mpsWORKS Transitions to Modern, Multi-tenant Azure Management 

As we continue to see a huge shift in MSPs (Managed Service Providers) moving toward cloud-based infrastructure and cloud-delivered Windows, we in tandem are seeing savvy MSPs who have been in the cloud for years and are now looking to optimize and toward “what’s next.”  

We sat down with Robert Bohacek, owner of mpsWORKS, a Florida-based MSP serving the Tampa Bay area, to better understand how transitioning to Nerdio Manager for MSP from Nerdio for Azure has helped him improve his Azure practice and operations.  

Tell Us about How You Initially Approached the Migration to Nerdio Manager  

At the time we moved to Nerdio Manager for MSP we already had six accounts, totaling just shy of 50 seats, managed using Nerdio for Azure.  So, we knew Nerdio’s team and products to be very innovative and helpful.  

The assets created to help partners transition between Nerdio’s MSP products, as opposed to from on-prem or another Azure or AVD (Azure Virtual Desktop) management tool, made the journey more streamlined. After all, migrations can be complex even if you have the most cutting-edge tech.  

There’s a spreadsheet the Partner Solutions team put together that we used to collect documents and the information we needed for the migration. We went one step further by adding a simple technician checklist to the end to ensure the tech who performs the migration for each of the accounts, or with future accounts, is not missing certain steps. This kind of thing is something I’m seeing from Nerdio too with Approvals Workflows and product features that help to eliminate human error.  

What Assets Have Helped You Streamline Your Transition to Nerdio Manager for MSP?  

The planning for a migration guide and the discovery document found on Nerdio’s MSP Knowledge Base not only allowed us to complete the migration successfully, but it also allowed us to take a step back and look at the setups of our different accounts. I’m proud to say that we have also experienced and utilized the migration to a point to actually realize some very important cost savings. 

I would encourage anyone embarking on the transition from Nerdio for Azure to Nerdio Manager for MSP to look at them because the guides allow you to peek inside of the migration process, and you will realize that the steps are not very complex. The guide is split up into detailed sections and each section has a certain number of tasks that you should perform – recommended practices for a successful migration. And some steps will feel very familiar and intuitive because of the day-to-day tasks that you perform in Nerdio for Azure already. 

Did You Encounter Any Specific Challenges During the Migration to Nerdio Manager?  

Some migrations had different identity sources. Some used domain federation identities, some dual tenant identities, and others standard AD DS.  

I do want to point out that I did not have the automation button that migrates Nerdio for Azure accounts directly to Nerdio Manager for MSP. I’ve heard a lot of great things, but we were a bit earlier in our migration and did so before the button was available.  

That really wasn’t a problem; I just point it out because the lack of the button led us to go back and review each of our accounts. I was glad to do that because it allowed me to sort of sit back and evaluate whether the different resources we had allocated in each were appropriate. 

From the Other Side of Migration, What Are Some of the Benefits You’re Seeing?  

Once you get through the migration, you now have a platform that requires even less maintenance and management. As I mentioned earlier, we’ve found important cost savings by standardizing our accounts managed by Nerdio.  

Nerdio Manager for MSP, an ARM-based system, seems to generate a lot less issues with users and FSLogix profiles. We’ve seen a decrease in help desk tickets since switching to the platform. The image templates and other templates seem to work so much better with the newest version of AVD which is ARM-based. The way Azure Files stores and reacts together with hosts seem to work very well, and the handshake between the entire ARM-based system is great.  

I also love the Nerdio Manager interface. The way things happen in the platform is much faster, much more fluid. You don’t have to wait for a certain task; before, you had to go back and check on tasks. Overall, the interface is very neat, very organized, and there are a ton of features, with new features being added all the time.  

Things in Nerdio Manager are automated to a point where, for example, if you do a small update to a session host you can automatically terminate it after whatever time period you choose. Just as you are in control of the session host schedule and when they turn on, you can dictate whether session hosts are turned off in 30 minutes, an hour, or two hours. You can schedule powering off your desktop template. Because I’m sure that’s happened to everyone: a tech may have unintentionally left the session running overnight. This creates extra, and significant, costs because, you know, the reserved instance (RI) was only applied to the existing host users are using. 

For any questions about Nerdio Manager for MSP or to get assistance with your migration away from Nerdio for Azure, please contact our team at nmm.support@getnerdio.com.   

How to Make Azure Virtual Desktop (AVD) Deployment More Resilient for Disaster Recovery Considerations

The usage of Azure Virtual Desktop (AVD) is growing fast and AVD has become a mission critical component of many IT environments. Making AVD resilient is an important design consideration when relying on the service for access to corporate data and applications. 

Since AVD deployments consist of several inter-dependent components, we will consider each one individually in the configuration of Business Continuity and Disaster Recovery (BCDR) for AVD. 

Azure Virtual Desktop Components 

The table below lists the various AVD components with their associated DR considerations.   

Disaster Recovery (DR) Scenarios 

When planning for AVD disaster recovery, it is important to identify the possible outage scenarios and decide on the ones to protect against.  Some DR strategies will cover multiple scenarios as we’ll see below. 

Scenario #1:  Corruption of data, metadata, or resources, but no underlying data center or region outage 

In this situation, restoring from backup or rebuilding session host VMs is the best approach.  Let’s review how this applies to each AVD environment component: 

  1. AVD service - because this service is hosted, managed, and backed up by Microsoft there is nothing for you to do.  The AVD service will fail over automatically and Microsoft is responsible for getting everything back up and running within the provided SLA. 
  2. Identity / Directory – If using native Azure AD joined VMs, no action is necessary. Microsoft is responsible for keeping this service operational within the provided SLA.  If using Active Directory, functional AD domain controllers must always be accessible. Azure AD DS operates two domain controllers, in separate availability zones if supported, by default.
    • Recommendation: Use Azure AD native, Azure AD DS, or if using Active Directory create multiple AD domain controllers.  Back up the AD system state and restore, if needed. 
  3. Desktop images - Changes are often made to desktop images during the normal course of AVD maintenance.  Maintaining backups of desktop images is important to be able to quickly recover from any corruption.
    • Recommendation: Use Shared Image Gallery with image versioning. Leverage Nerdio Manager’s built-in desktop image backup functionality to version the images prior to making any changes.   
  4. Session host VMs - Hosts can become unavailable or corrupted in the normal course of operation.
    • Recommendation: Enable Nerdio Manager’s Auto-Heal functionality to automatically repair broken session hosts. 
  5. FSLogix profiles - Corruption of profile containers can be resolved by restoring the corrupted VHD(X) files from backup.
    • Recommendation: Depending on your FSLogix storage technology choice – configure Azure Backup for Azure Files shares, Azure NetApp Files snapshots, or use any backup or versioning method for file server VMs (e.g. Volume Shadow Copies).  Restore corrupted profile containers, as needed. 

Scenario #2: Single datacenter or Availability Zone failure within an Azure region 

Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there’s a minimum of three separate zones in all enabled regions. The physical separation of Availability Zones within a region protects applications and data from datacenter failures. Zone-redundant services replicate your applications and data across Availability Zones to protect from single-points-of-failure. With Availability Zones, Azure offers an industry-best 99.99% VM uptime SLA.  Learn more here

In the case of datacenter or Availability Zone failure, most components of the AVD environment will automatically fail-over to another Availability Zone with no user intervention required.   

NOTE: Not all Azure regions support Availability Zones for all products.  Review the Regions that support Availability Zones before deploying your AVD environment to select the region that addresses your availability requirements.  Pay special attention to Premium Files Storage if using Azure Files for FSLogix profiles. 

To protect against Availability Zone failure, the initial AVD architecture and design must take zone redundancy into account.  Let’s review this on a component-by-component basis. 

  1. AVD service - because this service is hosted, managed, and backed up by Microsoft, there is nothing for you to do.  The AVD service will fail over automatically and Microsoft is responsible for getting everything back up and running within the provided SLA. 
  2. Identity / Directory – If using native Azure AD joined VMs, no action is necessary. Microsoft is responsible for keeping this service operational within the provided SLA.  If using Active Directory, functional AD domain controllers must always be accessible. Azure AD DS operates two domain controllers, in separate availability zones if supported, by default.
    • Recommendation: Use Azure AD native, Azure AD DS, or if using Active Directory create multiple AD domain controllers in different Availability Zones.
  3. Desktop images – Desktop images stored using ZRS (Zone Redundant Storage) will be available during an Availability Zone failure.
    • Recommendation: Store images with ZRS storage.
  4. Session host VMs – Session host VMs running in the datacenter where an outage occurs will go offline.
    • Recommendation: When deploying session hosts, distribute them across the Azure region’s Availability Zones using Nerdio Manager’s automation.
  5. FSLogix profiles – FSLogix profiles stored on Azure Files Premium ZRS storage won’t be impacted by an Availability Zone failure.
    • Recommendation: Use ZRS storage with Azure Files Premium to store FSLogix profiles. 

Scenario #3: Entire Azure region outage 

An Azure region is a set of datacenters deployed within a latency-defined perimeter and connected through a dedicated, regional low-latency network. Azure gives you the flexibility to deploy applications where you need to, including across multiple regions to deliver cross-region resiliency.  Failure of complete Azure regions is highly unlikely and rare.  For more information, see Overview of the resiliency pillar

Failure of an entire Azure region is the most severe scenario.  The best way to protect against this situation is by automatically distributing AVD session host VMs across two Azure regions and replicating FSLogix profile data, thereby creating an Active/Active DR configuration.  If one of the regions becomes unavailable, VMs in the second region can continue servicing users. Learn more about host pool DR in our video below and read further for considerations regarding the different components involved in Scenario 3.

  1. AVD service - because this service is hosted, managed, and backed up by Microsoft, there is nothing for you to do.  The AVD service will fail over automatically and Microsoft is responsible for getting everything back up and running within the provided SLA. 
  2. Identity / Directory – If using native Azure AD joined VMs, no action is necessary. Microsoft is responsible for keeping this service operational within the provided SLA.  If using Active Directory, functional AD domain controllers must always be accessible. Azure AD DS operates two domain controllers, in separate availability zones if supported, by default.
    • Recommendation: Use Azure AD native, Azure AD DS replica sets, or if using Active Directory create multiple AD domain controllers in two Azure regions. 
  3. Desktop images – Desktop images stored in Shared Image Gallery and replicated to multiple regions will be available during a single-region outage.
    • Recommendation: Geo-replicate desktop images with Nerdio Manager and Shared Image Gallery. 
  4. Session host VMs – Session host VMs running in the Azure region where an outage occurs will go offline.  If there are available session host VMs in a secondary region, users will be able to reconnect and continue working.
    • Recommendation: Leverage Nerdio Manager’s Active/Active host pool DR to automatically distribute session hosts across two selected Azure regions. 
  5. FSLogix profiles – Users won’t be able to work without access to their FSLogix user profiles.  Profiles must be continuously replicated in multiple regions.
    • Recommendation: Use Nerdio Manager’s FSLogix Cloud Cache functionality to replicate user profiles across two Azure regions. 

Configuring an AVD environment to be resilient to an Azure region failure (scenario #3) will also cover Azure Availability Zone failure (scenario #2).  The outlined approach works best for pooled AVD deployments.  Personal desktops can also be protected, but the approach is different.  Protecting personal desktops involves using Azure Site Recovery in an active/passive configuration. 
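The zone- and region-level recommendations for scenarios #2 and #3 can be turned into an offline review of an existing deployment. The script below is an added example, not Nerdio’s or Microsoft’s code: it runs over a constructed inventory whose fields are shaped like the `location`, `zones` and `sku.name` values Azure CLI returns for VMs and storage accounts, and reports which host pools and images fall short of the guidance above (Cloud Cache configuration is not part of the inventory and is not checked).

```python
"""Check an AVD inventory against the DR guidance for Availability Zone
failure (scenario #2) and full region failure (scenario #3).
Added example; the inventory below is constructed, not read from a subscription."""
from collections import Counter

# Constructed sample: two host pools, their FSLogix storage, and image replica regions.
SESSION_HOSTS = [
    {"name": "avd-host-01", "location": "eastus", "zones": ["1"], "hostPool": "pooled-hp"},
    {"name": "avd-host-02", "location": "eastus", "zones": ["2"], "hostPool": "pooled-hp"},
    {"name": "avd-host-03", "location": "westus2", "zones": ["1"], "hostPool": "pooled-hp"},
    {"name": "avd-host-04", "location": "eastus", "zones": [], "hostPool": "legacy-hp"},
    {"name": "avd-host-05", "location": "eastus", "zones": [], "hostPool": "legacy-hp"},
]
PROFILE_STORAGE = [
    {"name": "fslogixpooled", "kind": "FileStorage", "sku": {"name": "Premium_ZRS"}, "hostPool": "pooled-hp"},
    {"name": "fslogixlegacy", "kind": "StorageV2", "sku": {"name": "Standard_LRS"}, "hostPool": "legacy-hp"},
]
# Hypothetical image names mapped to the regions each is replicated to.
IMAGE_REPLICA_REGIONS = {"win11-m365": ["eastus", "westus2"], "win10-legacy": ["eastus"]}


def check_host_pool(hosts, storage):
    """Return DR findings for one host pool; an empty list means both scenarios are covered."""
    findings = []
    regions = Counter(h["location"] for h in hosts)
    # Scenario #2: within each region, hosts must be spread over at least two zones.
    for region in regions:
        zones = {z for h in hosts if h["location"] == region for z in h["zones"]}
        if len(zones) < 2:
            findings.append(f"{region}: session hosts in {len(zones)} zone(s); spread across >=2 zones")
    # Scenario #3: Active/Active needs session hosts in two regions.
    if len(regions) < 2:
        findings.append(f"session hosts only in {sorted(regions)}; add a second region")
    # FSLogix shares should be on ZRS (Premium ZRS on Azure Files) to survive a zone failure.
    for acct in storage:
        sku = acct["sku"]["name"]
        if not sku.endswith("ZRS"):
            findings.append(f"{acct['name']}: FSLogix share on {sku}; use Premium ZRS")
    return findings


def check_images(replicas):
    """Images must be replicated to at least two regions to survive a region outage."""
    return [f"{img}: replicated to {len(r)} region(s); geo-replicate to >=2"
            for img, r in replicas.items() if len(r) < 2]


def run_checks():
    """Group the inventory by host pool and return findings per pool plus image findings."""
    report = {}
    for pool in sorted({h["hostPool"] for h in SESSION_HOSTS}):
        report[pool] = check_host_pool(
            [h for h in SESSION_HOSTS if h["hostPool"] == pool],
            [s for s in PROFILE_STORAGE if s["hostPool"] == pool])
    report["images"] = check_images(IMAGE_REPLICA_REGIONS)
    return report


if __name__ == "__main__":
    for scope, items in run_checks().items():
        print(scope, "->", "OK" if not items else "; ".join(items))
```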

Summary Table 

For more information on Nerdio Manager for Enterprise, click here.

For more information on Nerdio Manager for MSP, click here.

Microsoft Intune 101: A Beginner’s Guide

Microsoft Endpoint Manager (MEM) is Microsoft’s cloud-based device management platform, which Nerdio Manager for MSP launched integrations with in February 2022. Within this, Microsoft Intune provides granular control of your physical and virtual desktops and laptops. Intune can manage mobile (iOS / Android) devices as well as Windows and macOS.   

The Challenge 

Historically, organizations have managed their end-user devices with a variety of products, most commonly Microsoft System Center Configuration Manager. These products work well when managing devices attached to internal networks, but managing external devices can be complex and challenging given today’s work landscape. A significant proportion of employees are working in a hybrid manner, moving devices between the office and the home, therefore a new device management solution is needed which better fits these requirements. 

Microsoft Intune

Intune is different from traditional solutions; the product was designed as a web-based device management solution. Moreover, it can manage the device enrollment lifecycle. By taking advantage of Intune’s “Windows Autopilot” feature, which you can learn more about here, end-users can have brand new devices delivered to their home from the manufacturer or reseller. These devices will then auto-provision themselves out of the box, deploying the settings and applications required for the user. There are many steps to achieving such an outcome, but the key point is – it’s possible! 

Key Features 

Autopilot is just one aspect of Intune. The service covers the full range of device management requirements. Let’s examine some of the key benefits.  

Policy and Security 

Compliance policies allow you to control which devices are allowed to access services based on their compliance. This allows devices to be checked and either barred from using corporate services or flagged within the console until they meet the specific requirements, such as having antivirus enabled. These policies are fully configurable. 

Configuration profiles are analogous to group policies, and you can even import existing group policy objects into your configuration profiles in order to manage device configuration settings. 

Intune also allows the creation of various security policies and features, including DLP policies. Enrolled devices can also be rebuilt, blocked or wiped at the discretion of an administrator.  

Application Deployment 

Intune can be used to manage application deployment to your devices, including Win32, MSI and Windows Store applications. The corporate iOS App Store and Google Play stores can also be linked, allowing application management for mobile devices.  

Patching and Updates 

Windows quality and feature updates can be managed from the console, and the status of devices can be recorded in a log analytics workspace for reporting purposes. 

Mobile Device Management (MDM) vs Mobile Application Management (MAM)

MDM is generally used to manage corporate devices, where all aspects of the devices should be managed and controlled by the organization. MAM is generally used for lighter touch management on personal devices, where you need to control specific corporate applications or data, but you do not want to compromise the sovereignty of the user’s personal device. 

Where to Start?

It’s important to recognize that a move to Intune-based device management does not require a “big bang” or “all in” approach. We recommend that you identify a small subset of devices – maybe 5-10 – for initial testing. Defining your management objectives and device types prior to piloting the service is beneficial. There are five key questions you should ask before starting out, and Microsoft has plenty of guides (linked below) to help: 

  • Application Delivery 
  • Patching & updates 
  • Device restrictions or policies 
  • AutoPilot Deployment 
  • Security & DLP 

Still need help getting started? Check out Microsoft’s documentation for setting up Intune here or schedule some time to chat about your Intune needs + questions with our experts.  

NerdioCon Day 3 Recap

On the final day of #NerdioCon23, we had lots of amazing presentations and content! Thank you to all our speakers and sponsors for making NerdioCon23 as amazing as possible. Thank you for the great day, the amazing closing party, and an overall unbelievable week!

Keynotes  

We had a few fantastic keynotes from some channel superstars and industry vets that you didn’t want to miss!

Nerdio’s “Ask Us Anything” Presentation to wrap up the amazing week

Breakout Sessions and Roundtables

Our Breakout track continued. We also had a second round of our new and popular Partner Roundtables. Tons of opportunities and learnings available for both MSPs and Enterprise partners alike.

Partner Roundtables – Day 3

Closing Party!

Thank you for NerdioCon23

Once again, a huge thank you to all those who attended NerdioCon this year. And a second huge thank you to our staff and sponsors – without all of you, this wouldn’t be possible. NerdioCon23 was a blast, and we can’t wait to see what’s in store for NerdioCon24.

Vadim Vladimirskiy & Scott Manchester Discuss Nerdio Evolution

In this video, you’ll learn from Nerdio’s Vadim Vladimirskiy and Microsoft’s Scott Manchester how the companies’ collaboration is driving innovation in cloud technology. Learn how Nerdio and Microsoft are enabling businesses of all sizes to harness the power of the cloud. Watch their discussion below.

NerdioCon Day 2 Recap

Day 2 of NerdioCon! Today was a “half day”, so to speak, with the morning sessions comprising exciting keynotes and an afternoon open for sponsored activities such as a catamaran ride to Isla Mujeres and a jungle tour. Here are a few photos of some happenings!

Keynotes  

Preparing for the Next Big Identity Risk

Sponsor Activities + Excursions

Partner Roundtables

What We’re Looking Forward to on NerdioCon Day 3!  

We have lots left on the final day of NerdioCon23, including amazing presentations (Kaseya, Jay McBain, Rob Rae to name a few!) and the big final party!