Microsoft Windows

Virtual Desktop
The best virtual desktop experience, delivered on Azure

Adam Whitlatch– Global Black Belt WVD

April 2020
Agenda
Topic Detail

Intros – Moderators
WVD Overview & Architecture Demo – User Experience
Q&A Demo Application Publishing
Partner Ecosystem

User Environment / User Data / Applications Demo Azure Files / FSLogix

Q&A
Networking, Host Pools
Image Management Demo – Simple Image Process
Q&A
Monitoring Demo – Azure Monitor – Sepago
Q&A
Spring Release Demo – Azure Portal ARM

Q&A – Wrap Up
Adam Whitlatch
https://www.linkedin.com/in/adamwhitlatch/
Twitter: @adam_whitlatch
Why does this matter to customers

Most desktop and Customers are Broader cloud

app virtualization running up against migration of
solutions are running End of Support for Windows Server and
Windows Server and Windows 7 and SQL Server as well as
are currently on- Windows Server modernization to
premises 2008/R2 Windows 10
Why virtualize Windows desktops and apps on Azure?

Mobility – users can access from any device, anywhere

Security – business data never leaves Azure
Scalability – adjust to fluctuations in workforce
Compatibility – older apps can run virtualized
Performance – apps remain close to the data
Management – single image for many users
Cost – utilize the elasticity of Azure
Customer challenges
Customer Challenges Windows Virtual Desktop customer promises

Deliver the only multi-session Windows 10 experience

End-user experience trade-off in multi-session environments • Windows 10 multi-session and single-session

• Free Windows 7 Extended Security Updates

Enable optimizations for Office 365 ProPlus

Poor O365 experience in non-persistent multi-session • FSLogix -> fast VHD load times
• Per machine Install – OneDrive, Teams
• Search, cache, indexing improvements

Migrate existing RDS deployments to Azure

Remote Desktop deployments can be expensive • CAPEX to OPEX

• Tools to utilize Azure elasticity/scalability

Deploy and scale in minutes

Deployment/Management experience is sub-optimal • ARM templates for simplified deployment

• Web GUIs for simplified management
• Partner ecosystem extensibility
Business demands…

Innovation Costs Agility Repeatability,

Predictability,
Availability

More innovation Take advantage of cloud Business agility and Fast and predictable
at a faster pace scale and economics flexibility response to change
and zero downtime
On-prem Desktop Virtualization Presents Challenges

Inconsistent User & Variable user experience across device types and clients
IT Administrator High effort to setup, configure, and monitor security
Experience Complex remote desktops management

Poor scalability and flexibility of on-prem infrastructure

High upfront Capex costs not aligned to business use
Unattractive
High cost of delivering true Windows 10 experience
Economics
High client and management licensing costs
High labor costs

Non-standard Variability across multi-site, global deployments

Deployments & High investment in security
Environments Non-standard deployments limit available talent to deploy/manage
 Difference between traditional VDI/RDS and DaaS

Traditional VDI/RDS Desktop-As-a-Service

Entitlement Entitlement
Managed by partner
Brokering Image Management
Image Management Brokering
Licensing Licensing
Maintenance Maintenance
Managed by Microsoft
Network Network
Servers/Storage Servers/Storage
Hosting Hosting

**Gartner, Inc., When Midsize Organizations Should Select Desktop as a Service, Nathan Hill, Refreshed: July 19, 2018
WVD Overview?
Windows Virtual Desktop
Windows Virtual Desktop is a comprehensive flexible
service built on Azure that allows you to virtualize both
desktop and applications then deliver those resources
seamlessly to your end users.

Key Features
Enables a new multi-session Windows 10 experience,
optimized for Office 365 ProPlus

Supports Server 2012R2, 2016 & 2019

Global Service with Scale up and scale out capabilities

Personal and Pooled Desktops, Published Apps

Windows 7 virtual desktop with free Extended Security

Updates (Single Session)

Integrates with the security and management

of Microsoft 365, and security/compliance features in Azure
Native Windows Virtual Desktop
Managed by Microsoft

High Level Architecture Web access Diagnostics Gateway

Use Azure Active Directory identity management Management Broker Load balancing
service
Your subscription – Your control
Provide virtualization infrastructure as a managed
service
Windows 10 Windows Server
Deploy and manage virtual machines in Azure Enterprise 2012 R2 and up

subscription Windows 7
Enterprise

Windows 10 Enterprise RemoteApp

Manage using existing tools like Configuration multi-session

Manager or Microsoft Intune Managed by Microsoft

Connect easily to on-premises resources

Compute Storage Network
Security and Compliance
The Windows Virtual Desktop service is built upon the industry leading security and compliance capabilities of Azure

• Authentication is based Azure Active Directory. Azure AD has numerous services to protect user
identities and access to the Windows Virtual Desktop service.
• Conditional access
• Multi-factor authentication
• Identity governance
• Identity protection
• Privileged identity management
• Advanced reports and monitoring

For the Windows Virtual Desktop service layer

• The Windows Virtual Desktop service retains minimal metadata which is encrypted.
• All traffic to/from the WVD service is encrypted.
• All traffic to/from clients uses port 443.
• WVD role-based access control enables delegation of admin rights at granular level.
• Reverse connect eliminates the need to open inbound ports, reducing the attack surface.

