Preparing to Manage Windows Virtual Desktops (WVD) (2024)

Introduction

Technologies such as Intune and Endpoint Configuration Manager (used to manage enterprise devices) are becoming more robust, and these tools can now also be used for virtual devices such as those provided by Microsoft's Windows Virtual Desktop service in Azure.

Windows Virtual Desktop (WVD)

Overview

As a desktop and app virtualization service in Azure, Windows Virtual Desktop allows administrators to set up scalable, multi-session Windows 10 deployments using virtualized desktops as well as virtualized Microsoft 365 and other apps in multi-user scenarios.

Deploying and managing WVDs in Azure can also be accomplished with multiple options for management of host pools, app groups, user assignment and resource publishing.

Requirements

The following requirements must be met to set up and connect WVDs and apps.

Requirement: Supported OS
  • Windows 10 Enterprise (including multi-session)
  • Windows 7 Enterprise
  • Windows Server 2012 R2, 2016, 2019

Requirement: Azure Active Directory (AAD)
  • Tenant required

Requirement: Windows Server AD (in sync with AAD)
  • Only Hybrid Azure AD joins are supported

Requirement: Azure Subscription
  • Parented to the same AAD tenant and connected to the Windows Server AD or Azure AD DS instance

Requirement: Users
  • Users must be sourced from the same AD connected to AAD
  • The UPN used to subscribe to WVD must exist in the AD domain the VM is joined to

NOTE: WVDs do not support Azure AD guest user accounts

Requirement: Azure WVDs (Intune prerequisites)
  • Windows 10 (1809) or later
  • Hybrid AD-joined (not Azure AD-joined only)
  • Configured as personal remote desktops in Azure
  • Enrolled in Intune using either AD group policy to auto-enroll hybrid Azure AD joined devices, ECM co-management, or user self-enrollment via Azure AD join

NOTE: Intune treats WVD personal VMs the same as physical Windows 10 Enterprise desktops.

Requirement: Supported RD clients
  • Windows Desktop
  • Web
  • macOS and iOS
  • Android
  • Microsoft Store Client

NOTE: RemoteApp, RADC or the Remote Desktop Connection (MSTSC) client are NOT supported

Multi-session

Windows 10 Enterprise multi-session is a new Remote Desktop Session Host that allows multiple concurrent interactive sessions. Multi-session varieties of Windows 10 also:

  • Cannot run in on-premises production environments
  • Will not activate against on-premises Key Management Services (KMS)
  • Only support hybrid Azure AD joined configurations

Microsoft recommends Endpoint Configuration Manager (Current Branch, 1906/newer releases) when managing deployed multi-session WVDs.

Hybrid Azure AD Join

One of the requirements for managing your Windows 10 WVD environment with Endpoint Manager is the use of Hybrid Azure AD join. When you configure your devices to Hybrid join Azure AD, these devices become visible and manageable both in your on-premises AD and in Azure AD.

Requirements, Support and Considerations

  • Credentials of a global administrator for the Azure AD tenant and an Enterprise Administrator account for the on-prem forest are required.
  • Domain Controller should be at least Windows Server 2008 R2
    • Server 2016 or Server 2019 are recommended
    • Server Core does NOT support any type of device registration

NOTE: A single forest should sync identities to only one Azure tenant. Single forest syncing of identity data to multiple Azure AD tenants is NOT supported.

  • Client devices as old as Windows 8.1 are supported
    • Latest release of Windows 10 is recommended
  • Older operating systems (pre-Windows 10 and pre-Server 2016) using credential roaming, user profile roaming, or mandatory profiles are NOT supported
  • When using Sysprep for pre-Windows 10 1809 reference images that are used for deployments, make sure the image isn’t from a device that is already registered in Hybrid Azure AD.
  • Ensure that VM snapshots, used to create new VMs, are not from a virtual machine that is already registered with Hybrid Azure AD.
  • Enabling Unified Write Filter and similar technologies prior to Hybrid Azure AD join will result in the device getting unjoined on every reboot, so do not apply them until after the device is joined.
  • Windows 10 releases older than 1803, which are already Azure AD registered, must have this registration removed before enabling Hybrid Azure AD; otherwise, a dual state condition will exist.
  • Support for FIPS-compliant TPM 2.0
    • TPM 1.2 is not supported and is treated as if no TPM were present.

Hybrid Azure AD join requires devices have access to the following Microsoft resources inside your organization’s network:

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com
  • https://autologon.microsoftazuread-sso.com (seamless SSO)

NOTE: Azure AD Connect provides a wizard to configure hybrid Azure AD join, which significantly simplifies the configuration process.

Managed vs. Federated Environments

In-depth information on these two topics is out of the scope of this document; however, a few key components are worth mentioning and exploring further for a full understanding of each.

  • A managed environment can be deployed either through Password Hash Sync (PHS) or Pass Through Authentication (PTA) with Seamless Single Sign On. These configurations don't require a federation server for authentication.

    Note: Azure AD does not support smartcards or certificates in managed domains.

  • Federated environments should have an identity provider that supports the following requirements, which are already supported by Active Directory Federation Services (AD FS).
  • WIAORMULTIAUTHN claim: Needed for hybrid Azure AD join for Windows down-level devices.
    • Down-level devices are pre-Windows 10 and pre-Windows Server 2016
  • WS-Trust protocol: Needed for authentication between current Windows hybrid Azure AD joined devices and Azure AD. AD FS environments must enable the following WS-Trust endpoints:
    • /adfs/services/trust/2005/windowstransport
    • /adfs/services/trust/13/windowstransport
    • /adfs/services/trust/2005/usernamemixed
    • /adfs/services/trust/13/usernamemixed
    • /adfs/services/trust/2005/certificatemixed
    • /adfs/services/trust/13/certificatemixed

Example: Using AAD Connect to Perform Hybrid join

1) Start Azure AD Connect and click the Configure button.
2) Click Configure Device Options from the list of Additional Tasks.
3) Review the Overview page and click Next.
4) Enter the credentials for an Azure AD global administrator account, and click Next.
5) Select Configure Hybrid Azure AD join and click Next.
6) Select the Device OS configuration (current Windows 10 or older "down-level" operating systems) which will be supported and click Next.
7) Service Connection Points (SCP) are used by devices to discover their Azure AD tenant information, and one must be configured for EACH forest. Click on the Edit button, fill in your Enterprise Administrator credentials and click on Next.

   NOTE: As stated in the Wizard, a configuration PowerShell script (ConfigureSCP.ps1) can be provided to, and run manually by, an Enterprise Administrator in the organization in the event that the person using AD Connect does not have the permissions.

8) Click on Configure to begin the process.
9) When the Configuration Complete message displays, the Wizard can be exited.
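The SCP that step 7 configures is an ordinary object in the forest's Configuration partition, so its presence can be confirmed read-only before any session host is expected to register. The check below is an added example, not part of the original document or of Azure AD Connect; it assumes the RSAT ActiveDirectory module and read access to the Configuration partition, and uses the well-known SCP container name that Azure AD device registration looks for.

```powershell
# Added example: confirm the Hybrid Azure AD join SCP exists and names a tenant.
# Assumes the ActiveDirectory module (RSAT) and read access to the Configuration NC.
Import-Module ActiveDirectory

function Get-HybridJoinScp {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    # Well-known SCP location used by Azure AD device registration
    $scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"
    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Present = $false; TenantName = $null; TenantId = $null; Dn = $scpDn }
    }
    # keywords carries "azureADName:<tenant domain>" and "azureADId:<tenant GUID>"
    $name = @($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
    $id   = @($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
    [pscustomobject]@{
        Present    = $true
        TenantName = ($name | Select-Object -First 1)
        TenantId   = ($id   | Select-Object -First 1)
        Dn         = $scpDn
    }
}

$result = Get-HybridJoinScp
if (-not $result.Present) {
    Write-Warning "No SCP at $($result.Dn). Re-run the AAD Connect device options task, or have an Enterprise Administrator run ConfigureSCP.ps1."
} elseif (-not $result.TenantId) {
    Write-Warning 'SCP exists but has no azureADId keyword; devices cannot discover the tenant from it.'
} else {
    "SCP present: tenant $($result.TenantName) ($($result.TenantId))"
}
```

Run it once per forest, since the text above requires one SCP for each forest.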

Synchronizing Session Hosts and Confirming Status

Computer accounts from the local Active Directory must synchronize with Azure AD before registration can be completed.

Running dsregcmd /status on a client is a quick way of verifying registration status. The AzureAdJoined attribute in the Device State section should be YES.

NOTE: It can usually take 15 minutes or more for the registration process to complete.
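Reading dsregcmd /status by eye across a host pool does not scale, so the following added example (not from the original document) parses its output on a session host and reports whether the device is in the expected Hybrid joined state: AzureAdJoined and DomainJoined both YES. It also flags the dual state (Azure AD registered and Hybrid joined at once) noted in the considerations above. Run it locally on the VM; the field names are those dsregcmd prints.

```powershell
# Added example: parse dsregcmd /status into a hashtable and evaluate the join state.
function Get-DeviceRegistrationState {
    param([string[]]$StatusOutput = (dsregcmd.exe /status))
    $state = @{}
    foreach ($line in $StatusOutput) {
        # Value lines look like "   AzureAdJoined : YES"; section borders and headers are skipped
        if ($line -match '^\s*([A-Za-z0-9_ ]+?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Test-HybridJoined {
    param([hashtable]$State)
    [pscustomobject]@{
        AzureAdJoined = ($State['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($State['DomainJoined'] -eq 'YES')
        # Azure AD registered (WorkplaceJoined) together with a Hybrid join is the unwanted dual state
        DualState     = ($State['AzureAdJoined'] -eq 'YES') -and ($State['WorkplaceJoined'] -eq 'YES')
        TenantName    = $State['TenantName']
        DeviceId      = $State['DeviceId']
        MdmUrl        = $State['MdmUrl']
    }
}

$status = Test-HybridJoined -State (Get-DeviceRegistrationState)
if ($status.AzureAdJoined -and $status.DomainJoined) {
    "Hybrid Azure AD joined to $($status.TenantName) as device $($status.DeviceId)"
    if (-not $status.MdmUrl) { Write-Warning 'No MDM URL reported yet; the device is not enrolled in Intune.' }
} else {
    Write-Warning 'Device is not Hybrid Azure AD joined yet; allow 15+ minutes for sync and registration, then re-check.'
}
if ($status.DualState) { Write-Warning 'Device is both Azure AD registered and Hybrid joined (dual state); remove the registration.' }
```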

Intune Enrollment

When a device is enrolled, it is issued an MDM certificate. This certificate is used to communicate with the Intune service.

NOTE: Licenses must be assigned to an administrator's account before that administrator can enroll devices in Intune.

Enable Automatic Enrollment

Automatic enrollment allows users to enroll their Windows 10 devices in Intune by adding their work account to their personally owned devices, or join corporate-owned devices to Azure Active Directory. The device then registers, joins Azure AD and becomes managed with Intune.

1) From the Azure Portal, navigate to Azure Active Directory > Mobility (MDM and MAM).
2) Open the Microsoft Intune item.

   NOTE: Some tenants might have both Microsoft Intune and Microsoft Intune Enrollment under Mobility. Make sure that your auto-enrollment settings are configured under Microsoft Intune (not Microsoft Intune Enrollment).

3) Verify the MDM discovery URL used during auto-enrollment: https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc (Home > Mobility (MDM and MAM)).
4) Ensure automatic enrollment is enabled for the users (All, or Some (group membership)) who will self-enroll devices into Intune.
5) Make any other desired changes and then apply the new settings.

Auto-enroll Using Group Policy

Starting in Windows 10, version 1607, once the enterprise has registered its local Active Directory with Azure AD, a domain-joined Windows device will be automatically registered in Azure AD.

Once the group policy is created and enabled on the local Active Directory, a task is created in the background that initiates the enrollment using the existing MDM service configuration from the Azure AD information of the user, and without their interaction.

NOTE: If multi-factor authentication is enabled, the user will be prompted for additional authentication.

Example Group Policy Configuration (Single Device)

Complete the steps below to configure a group policy to enroll a single device into Intune.

1) Enter gpedit into the Windows Search bar to open the Group Policy Editor (Edit group policy).
2) Navigate to Administrative Templates > Windows Components > MDM in the Editor.
3) Open Enable automatic MDM enrollment using default Azure AD credentials (previously called Auto MDM Enrollment with AAD Token in Windows 10, version 1709).
4) Click Enable and select User Credential from the dropdown Select Credential Type to Use, then click OK.

Note: The MDM.admx file was updated in Windows 10 (1903) to include the Device Credential option, which only affects Windows 10, version 1903 clients. Older Windows releases revert to User Credential, and Device Credential is not supported as the enrollment type when you have an Endpoint Configuration Manager agent on the device.

After a group policy refresh, a scheduled task (Schedule created by enrollment client for automatically enrolling in MDM from AAD) will be created, and run every 5 minutes for the duration of one day.

If two-factor authentication is required, you will be prompted to complete the process.
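Because the enrollment task runs silently every 5 minutes for a day and then gives up, it is worth checking on the client that the policy actually applied and what the last attempt did. The script below is an added example, not from the original document: it reads the registry values the MDM policy writes, looks for the scheduled task quoted above, and pulls the most recent auto-enrollment event. The registry path, value names and event IDs (75 success, 76 failure) are the ones the policy and enrollment client are known to use; run as administrator.

```powershell
# Added example: report the state of GPO-driven automatic MDM enrollment on a client.
function Get-AutoEnrollmentStatus {
    # Values written by "Enable automatic MDM enrollment using default Azure AD credentials"
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    $credType = switch ($policy.UseAADCredentialType) { 1 { 'User' } 2 { 'Device' } default { '(not set)' } }

    # Task created after policy refresh (name as quoted in the text above), wildcard to tolerate suffixes
    $task = Get-ScheduledTask -TaskName 'Schedule created by enrollment client for automatically enrolling*' -ErrorAction SilentlyContinue |
        Select-Object -First 1

    # Event 75 = Auto MDM Enroll succeeded, 76 = failed
    $lastEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 75, 76
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    $lastResult = 'No attempt logged'
    if ($lastEvent) { $lastResult = if ($lastEvent.Id -eq 75) { 'Succeeded' } else { 'Failed' } }

    [pscustomobject]@{
        PolicyApplied    = ($policy.AutoEnrollMDM -eq 1)
        CredentialType   = $credType
        TaskPresent      = [bool]$task
        TaskState        = if ($task) { $task.State } else { $null }
        LastResult       = $lastResult
        LastResultTime   = if ($lastEvent) { $lastEvent.TimeCreated } else { $null }
        LastResultDetail = if ($lastEvent) { $lastEvent.Message } else { $null }
    }
}

$s = Get-AutoEnrollmentStatus
$s | Format-List
if (-not $s.PolicyApplied) {
    Write-Warning 'Policy not applied: run gpupdate /force and confirm the GPO is linked and filtered to this device.'
} elseif (-not $s.TaskPresent) {
    Write-Warning 'Policy applied but no enrollment task yet; it is created at the next policy refresh.'
} elseif ($s.LastResult -eq 'Failed') {
    Write-Warning 'Auto-enrollment failed; see LastResultDetail (typical causes: no license on the user, pending MFA prompt, Hybrid join not yet complete).'
}
```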

Example Group Policy Configuration (Group)

Complete the steps below to configure a group policy for enrolling a group of devices into Intune.

1) Download Administrative Templates (.admx) for Windows 10:
  • April 2018 Update (1803)
  • October 2018 Update (1809)
  • May 2019 Update (1903)
  • November 2019 Update (1909)
  • May 2020 Update (2004)
2) Install the package on the Domain Controller.
3) Navigate to the folder for your version under C:\Program Files (x86)\Microsoft Group Policy\:
  • Windows 10 April 2018 Update (1803) v2
  • Windows 10 October 2018 Update (1809) v2
  • Windows 10 May 2019 Update (1903) v3
  • Windows 10 November 2019 Update (1909)
  • Windows 10 May 2020 Update (2004)
4) Rename the extracted Policy Definitions folder to PolicyDefinitions.
5) Copy the PolicyDefinitions folder to C:\Windows\SYSVOL\domain\Policies.
6) Restart the Domain Controller to make the policy available.
7) Create a Group Policy Object (GPO) and enable the Group Policy Computer Configuration > Policies > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Azure AD credentials.
8) Create a Security Group for the PCs.
9) Link the GPO and filter using security groups.

Bulk Enrollment

Create a provisioning package to bulk enroll devices for the Azure AD tenant using the Windows Configuration Designer (WCD) app. When the package is applied to corporate-owned devices they join to the Azure AD tenant and enroll into Intune for management.

Create Provisioning Package

1) Open the Windows Configuration Designer (can be downloaded from the Microsoft Store), and select Provision desktop devices.
2) Specify the following in the New project window:
  • Name - A name for your project
  • Project folder - Save location for the project
  • Description - An optional description of the project
3) Enter unique names for devices. Names can include a serial number (%SERIAL%) or a random set of characters. Other configuration options include:
  • Product key if upgrading the edition of Windows
  • Configure the device for shared use
  • Remove pre-installed software
4) Optionally, configure the Wi-Fi network devices connect to when they first start. If Wi-Fi isn't configured, a wired network connection is required when the device is first started.
5) Select Enroll in Azure AD, enter a Bulk Token Expiry date, and then select Get Bulk Token.
6) Provide your Azure AD credentials to get a bulk token.
7) On the Stay signed in to all your apps page, select No, sign in to this app only.
8) Click Next when the Bulk Token is fetched successfully.
9) Optionally, Add applications and Add certificates. These apps and certificates are provisioned on the device.
10) Optionally, password protect your provisioning package. Click Create.

Provision Devices

The steps below will help provision devices using the bulk enrollment provisioning package. Detailed step-by-step instructions for applying these packages are out of the scope of this document, but can be found in Microsoft's documentation (Apply a provisioning package).

1) Access the provisioning package in the Project folder location specified in the app.
2) Choose how to apply the provisioning package to the device, in one of the following ways:
  • Place the provisioning package on a USB drive, insert the USB drive into the device you'd like to bulk enroll, and apply it during initial setup
  • Place the provisioning package on a network folder, and apply it after initial setup
3) After you apply the package, the device will automatically restart in one minute.
4) When the device restarts, it connects to Azure Active Directory and enrolls in Microsoft Intune.

Publishing the Remote Desktop Client Package

Creating the WVD Package

Complete the steps below to create the wrapper package that will be deployed to the necessary devices.

1) Download and unzip the Win32 Content Prep Tool from GitHub (https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool).
2) Download the latest Windows Desktop Client (https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windowsdeskto...).
3) Run the Win32 Content Prep tool to create the Win32 .intunewin package:
  • <Win32ContentPrepDirectory>\IntuneWinAppUtil.exe
  • Source and Output folders = The directory/path containing the contents of the Win32 Content Prep tool Zip
  • Setup File = The directory/path to the RDC .msi file downloaded earlier
  • Specify Catalog Folder? = N

NOTE: If successful, a .intunewin file will be written to the Output folder alongside the contents of the Win32 Content Prep tool.
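Step 3 answers the tool's prompts interactively; for a repeatable build the same answers can be passed as switches. The wrapper below is an added example (not from the original document or from the Content Prep tool's own repository) that runs IntuneWinAppUtil.exe with -c (source folder), -s (setup file), -o (output folder) and -q (quiet), records the installer's SHA-256 so the package can be tied back to the download, and verifies the .intunewin appeared. It departs from step 3 in one respect: the source folder holds only the MSI, so the tool binaries are not packed into the package. All paths and the MSI file name are placeholders; the ALLUSERS=1 install command is the usual per-machine silent install for the client MSI and is an assumption to confirm against the downloaded build.

```powershell
# Added example: non-interactive .intunewin build for the Remote Desktop client MSI.
param(
    [string]$PrepToolDir = 'C:\Tools\Microsoft-Win32-Content-Prep-Tool',  # unzipped Content Prep tool (placeholder)
    [string]$SourceDir   = 'C:\Packages\RDClient\Source',                 # folder containing only the MSI (placeholder)
    [string]$SetupFile   = 'RemoteDesktop_x64.msi',                       # downloaded client MSI (placeholder name)
    [string]$OutputDir   = 'C:\Packages\RDClient\Output'                  # placeholder
)

function New-IntuneWinPackage {
    param([string]$Tool, [string]$Source, [string]$Setup, [string]$Output)
    $setupPath = Join-Path $Source $Setup
    if (-not (Test-Path $setupPath)) { throw "Setup file not found: $setupPath" }
    New-Item -ItemType Directory -Path $Output -Force | Out-Null

    # Hash of the installer as downloaded, for the deployment record
    $hash = (Get-FileHash -Path $setupPath -Algorithm SHA256).Hash

    # -c source folder, -s setup file, -o output folder, -q quiet (no prompts)
    & (Join-Path $Tool 'IntuneWinAppUtil.exe') -c $Source -s $Setup -o $Output -q
    if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil.exe exited with code $LASTEXITCODE" }

    # The tool names the output after the setup file with an .intunewin extension
    $package = Join-Path $Output ([IO.Path]::GetFileNameWithoutExtension($Setup) + '.intunewin')
    if (-not (Test-Path $package)) { throw "Expected package not found: $package" }

    [pscustomobject]@{
        Package        = $package
        SetupSha256    = $hash
        # Assumed per-machine silent install command for the Program step in the admin center
        InstallCommand = "msiexec.exe /i `"$Setup`" /qn ALLUSERS=1"
    }
}

New-IntuneWinPackage -Tool $PrepToolDir -Source $SourceDir -Setup $SetupFile -Output $OutputDir
```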

Configuring App Policy Using the MEM Admin Center

Complete the steps below to create the app policy for the new WVD wrapper package created in the previous section.

1) From the MEM Admin Center, navigate to Apps > Windows.
2) Click the + Add button and select Windows app (Win32).
3) Click Select app package file, and browse to the .intunewin package created above.
4) Customize the App Information (name, description, logo) as needed.
5) Configure the Program installation command lines and restart behavior.
6) Configure the Requirements (architecture, OS).
7) Configure Detection Rules.
8) Skip Dependencies.
9) Assign the app to the necessary AAD group(s).
10) Review the configuration and then Create the App policy.
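Step 7 can use a custom detection script instead of a file or registry rule. Intune's convention is that the app counts as installed only when the script exits 0 and writes something to STDOUT; exit 0 with no output, or a non-zero exit, means not detected. The script below is an added example (not from the original document) that detects the client through its MSI uninstall entry and also treats an older installed build as "not detected" so the new package supersedes it. The display name and minimum version are assumptions to adjust to the downloaded build.

```powershell
# Added example: Intune Win32 custom detection script for the Remote Desktop client MSI.
param(
    [string]$DisplayName     = 'Remote Desktop',   # assumed uninstall-entry DisplayName of the client
    [version]$MinimumVersion = '1.2.0.0'           # assumed floor; set to the packaged build's version
)

function Get-InstalledRdClient {
    param([string]$Name)
    # MSI per-machine installs register under one of these two uninstall hives
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $Name -and $_.Publisher -like 'Microsoft*' } |
        Select-Object DisplayName, DisplayVersion, Publisher -First 1
}

$app = Get-InstalledRdClient -Name $DisplayName
if ($null -eq $app) {
    # Not installed: exit 0 with no STDOUT so Intune reports "not detected" and installs
    exit 0
}

$installed = $null
if (-not [version]::TryParse([string]$app.DisplayVersion, [ref]$installed)) {
    # Unparseable version string: be conservative and report not detected
    exit 0
}

if ($installed -lt $MinimumVersion) {
    # Present but older than the packaged build: report not detected so the upgrade runs
    exit 0
}

Write-Output "Detected $($app.DisplayName) $installed"
exit 0
```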

© 2021 Microsoft Corporation. All rights reserved. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes.
