With just six weeks left until our in-person, all-inclusive user conference and industry event – excitement and anticipation are at an all-time high. And for good reason! We are bringing attendees the best content, sponsors and speakers to provide a well-rounded learning experience when it comes to leveraging Microsoft Azure, Azure Virtual Desktop and Windows 365, and give partners the tips and strategies that will allow them to grow their businesses in 2022.
To share a taste of what you can learn at NerdioCon 2022, we’ve developed a new blog series to shine spotlights on our fantastic speakers. Kicking off the NerdioCon Nerd Icon series, we sat down with Jamie Moore, Director of Account Management at Blackpoint Cyber.
What has your career journey been like and how did you come to be in your current role?
I worked for an MSP in Cincinnati, Ohio for seven years. While there, I helped my clients develop strategic technology plans to provide strong foundations for their businesses. Over time, I began to appreciate the dramatic need for increased cyber security. Business leaders were struggling to understand how to keep their businesses safe from cyber criminals. Some overreacted and were afraid of everything; others seemed to completely dismiss concerns because they couldn’t see the impact on their own businesses. This interest in preventing cybercrime, and specifically in educating business leaders about cyber security, brought me to Blackpoint Cyber. At Blackpoint Cyber I help managed service providers learn how to grow their revenue, secure their clients, and communicate the value of security.
Can you share more about what you will be speaking about at NerdioCon 2022 and why the topic is so relevant for partners right now?
It’s no question that cybercrime prevention is a massive motivator for businesses to invest in technology. And yet, MSPs are often hesitant to include managed security solutions in their base offerings because these solutions are perceived as complicated and expensive. As the cyber threat increases, the demands for practical solutions also increase. Join us to use managed security to increase your value and subsequently your revenue. Our breakout session will focus on the hacker timeline, the advantages of investing in a SOC, and how to sell the value of a SOC to your customers and how to make a profit while ensuring their security.
What is one trend impacting MSPs you think will be an even bigger focus / topic in 2022?
Based on what we’ve seen this year, Blackpoint recommends that our partners stay alert and watch out for the following cybersecurity trends:
A continued cycle of ransomware with a primary goal of data exfiltration for extortion
Increased offensive action from governments to take down threat groups regardless of borders
Increased supply chain vulnerabilities from both threat groups and nation-states
Remote working is here to stay. Individuals within their home network will continue to be at risk of spear phishing and becoming a key target used to gain footholds into larger organizations.
Thanks so much, Jamie! Where can our audiences find + follow you on social?
I own and lead an MSP in the greater Philadelphia area and have been providing custom IT support options for businesses of all types and sizes since 2008. We pride ourselves on customer loyalty and satisfaction, so much in fact that one of our trademark differentiators is our guaranteed one-hour response time.
Upholding this rule and being a trusted and committed partner to our clients has been a key to our success, but it’s one of many. To deliver on our guarantee while scaling our practice and adapting to offer the best services, choosing the right vendors and technologies has always been one of my biggest priorities as President.
While I could talk shop all day on this subject, I want to share with you three investments I’ve made into growing my Microsoft Azure practice that have paid off big time especially when it comes to time savings.
One common pain point MSPs encounter across client needs is navigating how to move large amounts of data, especially given the amount of digital transformation and cloud initiatives. After working in IT for nearly two decades, I understand this issue well. Which is why I was instantly hooked after using OneXafe, an easily managed backup and recovery solution which presents an incredibly easy way to move a large on-prem environment to the cloud.
To use a real-life example, my team and I had a recent client request in which they wanted a brand-new and scalable environment with all their files and data. This all included the migration of 50 users, SQL Server file server and their domain controller. This migration was prepped using the OneXafe Solo device one week in advance and we were able to move 3TB of data in one weekend and completed the migration. This tool helps eliminate labor during server migrations.
At Managed Services IT we understand and tell our clients all the time that IT is any company’s most valuable asset, but it requires enormous amounts of time, money, and manpower to manage effectively. I found the same to be true with Microsoft Azure until I found the “easy button,” Nerdio.
In utilizing Nerdio’s multitenant Azure management platform for MSPs, my team has had three engineers doing the work of probably seven as we’ve scaled up our virtual desktop offerings to support the boom in remote work. We’ve got provisioning of Azure Virtual Desktop environments down to 27 minutes on average and have cut back significantly on the amount of nights and weekend hours logged because of Nerdio’s amazing support team and scripted actions.
Finding a strong distributor to partner with can often be one of the biggest advantages you can get over your competition. Pax8 has been an invaluable resource in helping us find the right technologies and vendors to support our growing Azure practice and provide timely and insightful advice for selling cloud solutions to our healthcare customers. Our team at Pax8 knows the Azure ecosystem, and its key players, so well and are tapped in across their network of amazing vendors like Nerdio and OneXafe.
If you are looking to expand or establish a cloud practice in Microsoft Azure in the year ahead, the three companies I’ve profiled here are fantastic resources to get you started.
Windows 365 Cloud PC and Azure Virtual Desktop are both virtual desktop services from Microsoft. However, the pricing models for these services are very different. Azure Virtual Desktop (AVD) is charged based on consumed Azure infrastructure, which allows optimization tools like Nerdio Manager for Enterprise to significantly reduce costs by closely matching the size of infrastructure to actual user demand in real-time. Windows 365, on the other hand, is a licensed service similar to other Microsoft 365 products like Office 365. This means that the cost of Cloud PC infrastructure is included in a monthly subscription regardless of actual usage.
Is the only option to purchase a Windows 365 Cloud PC license for every user who *may* need a virtual desktop and pay for it regardless of usage? Turns out that it’s possible to dramatically reduce Windows 365 license costs (up to 55%) given the unique way in which virtual desktops are used.
Nerdio software is used by thousands of organizations to manage close to two million Azure Virtual Desktop users. This gives us great perspective into the way virtual desktops are used in large production environments. By analyzing aggregated AVD usage data, we were able to identify usage patterns that can be optimized to reduce Windows 365 license costs.
Let’s start by defining some terminology:
Authorized users – potential users of a virtual desktop. They are sometimes referred to as “Named” or “Assigned” users. Each of these users will typically be assigned a Cloud PC license or be given access to an AVD host pool.
Active users – users who are actively using a virtual desktop during some period of time. For example, Monthly Active Users are ones who connect to a Cloud PC or AVD desktop at least once in a month. The number of active users is less than or equal to authorized users.
Concurrent users – users who are connected to their virtual desktop at the same time. The number of concurrent users is always less than or equal to active users.
Peak concurrency – the highest number of concurrent users during a period of time. For example, monthly peak concurrency would be the maximum number of users connected to the desktops at the same time during a month.
In our analysis, we found that in large virtual desktop environments the number of authorized users far exceeds active users and the number of monthly active users far exceeds the peak concurrency over the same period of time. Intuitively this makes sense. Not every user an administrator thinks will need a virtual desktop will actually use one and not everyone who uses a virtual desktop will do so at the same time.
Here are the findings normalized for a 1,000-user environment:
Authorized users = 1,000 (100%)
Average Active users = 600 (60% of total)
Average Peak concurrency = 350 (35% of total)
Note that these numbers are very environment-specific and represent averages across the data set we analyzed. Your mileage may vary.
The “License-based” pricing model challenge
Given the above numbers, if you’re deploying an AVD environment the amount of infrastructure needed should never exceed the peak concurrency, or 350 users in our example (it will actually be even lower with dynamic auto-scaling). However, with a license-based, rather than consumption-based pricing model you will need to purchase 1,000 Cloud PC licenses and assign them to all authorized users even though only 600 users will actively use their desktop and only up to 350 of them will be ever logged in at the same time.
Can anything be done to avoid paying for and “wasting” licenses for users who are not taking advantage of their Cloud PCs? The answer is Yes, and the specifics of how this works are the topic of this article.
The first step is to assign licenses only to those authorized users who actually log into their Cloud PC. Now this is easier said than done because Windows 365 is architected in such a way that a Cloud PC will only be provisioned for a user if a license is already assigned. No license means no Cloud PC and users don’t have admin access to go into Microsoft 365 admin center and assign themselves a license, nor would admins want them to do that.
Nerdio Manager for Enterprise version 3.4 introduced the concept of License Auto-assignment. Here is how it works:
The administrator creates one or more security groups to contain authorized users. These users do not have licenses assigned to them.
The administrator creates a security group to contain licensed users. These are users to whom a Cloud PC license will be assigned upon first login.
The first time an authorized user logs into the Cloud PC, they navigate to an admin-provided URL. If the user is authorized, they will be added to the licensed group, a license will be assigned, and a Cloud PC will be provisioned. The user will automatically be redirected to the Windows 365 portal to log into their desktop.
The result is that only 600 licenses will be needed to support the 600 active users and those licenses will be assigned on-demand. This is a 40% savings and with a $50/user (2 vCPU, 8 GB, 256 GB) license it’s worth $20,000/month.
What happens if a user who once worked on a Cloud PC leaves the organization or changes their workflow in such a way that they no longer use their Cloud PC? The answer is nothing. The user’s Cloud PC will continue running, the license will continue to be assigned to the user, and you will continue paying for it even if no one is ever connecting to the Cloud PC.
This is where the Unused License Reclamation feature of Nerdio Manager for Enterprise comes in. If users don’t connect to their desktop for 45, 60, 90 or any other number of days, the license will be unassigned, and the Cloud PC will go into a “Grace Period” for seven days. During this time the license can be restored, if needed, but if it’s not, the Cloud PC will be automatically de-provisioned.
Here is how it works:
The administrator enables the Unused License Reclamation feature on a Cloud PC provisioning policy in Nerdio Manager and specifies the number of days that a Cloud PC can be inactive before the license is reclaimed.
Nerdio Manager monitors user login activity to the Cloud PC in the background and, once the configured number of days passes without a login, un-assigns the license from the user and notifies the administrator about this action.
The Cloud PC goes into a Grace Period for seven days. If the user logs in during these seven days, the license is re-assigned and the clock resets. If the user does not log in, then the Cloud PC is de-provisioned.
The result is that unused licenses, even if they were used in the past, aren’t being wasted. Once an unused license is reclaimed, it can be assigned to a new user or cancelled to avoid paying the subscription fee.
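The reclamation steps above can be modelled as a state check per Cloud PC. The following Python is an added example, not Nerdio Manager code: the class and function names, the 60-day threshold and the sample fleet are constructed for illustration, and only the seven-day grace period comes from the article. A login during the grace period is modelled as a last-login date that falls inside the grace window.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional

GRACE_DAYS = 7  # grace period length stated in the article


class Action(Enum):
    KEEP = "keep license"
    RECLAIM = "unassign license, notify admin, start grace period"
    WAIT = "grace period running"
    RESTORE = "re-assign license, reset inactivity clock"
    DEPROVISION = "de-provision Cloud PC"


@dataclass
class CloudPC:
    user: str
    last_login: date
    reclaimed_on: Optional[date] = None  # set while the license is unassigned


def evaluate(pc: CloudPC, today: date, inactivity_days: int) -> Action:
    """Return the action the reclamation policy calls for on `today`."""
    if inactivity_days < 1:
        raise ValueError("inactivity_days must be at least 1")
    if pc.reclaimed_on is None:
        idle = (today - pc.last_login).days
        return Action.RECLAIM if idle >= inactivity_days else Action.KEEP
    # License already reclaimed: only a login inside the grace window restores it.
    grace_end = pc.reclaimed_on + timedelta(days=GRACE_DAYS)
    if pc.reclaimed_on <= pc.last_login < grace_end:
        return Action.RESTORE
    if today >= grace_end:
        return Action.DEPROVISION
    return Action.WAIT


def run_policy(fleet: List[CloudPC], today: date, inactivity_days: int) -> Dict[str, Action]:
    """Evaluate every Cloud PC, update its state in place, and report the actions."""
    report: Dict[str, Action] = {}
    for pc in list(fleet):
        action = evaluate(pc, today, inactivity_days)
        if action is Action.RECLAIM:
            pc.reclaimed_on = today      # grace period starts now
        elif action is Action.RESTORE:
            pc.reclaimed_on = None       # clock resets from the new last_login
        elif action is Action.DEPROVISION:
            fleet.remove(pc)
        report[pc.user] = action
    return report


# Constructed sample fleet, evaluated on a constructed date with a 60-day threshold.
TODAY = date(2022, 3, 1)
SAMPLE_FLEET = [
    CloudPC("alice", last_login=date(2022, 2, 27)),                                  # active
    CloudPC("bob", last_login=date(2021, 12, 20)),                                   # idle 71 days
    CloudPC("carol", last_login=date(2021, 12, 1), reclaimed_on=date(2022, 2, 26)),  # in grace
    CloudPC("dave", last_login=date(2022, 2, 28), reclaimed_on=date(2022, 2, 25)),   # logged in during grace
    CloudPC("erin", last_login=date(2021, 11, 1), reclaimed_on=date(2022, 2, 22)),   # grace expired
]

if __name__ == "__main__":
    for user, action in run_policy(SAMPLE_FLEET, TODAY, inactivity_days=60).items():
        print(f"{user:6} {action.value}")
```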
Optimization Strategy #3: Inactive User License Parking
Cloud PCs come in many different sizes ranging from 1 vCPU with 2 GB of RAM for $20/month to 8 vCPU with 32 GB of RAM and 512 GB storage for $158/month. While the user is connected to their Cloud PC, the specs make a big difference in performance and capabilities and are well worth the cost. However, when the user is not connected and the Cloud PC isn’t being used, wouldn’t it be great if the user’s Cloud PC could be “parked” with a cheaper license and assigned the original license when the user logs back in?
Nerdio Manager’s Inactive User License Parking feature does just that. Once users disconnect from their Cloud PC, their license is swapped out with a less expensive license (e.g. 1 vCPU, 2 GB, 64 GB – $20) and once they log back in the original license is re-assigned. This way, the number of licenses needed equals the peak concurrency while the remaining licenses could be less expensive, “parking” licenses.
Here is how it works:
The administrator creates an empty parking security group and assigns a set of parking licenses to it (e.g. 1 vCPU, 2 GB, 64 GB – $20).
Nerdio Manager monitors users’ Cloud PC activity, and non-active users are moved from the licensed security group to the parking security group. This unassigns their primary license and assigns the parking license. The primary license can now be used by another active user.
When users become active again and connect back to their Cloud PC, Nerdio Manager moves the users from the parking group to the licensed group, re-assigning the primary license.
The result is you need fewer primary (more expensive) licenses. In our example, if 600 users are active but peak concurrency is 350 then you only need 350 primary licenses. The remaining 250 are less expensive, parking licenses. If the primary license is 2 vCPU, 8 GB, 256 GB, $50/month and the parking license is 1 vCPU, 2 GB, 64 GB, $20/month then the resulting savings is 15% ($12,500/month), which is on top of the license auto-assignment savings of 40% for a total of 55% in savings or $27,500/month.
A few technical notes:
Inactive User License Parking does not actually resize the user’s VM, it simply temporarily replaces the user’s license while the user is not connected.
For license compliance reasons, it is not possible to un-assign the primary license and leave the user without any license while not connected. Therefore, a minimal parking license is required to stay compliant with licensing requirements.
Changing a user’s Windows 365 license is excluded from short-term license reassignment restrictions that exist for other Microsoft 365 products.
Putting It All Together
In our example of 1,000 authorized users with a 2 vCPU, 8 GB, 256 GB Cloud PC, license savings are $27,500/month. These savings of 55% relative to an “unoptimized” scenario are possible by leveraging License Auto-Assignment and Unused License Reclamation to ensure that you only pay for licenses that are utilized and by using Inactive User License Parking to save on the cost of expensive licenses.
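The metrics defined earlier (authorized users, active users, peak concurrency) and the license counts they lead to can be computed from connection records. This Python is an added example, not Nerdio's code: the session record layout, the function names and the sample sessions are assumptions, and the prices are the article's $50 primary and $20 parking licenses.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple

Session = Tuple[str, datetime, datetime]  # (user, connect time, disconnect time)


def active_users(sessions: Iterable[Session]) -> Set[str]:
    """Users who connected at least once in the period the records cover."""
    return {user for user, _, _ in sessions}


def peak_concurrency(sessions: Iterable[Session]) -> int:
    """Highest number of distinct users connected at the same moment."""
    events: List[Tuple[datetime, int, str]] = []
    for user, start, end in sessions:
        if end <= start:
            raise ValueError(f"session for {user} ends before it starts")
        events.append((start, 1, user))
        events.append((end, 0, user))
    # At equal timestamps handle disconnects (0) before connects (1), so a
    # session that starts as another ends is not counted as overlapping.
    events.sort(key=lambda e: (e[0], e[1]))

    open_sessions: Dict[str, int] = {}  # user -> sessions currently open
    peak = 0
    for _, kind, user in events:
        if kind == 1:
            open_sessions[user] = open_sessions.get(user, 0) + 1
        else:
            open_sessions[user] -= 1
            if open_sessions[user] == 0:
                del open_sessions[user]
        peak = max(peak, len(open_sessions))
    return peak


@dataclass(frozen=True)
class LicensePlan:
    primary: int        # full-price licenses, sized to peak concurrency
    parking: int        # cheaper licenses held by active but disconnected users
    monthly_cost: int
    savings: int        # versus one primary license per authorized user
    savings_pct: float


def license_plan(authorized: int, active: int, peak: int,
                 primary_price: int, parking_price: int) -> LicensePlan:
    if not 0 <= peak <= active <= authorized:
        raise ValueError("expected 0 <= peak <= active <= authorized")
    baseline = authorized * primary_price
    parking = active - peak
    cost = peak * primary_price + parking * parking_price
    savings = baseline - cost
    pct = round(100 * savings / baseline, 1) if baseline else 0.0
    return LicensePlan(peak, parking, cost, savings, pct)


def at(hhmm: str) -> datetime:
    return datetime.strptime("2022-03-01 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample: 6 authorized users, one day of connection records.
AUTHORIZED = {"u1", "u2", "u3", "u4", "u5", "u6"}
SAMPLE_SESSIONS: List[Session] = [
    ("u1", at("09:00"), at("12:00")),
    ("u2", at("10:00"), at("11:00")),
    ("u3", at("10:30"), at("13:00")),
    ("u4", at("11:00"), at("11:15")),   # starts exactly as u2 disconnects
    ("u1", at("11:30"), at("14:00")),   # second device, overlaps u1's first session
]

if __name__ == "__main__":
    active = active_users(SAMPLE_SESSIONS)
    peak = peak_concurrency(SAMPLE_SESSIONS)
    print(len(AUTHORIZED), len(active), peak)
    print(license_plan(len(AUTHORIZED), len(active), peak, 50, 20))
    print(license_plan(1000, 600, 350, 50, 20))  # the article's 1,000-user figures
```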
The purpose of a virtual desktop deployment is to provide users access to applications. Application and data access is the reason to build a virtual desktop, like Azure Virtual Desktop (AVD), in the first place. Therefore, installing, updating, and delivering applications to end users is a critical component of a desktop virtualization strategy.
Azure Virtual Desktop host pools can be deployed as “personal” or “pooled”. In single-session, personal environments, each user is permanently assigned a dedicated VM as their desktop. In pooled environments, both single-session and multi-session, multiple users are connected to a “random” VM for the duration of their session and may be connected to a completely different VM the following day. The methods of managing applications on personal desktops are very different than those used with pooled desktops. Personal desktops (and Windows 365 Cloud PCs) behave exactly like a physical endpoint device and can be managed using traditional application delivery tools like Microsoft Endpoint Manager (SCCM and Intune).
Pooled desktops provide several advantages over personal desktops such as cost efficiency and ability to standardize the IT environment. However, they also come with unique application management challenges since most existing tools are built for a one-to-one user-to-desktop assignment, which is not the case with pooled desktops.
In this article, we’ll focus on the strategies available to manage applications in pooled AVD deployments.
The challenge with app management in a pooled desktop environment can be boiled down to this: because multiple users share VMs, any installed app is available to all users. This “all or nothing” approach creates many challenges in situations where specific apps must be available to certain groups of users, but not to others. How can we selectively assign applications to individual users or groups of users?
Delivering apps to AVD users on pooled desktops requires two steps:
Installing the application on either the image or session host VM
Delivering the app to some or all users
Let’s take a look at the available options for each of these steps.
List of Azure Virtual Desktop Installation Applications
Installing applications in a pooled AVD environment can be accomplished in one of five ways: Manual install on image, scripted action install on image, Microsoft Endpoint Manager (MEM) install on image, scripted action install on session hosts, or MEM install on session hosts.
1. Manual Install On Image
The easiest way to install applications is by loading each app on the base image VM one at a time. Once all apps are installed, the image is “sealed” and can be used to build new session hosts or update existing ones. All installed apps will be available to all users who connect to these session hosts.
This method is easy to start with but becomes difficult and time consuming to maintain over time.
2. Scripted Action Install On Image
Script the installation of applications with PowerShell, save these scripted actions in the Nerdio Manager Scripted Action library, and run the scripted actions on the image during creation or monthly patch cycle. Once the updated image is deployed to session hosts, all users can access all apps.
This method requires a bit of work to script the installation of each app but makes ongoing image and application updates easy and automated.
3. MEM Install On Image
Leverage existing MEM workflows to install and update applications on the base image. Once all apps are installed, the image is “sealed” and can be used to build new session hosts or update existing ones. All installed apps will be available to all users who connect to these session hosts.
This method requires some upfront work to get all applications imported and configured in MEM.
4. Scripted Action Install On Session Hosts
Instead of pre-installing applications on the image, deploy apps to session host VMs with Nerdio Manager using scripted actions while the VMs are being created. The latest base image can be pulled from the Azure Marketplace and all apps can be automatically installed during session host VM creation.
This method requires a bit of work to script installation of each app but makes ongoing host updates easy and automated. All installed apps are available to all desktop users.
5. MEM Install On Session Hosts
Instead of pre-installing applications on the base image, deploy apps to session host VMs with MEM after the VMs are created. The most recent image can be pulled from the Azure Marketplace and all apps will be automatically installed once the session host VMs are created.
This method requires some upfront work to get all applications imported and configured in MEM.
Azure Virtual Desktop User Delivery
Once applications are installed, they need to be delivered to users. This is where the challenge of pooled desktops comes in. Regardless of which of the 5 methods above was used to install the apps, once installed, all users will have access to all apps. This may be OK in some scenarios but, often, this is not ideal.
The following methods can be used to selectively deliver specific apps to specific users or groups: Multiple images and host pools, RemoteApps, MSIX app attach, or Nerdio’s installed apps management.
1. Multiple Images and Host Pools
Since all installed apps on the image are available to all users assigned to a host pool based on this image, one way to selectively assign groups of apps to groups of users is by creating and maintaining multiple desktop images, each associated with its own host pool. Different groups of users are assigned to separate host pools that only have the apps that the users need.
Although this method can achieve the objective of selective app assignment in a pooled desktop environment, it is difficult to manage at scale. The number of images with unique configurations tends to be high and the effort required to maintain each individual image with its own set of apps is extremely time consuming.
2. RemoteApps
If users don’t need access to a full desktop, RemoteApps can be selectively published to individual users or groups. Instead of launching a full desktop session, users will open individual apps published to them by the administrator.
3. MSIX App Attach
MSIX app attach is a relatively new technology available in AVD. Administrators can assign individual MSIX apps to specific users or groups. The application gets mounted when the user logs in and only entitled users can access the app. One session host VM can have multiple connected users with different apps available in their sessions.
MSIX app attach is great in concept and works well in practice. However, today very few applications are available in the new MSIX format and converting existing apps to MSIX is a challenging and time-consuming process. As a result, until the MSIX format becomes more widespread among software publishers, app attach is not very commonly used.
4. Nerdio’s Installed Apps Management
This is the most flexible and easy method to manage app assignment. It leverages a technology built into FSLogix called “Application Masking”. The concept is very simple: install a superset of apps on the image and use application masking to only reveal the apps an individual user needs. App masking doesn’t just hide the application shortcut, it makes all components of the app (e.g. files, registry entries, shortcuts, etc.) completely invisible to users who have no access. There is nothing even a very sophisticated user can do to access an application that has been masked from them. Unfortunately, with out-of-the-box FSLogix tools, implementing app masking is challenging and extremely complex. It is difficult to initially configure and even more difficult to maintain at scale.
This is where Nerdio’s Installed Apps Management feature comes in. Nerdio Manager simplifies and automates the app masking configuration process down to 3 steps: Discover installed apps, create app-to-users assignment rules, and apply rules to hosts.
Let’s look at each of these steps in more detail.
1. Discover Installed Apps
Whenever a new host pool is created or an existing host pool is re-imaged, Nerdio Manager will automatically discover all installed applications on the host pool and create an inventory. This inventory of discovered apps will include all apps installed on the base image and directly on the session host VMs. Each discovered application will have several “paths” associated with it. These paths are locations of files and registry entries that belong to a specific application.
2. Create App-to-Users Assignment Rules
Once all apps are discovered, one or more rule sets can be created to define which apps are available to which users and groups. By default, all installed apps are available to all users. However, once an application is added to a rule set it can be made available to all users with exceptions (blacklist) or be made unavailable to all users with exceptions (whitelist).
Apps-to-users assignment rules can be used for individual apps or groups of applications. For example, there may be a rule set for Browsers that includes Microsoft Edge, Google Chrome, and Mozilla Firefox that is made available to all users except for a certain group of task workers. And there could also be a rule set for Accounting Apps that includes various accounting and finance applications that are available only to members of Accounting and Finance security groups.
3. Apply Rules to Hosts
Once apps are automatically discovered and rule sets are created, Nerdio Manager applies these rule sets to all existing hosts and all newly created VMs in the host pool. The process of applying rule sets does not require a reboot of the VMs and can be done in production. Within a few minutes, users will notice apps appear or disappear depending on rule set configuration.
With these simple steps, admins gain full control over users’ access to specific apps without creating and managing multiple images and host pools.
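The three steps above amount to evaluating rule sets against each user's group memberships. This Python model is an added example and is not Nerdio Manager's or FSLogix's rule format: the RuleSet fields, the "any hiding rule wins" conflict handling, the user names and the Example* app names are assumptions made for illustration, while the Browsers and Accounting Apps rule sets follow the article's example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class RuleSet:
    name: str
    apps: FrozenSet[str]
    default_visible: bool        # True: available to all with exceptions
                                 # False: unavailable to all with exceptions
    exceptions: FrozenSet[str]   # user or group names the default is inverted for


def visible_apps(installed: Set[str], rule_sets: Iterable[RuleSet],
                 user: str, groups: Set[str]) -> Set[str]:
    """Apps the user can see; apps in no rule set stay visible to everyone."""
    principals = set(groups) | {user}
    visible = set(installed)
    for rule in rule_sets:
        is_exception = bool(principals & rule.exceptions)
        shown = rule.default_visible != is_exception
        if not shown:
            # Assumption: when several rule sets cover an app, any one hiding it wins.
            visible -= rule.apps
    return visible


def unrestricted_apps(installed: Set[str], rule_sets: Iterable[RuleSet]) -> Set[str]:
    """Installed apps covered by no rule set, i.e. exposed to every user of the pool."""
    covered: Set[str] = set()
    for rule in rule_sets:
        covered |= rule.apps
    return set(installed) - covered


def access_matrix(installed: Set[str], rule_sets: Iterable[RuleSet],
                  directory: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Per-user list of visible apps, for reviewing who can reach what."""
    rules = list(rule_sets)
    return {user: sorted(visible_apps(installed, rules, user, groups))
            for user, groups in directory.items()}


# Constructed inventory: the three browsers named in the article plus placeholder apps.
BROWSERS = frozenset({"Microsoft Edge", "Google Chrome", "Mozilla Firefox"})
ACCOUNTING = frozenset({"ExampleLedger", "ExamplePayroll"})
INSTALLED = set(BROWSERS | ACCOUNTING | {"ExamplePDFViewer"})

RULES = [
    RuleSet("Browsers", BROWSERS, default_visible=True,
            exceptions=frozenset({"Task Workers"})),
    RuleSet("Accounting Apps", ACCOUNTING, default_visible=False,
            exceptions=frozenset({"Accounting", "Finance"})),
]

# Constructed users and group memberships.
DIRECTORY = {
    "ana": {"Accounting"},
    "tom": {"Task Workers"},
    "fay": {"Finance", "Task Workers"},
    "sam": set(),
}

if __name__ == "__main__":
    for user, apps in access_matrix(INSTALLED, RULES, DIRECTORY).items():
        print(f"{user}: {', '.join(apps)}")
    print("not covered by any rule set:", sorted(unrestricted_apps(INSTALLED, RULES)))
```

The `unrestricted_apps` result is the list to review first, since anything in it is visible to every user connected to the host pool.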
Application management is a critical component of AVD administration strategy and Nerdio Manager provides a complete suite of tools to install applications via images and scripted actions and to deliver apps to specific users with RemoteApps, MSIX app attach, and Installed Apps management.
Last May we launched the Nerdio Partnerd program to give our MSP and channel partners access to a full arsenal of resources including our NMM-200 certification, discounted pricing, and an asset library with case studies, content white labelling capabilities, testimonials, product demo videos, and more. Today, we are excited to announce the launch of our newest certification program, NMM-100!
NMM-100 is designed to build partner proficiencies in Microsoft Azure and Nerdio Manager for MSP. Specifically, we are using this certification to give partners that first leg up when it comes to understanding the terminology, technology and best practices needed to be successful in deploying and managing Azure Virtual Desktop via Nerdio Manager.
Below we’ve shared details around what the exam covers, resources you can use to prepare for it, and an explanation of how NMM-100 and NMM-200 relate to each other.
What Does the NMM-100 Exam Entail, and How Should I Prepare?
Our study curriculum is outlined below. It is a combination of articles and videos intended to give you a comprehensive understanding of Microsoft Azure, Nerdio Manager for MSP, Azure Virtual Desktop and Microsoft 365.
Lesson One – Azure Fundamentals
Lesson Two – Identity Management
Lesson Three – Microsoft 365
Lesson Four – Azure Virtual Desktop
Lesson Five – NMM Fundamentals
Lesson Six – NMM Account Deployment Paths
The exam contains 60 questions related to the above lessons. We highly recommend you pay close attention when consuming the curriculum material as it closely overlaps with content that will appear in the exam.
How Does This Relate to the NMM-200 Certification?
Completion of the NMM-100 exam will ensure you are fluent in the underlying fundamentals needed to succeed with your AVD deployments. NMM-200 is more technically sophisticated than NMM-100, and those prepared to take the level 200 exam need a fair amount of Azure experience and knowledge to be successful in passing.
NMM-100 is offered FREE to Partnerd members. Partners who pass the exam will be eligible for a 50% discount on the NMM-200 certification. To claim the discount, they must sign up and pay within 90 days of passing NMM-100.
How Do I Register to Get Certified?
Head to our MSP Certifications page, scroll down and click the “Get Certified” button to start the process. To find the MSP Certifications page manually on the website, look for the ‘For Partners’ tab found at the top of the website, hover over the tab and select “Get Certified.”
Our certification programs have been carefully crafted to provide partners with the knowledge needed to build a successful (and profitable) cloud practice in Microsoft Azure using Nerdio. We look forward to seeing how the addition of NMM-100 helps accelerate your business and would love to hear any feedback you may have on the exam! Send any feedback (or questions) to firstname.lastname@example.org – and best of luck!