14
Compliance & Latency Considerations
General
• Users can be anywhere on the Internet
• VMs can be in any Azure Region

Data Sovereignty
• Customer/user data locale is controlled by administrator based on VMs, File Shares etc
• Service metadata (e.g. which user is connected to which VM) is stored in US region. WVD
service not available in all regions

Connection Latency
Latency will vary based on the location of user, VM, and Windows Virtual Desktop services
Latency will continuously improve as Windows Virtual Desktop services are deployed to new
geographies
Web-based tool provided to estimate latency from user location to Azure region of VM

15
Improved Isolation: Reverse Connect

Bidirectional communications between VMs and RD infra over https (443)

RD clients Windows Virtual Desktop Windows 10 Enterprise multi-session

Customer-managed Microsoft-managed Azure services Customer-managed Azure VMs & services

Azure AD VMs

A A
4
FIREWALL

FIREWALL
0

Azure SQL DB
Data Flow
Flow index Purpose Protocol Encryption Port used Transmitted information (Data/ Auth).
If data, what?
1.1 User token between RD HTTPS TLS 1.2 443 AAD user UPN and auth token
Client and AAD

1.2 User token between RD HTTPS TLS1.2 443 Ping user creds and auth token
Client and Ping/Okta

2 XML Feed + user token HTTPS TLS 1.2 443 AAD Bearer token

3 RDP channel + user HTTPS TLS 1.2 443 AAD Bearer token
token
4 REST Calls HTTPS TLS 1.2 443 AAD Bearer token

5 443:Persistent channel HTTPS TLS 1.2 443 RDBroker Bearer Token, Host health,
session info
6 443:Persistent channel HTTPS TLS 1.2 443 RDBroker Bearer Token, Diagnostic info

7 RDP Channel HTTPS TLS 1.2 443 Reverse connect GUID

8 User Profile Access SMB Yes, if customer Standard VHD file content
uses SMB 3.0 SMB ports
WVD Authentication Flow
WVD Authentication Flow
Worldwide Azure Regions

WVD PaaS Current Deployment

WVD PaaS Early 2020

Azure
portal
WVD Object Model - Today
WVD PaaS Architecture - Example
CURRENT
REVERSE
RDWeb
CONNECT

1. Resource feed with gateway URL

4. Orchestration, provide
Connection Broker Gateway URL and other Agent
data to connect

3. inform broker of connection request 5. provide gateway URL, other data to connect

6. connect to gateway
providing additional data
2. pre-orchestration
Client Gateway that allows the gateway to Sxs stack in termsrv
request
match it the right client
connection

7. connect to gateway
Supported OS

Windows 10 Enterprise Multi-session

Windows 10 Enterprise Single-Session

Windows 7 Single-Session

Windows Server 2019

Windows Server 2016

Windows Server 2012 R2

Any Azure VM size in a customer’s subscription

Deploy and scale in minutes

Azure has datacenters available in

54 regions, and 140 countries

Azure management portal for

Windows Virtual Desktop

Built in security and compliance

(Windows and Azure)

Strong Partner ecosystem extensibility

Authentication workflow
• User opens RD Client and makes a feed request to RD Web.
• RD Web redirects the client Azure AD to receive a valid token for the service.
• If AAD is the authentication engine for the customer:
• user is asked to enter their creds and that is passed to AAD.
• If auth passes, then AAD issues a token to the RD Client.
• If AAD is not the final authentication engine (creds are not entered while interacting with AAD):
• AAD responds with a redirect to Ping/ Okta.
• RD Client communicates with Ping and user enters their creds.
• User opens a remote app or desktop on the client.
• RD Client establishes RDP connection with the RDGW
• RDGW passes info on the app/ desktop and user to the RD Broker.
• RD Broker identifies the host for the new user session to be established.
• RD Broker passes the UPN and the GW info (including port) to RD Agent on the host, which is handed over to the RD Stack on the host.
• RD Stack on the endpoint host, establishes reverse connect with RDGW.
• User is prompted for 2nd login—RDP login
• User enters creds and these are validated with local AD (can be a read-only instance synced from on-prem AD), that the host is joined to.
• If auth passes, the rest of the orchestration goes through and user can use the app/ desktop.
Data protection we will have at GA
• Network security and firewall settings – Customer has full freedom to implement their own network security and
firewall and only open the outbound 443 port on their session hosts.
• User authentication and fine grained user controls – AAD used for user authentication and delegated access
used for WVD resources.
• UserVHD – Mounting is via SMB V3
• Ability to replicate data globally for regional failures
• Ability to perform failovers from one region to another
• Protect and isolate sensitive data – All service meta-data are encrypted at rest.
• HTTPS by default/SSL encryption
 Client
Customers are eligible to access Windows 10 single and multi
session and Windows 7 with Windows Virtual Desktop (WVD) if
they have one of the following licenses*:
• Microsoft 365 E3/E5
• Microsoft 365 A3/A5/Student Use Benefits
• Microsoft 365 F1
• Microsoft 365 Business

Many customers • Windows 10 Enterprise E3/E5

are already eligible

• Windows 10 Education A3/A5
• Windows 10 VDA per user
for WVD
Server
WVD Licensing Requirements
Customers are eligible to access Server workloads with Windows
Virtual Desktop (WVD) if they have one of the following licenses:
• RDS CAL license with active Software Assurance (SA)

Customers. pay for the virtual machines (VMs), storage, and networking
consumed when the users are using the service

*Customers can access Windows Virtual Desktop from their non-Windows Pro endpoints if they have a Microsoft 365 E3/E5/F1, Microsoft 365 A3/A5 or
Windows 10 VDA per user license.
Pricing
Pay only for the virtual machines (VMs), storage,
and networking consumed when your users are
using the service.

