On March 21st, 2019, Microsoft announced their public preview of the highly anticipated Windows Virtual Desktop (WVD). We’ve collected everything a Managed Service Provider (MSP) needs to know about the new service below. We’ll continue to add to this article as we learn more, so check back if new information comes up.
Here is an overview of this new Azure-only service, which is expected to reach General Availability later this year.
Windows Operating System
Most hosted desktops today use a server OS, such as Windows Server 2016, with Desktop Experience enabled. This allows multiple users to share a single virtual machine (VM), resulting in a more economical and affordable deployment.
However, Microsoft is now releasing a brand-new version of Windows 10 which will support multiple user desktop sessions on a single VM. This is built specifically to enable hosted desktops that function in the same way as the desktops millions of Windows 10 users are familiar with.
Control Plane in Windows Virtual Desktop
The control plane is a collection of services that determine which user gets connected to what desktop VM.
Before WVD came along, Remote Desktop Services (RDS) infrastructure roles handled this. These server roles are installed on domain-joined Windows Server VMs and are managed by the MSP or customer.
With WVD, Microsoft eliminated the need for any domain-joined RDS roles, and they’ve instead created an Azure service that will eliminate the complexity of having to manage RDS roles and the need for costly VMs to power them.
Licensing Windows Virtual Desktop
Without WVD, you’d need a license for both RDS and Server OS to use RDS for hosted desktops. You’d also typically need to “rent” the server OS via Azure or license it through CSP Software Subscriptions.
With WVD, the use of these desktops will be included with any Windows 10 Enterprise subscription at no additional cost. You’ll no longer need to purchase a Server OS license or RDS and there is no additional license to purchase if the user has a subscription to Windows 10 Enterprise.
Profile Management in Windows Virtual Desktop
Profile management on virtual desktops has been a long-time challenge. The solutions on the market today have many tradeoffs associated with them. However, with WVD, these limitations no longer exist thanks to Microsoft’s acquisition of FSLogix, which provides seamless profile management.
Virtual Desktops Through Microsoft
WVD is not a packaged virtual desktop offer from Microsoft. Instead, WVD is a combination of technologies that will allow MSPs and IT staff to build and manage virtual desktops in Microsoft Azure. Deploying these desktops with WVD will require planning, deployment, maintenance, and management of the virtual environment, though it’s much less complex than RDS.
Recommendation for MSPs & WVD
Prior to public preview, WVD was called Remote Desktop Modern Infrastructure (RDmi). Many partners, including Nerdio, have been working alongside Microsoft to test and develop every aspect of WVD over the last year. It is in public preview now and will go into General Availability (GA) later this year.
During this time, MSPs should grow familiar with WVD. Look into its terminology, architecture, deployment models, and how MSPs can leverage this technology to grow their Azure practice.
Windows Virtual Desktop and Nerdio for Azure
We plan to have full WVD functionality in Nerdio for Azure on the first day of General Availability. This means MSPs will be able to select an RDS deployment or WVD deployment when they create a new Nerdio for Azure account. We’ll also be offering an automated migration path for customers if they want to move from RDS to WVD!
We have a complete introduction to Windows Virtual Desktop for MSPs available here, but there’s more to learn on the subject. We will continue to collect all the relevant information for MSPs as we learn it, and we’ll keep this page updated with anything important we learn.
Technically speaking, there are many reasons to choose WVD over legacy Remote Desktop Services. Here are just a few of them:
- Windows Virtual Desktop is new and up-to-date.
- It allows for native Windows 10 desktop instead of a Windows 10 “desktop experience” with RDS.
- WVD includes profile management technology from FSLogix.
- The WVD management service is managed by Microsoft, and is a PaaS service.
- It supports OneDrive and indexed search in pooled desktops.
However, some MSPs may choose to continue using RDS over WVD due to one or more of the following reasons:
- RDS is a mature, well-understood and market-tested solution.
- Applications that were written for RDS on Server OS may not work in Windows 10 Enterprise multi-session right away.
- Customers and service providers may want to retain full ownership of not just the desktop VMs but also the control plane (i.e., RDS roles).
- RDS can be used both on-premise and in Azure while WVD is Azure-only.
If a customer is indifferent between the two options, it may come down to cost, which we’ve outlined in more detail in the section below. It could also depend on whether the customer already owns a subscription to Windows 10 Enterprise under any of the Microsoft licensing programs.
How much will Windows Virtual Desktop cost? How will this impact my MSP business? To answer these questions, we’ll break down all the sub-components of WVD and compare them to competing solutions like Remote Desktop Services (RDS).
The three associated costs for WVD are as follows:
- Azure Infrastructure
Windows Virtual Desktop supports two types of desktops: personal and pooled. The associated consumption cost for Azure resources depends on several factors. Nerdio’s Azure Cost Estimator will help you better determine the exact associated costs and any potential “what-if” scenarios.
Keep in mind that the cost is largely the same as if you were using RDS to deliver Windows desktops using “desktop experience” instead of the native Windows 10 look from WVD.
- Windows Virtual Desktop Management Service
With WVD, it’s no longer a necessity to install and manage any RDS roles (i.e., RD License Server, RD Web, RD Webclient, RD Connection Broker, and RD Gateway), as they are now part of WVD Management Service hosted in Azure. This means that the previous associated costs are now eliminated, as Microsoft has now taken over the responsibility.
- Software Licensing
You can purchase a Windows 10 Enterprise license subscription via Microsoft 365 (E3, E5, A3, A5, Business), Windows (E3, A3, A5, Business), or Windows 10 Enterprise VDA.
Here’s a table that better illustrates the associated costs with WVD versus RDS:
|Windows Virtual Desktop|RDS Virtual Desktops in Azure|
|---|---|
|Azure infrastructure to support desktop virtual machines (session hosts): compute, storage and networking. Roughly the same in both deployment scenarios (assuming AHU).|Azure infrastructure to support desktop virtual machines (session hosts): compute, storage and networking. Roughly the same in both deployment scenarios (assuming AHU).|
|WVD Management Service|RDS Roles (e.g. LS, Web, GW, etc.)|
|Windows 10 Enterprise subscription|Windows Server and RDS subscription|
You’ll need the following five items to get started with WVD:
Subscription to Windows 10 Enterprise for each WVD user.
WVD Management Service and Windows 10 desktop OS are licensed via a subscription to Windows 10 Enterprise. Microsoft 365 (E3/E5/A3/A5/Business) and Windows (via CSP – E3/E5/A3/A5) licenses can be used for WVD, but Windows 10 Professional, OEM, or any non-subscription version of Windows cannot use WVD.
You can purchase a subscription to these products through any channel – CSP, EA, MCA, and so on – and the same per-user subscription license enables the assigned user to connect to multiple WVD desktops whether they’re Windows 10 Enterprise multi-session, single-session, or even Windows 7.
Azure Active Directory (AAD) tenant.
To deploy and manage WVD as an admin and assign users to applications and desktops, there must be an Azure AD (AAD) tenant.
AAD is Microsoft’s cloud directory service that is the highest-level object in the hierarchy when dealing with Microsoft Cloud services (O365, D365 and Azure). Everything ties to an AAD tenant and is generally associated with a unique domain name: tenant.onmicrosoft.com. It may also be referred to as “Directory” or “Account”.
If you are already using Office 365, then you have an Azure AD tenant. An AAD tenant gets created when you sign up for Office 365 and that’s the tenant you’ll need to deploy WVD. You’ll need a Global Administrator account that has access to the AAD tenant as well.
An AAD tenant is free and is a directory of users, groups, contacts, and other services. The members of an AAD tenant can be paid and there are paid add-ons for AAD. The good news is that as far as WVD is concerned, it’s quite simple: your Office 365 tenant is your Azure AD tenant in almost all scenarios since that’s where the user objects that will be assigned to desktops reside.
Active Directory Domain Services (AD DS) deployment.
While Azure AD is a container of user objects, the actual WVD session hosts – the virtual machines running Windows 10 Enterprise multi-session – must join an Active Directory Domain Services (AD DS) forest.
The terminology can be somewhat confusing, so let’s clear it up.
- Active Directory Domain Services (AD DS) – what is often called “Active Directory.”
  - Plain, vanilla Active Directory role on a traditional Windows Server machine that is managed with tools like Active Directory Users and Computers, Sites and Services, and Domains and Trusts.
  - Contains user, group, contact, and computer objects.
  - Traditional Windows desktops and servers join AD DS.
  - Users and Groups can be synchronized with Azure AD using ADConnect.
- Azure Active Directory (AAD) – Microsoft Cloud Directory services.
  - Despite its similar name to traditional Active Directory, this is a different service that is hosted by Microsoft and is the top-level object in Microsoft Cloud (O365, D365 and Azure).
  - Contains user, group, and contact objects.
  - Windows 10 computers can join AAD, but older operating system machines cannot.
  - Can be synchronized with an AD DS via the ADConnect tool so the same username and password can be used for both.
- Azure Active Directory Domain Services (AAD DS).
  - An Azure-hosted, Microsoft-managed AD DS.
  - Most of the same capabilities as traditional, on-premises AD DS, with some limitations due to lack of administrative access to the actual domain controller, which Microsoft manages.
  - Synchronizes with AAD, which is synchronized with an on-premises AD DS, and allows VMs running in Azure to join it regardless of the type of Windows OS they’re running.
If a visual aid is more your style, we have a handy infographic that explains the whole Windows Virtual Desktop structure and how it interacts with Azure right here: Windows Virtual Desktop Architecture
WVD requires that the session host VMs (desktop VMs) are joined to either AD DS or AAD DS. This means that you must have an Active Directory deployment accessible to the WVD session host VMs, as you can’t use AAD alone for a WVD deployment.
In summary, with WVD you’ll need both AAD (contains user objects) and AD DS (contains computer objects). AD DS should be synchronized with AAD via ADConnect for best user experience.
You can find a much more in-depth article on Windows Server Active Directory, Azure AD, Azure AD DS, and Nerdio’s Hybrid AD here.
The next thing you’ll need is somewhere to create and run your WVD session-host VMs that will serve as a desktop in the Windows 10 Enterprise multi-session OS. This requires an Azure subscription.
An Azure subscription can be purchased via any channel: CSP, EA, MCA, etc. Typically, this Azure subscription will be inside of the Azure AD tenant mentioned above.
The subscription will contain the following:
- WVD Management Service
  - WVD Tenant will be registered and added to the Azure subscription.
    - Inside of the WVD Tenant you will create Host Pools.
      - Inside of Host Pools you will have session hosts – Windows 10 VMs.
  - During Public Preview, the WVD Management Service is available only in the East US 2 region. Once WVD is Generally Available, this service will be scaled out to other regions.
- Windows 10 VMs and infrastructure
  - Session hosts are VMs with Windows 10 Enterprise multi-session OS installed.
  - Each VM will have an OS and sometimes data disks. These disks can use any managed disk in Azure (Standard HDD, Standard SSD, Premium SSD).
  - There will be a Virtual Network and subnets with VMs connected to those subnets.
  - There will be internet connectivity and bandwidth transfer costs.
  - Network ports don’t need to be open for inbound traffic like you need with RDS. WVD uses an agent installed on each session host VM that leverages Reverse Connect technology to establish connectivity without opening any inbound ports.
  - Session hosts can be running in any Azure region.
    - Since WVD desktop users originate at the WVD Management Service first and then get routed to the VM running the desktop, it’s important to keep the VMs and Management Services as close as possible – preferably in the same Azure region.
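Because Reverse Connect needs no inbound ports, the network security group (NSG) on a WVD session-host subnet should contain no rule that lets the Internet reach RDP. The Python check below is an added example, not part of the original article or of Nerdio's tooling; it assumes rules exported with `az network nsg rule list -o json`, and the sample rules and function names are constructed for illustration. It evaluates only broad sources such as `*` or `Internet`, not narrower CIDR allows.

```python
import json

RDP_PORT = 3389
# Source values that match traffic arriving from anywhere on the Internet.
BROAD_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}

# Constructed sample rules in the shape of `az network nsg rule list -o json`
# (trimmed to the fields used here); every name and value is made up.
EXPOSED_NSG = json.loads("""[
 {"name": "allow-https", "priority": 200, "direction": "Inbound",
  "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
  "destinationPortRange": "443"},
 {"name": "allow-admin-range", "priority": 300, "direction": "Inbound",
  "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
  "destinationPortRanges": ["3000-4000"]}
]""")
SHADOWED_NSG = json.loads("""[
 {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound",
  "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
  "destinationPortRange": "3389"},
 {"name": "leftover-allow-rdp", "priority": 400, "direction": "Inbound",
  "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
  "destinationPortRange": "3389"}
]""")


def _values(rule, single, plural):
    """A rule holds one value in the singular field or a list in the plural."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values


def _covers_port(spec, port):
    """True if a port spec ('*', '3389' or '3000-4000') includes the port."""
    spec = spec.strip()
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def deciding_rule(rules, proto, port=RDP_PORT):
    """First inbound rule, in priority order, that matches Internet traffic to
    the port for this protocol; None means only the default deny applies."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"].lower() != "inbound":
            continue
        if rule["protocol"].lower() not in (proto, "*"):
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if (any(s.lower() in BROAD_SOURCES for s in sources)
                and any(_covers_port(p, port) for p in ports)):
            return rule
    return None


def exposed_rules(rules, port=RDP_PORT):
    """Names of Allow rules that let any Internet source reach the port."""
    names = []
    for proto in ("tcp", "udp"):
        rule = deciding_rule(rules, proto, port)
        if rule and rule["access"].lower() == "allow" and rule["name"] not in names:
            names.append(rule["name"])
    return names
```

Calling `exposed_rules()` on each exported NSG returns an empty list when nothing exposes RDP; TCP and UDP are evaluated separately because a deny for one protocol does not shadow an allow for the other.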
One of the exciting new features of WVD is the profile management technology that came with the acquisition of FSLogix. WVD desktop users’ Windows profiles are held in VHD files and stored on a file server independent of the Windows 10 session-host VMs. This means that if a user is assigned to a non-persistent desktop, the profile – including the Windows Search cache – can follow the user no matter what virtual desktop VM they log into.
To use this new functionality, there must be a file server accessible to the session-host VMs to store these profile disks. It’s best to have the file server and desktop VMs in the same Azure region, so that the connectivity is fast and provides a good end-user performance. It will eventually be possible to use Azure Files instead of a file server, but for now, a Windows file server VM is recommended.
Keep these points in mind before diving into a deployment – it’ll save time and help make the process go smoothly. It’ll also allow for a properly architected infrastructure, directory, and licensing to ensure that your users will love the performance, usability and flexibility of their new virtual desktops in Azure.
Interested in exploring Windows Virtual Desktop for yourself?
If you’d like to deploy Windows Virtual Desktop into your existing Azure AD tenant for a test drive, you can do so in less than two hours using Nerdio for Azure. Even if you don’t have or want a Nerdio for Azure account, you can sign up for a free 30-day trial – no credit card required – to explore this Windows Virtual Desktop pilot.
The alternative is learning a lot of PowerShell scripting, spending days building things by hand, and doing a lot of technical reading.
Here’s what you’ll need to get started:
- Office 365 account with at least 1 unassigned E3 license
- Azure subscription within the same Azure AD tenant as the Office 365 account
- Admin user account with global administrator access to Office 365 and owner role on the Azure subscription
- A Nerdio account
- Deploy an NFA Core account into your Office 365 and Azure subscription
Ready? You can read our detailed guide on deploying a WVD pilot here.
Following this introduction will let you deploy Windows Virtual Desktop into your existing Azure AD tenant, but into a new Active Directory Domain Services (AD DS) deployment running in Azure to avoid issues. This will not cause any issues or conflict with your existing AD DS deployment. Once the pilot is deployed it’s possible to “plug” it into your existing AD DS and start using it, but because this is a pilot, we will not be touching your production AD DS.
There are two ways you can meet this 2-hour deployment benchmark: you can either learn lots of PowerShell scripting, spend days building things by hand, and do a lot of technical reading; or, you can use Nerdio for Azure Core. We’ll be showing how to do the latter.
Deploy a Nerdio for Azure Core account
You’ll need to create a new Nerdio for Azure account and connect to Azure using a global administrator account. Make sure you set AHU to ‘Yes’. You’ll also want to connect to Office 365 on the same administrator account. Specify your company name and continue.
While the Nerdio for Azure Core account is provisioning, you’ll want to gather some information. It should only take around ten minutes.
Here’s what you’ll need:
- Global administrator username
- NFA Account ID
- Resource Group Name
- Azure Region
- Azure Subscription ID
- AAD Tenant ID
Now that your new account has been provisioned, just log in to your new account, find the user you want to grant the rights to and hit ‘Show Extended Attributes’, check the ‘Grant domain admin rights’ box, and hit ‘Save’.
Now you’ll need to grant WVD Consent to AAD. Head to the Windows Virtual Desktop consent page and under Server App in Consent Option, enter your AAD Tenant ID. Then sign in as your global administrator account, wait a few moments, and head back to the Windows Virtual Desktop consent page.
Under Client App in Consent Option, enter the same AAD Tenant ID, and continue. Then just log back in and accept and you’re done with this step.
Become a TenantCreator
Now you’ll need to assign the TenantCreator application role to your global administrator account. Head over to the Azure Active Directory portal and log in once again.
Look for Windows Virtual Desktop in the Enterprise applications. Then you’ll want to add a new user under Users and groups. Go to Add Assignment, search for your global administrator account, and assign it.
Ready to Deploy
You’ll have to wait for Nerdio for Azure Core to finish provisioning before you can proceed here.
You’ll also need .NET Framework version 4.7.2 or later installed. Open Windows PowerShell ISE as an Administrator, download this PowerShell script and open it with PowerShell ISE.
Set the values in the variables section to the ones we set earlier and run your script. Note that this will upgrade the Azure and WVD PowerShell modules to their latest available versions.
It will take the script some time to run – maybe up to 30 minutes. Just one more step to go!
Now, you just need to install a Remote Desktop client and connect it up. Subscribe to your newly-created desktop and select any of the four demo accounts. The default password is “AwesomeNerdioXXXX” (where XXXX is the NFA Core account ID from step 2).
You’ll find a published desktop called ‘Session Desktop.’ Launch it and enter the same credentials as before if it asks you to log in.
That’s it – you’re done! This pilot deployment should give you a feel for the experience, but once Windows Virtual Desktop enters general availability, Nerdio will be able to automate the entire deployment process for you.
Want to give it a try yourself? No need to keep this tab open: you can download this section as a PDF guide right here: Guide – How to Deploy WVD in Two Hours with Nerdio
Full integration with Azure Multi-Factor Authentication (MFA) and Conditional Access (CA) is going to allow administrators to create a highly secure and user-friendly virtual desktop environment in Azure. Start Menu integration for RemoteApps, persistent subscriptions, and automatic updates of the client app all limit the number of actions an end-user must take, improving their overall experience.
Unlike previous versions of Remote Desktop Connection that were included in every version of Windows, this version must be downloaded and installed. The new client also requires .NET Framework 4.7.2 or later to be downloaded and installed on a Windows machine before installing the client.
Once in General Availability (GA), client apps will be available for macOS, iOS, Android and HTML5. Nothing is confirmed, but it would be safe to assume that WVD will be accessible from almost any modern internet-connected device.
Windows Virtual Desktop has many advantages over RDS implementations, and one of them is that Azure AD is natively supported – and required – for WVD to work. A handful of benefits come along with this:
- A consistent set of credentials for local Active Directory, Office 365 and other Azure AD services, and Windows Virtual Desktop.
- Native support for Azure multi-factor authentication (MFA).
- Support for Azure Conditional Access (CA).
Azure MFA is part of the Azure AD Premium license, and included as part of E3/E5 Office 365 and Microsoft 365 products.
Most users with Office 365 accounts should be able to start taking advantage of MFA with WVD right away. To take advantage of Conditional Access policies, users will need Azure AD Premium licenses.
Remote Desktop App
The WVD Remote Desktop app replaces the RemoteApp and Desktop Connections (RADC) and the Remote Desktop Connection (MSTSC) clients built into Windows. After downloading and installing the .NET framework and the new Remote Desktop app, the first step is to subscribe to virtual desktops and RemoteApps using your Azure AD credentials.
This subscription is persistent, meaning that even if you close the Remote Desktop app or reboot the PC, the user will not be required to re-subscribe and will not be prompted for their password and MFA credentials.
If a user is entitled to RemoteApps, they will automatically integrate with the Start Menu and will appear like regular apps that are locally installed, even though they’re running in Azure WVD. The icon in the task bar will have an indicator that the app is a RemoteApp. Otherwise, it will appear like a native, locally-installed application.
If a user is entitled to a full, published WVD desktop then double-clicking on the desktop icon will open it using a familiar Remote Desktop Connection (MSTSC) interface in full screen, spanning multiple monitors. Currently, it’s not possible to configure this from the client, but it will be in the future.
Remote Desktop App Update
When a new client version is available, the user will be notified by the client and the Windows Action Center. Selecting the notification will start the update process. This feature allows administrators to install the app only once and rely on Microsoft to keep it up to date. However, keep in mind that for the update to run, the user must have local administrator rights on the PC where the app is installed.
Nerdio empowers MSPs to build successful cloud practices in Azure. We’ll continue to keep up on the latest Windows Virtual Desktop news and will keep this document updated.