
Windows Virtual Desktop Deep Dive


Presentation Transcript


  1. Windows Virtual Desktop Deep Dive Windows desktops and applications hosted in Azure BRK3312 Clark Nicholson, Principal Program Manager Stefan Georgiev, Program Manager

  2. Windows Virtual Desktop
     Consists of: Azure service to manage connections between RD clients and Windows 10 Enterprise multi-session VMs
     IT admins can:
     • Publish remote desktops and apps to end users from pools of single or multi-session Windows 10 Enterprise VMs in Azure
     • Manage and troubleshoot connections between RD clients and Windows virtual machines
     End users can:
     • Connect to Windows desktops and applications from their favorite client device from anywhere on the internet
     [Architecture diagram: RD clients → Microsoft-managed Windows Virtual Desktop Azure services (Azure AD, Web Access, Diagnostics, Gateway, Broker, Azure SQL DB) → customer-managed Azure VMs & services (Windows 10 Enterprise multi-session VMs, Active Directory, desktops, apps, user profile file server), with a firewall on each side]

  3. Azure AD Authentication
     • RD clients authenticate with Azure Active Directory (AD)
     • Enables Azure AD security features, such as Conditional Access, Multi-factor Authentication, and Intelligent Security Graph
     • Maintains app compatibility in the customer's environment, where Windows VMs are AD domain-joined
     [Same architecture diagram as slide 2, with step 1 marked at the RD client to Azure AD connection]

  4. User Connection Flow
     1. User launches RD client, which connects to Azure AD; user signs in, and Azure AD returns a token
     2. RD client presents the token to Web Access; Broker queries the DB to determine the resources authorized for the user
     3. User selects a resource; RD client connects to Gateway
     4. Broker orchestrates the connection from the host agent to Gateway
     >>> RDP traffic now flows between the RD client and the session host VM over connections 3 and 4
     [Same architecture diagram as slide 2, with connections numbered 0 through 4 between RD clients, Azure AD, Web Access, Gateway, Broker, Azure SQL DB and the session host VMs]

  5. Demo: End user experience (Stefan Georgiev)

  6. Improved Isolation: Reverse Connect
     • Outbound WebSocket connections from customer VMs to Broker and Gateway
     • Bidirectional communication between VMs and the RD infrastructure over HTTPS (443)
     • No inbound ports need to be opened to the customer environment
     [Same architecture diagram as slide 2, with connections 0 and 4 drawn outbound from the session host VMs to Broker and Gateway]

  7. Multitenancy
     • Customer environments are highly isolated
     • Different AD configurations in each customer environment
     • VPN from tenant environments to on-prem
     [Diagram: one Microsoft-managed Windows Virtual Desktop service (Azure AD, Web Access, Diagnostics, Gateway, Broker, Azure SQL DB) serving several customer-managed environments of Windows 10 Enterprise multi-session VMs; one environment uses Active Directory with a user profile file server, others use Azure AD Domain Services with user profiles on Azure Files, one reaching on-prem over VPN; each environment behind its own firewall]

  8. REST API: Extensible Platform
     • Third-party apps can use PowerShell or the REST API to extend the Windows Virtual Desktop platform
     • Examples: deployment automation, VM scaling & provisioning, web UI to configure, monitor, and troubleshoot, etc.
     [Same architecture diagram as slide 2, with PowerShell and a third-party app calling into the Microsoft-managed Web Access, Diagnostics, Gateway and Broker services]

  9. Example: Dynamic Scaling of Virtual Machines
     • PowerShell script sample
     • Runs as a scheduled task
     • Reads XML file: start- and end-of-day, VM min, threshold, …
     • End-of-day
       • Set VMs (except VM min) to drain mode (don't allow new connections)
       • Notify and sign users out
     • Start-of-day
       • Set all VMs to fill mode (allow new connections)
       • Start a VM when the user sessions/vCPU threshold is passed
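The slide describes the sample script's behaviour but not its code. The block below is an added example written for this page, not the deck's own script, showing the end-of-day and start-of-day branches against the WVD classic PowerShell module (Microsoft.RDInfra.RDPowerShell) and Az.Compute. It assumes the cmdlet names documented for the classic service (Get-RdsSessionHost, Set-RdsSessionHost -AllowNewSession, Get-RdsUserSession, Send-RdsUserSessionMessage, Invoke-RdsUserSessionLogoff, Start-AzVM, Stop-AzVM, Get-AzVMSize); the XML layout, tenant, host pool, resource group and threshold values are constructed placeholders.

```powershell
# Added example (not the deck's sample script): end-of-day / start-of-day scaling
# logic from slide 9 against the WVD classic module and Az.Compute.
# Cmdlet names are those documented for the classic service; everything in the
# config is a placeholder.
#Requires -Modules Microsoft.RDInfra.RDPowerShell, Az.Compute

# Constructed config in the shape the slide describes. A real script would read
# it with [xml](Get-Content $path) so the thresholds live outside the code.
[xml]$config = @"
<scaling>
  <tenantName>ExampleTenant</tenantName>
  <hostPoolName>ExampleHostPool</hostPoolName>
  <resourceGroup>rg-wvd-hosts</resourceGroup>
  <location>eastus</location>
  <startOfDay>08:00</startOfDay>
  <endOfDay>18:00</endOfDay>
  <vmMin>1</vmMin>
  <sessionsPerCpuThreshold>2</sessionsPerCpuThreshold>
</scaling>
"@
$cfg = $config.scaling

# Session host names in WVD are FQDNs; the Azure VM name is the host label.
function ConvertTo-VmName([string]$SessionHostName) { return $SessionHostName.Split('.')[0] }

# vCPU count of a host, taken from the size catalogue of its region.
function Get-VmVcpuCount([string]$VmName) {
    $vm   = Get-AzVM -ResourceGroupName $cfg.resourceGroup -Name $VmName
    $size = Get-AzVMSize -Location $cfg.location | Where-Object Name -eq $vm.HardwareProfile.VmSize
    return [int]$size.NumberOfCores
}

function Invoke-EndOfDay {
    $hosts = Get-RdsSessionHost -TenantName $cfg.tenantName -HostPoolName $cfg.hostPoolName
    # Keep vmMin hosts accepting connections; drain, warn, sign out and deallocate the rest.
    $keep  = $hosts | Sort-Object SessionHostName | Select-Object -First ([int]$cfg.vmMin)
    $drain = $hosts | Where-Object { $_.SessionHostName -notin $keep.SessionHostName }
    foreach ($h in $drain) {
        Set-RdsSessionHost -TenantName $cfg.tenantName -HostPoolName $cfg.hostPoolName `
            -Name $h.SessionHostName -AllowNewSession $false          # drain mode
        $sessions = Get-RdsUserSession -TenantName $cfg.tenantName -HostPoolName $cfg.hostPoolName |
            Where-Object SessionHostName -eq $h.SessionHostName
        foreach ($s in $sessions) {
            Send-RdsUserSessionMessage -TenantName $cfg.tenantName -HostPoolName $cfg.hostPoolName `
                -SessionHostName $s.SessionHostName -SessionId $s.SessionId -NoUserPrompt `
                -MessageTitle 'Maintenance' -MessageBody 'Save your work; you will be signed out in 5 minutes.'
        }
        if ($sessions) { Start-Sleep -Seconds 300 }                   # grace period before logoff
        foreach ($s in $sessions) {
            Invoke-RdsUserSessionLogoff -TenantName $cfg.tenantName -HostPoolName $cfg.hostPoolName `
                -SessionHostName $s.SessionHostName -SessionId $s.SessionId -NoUserPrompt
        }
        Stop-AzVM -ResourceGroupName $cfg.resourceGroup -Name (ConvertTo-VmName $h.SessionHostName) -Force
    }
}

function Invoke-StartOfDay {
    $hosts = Get-RdsSessionHost -TenantName $cfg.tenantName -HostPoolName $cfg.hostPoolName
    # Fill mode: every host may accept new sessions again.
    foreach ($h in $hosts) {
        Set-RdsSessionHost -TenantName $cfg.tenantName -HostPoolName $cfg.hostPoolName `
            -Name $h.SessionHostName -AllowNewSession $true
    }
    # Capacity check: total sessions on running hosts versus their total vCPUs.
    $running  = $hosts | Where-Object Status -eq 'Available'
    $vcpus    = ($running | ForEach-Object { Get-VmVcpuCount (ConvertTo-VmName $_.SessionHostName) } | Measure-Object -Sum).Sum
    $sessions = ($running | Measure-Object -Property Sessions -Sum).Sum
    if ($vcpus -eq 0 -or ($sessions / $vcpus) -ge [double]$cfg.sessionsPerCpuThreshold) {
        $next = $hosts | Where-Object Status -ne 'Available' | Select-Object -First 1
        if ($next) { Start-AzVM -ResourceGroupName $cfg.resourceGroup -Name (ConvertTo-VmName $next.SessionHostName) }
    }
}

# Entry point for the scheduled task: choose the branch by time of day.
$now = (Get-Date).TimeOfDay
if ($now -ge [TimeSpan]$cfg.startOfDay -and $now -lt [TimeSpan]$cfg.endOfDay) { Invoke-StartOfDay } else { Invoke-EndOfDay }
```

The scheduled task that runs this needs an identity with the RDS Contributor role on the host pool plus Azure permissions to start and stop the VMs, so it is worth registering it under a dedicated service principal rather than an administrator's account; the daytime branch is safe to run every few minutes because re-applying fill mode is idempotent and a host is only started when the sessions-per-vCPU ratio is at or above the threshold.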

  10. New deployment steps
     Prerequisites: Azure AD tenant, subscription, vnet with AD or AAD-DS
     One-time step:
     1. Create WVD tenant mapped to Azure AD tenant
     N-time steps:
     2. Create a host pool in WVD and export the registration token
     3. Assign Azure AD users to the desktop app group
     4. Create VMs in the Azure subscription joined to the AD domain
     5. Install the WVD Agent and the registration token from step 2 on the VM
     >>> Users can now run the RD client, sign in, and connect to desktops in Azure!
     Alternatively, run the WVD Azure Marketplace offers or ARM templates
     VARIATIONS
     • Create a custom image for the VMs
     • Create a RemoteApp app group & publish apps
     • Create a personal desktop host pool (future)
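Steps 1 through 3 and the verification after step 5, as an added PowerShell example written for this page (not the deck's demo script). It assumes the WVD classic module cmdlets as documented at general availability (Add-RdsAccount, New-RdsTenant, New-RdsHostPool, New-RdsRegistrationInfo, Export-RdsRegistrationInfo, Add-RdsAppGroupUser, Get-RdsSessionHost) and that a host pool implicitly creates a "Desktop Application Group"; tenant, host pool, GUID and user values are placeholders. Step 4 (creating the domain-joined VMs) is an ordinary Azure deployment and is left out.

```powershell
# Added example (not from the deck): slide 10 steps 1-3 and the post-step-5 check
# with the WVD classic PowerShell module. All names and ids are placeholders.
#Requires -Modules Microsoft.RDInfra.RDPowerShell

$TenantName     = 'ExampleTenant'
$HostPoolName   = 'ExampleHostPool'
$AadTenantId    = '00000000-0000-0000-0000-000000000000'   # placeholder Azure AD tenant id
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription id
$FirstUser      = 'user1@contoso.onmicrosoft.com'

# Sign in to the WVD service with an Azure AD account; the account that creates
# the tenant becomes its RDS Owner (see the inheritance rules on slide 20).
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'

# Step 1 (one-time): WVD tenant mapped to the Azure AD tenant.
New-RdsTenant -Name $TenantName -AadTenantId $AadTenantId -AzureSubscriptionId $SubscriptionId

# Step 2: host pool, plus a short-lived registration token for the agents.
New-RdsHostPool -TenantName $TenantName -Name $HostPoolName
New-RdsRegistrationInfo -TenantName $TenantName -HostPoolName $HostPoolName -ExpirationHours 4 | Out-Null
$token = (Export-RdsRegistrationInfo -TenantName $TenantName -HostPoolName $HostPoolName).Token
# The token is the credential that lets a VM join this pool (step 5): hand it to
# the agent installer on the VM and keep it out of scripts, logs and images.
# A 4-hour expiry limits how long a leaked copy is usable.

# Step 3: grant users the desktop app group the host pool created implicitly.
Add-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName `
    -AppGroupName 'Desktop Application Group' -UserPrincipalName $FirstUser

# After step 5: confirm each VM has registered and is accepting sessions.
Get-RdsSessionHost -TenantName $TenantName -HostPoolName $HostPoolName |
    Select-Object SessionHostName, Status, AllowNewSession, Sessions
```

A host that installed the agent with an expired or mistyped token never appears in the Get-RdsSessionHost output, so that listing is the first check to run when a connection fails after deployment; the diagnostics feed demoed on slide 16 is the next.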

  11. Demo: Create a new tenant and host pool; update the host pool image (Stefan Georgiev)

  12. PowerShell interface

  13. WVD Object Model
     [Object model diagram: the WVD objects and their relation to the "External World"; * marks an implicitly created object]

  14. WVD PowerShell

  15. HostPool flexibility
     • RemoteApp and desktop app groups
     • Set different load balancing algorithms
     • Single or multi-session session host VMs
     • Pooled or personal (future) session host VMs

  16. Demo: PowerShell to publish RemoteApp and troubleshoot using diagnostics (Stefan Georgiev)

  17. Delegated Access

  18. Role-Based Access Control concepts
     • Principal: Azure AD user, group, or app (example: user1@contoso.onmicrosoft.com)
     • Role: set of capabilities (example: RDS Owner)
     • Scope: object instance (example: Tenant1)
     • Assignment: Principal + Role + Scope (example: user1 + RDS Owner + Tenant1)
     Microsoft Confidential

  19. Built-in RDS roles

  20. Inheritance Rules
     1. Objects inherit role assignments from the hierarchy of container objects.
     2. No blocking of inheritance. A role assignment must be removed from the top-level container object.
     3. If you create it, you inherit either RDS Owner or RDS Contributor.
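The Principal + Role + Scope model of slide 18 and the inheritance rules of slide 20, as an added PowerShell example written for this page (not the deck's demo). It assumes the WVD classic role-assignment cmdlets New-RdsRoleAssignment, Get-RdsRoleAssignment and Remove-RdsRoleAssignment with tenant and host-pool scope parameters, and that Get-RdsRoleAssignment at host-pool scope lists inherited assignments with SignInName, RoleDefinitionName and Scope properties; tenant, host pool and user names are placeholders based on the slide's examples.

```powershell
# Added example (not from the deck): assignments at two scopes for one principal,
# showing why revocation has to happen at the scope where the grant was made.
# Cmdlet and property names are assumed from the classic WVD module; values are placeholders.
#Requires -Modules Microsoft.RDInfra.RDPowerShell

$TenantName   = 'Tenant1'
$HostPoolName = 'HostPool1'
$Helpdesk     = 'helpdesk@contoso.onmicrosoft.com'

# Assignment = principal + role + scope. Scope is the whole tenant here, so the
# grant is inherited by every host pool and app group beneath it (rule 1).
New-RdsRoleAssignment -RoleDefinitionName 'RDS Reader' -SignInName $Helpdesk -TenantName $TenantName

# Least privilege for write access: the broader role only on the one host pool
# the helpdesk operates, not on the tenant.
New-RdsRoleAssignment -RoleDefinitionName 'RDS Contributor' -SignInName $Helpdesk `
    -TenantName $TenantName -HostPoolName $HostPoolName

# Listing at host-pool scope shows both the direct Contributor grant and the
# Reader grant inherited from the tenant; there is no way to block it (rule 2).
Get-RdsRoleAssignment -TenantName $TenantName -HostPoolName $HostPoolName |
    Select-Object SignInName, RoleDefinitionName, Scope

# Revocation must target the container where the assignment lives. Removing
# Reader at host-pool scope finds nothing to remove; remove it at the tenant.
Remove-RdsRoleAssignment -RoleDefinitionName 'RDS Reader' -SignInName $Helpdesk -TenantName $TenantName

# Periodic review: anyone still holding RDS Owner at tenant scope.
Get-RdsRoleAssignment -TenantName $TenantName |
    Where-Object RoleDefinitionName -eq 'RDS Owner' |
    Select-Object SignInName, Scope
```

Because inheritance cannot be blocked, a tenant-scope RDS Owner or RDS Contributor grant reaches every host pool and app group that will ever be created under it, so those roles belong at tenant scope only for the few accounts that administer the whole deployment; delegated operators get their role on the host pool or app group they own, as the second assignment above does.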

  21. WVD PowerShell – Delegated Access

  22. WVD Object Model
     [Object model diagram with example assignments: admin = RDS Owner, stefan = RDS Reader, stefan = RDS Owner; * marks an implicitly created object]

  23. Demo: Delegated access and sample web UI (Stefan Georgiev)

  24. Summary: Windows Virtual Desktop
     • Simplifies management of Azure-hosted Windows
     • Azure AD authentication enables new security features
     • Reverse connect isolates customer environments
     • Multi-tenancy reduces cost while increasing flexibility
     • Extensible platform enables a rich partner ecosystem

  25. Call to action
     Continue deploying RDS on Azure!
     Register for the preview at https://aka.ms/wvdpreview
     Related sessions:
     Watch online:
     • THR2316 Desktop Virtualization updates with Windows 10 and Microsoft 365
     • BRK2300 What's new and what's next in Windows virtualization
     • BRK3312 Windows Virtual Desktop Deep Dive
     • BRK3087 Office in Virtual Desktop environments
     • THR2302 Virtualization for modern desktops
     Attend live:
     • Fri 9:00 AM – BRK2242 What's new in Remote Desktop Services on Windows Server 2019
     • Fri 10:15 AM – BRK2424 New multi-session virtualization capabilities in Windows
     • Fri 11:30 AM – BRK2243 Migrate your virtualized client application to Azure
     Visit us in the Expo Hall – Modern Desktop section

  26. Please evaluate this session
     Your feedback is important to us! Please evaluate this session through MyEvaluations on the mobile app or website.
     Download the app: https://aka.ms/ignite.mobileApp
     Go to the website: https://myignite.techcommunity.microsoft.com/evaluations