You have the flexibility to pick any VM and

storage options to match your use cases.

Take advantage of options such as one-year or

three-year Azure Reserved Virtual Machine
Instances, which can save you up to 72 percent
versus pay-as-you-go pricing. Reserved Virtual
Machine Instances are flexible and can easily be
exchanged or returned.
Azure Calculator
Virtualization helps address specific business needs
Demo User Experience
Partner Ecosystem
SI and GSIs
Comprehensive
partner ecosystem

ISVs and
Global presence
value-
added
partners

Consistent standards
and IT architectures
Hardware
partners
Aka.ms/wvdpartner
3rd Party Tools? Sepago
 WVD Monitor – Community Edition

https://www.sepago.de/en/wvd-value-add-tools/#scale
Community Edition https://github.com/MarcelMeurer/Project-MySmartScale
 WVD Monitor – Community Edition

https://www.sepago.de/en/wvd-value-add-tools/#azure
 WVD Admin

https://blog.itprocloud.de/Windows-Virtual-Desktop-Admin/
 Azure Starter

https://github.com/MarcelMeurer/Azure-Starter-for-WVD
Partner ecosystem
Approved providers

Comprehensive
partner ecosystem

Global presence

Consistent standards
and IT architectures

Aka.ms/wvdpartner
Windows Virtual Desktop partnership with Citrix

With the partnership, Why Windows Virtual Desktop and Citrix makes sense
Citrix is authorized by together
Microsoft to provide Microsoft Azure is Citrix’s strategic and preferred public
the benefits of
cloud
Windows Virtual • Drive incremental M365 E3/5 : Land the value and innovation of
Desktop in their the M365 suite with WVD in Citrix offerings
value-added cloud • Drive incremental Azure Consumed Revenue: Help accelerate
services hosted on customers’ cloud initiatives and enable enterprise IT to
Azure. effectively streamline the migration from on-premises
infrastructure
to Azure
 PROVIDED BY CITRIX

High level architecture Workspace Director Gateway

Delivery
MCS Load balancing
Controllers

YOUR SUBSCRIPTION - YOUR CONTROL

Windows 10 Windows 10
Windows 7
Enterprise multi-
Enterprise Enterprise
session

Windows
Server 2008 FSLogix
R2 and up

PROVIDED BY MICROSOFT

Compute Storage Networking

 Embrace and extend Windows Virtual Desktop (WVD)
Hybrid Cloud User Experience Monitoring & Control Office Optimizations

Time to Value High-Def Experience Granular Policy Engine Teams

Image Management Workspace Intelligence Monitoring OneDrive & Outlook

Auto Scaling Broad Client Support Analytics Office 365 & SD-WAN
© 2019 Citrix | Confidential
Windows Virtual Desktop and Citrix: Architectural Guidance
Option 1: Use full Windows Virtual Desktop with Citrix Workspace to aggregate resource feeds from Windows Virtual
Desktop and Citrix on-premises and cloud deployments

Option 2: Use Windows Virtual Desktop with Windows 10 multi-session capabilities, Profile Container, and Office 365
Container with Citrix clients, agents, and management plane services

Windows 10 Enterprise multi-session, Windows 7,

Client’s
Management plane services Windows Server 2012R2+
Citrix Receivers
Azure virtual machines & services

Windows Virtual Desktop services Azure AD VMs

A A
Desktops Apps
Citrix Virtual AppsDiagnostics
Web Access &
Workspace Desktop services

Citrix
Broker + WindowsGateway
Virtual
Desktop Solution Active
Directory
User Profile
File Server

Azure SQL DB
 Citrix HDX
Technology Optimize
AutoScale Teams
Optimize
Workspace
Skype
Environment
Management Citrix SD-WAN
to optimize Office 365
Hybrid
Cloud

Machine Citrix App

Creation Services Protection

Session
Recording

Advanced
Citrix Performance
Monitoring
Analytics

Citrix Security
Citrix App Analytics
Layering

Citrix Workspace solutions value-add for Windows Virtual Desktop 3rd Party IdP
integration
Vmware?
High-level Components
VMware Horizon Cloud Control Plane

1 Monitoring
& Analytics
Horizon
Lifecycle
Mgmt
Image
Mgmt
Service
Simplified
App Mgmt
Image
Desktop & App
Management
Monitoring
Smart
Brokering
Policies
Management & Analytics

Horizon Pod
Access
Access Desktops
Gateway Desktops

2
Gateway AD Desktops

Desktop
Desktop
Mgr
Mgr File Servers Apps
Apps
WVD

Image
3
Apps
DB

AD

© 2019 Citrix | Confidential

Recent improvements Windows Virtual Desktop
User Environment and User Data?
End-user compute environment

3 main components
Operating system
Applications
User defined data
Physical workstation: all components closely coupled
Virtualized compute environments

In an optimized virtualization
environment,
a brokering service routes
a user to a virtual machine from
a host pool to a VM with the
resources available to host the
user's app or desktop workloads

The promise: completely dynamic environments

 FSLogix - Profiles

With FSLogix we’ve separated the

user profile layer from the virtual
machine
To the user it feels like you’re
saving and accessing files from a
local disk
FSLogix With the acquisition of FSLogix, eligible customers will get access to
Technologies three core pieces of technology

Profile Container
Replacement for roaming profiles and folder redirection. Dramatically speeds up
logon and application launch times.
• Includes Office 365 Container, which roams Office cache data (Outlook OST, OneDrive
cache, Skype for Business GAL, etc.) and Windows Search DB with user in virtual desktop
environments.

