Windows Virtual Desktop


Microsoft Windows Virtual Desktop

The best virtual desktop experience, delivered on Azure

M A Nakib
VIRTUALIZATION SCENARIOS

Security and regulation
• Financial Services
• Healthcare
• Government

Elastic workforce
• Mergers and acquisition
• Short term employees
• Contractor and partner access

Specific employees
• BYOD and mobile
• Call centers
• Branch workers

Specialized workloads
• Design and engineering
• Legacy apps
• Software dev test
Virtualization hosts today

Windows Server (Desktop Experience)
Scalable multi-session legacy Windows environment
• Multiple sessions
• Win32
• Office Perpetual/Office ProPlus (Windows Server 2016, 2019)
• Long-Term Servicing Channel

Windows 10 (Enterprise)
Native single-session modern Windows experience
• Single session
• Win32, UWP
• Office 365 ProPlus
• Semi-Annual Channel
Windows Virtual Desktop Benefits

• Enables a multi-session Windows 10 experience, optimized for Office 365 ProPlus
• Supports Windows Server (2012R2+)
• Most flexible service allowing you to virtualize both desktops and apps
• Windows 7 virtual desktop with free Extended Security Updates
• Integrated with the security and management of Microsoft 365
SUPPORTED OS

• Windows 10 Enterprise Multi-session
• Windows 10 Enterprise Single-Session
• Windows 7 Single-Session
• Windows Server 2019
• Windows Server 2016
• Windows Server 2012 R2

VMs in customer’s Azure subscription


PREREQUISITES

Requirements
• Azure subscription
• Azure Active Directory
• Determine your identity strategy (AD, Azure AD DS)
• All associated Azure resources (image, virtual network, storage) in one region
• Required credentials (Azure AD, WVD tenant, Service principal, etc.)
Network requirements and considerations

Requirements
• Network must route to a Windows Server Active Directory (AD)
• This AD must be in sync with Azure AD so users can be associated between the two
• VMs must domain-join this AD

Considerations
Connectivity              Type      Special Considerations
ExpressRoute              Hybrid    Dedicated network through service provider
Site-to-Site VPN          Hybrid    Limited bandwidth compared to ExpressRoute
Azure AD Domain Services  Isolated  Must synchronize password hashes to Azure AD
Recommended identity setup for cloud-based organizations

Azure AD

Azure AD Domain Services
• Windows Server AD run as a service by Azure
• Allows VMs to be domain-joined
• Users recognized both in Azure AD and Windows Server AD
Recommended identity setup for hybrid organizations

Azure AD

Windows Server AD on-prem connected to Azure
• ExpressRoute or site-to-site VPN to Azure
• Azure AD Connect to synchronize identities
Implementation Guidance – infrastructure management

• Master image can be managed by any already existing process and technologies including
– Azure Update Management
– System Center Configuration Manager
– 3rd party
• Best practices document will be provided to assist in configuration of a golden image for WVD
• Application masking technology to minimize the number of golden images and simplify app image management
Device redirection
• High-level redirection of built-in or attached video camera
• Less network bandwidth compared to USB camera redirection
• Increased video framerate, up to 30 fps
• Redirect multiple cameras
• Improved printing messages
• Built-in Windows client first to adopt
Virtualizing Windows Server

• Supports 2012 R2, 2016, and 2019 Windows Server
– If an older version, suggest upgrade to newer version or refactor app for Windows 10 multi-session
• Office 365 ProPlus support only in Windows Server 2016 and 2019
– 2012 R2 only supports Office perpetual
– Use Windows 10 Enterprise multi-session for best experience
• Requires the use of Windows Server VMs on Azure but can leverage Azure Hybrid Benefit for cost savings

RD Session Host (Windows Server)
Scalable multi-user legacy Windows environment.
• Multiple users
• Win32
• Office Perpetual or Office 365 ProPlus (Windows Server 2016/2019)
• Long-Term Servicing Channel
[Architecture diagram]

Identity
• Azure AD: contoso.com, contoso.onmicrosoft.com
• AAD Sync (Over Internet)
• ADDC (running AAD Connect), contoso.local
• Domain Controller Replication (Over S2S VPN)

Connectivity
• On-Premise: S2S VPN over Internet
• Azure VPN Gateway or ExpressRoute gateway: 10.10.0.4 (Public IP: X.X.X.X)
• Azure Firewall or NVA: 10.10.20.4 (Public IP: X.X.X.X)
• VNET Peering

VNET: (10.10.0.0/16), West Europe, DNS: 10.10.10.5
• Mgmt Subnet: 10.10.10.0/24 (ADDC, 10.10.10.5)
• GW Subnet: 10.10.0.0/24
• FW Subnet: 10.10.20.0/24

WVDVNET: (100.64.0.0/16), West Europe, DNS: 10.10.10.5
• Fileserver Subnet: 100.64.2.0/24 (FS01 100.64.2.4, FS02 100.64.2.5)
• WVD Subnet: 100.64.1.0/24 ([agent], [Over MS Backbone])

Default Tenant Group, Tenant Name: XXXX01
• Hostpool Name: XXXXHP01, Win10 (Persistent), can be N-Series
– App Groups: Desktop AG 1 (Remote Des.)
• Hostpool Name: XXXXHP02, Win10 EVD + O365 (Pooled)
– App Groups: Desktop AG 2 (Remote Des.); App AG 2 (Word, Excel)
• Hostpool Name: XXXXHP03, Win2016 (Pooled)
– App Groups: Desktop AG 3 (Remote Des.); App AG 3 (WordPad)

