admin.
You created the VMs with an account named...local admin...which is the local admin
You made the VMs part of WVD
When you log in over WVD...what account are you logging in with?
Is it Sarah, local admin or another account?
@@AzureAcademy i am logging in with my domain account which is a part of AADC ADMIN group so technically it should allow right? Why does it keep asking me for admin credentials
I am domain admin as well as local admin but when my some other user who are domain admins cannot open up and I don't want that l
I need more info to help on this...
When you log in with the domain admin account or with local admin are you connecting over RDP or WVD?
So the AADC Admin group is related to AzureAD Domain Services.
Can you verify that you are using AADDS as your domain controller?
Have you set this up with privatelink? It just keeps prompting a login.
Hey Tim, I have not tried to setup AADDS with privatelink
Or were you talking about WVD?
Azure Academy Sorry, was talking about the file storage. Setting up private link on it and I can’t connect. Works when I open to everything though.
Ah...when you connect to the storage account how are you doing that?
\\.file.core.windows.net\\
\\.privatelink.file.core.windows.net\\
\\\\
Azure Academy I created a DNS record in AADS for the privatelink ip.
ok, can you map to it from the Private IP as well?