App Masking
Minimize number of gold images by creating a single image with all applications.
Excellent app compatibility with no packaging, sequencing, backend
infrastructure, or virtualization.

Java Redirection
Helps protect the enterprise from vulnerabilities of multiple installed versions of
Java by mapping specific versions to individual apps or websites.
 Storage Considerations in WVD

Option Considerations

Managed PaaS Service.

Azure AD/.AAD DS Integration only*
Azure Files Up to 100K IOPS/Share. Higher Latency (~3ms)
Easy to Manage, cost effective
Service available broadly across regions
Customer Managed IaaS Service
ADDS Integration Only
Scale Out File Server
Up to 160K IOPS/disk with a latency of ~1ms using Ultra Disks
Minimum of 2 VMs (with Cloud Witness) or 3 Without CW + Cost of disks

Managed PaaS Service

ADDS Integration Only
Azure NetApp Files
Up to 320K IOPS with a latency of ~1ms
Region dependent
 Azure Files with AD DS
Steps to Configure

1. Enable Azure Files AD DS authentication on your storage account.

2. Assign access permissions for a share to the Azure AD identity (a user, group, or
service principal) that is in sync with the target AD identity.
3. Configure ACLs over SMB for directories and files.
4. Mount an Azure file share to a VM joined to your AD DS.
5. Update the password of your storage account identity in AD DS.
FSLogix entitlements
FSLogix technology, which improves the performance of Office 365 ProPlus in multi-user
virtual environments, is now available at no additional cost for Microsoft 365 and
Remote Desktop Services customers

Microsoft 365 E3/E5/F1/Business Windows 10 VDA per user

Microsoft 365 A3/A5/Student Use Benefits Remote Desktop Services (RDS) CAL

Windows 10 Enterprise E3/E5 Remote Desktop Services (RDS) SAL

Windows 10 Education A3/A5

© 2019 Citrix | Confidential

FSLogix cloud cache

Local Cache retains block-level data as it’s

accessed, ensures writes make it to remote
storage. Cloud Cache is available for both
Profile Containers and Office Containers.

Local Cache

Cloud Storage
Cloud Cache driver Remote storage locations can be
SMB Provider Page Blobs REST Azure SMB or via native cloud API for
Provider Page Blobs Azure PageBlobs.
SMB

On-prem Storage
Cloud Cache driver writes to all locations, reads from
Local Cache then in order of configuration. If first
SMB servers location is inaccessible, it will switch to the next location,
then re-sync when original comes back.

©Microsoft Corporation
Azure
Roaming user profiles get us half-way there

But—what about the apps?

 In a shared or pooled virtual
machine,
this is a challenge
 Each user might need a different
set of apps
 They can be assigned to a
different VM with each logon
Current options

OPTION 1 OPTION 2 OPTION 3

Multiple images by role Traditional App layering App streaming
 Manage numerous VM pools  Image can get bloated  Requires apps to get cached
customized for different users' roles  Additional policies into OS during user session
 These images would all need to be  App licensing could be challenging  Need to manage app
individually maintained and patched streaming infra
 High overhead  Possible need to repackage/
sequence the app
MSIX app attach

What is it? How it works

Rapidly attach applications just-in-time as users log on MSIX packages are expanded into
Leverages FSLogix concepts, but for applications VHD or other containers

Per user visibility – Only authorized users have access to Containers are attached to the
applications computer

No repackaging required for applications in MSIX Applications are made available on a

format per-user basis
Applications delivered via app attach
are indistinguishable from natively
Join the preview at http://aka.ms/msixandwvd
installed applications
What is MSIX?
1

8
Traditional Application Delivery vs. MSIX app attach
Traditional deployment Deployment with MSIX app attach

User profile User profile App attach

storage storage share

VM 1 VM 2 VM 3 VM 1 VM 2 VM 3

Image for Sales Image for HR Image for ENG Golden Image (Win 10 Multi-Session)

Common Common Common Common

Common Common Common
Apps Apps Apps Apps
Apps Apps Apps
HR App 1 HR App 1
Sales App 1 HR App 1 ENG App 1

HR App 2 HR App 2
Sales App 2 HR App 2 ENG App 2

Sales App 1 Sales App 1

Sales App 2 Sales App 2

ENG App 1 ENG App 1

ENG App 2 ENG App 2

Sales HR ENG Sales HR ENG

User User User User User User
 MSIX app attach

Native format is MSIX (no re-packaging)

Minimal performance impact

MSIX Apps can be stored off the windows disk

Remotely mount the apps to the VM on-demand

Apps groups are assigned to users, and they’re

available instantly on login

Looks and feels local to the user and to windows

https://docs.microsoft.com/en-us/azure/virtual-desktop/app-attach
App Assure
Microsoft’s application compatibility promise
Microsoft is committed to ensuring your apps work on the latest versions of our software. If you
encounter any issues, we will help you remediate them at no additional cost!