WVD PaaS Service: EastUS2/CentralUS (during preview)
• Web Access, Diagnostics, Gateway, Broker, Mgmt., Rest API, Azure SQL DB, PowerShell
• WVD Clients: WVD Web/Downloadable Client (Over Internet)
• wvdadmin@contoso.onmicrosoft.com (Tenant Creator)
[Architecture diagram]

Identity
• Azure AD: contoso.onmicrosoft.com, contoso.com
• AAD Sync
• adVM - 10.0.0.4 (running AAD Connect), Contoso.local

Networks
• On-premises network
• adVNET: 10.0.0.0/16, EastUS2, DNS: 10.0.0.4
– adSubnet: 10.0.0.0/24 (adVM - 10.0.0.4)
– fsSubnet: 10.2.0.0/24 (fs01 - 10.2.0.4)
– wvdSubnet: 10.0.1.0/24 ([agent], [Over MS Backbone])

Default Tenant Group, Tenant Name: Contoso-WVD-Tenant
• Hostpool Name: ContosoHP01, Win10 (Persistent), can be N-Series
– App Groups: HP01-AG01 (Remote Des.)
• Hostpool Name: ContosoHP02, Win10 EVD + O365 (Pooled)
– App Groups: HP02-AG01 (Remote Des.); HP02-AG02 (Word, Excel)
• Hostpool Name: ContosoHP03, Win2016 (Pooled)
– App Groups: HP03-AG01 (Remote Des.); HP03-AG02 (WordPad)
• Users: user01@, user2@, user03@

WVD PaaS Service: EastUS2/CentralUS (during preview)
• Web Access, Diagnostics, Gateway, Broker, Mgmt., Rest API, Azure SQL DB, PowerShell
• WVD Clients: WVD Web/Downloadable Client (Over Internet)
• admin@contoso.com (Tenant Creator)

Note: AADDS can also be used instead of AD
Full desktop vs. RemoteApp
Based on what your users need to do.

Full desktop
• Power Users / Developers that need to install their own apps or admin privileges
• Clients lack computing power / outdated OS

Use RemoteApp
• Clients vary widely and application consistency is impacted
• Different version of the same app from different
Benefits
• Uses native Windows VHD capabilities–no hypervisor.
• Very easy to deploy and manage.
• Completely seamless end-user experience.
• Works with other application management platforms.
• Easy to test, implement, and manage.
• Reduces network and filesystem load.

Container, Profile Container, Office 365 Container, App Masking, Java Redirection, SMB Storage
Benefits (Profile Container)
• Places entire user profile in network-based container.
• Extremely fast logon times.
• Virtually eliminates profile corruption.
• Works alongside existing User Environment Management platforms.
Benefits (Office 365 Container)
• Places Office 365 cache data in network-based container.
• Enables roaming of Outlook OST, OneDrive cache, Windows Search, and more…
• Office apps have native performance and behavior.
• Works alongside other profile management platforms.
Benefits (App Masking)
• Application Management without sequencing, snapshotting, packaging, or virtualization.
• All apps installed in base image.
– Only apps a user is entitled to are revealed.
– App entitlements can be changed in real time.
– Works with fonts, plugins, and more…
– Excellent app compatibility
• Massively reduce the number of gold images that must be maintained
Benefits (Java Redirection)
• Securely collocate multiple versions of Java on same base image
• Run each app or website with specific version of Java required for full functionality
• Uses FSLogix App Masking to hide unused versions of Java when not needed
Most customers are already eligible for WVD

Client
Customers are eligible to access Windows 10 single and multi session and Windows 7 with Windows Virtual Desktop (WVD) if they have one of the following licenses*:
• Microsoft 365 E3/E5
• Microsoft 365 A3/A5/Student Use Benefits
• Microsoft 365 F1
• Microsoft 365 Business
• Windows 10 Enterprise E3/E5
• Windows 10 Education A3/A5
• Windows 10 VDA per user

Server
Customers are eligible to access Server workloads with Windows Virtual Desktop (WVD) if they have one of the following licenses:
• RDS CAL license with active Software Assurance (SA)

*Customers can access Windows Virtual Desktop from their non-Windows Pro endpoints if they have a Microsoft 365 E3/E5/F1, Microsoft 365 A3/A5 or Windows 10 VDA per user license.

Pay only for the virtual machines (VMs), storage, and networking consumed when the users are using the service

Take advantage of options such as one-year or three-year Azure Reserved Virtual Machine Instances, which can save up to
72 percent versus pay-as-you-go pricing. Now with monthly payment options!
See if Windows Virtual Desktop is right for your customers
Take the self-assessment:
• You need the ability to add users quickly and easily
• You need to scale efficiently on demand
• Your end-users need a seamless rich client experience with Outlook, Search, Cortana, OneDrive, and Skype
• You need to manage different deployment types across different deployment planes
• You need to bring Remote Desktop Services (RDS) to your users
• You need to support both persistent and non-persistent environments
• You need integrated security and management e.g. Microsoft 365, AAD
• You need to run Windows 7 legacy applications post upcoming Win 7 EOL
• You are in a regulated industry and need to meet strict compliance requirements
• Your virtual desktop journey requires reuse of existing investments (e.g. Citrix)
• You want to reduce management and deployment costs for Windows Server
Thank you