Windows Virtual Desktop

WINDOWS 10 ENTERPRISE
WINDOWS 1O ENTERPRISE
MULTI-SESSION

Apps running in any Win7

Virtualized apps that run on /Win10 VDI environment
will run on Win7/Win10
Windows Server RDSH will
Enterprise as part of WVD*
run on Windows 10
and
Enterprise multi-session as
Apps running on Win7
part of WVD /Win10 client devices will
run on Win7/Win10
Enterprise as part of WVD*

*See our service description at https://aka.ms/DesktopAppAssure/

Demo Azure Files & FSLogix
Links to FSLogix, Azure Files & MSIX
• FSLogix
• Agent
• Profile Container Configuration
• Office Container Configuration
• Cloud Cache Configuration
• App Masking

• Azure Files with AD DS

• NetApp Files

• MSIX App Attach

Networking
Example Network Design
Host Pool Design
Deployment Models
Host Pool Design Principals
Image Management
 Azure Managed Images with WVD

What are Azure Managed Images?

• Customized Windows image that are captured and
stored in Azure that can be used to create VMs / WVD
Session hosts.
• Quickly create WVD hostpools with consistent
user experiences

How are WVD managed images created?

• Create a Windows VM with customized applications
and settings.
• Generalize a Windows VM Using Sysprep
• Create an Image in the Portal or
• Create an Image using PowerShell
Managed Images flow chart

Create Windows 10 Modify Image, Install

MS Image from Apps, Security Tools, Reboot Add Registry Entries
Azure Marketplace Customizations

Install Azure Agents:

Run Install
Run Microsoft WVD Monitor, Take Azure VM
command for
best practice script Dependency, Snapshot
Sepago Agent
Sepago

Create Run Once Capture VM Image

Sysprep & shut
Command for Azure as managed Deploy WVD Hosts
down
Monitor (Delete VM)
Managed Images flow chart

Create a managed Make changes,

Create a VM from
disk from a Power On New VM Windows updates,
the managed disk
previous snapshot new scripts, etc

Run Microsoft Create Run Once Run Install

Take Azure VM
WVD best practice Command for command for
Snapshot
script Azure Monitor Sepago Agent

Capture VM Image
Sysprep & shut
as managed Deploy WVD Hosts
down
(Delete VM)
Optimizing WVD Master Images
Recommended Settings for WVD Master Image:
• Setup User Profiles Containers (FSLogix)
• Configure Windows Defender
• Disable Automatic Updates
• Start Layout
• Time Zone Redirection
• Disable Storage Sense
• Add language support

Optional Configurations:
• Configure OneDrive
• Install Office
• Install additional software

https://docs.microsoft.com/en-us/azure/virtual-desktop/set-up-customize-master-image
https://docs.microsoft.com/en-us/azure/virtual-desktop/install-office-on-wvd-master-image
PowerShell Script available to automate these tasks:
• https://github.com/markhooks81/Winter-Ready-2020/blob/master/SysPrepScript.ps1
 Azure VM Image Builder

Azure VM Image Builder

VHD

VM
Managed VM
Image
Azure Base
Images Linux & Source Customize Distribute
Windows
VM
Shared VM
Image
Gallery

Existing Custom
Images

https://aka.ms/azvmimagebuilder
Example Customer Scenario: WVD Economic Benefits
Example Migration Scenario
• User Group 1: 800 medium workload users (session running 170 hrs/month): From Windows Server on-prem to Windows 10 multi-session in WVD
• User Group 2: 200 medium workload users (session running 110 hrs/month): From Windows 10 single-session on-prem to Windows 10 multi-session in WVD

Virtual Desktop Cost ($ per month) Infrastructure Cost Savings

License Cost Savings
$38.6 ~65%*
pupm Savings
8,600
17,400
5,650
850 2,400 $13.1
8,000 13,100 pupm
21,200

On-prem Cost Multi-session2 Linux Rate1 Pay for Actual Usage1, 2 Mgnt Svc Included1, 2 RDS CAL Elimination1 WVD Cost
Windows 10 Session host VMs Most actual usage Free** WVD RDS CAL not required
multi-session reduces charged at Linux charged at PAYG rate management service by W10 MS in WVD**
Drivers
number of compute rate (vs. fixed on-prem incl. associated infra
for Saving VMs required (vs. Windows Server investment) (vs. mgnt services and
(vs. single-session) compute rate) infra on-prem)
Note: Chart shows the overall on-prem and WVD cost and associated cost savings for User Group 1 and 2 combined
Note: Given on-prem costs are highly variable, Azure reserved instance cost is used as the proxy for average on-prem cost; on-prem cost is likely underestimated
Note: Results generated by WVD Solution Configurator, an excel-based tool for sizing WVD opportunities; figures are rounded for simplicity
1 – Savings for User Group 1; 2 – Savings for User Group 2
*~70% Savings on infrastructure cost and ~60% on license cost, respectively; labor cost excluded
**Many customers already own licenses that qualify them for WVD (e.g. Win10 E3/E5, M365 E3/E5, VDA) and incur no additional cost for WVD
 Cost-optimized infrastructure

Windows 10 Experience at Multi-session Cost

Customer Scenario – From Windows 10 single session on-prem to Windows 10 Multi-Session in WVD
• Trade many small dedicated VMs for few large shared VMs with higher utilization

Windows 10 single session Example Economic Benefit

Windows 10 Multi-Session in WVD
on-prem $ per user per month

-85%
$40*

$7

Windows 10 Windows 10
Many users per 1 larger VM Single Session Multi-session
1 user to 1 smaller VM with low utilization
with high utilization 1 user per D2s v3
Utilization Utilization 32 users per D8s v3
(2 vCPUs, 8 GiB RAM) (8 vCPUs, 32 Gib RAM)
Note: WVD is the only way to run Windows 10 Multi-Session
Note: Figures are illustrative and based on pre-configured assumptions; actual savings vary by user requirements and infrastructure configuration
*The $40 PUPM for single session cost is modeled for a common configuration: Windows 10 single-session in WVD starts at ~$15 per user per month for 1 vCPU, 2 GiB RAM configuration
Demo Azure Image Process
Monitoring
WVD and Azure Monitor

https://azure.microsoft.com/en-us/services/monitor/
WVD with Service Map Extension
Service Map

With Service Map

Service Map
WVD with Log Analytics
Sepago

$LogAnalyticsWorkspaceId = ""
$LogAnalyticsPrimaryKey = ""
Set-RdsTenant -Name $tenant -LogAnalyticsWorkspaceId $LogAnalyticsWorkspaceId -LogAnalyticsPrimaryKey $LogAnalyticsPrimaryKey
Demo Azure Sepago & Monitor
Migration
Azure Migrate – hub for all your migration needs

NEW! Deeper application discovery (incl.

application roles, features, and versions)

NEW! Physical server discovery

NEW! Agentless dependency visualization &

migration for VMware environments

NEW! .NET app migration to Azure App Service

NEW! VDI migration to Windows Virtual Desktop

Integrated with Carbonite, Cloudamize, Corent

Tech, Device42, Turbonomic, and UnifyCloud

VMware, Hyper-V, Physical server migration

SQL / Non-SQL data migration

Migration from on-premises, AWS, & GCP https://docs.microsoft.com/en-us/azure/migrate/migrate-services-overview

Continuously optimize resources during and after migration

As you move
• Right-size Azure resources based on assessment
guidance
• Use Azure Hybrid Benefit and Azure Reserved
Instances to save money

After you move

• Unified experience to optimize cloud spends:
Azure Cost Management
• Azure Advisor: Built-in best practice
recommendations (e.g., turn off idle VMs)

Modernize for longer term value

Scaling
WVD VM Scaling Logic App Designer view
Select the component
WVD VM Scale Logic App Diagnostics

With Log Analytics\Monitor

If you use Azure Monitor and Log

Analytics you can export this data and
have a single pane of glass to look at.
https://docs.microsoft.com/en-
us/azure/automation/automation-
manage-send-joblogs-log-analytics
Pre-requisites to using
Windows Virtual Desktop
Prerequisites

Requirements

Azure subscription Azure Active Determine your All associated Required credentials
Directory identity strategy Azure resources (Azure AD, WVD
(AD, ADDS) (image, virtual tenant, Service
network, storage) principle, etc.)
in one region

Link to prepare Demo bench (coming soon)

Prerequisites
Pre-Req Description Owner / Stakeholders
1-2 use cases Choose 1-2 standard or typical target use case(s) for POC. Include Customer Virtual Desktop Team or Business Owners
standard apps installed and any security or internal management tools
you use.

Azure AD Tenant Most customers already have this set up through their O365 Tenant. A Admin or Security Team
separate free account can also be used but nor recommended for POC
or Prod Trial.

GA account to the AAD Tenant.

At least one admin account with MFA turned off or ability to create
service principal

Azure Subscription Deployed subscription connected to the Azure AD Tenant Above Cloud Team, Billing Owner

Owner or Contributor Rights to the Subscription

Quota and/or policy rights to create network, security, VMs, etc

Prerequisites
Pre-Req Description Owner / Stakeholders
Security Controls Info about FW and/or Proxy required by Internal Security or access to Network / Security Team
security team during deployment

If FW or Proxy is used, the whitelist URLs should be submitted 1-2

weeks ahead of deployment

Info about MFA or SSO tools used internally – Admin accounts if this
must be configured

Networking Access to VNET or ability to create a VNET, if necessary Network / Security Team

Networking/on-premises connectivity via express route, VPN, etc. –

Access to domain controller either in Azure or on prem and access to on prem
apps. If the domain controller is isolated in Azure, and no on-prem access is
needed this can be skipped.

Licensing Entitlement check (licensing) - M365 E3/E5, etc. See slide below Microsoft Team / Cloud Team, Billing Owner

Domain Controller Needed for traditional AD join of VM hosts Admin, Cloud Team
Can be in Azure or On-prem – see Networking requirements above for
On-prem
Domain Admin Rights or GPO policy to allow a user to add VMs to
domain – Non MFA account

Windows Domain Users sync’d to Azure AD through AD Connect

OR
Azure AD Domain Services deployed
 Client
Customers are eligible to access Windows 10 single and multi
session and Windows 7 with Windows Virtual Desktop (WVD) if
they have one of the following licenses*:
• Microsoft 365 E3/E5
• Microsoft 365 A3/A5/Student Use Benefits
• Microsoft 365 F1
• Microsoft 365 Business
Many customers • Windows 10 Enterprise E3/E5

are already • Windows 10 Education A3/A5

• Windows 10 VDA per user
eligible for WVD
Server
WVD Licensing Requirements
Customers are eligible to access Server workloads with Windows
Virtual Desktop (WVD) if they have one of the following licenses:
• RDS CAL license with active Software Assurance (SA)

Customers. pay for the virtual machines (VMs), storage, and networking
consumed when the users are using the service

*Customers can access Windows Virtual Desktop from their non-Windows Pro endpoints if they have a Microsoft 365 E3/E5/F1, Microsoft 365 A3/A5 or
Windows 10 VDA per user license.
Credentials Required – Customer Environment

RD clients Windows Virtual Desktop

Azure AD Tenant & Subscription
Customer – managed PaaS – WVD Tennent/Workspace
WVD Tennent Tied to User Tenant
WVD Tenant Owner WVD Creator Rights AD Connect Sync Tenant
Azure AD & Tenant Creator Rights
(User From AD Tenant) (From AD Tenant) Account GA Account
Subscription (Suggest GA User)

VMs
A A
Web Access Diagnostics Desktops Apps
FIREWALL

FIREWALL
Active User Profile
Gateway Broker Directory File Services

Azure AD Connect
Azure SQL DB Owner /Contributor
(From AD Tenant) Subscription
Whitelist URLs
Outbound
Address Purpose Service Tag
TCP port
*.wvd.microsoft.com 443 Service traffic WindowsVirtualDesktop

mrsglobalsteus2prod.blob.core.windows.net 443 Agent, SXS stack updates, and Agent traffic AzureCloud

*.core.windows.net 443 Agent traffic AzureCloud

*.servicebus.windows.net 443 Agent traffic AzureCloud

prod.warmpath.msftcloudes.com 443 Agent traffic AzureCloud

catalogartifact.azureedge.net 443 Azure Marketplace AzureCloud

kms.core.windows.net 1688 Windows activation

*.microsoftonline.com 443 Authentication to MS Online Services

*.events.data.microsoft.com 443 Telemetry Service

Address Outbound Purpose Service Tag

TCP port
licensing.mp.microsoft.com
*.sls.microsoft.com
activation-v2.sls.microsoft.com
*.microsoftonline.com 443 Authentication to MS Online Services
*.events.data.microsoft.com 443 Telemetry Service
www.msftconnecttest.com 443 Detects if the OS is connected to the internet
*.prod.do.dsp.mp.microsoft.com 443 Delivery Optimization Service, used for
Windows Update in Windows 10
login.windows.net 443 Login to MS Online Services, Office 365
*.sfx.ms 443 --> Updates for OneDrive client software
*.digicert.com 443 Certificate revocation check

For Office related URL’s , visit https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges . This documentation also covers required AAD related URL’s.
Secure user access: Administrators

1 Integrating with Azure portal means Azure role-based access control (RBAC)

2 Extend the same policies and restrictions you have today

3 View and give permissions to individual Virtual Desktop objects

4 Create your own custom RBAC roles for designated access

©Microsoft Corporation
Azure
Secure user access: End-users

Azure RBAC also applies to end-users

Assign access based on Azure AD groups

Combine resource access with Azure AD Conditional Access for more control

©Microsoft Corporation
Azure
End User Clients
Spring Release
Best Virtualized End-user Experience Best User

Teams Enhancements (Coming soon)

Experience

Teams provides end users with better conferencing and media experience

Teams on WVD – With Enhancement User Experience Benefits

Azure Backbone Less network bandwidth compared to USB camera
Windows 10 Windows 10 redirection
Enterprise Enterprise
multi-session multi-session
Increased video framerates,
up to 30 fps
Call Control Call Control

Enhanced UI for ease of use

Call A/V in virtualized environments
User 1 User 2
Ability to redirect multiple cameras
P2P
LOCATION 1 Connection LOCATION 2
High-performance, low latency
Multimedia redirection Multimedia redirection audio & video calling

Per machine installation Per machine installation

WVD Management Experience

What is it?
New Azure Portal Deployment and Management
Experience
First-party service functionality
Support for AD Groups
Integrated PowerShell with Azure Module
Integration into Azure Monitor and Log Analytics
Uses Azure RBAC and Lighthouse
Azure portal support for creation, management and
diagnostics
Store your service data in any supported region Coming soon

with distributed databases

Currently available
Coming soon
Best Virtualized End-user Experience
Platform of your choice Windows differentiation Enhanced protocol

• Connect from any device of your choice • Like-local Windows experience • Support for Windows Hello for Business
(Windows, MacOS / iOS, HTML5, Android, • Extensive support for devices • Dynamically adapting bandwidth utilization
Linux*)
* Coming soon

Outlook, OneDrive &

Containerized User Profiles Teams Enhancements
Desktop Search Improvements

• Containerized User Profiles (FSLogix) with fast • Faster startup experience, improved syncing • Multimedia redirection capability, high-
VHD load times, Azure NetApp Files optimized for virtual environment, and per-user performance, low latency audio & video calling
Desktop Search

Office 365 ProPlus also supported on Windows Server 2019 (with OneDrive Files-on-Demand capabilities)
Windows Virtual Desktop Mobile Android
https://www.samsung.com/global/galaxy/apps/samsung-dex/
Windows Virtual Desktop 3 ways
Windows Virtual Desktop
with Samsung DeX

Full screen Windows 10 and Office 365 ProPlus experience

from Samsung DeX-enabled mobile devices, providing the
Windows Virtual Desktop experience on an Android
endpoint

Enhanced mobility and productivity with small and big

screen experience, allowing customers to seamlessly
switch from one application to another

Faster speeds and reduced latency with the new

Samsung Galaxy S10 support for 5G and Wi-Fi 6
Samsung DeX

PC-like experience entirely powered by Galaxy device

• Software that’s built-into Galaxy device that

provides PC-like experience (optimized UI)

• Connects Galaxy device to a bigger screen,

keyboard and mouse

• Unifies the mobile and desktop with optimized user

experience

• Knox security built-in, granular management

controls and customizable for your business via
Intune

More information on Samsung DeX can be found here

DeX Ready Devices

Galaxy S Series Galaxy Note Series Galaxy Tab S Series

Galaxy S10 Galaxy Note 9 Galaxy Tab S4

Most Advanced Network Optimized for Productivity Optimized for Customer
Capability (5G, Wi-Fi 6) (Connected S Pen, engagement (Immersive
12MP+8MP Cameras) display, 16hr battery) Connection
Ultimate Performance thru USB-C
(Improved CPU and GPU, Firstline Worker ready (Water Productivity on the go (S-Pen,
reduced power consumption) & Dust Resistance (IP68), All Pogo Keyboard)
Day Battery)
Video and graphics improvements

Average Encoding Time (ms) Video playback always uses hardware

1500

1000
acceleration
500

0
Session (60 seconds)

4kDownSampled 4kNative
Smooth playback when moving the
video window
Output Frames / Second (fps)
15

10

0
Session (60 seconds) 4K downsampling
4kDownSampled 4kNative
Device redirection
High-level redirection of built-in or
attached video camera
Less network bandwidth compared to USB
camera redirection
Increased video framerate, up to 30 fps
Redirect multiple cameras

Improved printing messages

Built-in Windows client first to adopt
Enabling Teams on WVD
Full-featured, high-performance M365 integration is critical to Current: Teams Calling with device redirection
WVD.
However, UC apps like Teams aren’t well-supported in VDI
environments:
• Latency, glitching, and A/V sync challenges when streams redirect Multi-hop
through VM Connectio
n
• Difficulties associated with traditional in-app Acoustic Echo
Cancellation implementations result in unacceptable audio quality
• Increased vCPU usage during peak reduces user/core density

WebRTC Enabled: Peer-to-peer Teams on WVD

We are delivering WebRTC-based P2P conferencing for Teams:
• Modular design can support new remote protocols and OS
environments with less rework while retaining a common core.
• Design decision: We have scoped out support for Win7 clients. Support
for Win7 clients will be based on customer feedback.
• High-performance peer-to-peer streaming facilitated by WebRTC
• On Win10 clients, all the benefits of the modern media stack
including HW video decoding
P2P
Connection
 Hybrid cloud management Citrix HDX technology
• Have a single interface for • Access any device, any
Top ten Citrix value adds workloads on-premises or in
Azure.*
connection.
• Optimize for Microsoft Teams,
to Windows Virtual Desktop • Migrate, capacity burst, or
load balance.
Skype, and more.

*Windows 10 Enterprise support

available only in Azure.

Performance and Workspace environment Session recording Citrix app protection

security analytics management and watermarking
• Record and play back sessions
• Gain visibility into user behavior • Optimize user density and logon for issue diagnosis, compliance, • Protect against accidental
and session responsiveness. performance. and security audits. and malicious data leaks.
• Catch small issues before they • Improve user experience.
become big ones. • Maximize IT spend value.

Advanced monitoring AutoScale Citrix provisioning Citrix app layering

• Use tools built for enterprise • Scale environments and • Simplify administration. • Access flexible technology.
scale. cloud workloads. • Enhance reliability. • Enhance user experience.
• Monitor health, user sessions, • Leverage existing investments • Rapidly deploy at any scale. • Leverage nonpersistent
and more. and ramp sessions into environments.
the cloud.
Appendix
Futures

Feature Target Availability Environment

MSIX – App Attach Q1’20 Private Preview
AAD Join (No DC) Q4’19 Public Preview
Azure Files with Domain Q1’20 Public Preview
Personal Desktop Assignments Q4’19 GA
Portal Management ARM Integration Q2’20 Preview
AD Group Add Q1’20 GA
Intune Support for Win 10 Multi Session H1’20 Preview
Security Center/ Sentinal Integration H1’20 Preview
Additional Resources – How to Videos
1. WVD Deployment 13. WVD Bandwidth Recommendations
2. WVD Management 14. WVD Latency & Experience Estimator
3. WVD User Profiles 15. WVD Partners
4. WVD High Availability of User Profiles 16. WVD Windows 7 / 10 Client
5. WVD User Experiences 17. WVD Android Client
6. WVD Web Management UX 18. WVD MacOS Client
7. WVD Scaling Out (Building new session hosts 19. WVD ios Client
in existing host pools manually)
8. WVD with Azure AD Domain Services
9. WVD Web Diagnostics tool
10. WVD Automation (Build new session hosts in
existing host pools with a custom PowerShell
script extension)
11. WVD Monitoring (Sepago)
12. WVD Updates (Build new, throw away the old
with my custom ARM Template to build new
Session hosts in existing host pools, joining to
domain and adding to WVD automatically)
https://aka.ms/rdposter
Thank you.

© Copyright Microsoft Corporation. All rights reserved.