Migrate To or Deploy Azure Virtual Desktop Session Hosts To Azure

This document provides an overview of migrating an organization's virtual desktop environment to Azure Virtual Desktop. It discusses strategic benefits like improving employee productivity and modernizing existing environments. Common customer journeys include deploying an Azure Virtual Desktop reference architecture, migrating existing virtual desktops, and preparing for governance and operations at scale. The document recommends using the Cloud Adoption Framework methodology to develop a cloud adoption strategy and plan for Azure Virtual Desktop.

Uploaded by

Eduarda Freire

Contents

Desktop virtualization - Microsoft Cloud Adoption Framework for Azure


Strategic impact
Technical planning
Prepare your environments
Azure landing zones
Design areas
Enterprise enrollment
Identity and access management
Network topology and connectivity
Resource organization
Governance disciplines
Management baseline
Business continuity and disaster recovery
Platform automation and DevOps
Implementation options
Enterprise-scale landing zone for Azure Virtual Desktop
Azure Architecture Center - Azure Virtual Desktop
Migrate your virtual desktop platform
Proof of concept
Assess
Migrate (or deploy)
Release
Innovate in the cloud
Govern your portfolio
Manage your portfolio
Best practices
Azure Virtual Desktop security best practices
Azure security baseline for Azure Virtual Desktop
Virtual desktop machine sizing
Configure device redirections
Scale session hosts
Microsoft products
Azure Virtual Desktop
Azure Files
Learn modules
Introduction to Azure Virtual Desktop in Microsoft Azure
Prepare for Azure Virtual Desktop in Microsoft Azure
Deploy Azure Virtual Desktop in Microsoft Azure
Deliver remote desktops and applications from Azure with Azure Virtual Desktop
Optimize Azure Virtual Desktop in Microsoft Azure
Deploy applications by using MSIX app attach for Azure Virtual Desktop
Secure an Azure Virtual Desktop deployment
Migrate or deploy Azure Virtual Desktop instances to Azure
8/9/2021 • 2 minutes to read

Migrating an organization's end-user desktops to the cloud is a common scenario in cloud migrations. Doing so
helps improve employee productivity and accelerate the migration of various workloads to support the
organization's user experience.

Components of the scenario


This scenario is designed to guide the end-to-end customer journey, throughout the cloud adoption lifecycle.
Completing the journey requires a few key guidance sets:
Cloud Adoption Framework: These articles walk through the considerations and recommendations of
each CAF methodology. Use these articles to prepare decision makers, central IT, and the cloud center of
excellence for adoption of Azure Virtual Desktop as a central part of your technology strategy.
Reference architectures: These reference solutions aid in accelerating deployment of Azure Virtual
Desktop.
Featured Azure products: Learn more about the products that support your virtual desktop strategy in
Azure.
Microsoft Learn modules: Gain the hands-on skills required to implement, maintain, and support a virtual
desktop environment.

Common customer journeys


Azure Virtual Desktop reference architecture: The reference architecture listed in the left pane
demonstrates how to deploy a proven architecture for Azure Virtual Desktop in your environment. This
architecture is a suggested starting point for Azure Virtual Desktop.
Migrate existing virtual desktops to Azure: A common use case for Azure Virtual Desktop is to
modernize an existing virtual desktop environment. While the process can vary, there are several
components to a successful migration, such as session hosts, user profiles, images, and applications. If
you're migrating existing VMs, articles on migration outline how tools such as Movere and Azure Migrate
can accelerate the migration as part of a standard migration process. However, your migration may
consist of bringing your golden image into Azure and provisioning a new Azure Virtual Desktop host
pool with new session hosts. Additionally, you may migrate your existing user profiles into Azure and
build new host pools and session hosts as well. A final migration scenario may also include migrating
your applications into MSIX app attach format. In all these migration scenarios, customers need to
provision a new host pool, since there is currently no direct migration of other VDI solutions into Azure
Virtual Desktop.
Prepare for governance and operations at scale: Enterprise-scale support for Azure Virtual
Desktop demonstrates how you can use enterprise-scale landing zones to ensure consistent governance,
security, and operations across multiple landing zones for centralized management of virtual desktop
environments.
Implement specific Azure products: Accelerate and improve virtual desktop capabilities using
different kinds of Azure products outlined in the featured products section.
Next steps
The following list of articles will take you to guidance at specific points in the cloud adoption journey to help you
be successful in the cloud adoption scenario.
Strategy for Azure Virtual Desktop
Plan for Azure Virtual Desktop
Migrate to Azure Virtual Desktop
Manage an Azure Virtual Desktop environment
Govern an Azure Virtual Desktop environment
Strategic benefits of an Azure Virtual Desktop environment
8/16/2021 • 6 minutes to read

Best practice guidance encourages customers to create a single centralized cloud adoption strategy, using the
Cloud Adoption Framework's Strategy methodology. If you haven't already, use the strategy and plan template
to record your cloud adoption strategy.
This guidance will help expose several considerations about virtual desktops that will have an impact on your
strategy.

Virtual desktop outcomes


Virtual desktop migrations are motivated by a few common target outcomes, as shown and listed here:

Organizations want to extend productivity to PCs, phones, tablets, or browsers that might not be under the
direct control of the IT team.
Employees need to access corporate data and applications from their devices.
As workloads are migrated to the cloud, employees need more support for a low-latency, more optimized
experience.
The costs of current or proposed virtual desktop experiences need to be optimized to help organizations
scale their remote work more effectively.
The IT team wants to transform the workplace, which often starts with transforming employees' user
experience.
Virtualization of your end users' desktops in the cloud can help your team realize these outcomes.

The strategic impact of Azure Virtual Desktop in the cloud


Azure Virtual Desktop products form a mission-critical platform for many organizations. When these products
are foundational to an organization's business processes, the dependencies on Azure Virtual Desktop can be
seen throughout the portfolio. The cloud adoption plan for this platform can directly and indirectly impact cloud
adoption for all related workloads. While Azure Virtual Desktop isn't typically the first platform that an
organization moves to the cloud, it can be the most important. Understanding the strategy for an Azure Virtual
Desktop cloud migration and the future-state innovation targets is critical to the success of all other cloud
adoption plans.
This article uses the strategy and plan template and other resources from the Cloud Adoption Framework to
capture the strategic impact of Azure Virtual Desktop cloud adoption.
Reasons to move to an Azure Virtual Desktop platform in the cloud
Azure Virtual Desktop is an influential platform, and organizations have several motivations to adopt Azure
Virtual Desktop in the cloud. When an organization considers a cloud strategy for Azure Virtual Desktop, the
following motivations tend to shape cloud adoption plans:
Critical business events: Customers often adopt Azure Virtual Desktop in the cloud to mitigate
contractual, regulatory, compliance, or sovereignty risks.
Migration motivations: If other assets depend on Azure Virtual Desktop to migrate successfully, then
customers tend to focus on reducing costs, complexities, or operational overhead.
Innovation motivations: The cloud unlocks new opportunities for Azure Virtual Desktop to expand and
deliver transformative products and services.
Infrastructure scale flexibility requirements: The cloud offers the ability to seamlessly scale up and
down with infrastructure as part of business transformation with Azure Virtual Desktop.
Choice and flexibility: Customers now have the choice and flexibility to choose from any of the
available virtual machine families and sizes, all optimized for different usage requirements. They can
provide these virtual machines seamlessly to their user estate, all of which will likely have different
compute requirements based on their application portfolio.
Potential cost savings: Customers can take advantage of Azure as an operational cost rather than
upfront cost, because it's a consumption-based service. For example, virtual machines charge costs only
for the time they are powered on, providing the capability to realize cost savings back to their
organizations.
Azure Virtual Desktop customers are often motivated by all six categories above. To successfully implement an
Azure Virtual Desktop platform in the cloud, it's imperative for a cloud strategy team, including business and IT
leaders, to review and prioritize the motivations listed in Cloud motivations. This input will help the cloud
adoption team make informed decisions throughout the implementation process.
Motivations to adopt an Azure Virtual Desktop platform in the cloud are often based on an organization's
strategic objectives. The following topics are applicable for your organization if your team is reviewing this
adoption scenario:
1. Cycles to refresh on-premises virtual desktop infrastructure require significant capital expenditures. If
your virtual desktop infrastructure is due for a refresh, the benefits of cloud adoption can unlock timely
strategies to reduce costs.
2. Infrastructure hosting contracts lock in vendors for multiple years. If your hosting, managed service, or
maintenance contracts are coming up for renewal, some cloud adoption opportunities and benefits are
agility, new innovations opportunities, and streamlined operations for your most mission-critical
platforms.
3. Refresh and contract renewals can be triggered by on-premises virtual desktop upgrade cycles or a
business driver to expand into Azure Virtual Desktop. If your organization is seeking to expand Azure
Virtual Desktop capabilities, cloud adoption will provide opportunities to reduce costs, innovate, optimize,
and be more agile.

How to build a business justification for cloud migration


Building a business justification for cloud migration can dispel many common myths for your team's financial
plan. However, your finance team might need to develop a detailed financial model to account for all parts
associated with Azure Virtual Desktop cloud adoption.
The Forrester study on the total economic impact of Microsoft Azure for Azure Virtual Desktop offers an analysis
where the following justifications are typically defendable:
Time to market benefits exceed $3 million USD
Cost avoidance exceeds $7 million USD
102 percent return on investment
Pay back in nine months
Actual returns are likely to vary for individual customers. However, the tables in the Forrester study can capture
your organization's financial data for validation and business justification activities.
Understand that your initial business justification is a directional estimate that can help to drive strategic
alignment. Your organization can create transparency between the cloud strategy team and other stakeholders
by affirming that this justification can change significantly throughout planning activities. Look for consensus
that there's enough value to gather inventory and develop a plan. Once your digital estate is cataloged and
assessed, you can refine your business case and present clear plans for financial returns.

Approach: Azure Virtual Desktop refactor and modernization


In the approach outlined in this article series, the existing Citrix, VMware, or Remote Desktop Services farms are
modernized and replaced with a platform as a service (PaaS) solution called Azure Virtual Desktop.
In this scenario, desktop images are either migrated to Azure or new images are generated. Similarly, user
profiles are either migrated to Azure or new profiles are created. Usually, the client solution is enabled and
largely unchanged by this migration effort.

When the migration to the cloud is finished, the overhead and costs of managing a virtual desktop farm are
replaced with a cloud-native solution that manages the virtual desktop experience for your team. The team will
only be responsible for support of the desktop images, available applications, Azure Active Directory, and user
profiles.

How to measure progress during an Azure Virtual Desktop adoption


Once you understand the top motivations for this scenario, the cloud strategy team can define measurable
outcomes to further guide adoption activities. Examples of business outcomes commonly seen during cloud
adoption can be reviewed in Business outcomes.
Given the impact of an Azure Virtual Desktop platform, you need to create many defined objectives and
measurable key results. Commonly known as OKRs, objectives and key results can help you break down Azure
Virtual Desktop adoption into manageable efforts. For more information, see Objectives and key results to
understand OKRs in more detail.

Next step: Plan for a virtual desktop environment


The following resources provide guidance for specific points throughout the cloud adoption journey to help you
be successful in the adoption of Azure Virtual Desktop, as part of your cloud environment.
Plan for Azure Virtual Desktop migration or deployment
Review your environment or Azure landing zones
Complete an Azure Virtual Desktop proof-of-concept
Assess for Azure Virtual Desktop migration or deployment
Deploy or migrate Azure Virtual Desktop instances
Release your Azure Virtual Desktop deployment to production
Enterprise-scale landing zone for Azure Virtual Desktop
Manage your virtual desktop environment
Govern your virtual desktop environment
Azure Virtual Desktop planning
8/9/2021 • 3 minutes to read

Azure Virtual Desktop deployment scenarios follow the same Migrate methodology as other migration efforts.
This consistent approach allows migration factories or existing migration teams to adopt the process with little
change to non-technical requirements.

Plan your migration


As with other migrations, your team will assess workloads, deploy them, and then release them to end users.
However, Azure Virtual Desktop includes specific requirements that will necessitate a review of the Azure
landing zones during the assessment of the workloads. The process will also require a proof of concept prior to
the first deployment.
To build your plan, see the cloud adoption plan DevOps template for an existing migration backlog in Azure
DevOps. Use the template to create a detailed plan of activities.

Business justification
Part of your planning requires articulating the business benefits of moving to Azure Virtual Desktop.
The following items should be included in a business case:
The Azure Virtual Desktop control plane or management plane is provided as a service to customers. The
control plane manages end users' seamless global connectivity into their desktop, and the centralized
deployment and orchestration that IT requires. This is a platform as a service (PaaS) capability eliminating
the need for procuring, deploying, patching, or supporting hardware. It's an evergreen service that you
consume. It's a free service that you are entitled to via a license that you likely already own, helping you
achieve cost savings through efficiency. Also, after migration you don't need to manage or troubleshoot
an on-premises virtual desktop management service. This allows IT to focus on delivering business value,
like providing customers with the best user experience possible when accessing applications and data.
No upfront costs are incurred. Running an on-premises virtual desktop environment requires either an
upfront payment or a lengthy leasing agreement for the hardware required to meet the peak load.
This requirement applies even if the hardware is not ultimately used as the project progresses, or if the
hardware is not fully used when the project is complete. With Azure Virtual Desktop and Azure's
consumption-based model, you only pay for what you use, and you can scale up and down based on
your business needs, helping you reduce your costs.
Like other Azure services, Azure Virtual Desktop has a quicker delivery cadence for new features and
capabilities. On-premises hardware and off-the-shelf software typically don't provide large new feature
sets or new capabilities as frequently, and often require a costly project to implement. Conversely, Azure
services such as Azure Virtual Desktop regularly provide new capabilities, with deployment managed by
Microsoft. Azure Virtual Desktop is an evergreen service. Organizations don't need a project to roll out
new services to provide business users with new features. These new features could provide competitive
advantage or reduce the risk of technical debt.
Azure is a hyperscale cloud that provides services at massive scale. This functionality provides substantial
agility to your organization. Microsoft hosts services in an ever-increasing number of Azure regions,
enabling the infrastructure or services to be closer to your end users.
Azure Virtual Desktop provides the rich Windows 10 experience that users expect, at multi-session cost.
Azure Virtual Desktop enables the scale of Windows Server with Remote Desktop Services combined
with the user experience of Windows 10, without the compromise of application compatibility. Windows
10 Enterprise multi-session runs only on Azure Virtual Desktop.
Windows 10 Enterprise multi-session does not require a client access license (CAL), so no CALs need to be
purchased for it.
In Azure Virtual Desktop, if you deploy Windows Server (Windows Server 2012 R2, 2016 or 2019), there
is no requirement to purchase a Windows Server license.
All Azure Virtual Desktop virtual machines are charged at the base compute rate. Azure Virtual Desktop is
entitled through another license that you probably already own (Microsoft 365 E3+), that includes a
Windows license.
All Windows 7 virtual machines in Azure Virtual Desktop receive free extended security updates until
January 14, 2023.

Next steps
For guidance on specific elements of the cloud adoption journey, see:
Review your environment or Azure landing zones
Complete an Azure Virtual Desktop proof of concept
Assess Azure Virtual Desktop migration or deployment
Deploy or migrate Azure Virtual Desktop instances
Release your Azure Virtual Desktop deployment to production
Azure Virtual Desktop Azure landing zone review
8/9/2021 • 2 minutes to read

Before implementing Azure Virtual Desktop, the environment needs an Azure landing zone capable of hosting
desktops and any supporting workloads. The following checklist can help the team evaluate the landing zone for
compatibility. Guidance in the Ready methodology of this framework can help the team build a compatible
Azure landing zone, if one has not been provided.

Evaluate compatibility
Resource organization plan: The landing zone should include references to the subscription or
subscriptions to be used, guidance on resource group usage, and the tagging and naming standards to be
used when the team deploys resources.
Azure AD: An Azure Active Directory (Azure AD) instance or an Azure AD tenant should be provided for
end-user authentication. In addition, users must be synchronized from Active Directory Domain Services (AD
DS) or Azure Active Directory Domain Services (Azure AD DS) to Azure AD.
Network: Any required network configuration should be established in the landing zone prior to migration.
VPN or ExpressRoute: Additionally, any landing zone that supports virtual desktops will need a network
connection so that end users can connect to the landing zone and hosted assets. If an existing set of
endpoints is configured for virtual desktops, end users can still be routed through those on-premises devices
via a VPN or Azure ExpressRoute connection. If a connection doesn't already exist, you might want to review
the guidance on configuring network connectivity options in the Ready methodology.
Governance, users, and identity: For consistent enforcement, any requirements to govern access from
virtual desktops and to govern users and their identities should be configured as Azure policies and applied
to the landing zone.
Security: The security team has reviewed the landing zone configurations and approved each landing zone
for its intended use, including landing zones for the external connection and landing zones for any mission-
critical applications or sensitive data.
Azure Virtual Desktop: Azure Virtual Desktop platform as a service has been enabled.
Any landing zone that the team develops by using the best practices in the Ready methodology and that can
meet the previously mentioned specialized requirements would qualify as a landing zone for this migration.
To understand how to architect Azure Virtual Desktop, review the Azure Virtual Desktop requirements.

Next steps
For guidance on specific elements of the cloud adoption journey, see:
Complete an Azure Virtual Desktop proof of concept
Assess for Azure Virtual Desktop migration or deployment
Deploy or migrate Azure Virtual Desktop instances
Release your Azure Virtual Desktop deployment to production
Enterprise enrollment considerations for an Azure Virtual Desktop implementation
8/9/2021 • 2 minutes to read

For most customer implementations, standard best practices around enterprise enrollment and Active Directory
tenants are unchanged when deploying Azure landing zones for Azure Virtual Desktop. There are seldom
specific considerations or recommendations that would impact enterprise enrollment or Active Directory tenant
decisions. See the following considerations to determine whether Azure Virtual Desktop requirements would
impact existing tenant decisions.
However, it could be important to understand any decisions previously made by the cloud platform team to be
aware of existing enterprise enrollment or Active Directory tenant decisions.
You might also want to review the identity and access management considerations to understand how the
Active Directory tenant is applied in the design of authentication and authorization solutions. You might also
want to evaluate the resource organization considerations to understand how the enrollment might be
organized into management groups, subscriptions, and resource groups.
Identity and access management considerations for Azure Virtual Desktop
8/9/2021 • 5 minutes to read

Azure Virtual Desktop is a managed service that provides a Microsoft control plane for your virtual desktop
infrastructure. Identity and access management for Azure Virtual Desktop uses Azure role-based access control
(RBAC) with certain conditions outlined in this article.

RBAC design
RBAC supports separation of duties for the various teams and individuals that manage the deployment of Azure
Virtual Desktop. As part of your landing zone design you should decide who assumes the various roles. You
then create a security group for each role to simplify adding and removing users to and from the roles.
Azure Virtual Desktop has custom Azure roles designed for each functional area. Configuration details are in
Built-in roles for Azure Virtual Desktop. Common roles include:
Desktop Virtualization Contributor: This role lets you manage all aspects of the deployment but doesn't
grant access to compute resources.
Desktop Virtualization Reader: This role lets you view everything in the deployment but doesn't let you
make changes.
Desktop Virtualization Host Pool Contributor: This role lets you manage all aspects of host pools,
including access to resources. To create virtual machines you need another role, Virtual Machine Contributor.
You will also need the Application Group Contributor and Workspace Contributor roles to create host pools
using the portal, or you can use the Desktop Virtualization Contributor role.
Desktop Virtualization Host Pool Reader: This role lets you view everything in the host pool, but doesn't
let you make changes.
Desktop Virtualization Application Group Contributor: This role lets you manage all aspects of
application groups. To publish application groups to users, or to user groups, you need the User Access
Administrator role.
Desktop Virtualization Application Group Reader: This role lets you view everything in the application
group, but doesn't let you make changes.
Desktop Virtualization Workspace Contributor: This role lets you manage all aspects of workspaces. To
get information on applications added to the application groups, you need the Desktop Virtualization
Application Group Reader role.
Desktop Virtualization Workspace Reader: This role lets you view everything in the workspace, but
doesn't let you make changes.
Desktop Virtualization User Session Operator: This role lets you send messages, disconnect sessions,
and use the logoff function to sign sessions out of the session host. However, it doesn't let you perform
session host management like removing session hosts, changing drain mode, and so on.
Desktop Virtualization Session Host Operator: This role lets you view and remove session hosts, and
change drain mode. You can't add session hosts using the Azure portal because you don't have write
permission for host pool objects.
Azure built-in roles can be created and defined as part of the Cloud Adoption Framework for Azure deployment.
RBAC roles that are specific to Azure Virtual Desktop may need to be combined with other Azure RBAC roles to
provide the complete set of permissions users need for Azure Virtual Desktop and for other Azure services like
virtual machines and networking.
Design considerations
Azure Virtual Desktop users must be sourced from either the same instance of on-premises Active
Directory Domain Services (AD DS) that is synchronized to Azure Active Directory (Azure AD), or an
instance of Azure AD Domain Services (Azure AD DS) synchronized from Azure AD.

NOTE
Azure Virtual Desktop does not support B2B or Microsoft accounts.

The account used for domain join can't have multifactor authentication or other interactive prompts, and
there are other requirements. For more information, see Virtual machine details.
Azure Virtual Desktop requires a hosting strategy for domain services. Choose either AD DS or Azure AD
DS.
When joining to an Azure AD DS domain, the account must be part of the Azure AD DC administrators
group and the account password must work in Azure AD DS. For more information, see Virtual machine
details.
Azure AD DS is a supported option, but there are limitations:
You must have password hash synchronization enabled (uncommon when federating Azure AD).
You can only project Azure AD DS into a single virtual network (and single Azure region) that uses a
non-public IP address range. You can't add domain controllers to an Azure AD DS domain.
You cannot use hybrid join for Azure Virtual Desktop VMs to enable Azure Active Directory Seamless
Single Sign-On for Microsoft 365 services.
For more information, see Frequently asked questions (FAQ) about Azure Active Directory Domain
Services (Azure AD DS).
When specifying an organizational unit, use the distinguished name without quotation marks.
Follow the principle of least privilege by assigning the minimum permissions needed for authorized
tasks.
The user principal name used to subscribe to Azure Virtual Desktop must exist in the Active Directory
domain where the session host virtual machine is joined. For more information about user requirements,
see Azure Virtual Desktop requirements.
When using smart cards, a direct connection (line of sight) with an Active Directory domain controller for
Kerberos authentication is required. For more information, see Configure a Kerberos Key Distribution
Center proxy.
Using Windows Hello for Business requires the hybrid certificate trust model to be compatible with Azure
Virtual Desktop. For more information, see Hybrid Azure AD joined certificate trust deployment.
When using Windows Hello for Business or smart-card authentication, the initiating client must be able to
communicate with the domain controller because these authentication methods use Kerberos to sign in.
For more information, see Supported authentication methods.
Single sign-on can improve user experience, but it requires additional configuration and is only
supported using Active Directory Federation Services. For more information, see Configure AD FS single
sign-on for Azure Virtual Desktop.

Design recommendations
Use Azure AD Connect to synchronize all identities to a single Azure AD tenant. For more information, see
What is Azure AD Connect?
Ensure Azure Virtual Desktop session hosts can communicate with Azure AD DS or AD DS.
Use the Kerberos Key Distribution Center proxy solution to proxy smart-card authentication traffic and to
sign in remotely. For more information, see Configure a Kerberos Key Distribution Center proxy.
Segregate session host virtual machines into Active Directory organization units for each host pool to more
easily manage policies and orphaned objects. For more information, see Virtual machine details.
Use a solution like Local Administrator Password Solution (LAPS) to rotate local administrator passwords on
Azure Virtual Desktop session hosts frequently. For more information, see Security assessment: Microsoft
LAPS usage.
For users, assign the Desktop Virtualization User built-in role to security groups to grant access to Azure
Virtual Desktop application groups. For more information, see Delegated access in Azure Virtual Desktop.
Create conditional access policies for Azure Virtual Desktop. Such policies can enforce multifactor
authentication based on conditions like risky sign-ins to increase an organization's security posture. For more
information, see Enable Azure Active Directory multifactor authentication for Azure Virtual Desktop.
Configure AD FS to enable single sign-on for users on the corporate network.
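The RBAC design section above asks for a security group per role, the Desktop Virtualization User role assigned to groups at the application-group scope, and least privilege overall. The following added example (written for this page, not Microsoft's code or part of the original article) turns those three recommendations into an audit over an exported list of role assignments; the record field names (principalName, principalType, roleDefinitionName, scope) and the sample records are constructed assumptions, not output copied from a real tenant.

```python
"""Audit Azure role assignments against the Azure Virtual Desktop RBAC
recommendations: AVD roles go to security groups (not individual users),
Desktop Virtualization User is scoped to an application group, and broad
roles at subscription or management-group scope are flagged for review.
Added example; the record layout is an assumption, not a documented export format."""
from dataclasses import dataclass

# Built-in Azure Virtual Desktop roles named in the article.
AVD_ROLES = {
    "Desktop Virtualization Contributor",
    "Desktop Virtualization Reader",
    "Desktop Virtualization Host Pool Contributor",
    "Desktop Virtualization Host Pool Reader",
    "Desktop Virtualization Application Group Contributor",
    "Desktop Virtualization Application Group Reader",
    "Desktop Virtualization Workspace Contributor",
    "Desktop Virtualization Workspace Reader",
    "Desktop Virtualization User Session Operator",
    "Desktop Virtualization Session Host Operator",
    "Desktop Virtualization User",
}

# Roles broad enough to undo the separation of duties the AVD roles provide.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Resource-ID fragment that identifies an application-group scope (compared lower-case).
APP_GROUP_MARKER = "/providers/microsoft.desktopvirtualization/applicationgroups/"


@dataclass
class Finding:
    principal: str
    role: str
    scope: str
    reason: str


def scope_level(scope):
    """Classify an Azure scope string as managementGroup, subscription, resourceGroup or resource."""
    s = scope.lower()
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "managementGroup"
    parts = s.strip("/").split("/")
    if parts[0] != "subscriptions":
        return "resource"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resourceGroup"
    return "resource"


def audit_assignments(assignments):
    """Return one Finding per deviation from the RBAC recommendations."""
    findings = []
    for a in assignments:
        name, ptype = a["principalName"], a["principalType"]
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in AVD_ROLES and ptype == "User":
            findings.append(Finding(name, role, scope,
                "AVD role assigned directly to a user; assign it to a security group instead"))
        if role == "Desktop Virtualization User" and APP_GROUP_MARKER not in scope.lower():
            findings.append(Finding(name, role, scope,
                "Desktop Virtualization User should be scoped to an application group"))
        if role in BROAD_ROLES and scope_level(scope) in ("subscription", "managementGroup"):
            findings.append(Finding(name, role, scope,
                "broad role at %s scope; prefer the AVD-specific roles at host pool, "
                "application group or workspace scope" % scope_level(scope)))
    return findings


# Constructed sample export (placeholder subscription ID, not a real tenant).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-avd-prod"
APP_GROUP = RG + "/providers/Microsoft.DesktopVirtualization/applicationGroups/ag-finance-desktop"
HOST_POOL = RG + "/providers/Microsoft.DesktopVirtualization/hostPools/hp-finance"

SAMPLE_ASSIGNMENTS = [
    {"principalName": "sg-avd-finance-users", "principalType": "Group",
     "roleDefinitionName": "Desktop Virtualization User", "scope": APP_GROUP},   # compliant
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Desktop Virtualization User", "scope": APP_GROUP},   # direct user grant
    {"principalName": "sg-avd-hostpool-ops", "principalType": "Group",
     "roleDefinitionName": "Desktop Virtualization Host Pool Contributor", "scope": HOST_POOL},  # compliant
    {"principalName": "sg-avd-finance-users", "principalType": "Group",
     "roleDefinitionName": "Desktop Virtualization User", "scope": RG},          # wrong scope
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB},                         # broad role
]

if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{f.principal}: {f.role} at {f.scope}\n  -> {f.reason}")
```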
Network topology and connectivity considerations for Azure Virtual Desktop
8/9/2021

Review network options


Designing and implementing Azure Virtual Desktop Azure networking capabilities is critical for your Azure
Virtual Desktop landing zone. Azure networking products and services support a wide variety of networking
capabilities. How you structure these services and the networking architectures you choose depends on your
organization's workload, governance, and connectivity requirements.

Identify workload networking requirements


Identify the networking capabilities that your landing zone needs to support. Assess each application and
service in your workloads to determine their connectivity network control requirements. After you identify and
document the requirements, create policies for your landing zone. Policies control networking resources and
configuration based on your workload needs.
For each application or service you'll deploy to your landing zone, use the following decision tree to help you
determine the networking tools or services to use:
The following questions help you make decisions based on the Azure networking services decision tree:
Is a virtual network needed for Azure Virtual Desktop?
Yes, Azure Virtual Desktop virtual machines must be deployed in an Azure virtual network.
What is the size of your virtual network?
The number of IP addresses needed in the virtual network will mainly depend on the load you want to
handle. Use appropriate address ranges as defined in your existing networking architecture to be able to
scale out your Azure Virtual Network infrastructure.
Will your workloads require connectivity between virtual networks and your on-premises datacenter?
Several reasons can require that you connect your virtual network to your on-premises datacenter, such as
extending your on-premises Active Directory domain into Azure or allowing an application that runs on
your Azure Virtual Desktop deployment to reach on-premises resources.
Azure provides two solutions for establishing hybrid networking capabilities:
Azure VPN Gateway connects your on-premises networks to Azure through Site-to-Site VPNs similar
to how you might set up and connect to a remote branch office. VPN Gateway has a maximum
bandwidth of 10 Gbps. For more information, see What is Azure VPN Gateway?
Azure ExpressRoute offers higher reliability and lower latency by using a private connection between
Azure and your on-premises infrastructure. Bandwidth options for ExpressRoute range from 50 Mbps
to 100 Gbps. For more information, see What is Azure ExpressRoute?
Will you need to inspect and audit outgoing traffic by using on-premises network devices?
Cloud-native workloads can use Azure Firewall or third-party network virtual appliances for internet
traffic. For more information, see What is Azure Firewall?. Additionally, Microsoft Defender for Endpoint
can provide insights for per-session traffic analysis when using Windows 10 Enterprise multi-session
devices. For more information, see Onboard Windows 10 Enterprise multi-session devices in Azure
Virtual Desktop.
Your security policies might require internet-bound outgoing traffic to pass through centrally managed
devices in the on-premises environment. Forced tunneling supports these scenarios, but not all managed
services support forced tunneling. For more information, see Virtual network traffic routing.
Azure Virtual Desktop supports forced tunneling, as long as all traffic from the virtual machines to the
Azure Virtual Desktop management plane doesn't go back on-premises. For more information on the Azure
Virtual Desktop safe URL list, see Azure Virtual Desktop required URL list.
We recommend bypassing proxies for Azure Virtual Desktop traffic. Proxies don't make Azure Virtual
Desktop more secure because the traffic is already encrypted. However, some organizations require that
all user traffic goes through a proxy server for tracking or packet inspection. For more information on
proxy server guidelines for Azure Virtual Desktop, see Proxy server guidelines for Azure Virtual Desktop.
Do you need to connect multiple virtual networks?
You can use virtual network peering to connect instances of Azure Virtual Network. Peering can support
connections across subscriptions and regions. For more information, see Virtual network peering.
Virtual network peering provides connectivity between only two peered networks. You might provide
services across multiple subscriptions or need to manage a large number of network peerings. Consider
adopting a hub and spoke networking architecture or using Azure Virtual WAN. For more information,
see:
Software Defined Networking: hub and spoke
What is Azure Virtual WAN?
Will you need to support custom DNS management?
Azure DNS is a hosting service for DNS domains. Azure DNS provides name resolution by using the
Azure infrastructure. For more information, see What is Azure DNS?
Your workloads might require name resolution support beyond Azure DNS. Since Azure Virtual Desktop
requires Active Directory services, consider using Azure Active Directory Domain Services to augment
Azure DNS capabilities or deploy custom IaaS virtual machines. For more information, see:
What is Azure Active Directory Domain Services?
Name resolution for resources in Azure Virtual Network
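The outbound inspection and forced tunneling questions above, worked through in Azure PowerShell as an added example that is not code from the Cloud Adoption Framework page: it allows session hosts to reach the Azure Virtual Desktop service through Azure Firewall's built-in WindowsVirtualDesktop FQDN tag and points the subnet's default route at the firewall, so management-plane traffic is inspected in Azure rather than hairpinned on-premises. The firewall name, virtual network name, subnet name and address range are assumed; the resource group name is the one from the sample structure later on the page.

```powershell
# Added example (not from the Cloud Adoption Framework page): force all internet-bound
# traffic from a session host subnet through Azure Firewall and explicitly allow the
# Azure Virtual Desktop service endpoints via the "WindowsVirtualDesktop" FQDN tag.
# Assumed: firewall "afw-wu2-hub", vnet "vnet-wu2-avd", subnet "snet-sessionhosts"
# (10.10.1.0/24, constructed), all in resource group "rg-wu2-network-services".

Import-Module Az.Network

$networkRg         = 'rg-wu2-network-services'
$location          = 'westus2'
$sessionHostSubnet = '10.10.1.0/24'   # constructed address range

$firewall = Get-AzFirewall -ResourceGroupName $networkRg -Name 'afw-wu2-hub'
if (-not $firewall) { throw "Firewall not found in $networkRg" }

# 1) Application rule: session hosts may reach the AVD service URLs (HTTPS over 443).
#    The FQDN tag is maintained by Microsoft, so the allow list follows the required URL list.
$avdRule = New-AzFirewallApplicationRule -Name 'allow-avd-service' `
    -SourceAddress $sessionHostSubnet -FqdnTag 'WindowsVirtualDesktop'

$ruleCollection = New-AzFirewallApplicationRuleCollection -Name 'avd-required' `
    -Priority 200 -Rule $avdRule -ActionType Allow

# Skip if a collection with this name already exists (idempotent re-runs).
if (-not ($firewall.ApplicationRuleCollections | Where-Object Name -eq 'avd-required')) {
    $firewall.ApplicationRuleCollections.Add($ruleCollection)
    Set-AzFirewall -AzureFirewall $firewall | Out-Null
}

# 2) Forced tunneling: the subnet's default route points at the firewall's private IP,
#    so session hosts need neither a public IP nor a direct path to the internet.
$firewallIp = $firewall.IpConfigurations[0].PrivateIPAddress
$defaultRoute = New-AzRouteConfig -Name 'default-via-firewall' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $firewallIp

$routeTable = New-AzRouteTable -ResourceGroupName $networkRg -Name 'rt-wu2-sessionhosts' `
    -Location $location -Route $defaultRoute -Force

$vnet = Get-AzVirtualNetwork -ResourceGroupName $networkRg -Name 'vnet-wu2-avd'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-sessionhosts' `
    -AddressPrefix $sessionHostSubnet -RouteTable $routeTable | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

Write-Host "Session host subnet $sessionHostSubnet now egresses via $firewallIp"
```

Traffic that is not covered by the allow rule is logged and dropped by the firewall, which gives the audit trail the section asks for without routing the management-plane traffic back on-premises.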

Understand common networking scenarios


Azure networking includes products and services that provide different networking capabilities. As part of your
networking design process, compare your workload requirements to networking scenarios. Identify the Azure
tools or services that provide these networking capabilities:

| Scenario | Networking product or service |
|---|---|
| I need networking infrastructure to connect everything, from virtual machines to incoming VPN connections. | Azure Virtual Network |
| I need to balance inbound and outbound connections and requests to my applications or services. | Azure Load Balancer |
| I want to optimize delivery from application server farms while increasing application security with a web application firewall. | Azure Application Gateway and Azure Front Door |
| I need to securely use the internet to access Azure Virtual Network through high-performance VPN gateways. | Azure VPN Gateway |
| I need ultra-fast DNS responses and ultra-high availability for all my domain needs. | Azure DNS |
| I need to accelerate the delivery of high-bandwidth content to customers worldwide. This content includes applications, stored content, and streaming video. | Azure Content Delivery Network (CDN) |
| I need to protect my Azure applications from DDoS attacks. | Azure DDoS Protection |
| I need to distribute traffic optimally to services globally across Azure regions, while providing high availability and responsiveness. | Azure Traffic Manager and Azure Front Door |
| I need to add private network connectivity to access Microsoft cloud services from my corporate networks as if they were on-premises. | Azure ExpressRoute |
| I want to monitor and diagnose conditions at a network level. | Azure Network Watcher |
| I need native firewall capabilities, with built-in high availability, unrestricted cloud scalability, and zero maintenance. | Azure Firewall |
| I need to connect business offices, retail locations, and sites securely. | Azure Virtual WAN |
| I need a scalable, security-enhanced delivery point for global microservices-based web applications. | Azure Front Door |

Choose a networking architecture


After you identify the Azure networking services to support your workloads, design the architecture to combine
these services. To learn about networking architecture patterns for your landing zone, see the Software Defined
Networking decision guide.
The following table summarizes the primary scenarios that these patterns support:

| Scenario | Suggested network architecture |
|---|---|
| All of the Azure-hosted workloads in your landing zone are platform as a service (PaaS) resources. These resources don't require a virtual network and aren't part of a wider cloud adoption effort that includes infrastructure as a service (IaaS) resources. | PaaS-only |
| Your Azure-hosted workloads deploy IaaS-based resources like virtual machines, or the workloads require a virtual network. These resources don't require connectivity to your on-premises environment. | Cloud-native |
| Your Azure-hosted workloads require limited access to on-premises resources, but you're required to treat cloud connections as untrusted. | Cloud DMZ |
| Your Azure-hosted workloads require limited access to on-premises resources. You plan to implement mature security policies and secure connectivity between the cloud and your on-premises environment. | Hybrid |
| You deploy and manage a large number of virtual machines and workloads, you need to share services across subscriptions, or you need a more segmented structure for role, application, or permission segregation. For more information, see Azure subscription and service limits, quotas, and constraints. | Hub and spoke |
| You have many branch offices that need to connect to each other and to Azure. | Azure Virtual WAN |

In addition to using one of these architecture patterns, if you plan to host more than 1,000 assets, including
applications, infrastructure, and data assets, in the cloud within 24 months, consider an enterprise-scale landing
zone. The enterprise-scale landing zone provides a combined approach to networking, security, management,
and infrastructure.
For organizations that meet some of the following criteria, you may also want to start with an enterprise-scale
landing zone:
Your enterprise is subject to regulatory compliance requirements for centralized monitoring and audit
capabilities.
You maintain common policy, governance compliance, and centralized IT control over core services.
Your industry depends on a complex platform that requires complex controls and deep domain expertise to
govern the platform. This situation is common in large enterprises in finance, oil and gas, or manufacturing.
Your existing IT governance policies require tight parity with existing features, even during early stage
adoption.
For more information, see Start with Cloud Adoption Framework enterprise-scale landing zones.

Follow Azure networking best practices


As part of your networking design process, see these articles:
Plan virtual networks. Learn how to plan for virtual networks based on your isolation, connectivity, and
location requirements.
Azure best practices for network security. Learn about Azure best practices that can help you enhance your
network security.
Best practices for networking when you migrate workloads to Azure. Get more guidance about how to
implement Azure networking to support workloads.

Next steps
Management and monitoring
Resource organization considerations for Azure Virtual Desktop
8/16/2021

As with all cloud environments, the structure within which resources are deployed will have a direct bearing on
how they are managed and governed.
The following considerations and recommendations will help establish proper resource organization and
segmentation across management group hierarchies, subscriptions, landing zones, and resource groups. They will
also help establish proper tagging strategies to keep resources organized.

Design considerations
How many Azure Virtual Desktop virtual machines will you require?
You shouldn't deploy more than 5,000 virtual machines per region (for both personal and host pools based on
Windows 10 Enterprise single and multi-session). Increasing the resources of an individual session host virtual
machine can help to accommodate more user sessions.
To manage enterprise environments with more than 5,000 VMs per Azure subscription in the same region, you
can create multiple Azure subscriptions in a hub-spoke architecture and connect them via virtual network
peering, as in the preceding example architecture. You could also deploy VMs in a different region in the same
subscription to increase the number of VMs.
Which regions will the hosts be deployed in?
Consider deploying your hosts to Azure regions that are closest to your users in order to help with performance
related to network connectivity and latency. Also consider compliance and data residency requirements when
choosing a specific region.

Design recommendations
Naming and tagging
Use naming and tagging standards to organize resources and help simplify resource management, cost tracking
and governance.
Maintaining consistency across resources helps identify deviation from agreed-upon policies. Prescriptive
guidance for resource tagging demonstrates how one of the following patterns can help when deploying
governance practices. Similar patterns are available to evaluate regulatory compliance using tags.
A standardized naming convention is the starting point for organizing your cloud-hosted resources. A properly
structured naming system allows you to quickly identify resources for both management and accounting
purposes. If you have existing IT naming conventions in other parts of your organization, consider whether your
cloud naming conventions should align with them or if you should establish separate cloud-based standards.
Management groups and subscriptions
As part of the Azure landing zone best practices, resources should be grouped logically in management groups
in order to target policy and initiative assignments using Azure Policy.
Create management groups under your root-level management group to represent the types of workloads
(archetypes) that you'll host and ones based on their security, compliance, connectivity, and feature needs. This
grouping structure allows you to have a set of Azure policies applied at the management group level for all
workloads that require the same security, compliance, connectivity, and feature settings.
Subscriptions serve as a scale unit so that component workloads can scale within the platform subscription
limits. Make sure to consider subscription resource limits during your workload design sessions.
Subscriptions provide a management boundary for governance and isolation, which clearly separates concerns.

Next steps
Further reading on recommendations for Azure Virtual Desktop resource organization
Further reading on recommendations for naming and tagging in Azure
Governance baseline considerations for Azure Virtual Desktop
8/16/2021

This article covers key design considerations and recommendations for security, governance, and compliance in
a Cloud Adoption Framework enterprise-scale landing zone architecture for Azure Virtual Desktop.
As with any IT service, it's important to build the environment to scale, secure it, and be able to operate your
environment simply and efficiently. While the Azure Virtual Desktop service does most of the front-end work,
you still need to have the right control mechanisms to keep your systems and data safe. You also need processes
to continually review those controls, report changes and, if necessary, remediate. At the end of this article, you'll
understand the critical design areas for security, governance, and compliance, and you'll have clear guidance on
Microsoft recommendations in each area.
In most cases, Azure Virtual Desktop is deployed into a landing zone as part of the Microsoft Cloud Adoption
Framework for Azure. Microsoft recommends reviewing the Cloud Adoption Framework to ensure that your
environment has the right foundation for security, compliance, governance, and cost management.

Design considerations
Identity: Decide on a tool for multifactor authentication and conditional access for user identities. For Azure
Virtual Desktop, as for most workloads in Azure, identity is a security boundary. User identity is the central
mechanism of user access to desktops, applications, and company data. It's best to protect user credentials
during sign-in with multifactor authentication and conditional access.
Audit logs: Audit logs and Azure Virtual Machines logs are critical to troubleshooting when issues arise, but also
serve as a security tool for an Azure Virtual Desktop environment. What tools do you use to capture security
or performance logs within your virtual machine (VM)? Are audit logs for Azure Virtual Desktop stored in a
central Azure Monitor Logs workspace, or in an isolated Azure Monitor Logs workspace dedicated to Azure
Virtual Desktop? Also consider whether to use a partner tool to analyze the logs for security patterns or
other reporting needs.
Compliance: Nearly all corporations are required to comply with government or industry regulatory
policies. It's important to review those policies with your compliance team and have the correct controls for
your Azure Virtual Desktop landing zone. You may need controls for specific policies like the Payment Card
Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act of 1996
(HIPAA).
Defined roles: Defined administrative, operations, and engineering roles within your organization play a
large part in defining the day-to-day operations in the Azure Virtual Desktop environment. Knowing which
team is responsible for what area will help determine Azure role-based access control (RBAC) roles and
configuration. Be sure to review the identity and access management section for more information. Consider
creating a RACI matrix to map who owns each responsibility, then build controls into the Cloud Adoption
Framework management group structure.
Security audit tools: What tools and methods do you use to continually scan and evaluate your
environment for security audits and vulnerabilities?
Software updates: Define a strategy for continuous operations to keep Windows and applications current.
Disk encryption: Do you have regulatory or internal security requirements to manage and maintain your
own keys for encrypting VMs at rest? Are Azure Key Vault keys acceptable for encryption? Do you need
advanced hardware encryption or in-guest OS encryption like BitLocker? How will data at rest or data in
transit be encrypted?
Data protection: How will data in the VMs be protected? You can use a tool like Azure Information
Protection to protect data. Consider using antimalware tools for protection.
Service tags: A service tag represents a group of IP address prefixes for an Azure service. Microsoft
manages the address prefixes and automatically updates the tags as addresses change, simplifying frequent
updates to network security rules. Sometimes it's necessary to have additional tags in an Azure Virtual
Desktop environment for areas like chargeback, security audits, reporting, and alerts.
Policies: Policies for managing your Azure Virtual Desktop environment should be defined in your Cloud
Adoption Framework platform design. Include policies pertaining to security, RBAC controls, regulatory
governance, and types of resources that can be deployed.
Resource group organization: Organize your resource groups to facilitate good management and
prevent accidental deletions, and define who can manage your environment.

Design recommendations
Multifactor authentication: Multifactor authentication for all users is essential to securing desktops and
company data. Use multifactor authentication in Azure Active Directory or a partner multifactor
authentication tool.
Conditional access: Conditional access helps you to manage risks when granting access to users in your
Azure Virtual Desktop environment. Before deciding to grant access to a user, consider who the user is, how
they sign in, and which device they use. See What is Azure AD Conditional Access? for an overview of
conditional access and advice on best practices.
Enable logging: Enable Azure Virtual Desktop service logging, host pool logging, and workspace logging
for all Azure Virtual Desktop objects. For more information, see Use Log Analytics for the diagnostics feature.
Enable Azure Virtual Desktop host logging and performance logging as outlined in the management and
monitoring section of the Azure Virtual Desktop landing zone architecture.
Endpoint protection: Microsoft strongly advises enabling a next-generation antivirus to create a protection
layer and response mechanism to threats. An example is Microsoft Defender for Endpoint. It's integrated with
Azure Security Center to provide a data analytics and AI approach to proactively maintain security. Other
security needs like network protection, web content filtering, attack surface reduction, security baselines for
VM hosts, and threat vulnerability management should be part of your Azure Virtual Desktop design. See the
following section for links to Azure Virtual Desktop host security best practices.
Microsoft Information Protection: Enable and configure Microsoft Information Protection to discover,
classify, and protect sensitive information wherever it is.
Control device redirection: Only enable what your end users need. Common devices to disable include
local hard drive access and USB or port restrictions. Limiting camera redirection and remote printing can
help protect company data. Disable clipboard redirection to prevent copying remote content to endpoints.
Policy tools: Use group policy and device management tools like Intune and Microsoft Endpoint
Configuration Manager to maintain a thorough security and compliance practice for your desktops.
Patch management: Patch management is a vital part of the overall security strategy for your environment.
You need a consistent practice and deployment policy to maintain secure systems. Tools like Microsoft
Endpoint Configuration Manager and partner applications can help manage patches and keep your systems
up to date.
Screen capture: The screen capture protection feature, when enabled, prevents screen information from being
captured on the client endpoints. Remote content is blocked or hidden in screenshots and screen shares, and from
software that captures screen content. For more information, see Enable screen capture protection.
Security baseline: Use a security baseline as a starting point for securing the Windows operating system.
For more information, see Windows security baselines.
Application control: Implement Windows Defender Application Control and AppLocker, which allows
organizations to control drivers and applications that can run on Windows 10 clients.
Azure Security Center: Enable Security Center to help maintain security compliance and alerting within
your environment.
Microsoft Secure Score: Microsoft Secure Score provides recommendations and best practice advice for
increasing your security posture and securing surrounding infrastructure with documented best practices.
Disk encryption: Enable Azure Disk Encryption for your VMs. This option is configured by default with
Azure-provided keys. In many cases, this configuration is acceptable to security teams and auditors. However,
if you have a security practice or regulatory requirement that requires you to maintain your own keys, you
can implement that practice for Azure Virtual Desktop VMs.
Key Vault: Enable Key Vault to protect security principal accounts and encryption keys.
Security best practices: Review security best practices for Azure Virtual Desktop as a starting point to
security within your environment, and implement as appropriate.
Azure Virtual Desktop service and internet traffic routing and inspection: By using reverse connect,
built into the Azure Virtual Desktop platform, VMs do not need a public IP. VMs communicate outbound
securely to Azure Virtual Desktop service URLs over port 443. It's good practice to enable Azure Firewall or a
partner firewall appliance for traffic logging, routing, or inspection. Having a web proxy filter to monitor and
log internet traffic is also recommended.
Azure Virtual Desktop metadata: A good resource group design for Azure Virtual Desktop can help
protect against accidental deletion of workspace and host pool objects, can separate VM types, and
can allow for administrators from different departments. Outside the Cloud Adoption Framework best
practices for RBAC, security controls, and landing zone design, here is a sample resource group structure for
Azure Virtual Desktop.

NOTE
This structure should be duplicated for each region you deploy into.

- Networking: Generally created as part of the Cloud Adoption Framework Landing zone
- Azure Virtual Desktop Service Objects: Separate Azure Virtual Desktop Service Objects from Host Pool
VMs. Service objects include Workspaces, Host Pools and RemoteApp/Desktops App groups. Create a resource
group for these objects.
- Storage: If not already created as part of Cloud Adoption Framework, create a resource group for
storage accounts
- Images: Create a resource group for custom VM images
- Host Pools: Create a resource group for each host pool
- Basic Structure
- Subscription
- rg-wu2-network-services
- rg-wu2-wvd-storage
- rg-wu2-wvd-service-objects
- rg-wu2-wvd-images
- rg-wu2-wvd-hostpool1
- rg-wu2-wvd-hostpool2
- rg-wu2-wvd-hostpool3
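The sample structure above, created in Azure PowerShell as an added example that is not code from the Cloud Adoption Framework page: it builds the per-region resource groups with a consistent tag set, places a CanNotDelete lock on the service objects group (the accidental-deletion risk the section calls out), and reports groups that are missing a required tag. The region "westus2", the tag values and the owner address are assumed; the networking group is left to the landing zone, as the list says.

```powershell
# Added example (not from the Cloud Adoption Framework page): create the sample
# resource group structure for one region, tag it consistently, and lock the
# service-object group against deletion. Region and tag values are assumed.

Import-Module Az.Resources

$location = 'westus2'
$region   = 'wu2'                       # short region code used in the names on the page
$tags = @{                              # constructed tag set; align with your own standard
    workload    = 'avd'
    environment = 'prod'
    costcenter  = 'CC-0000'
    owner       = 'avd-ops@example.com'
}

# Functional suffixes from the sample structure; every host pool gets its own group.
# rg-wu2-network-services is created by the landing zone and is not touched here.
$suffixes = @('storage', 'service-objects', 'images') + (1..3 | ForEach-Object { "hostpool$_" })

foreach ($suffix in $suffixes) {
    $rgName = "rg-$region-wvd-$suffix"
    $rg = Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue
    if (-not $rg) {
        New-AzResourceGroup -Name $rgName -Location $location -Tag $tags | Out-Null
        Write-Host "Created $rgName"
    } else {
        # Bring pre-existing groups in line; Merge adds/overwrites these keys without dropping others.
        Update-AzTag -ResourceId $rg.ResourceId -Tag $tags -Operation Merge | Out-Null
        Write-Host "Tagged existing $rgName"
    }
}

# Workspaces, host pools and app groups live here; losing them is far costlier than losing a VM.
New-AzResourceLock -LockName 'no-delete-avd-service-objects' -LockLevel CanNotDelete `
    -ResourceGroupName "rg-$region-wvd-service-objects" -Force | Out-Null

# Audit: flag any group of this workload that lacks one of the required tag keys.
Get-AzResourceGroup | Where-Object { $_.ResourceGroupName -like "rg-$region-wvd-*" } | ForEach-Object {
    $current = $_
    $missing = $tags.Keys | Where-Object { -not $current.Tags -or -not $current.Tags.ContainsKey($_) }
    if ($missing) {
        Write-Warning "$($current.ResourceGroupName) is missing tags: $($missing -join ', ')"
    }
}
```

The lock only blocks deletion; role assignments on the group still decide who can change what is inside it, which is where the per-department administration from the section is enforced.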

Azure Virtual Desktop host operating system security


In addition to service level logging for Azure Virtual Desktop, administrators need to have a security strategy
inside the guest operating system. Microsoft recommends security tools such as:
Microsoft Defender for Endpoint: OS-level antivirus and antimalware
Threat protection (Windows 10): Threat protection overview and details
Azure Monitor agents and Azure Monitor deployment at scale with Azure Policy: Capture guest logs and
performance metrics
Guest configuration extension for local machines: Monitor, alert, and track guest changes and audit reports
Azure Monitor dependency extension: Troubleshoot guest connections, log traffic flows, and configuration
Enable screen capture protection: Protects from remote capture of data
Azure Security Center: Security audits, regulatory compliance scanning, policy compliance
Windows security baselines
For more information on Azure Virtual Desktop best practices, see Session host security best practices. For a
detailed list of best practices for Azure VMs, see Security recommendations for virtual machines in Azure.
Management baseline considerations for an Azure Virtual Desktop
8/9/2021

Achieve operational excellence and customer success by properly designing your Azure Virtual Desktop
environment with management and monitoring in mind.

Platform management and monitoring


Review the following considerations and recommendations for platform management and monitoring of Azure
Virtual Desktop.
Design considerations
Use Azure Monitor Log Analytics workspaces as the administrative boundary of logs.
Collect telemetry from the following platform services:
Workspaces
Host pools
Performance counters should be collected.
Azure event logs should be collected.
Create a dashboard from the platform logs to centralize visuals for reporting operations.
Learn to use Azure Monitor for Azure Virtual Desktop to monitor your deployment.
Design recommendations
Use a separate dedicated Azure Monitor Log Analytics workspace for Azure Virtual Desktop.
Centralize your Azure Monitor Log Analytics workspace in the region of your Azure Virtual Desktop
deployment.
Export diagnostic settings to a storage account if there's a need to go beyond the two-year retention
period.
Enable the platform service diagnostic telemetry stated in the considerations to go to the Azure Monitor
Log Analytics workspace.
The following Windows performance counters should be collected by Log Analytics for Azure Virtual
Desktop monitoring:

| Object name | Counter name | Instance name | Interval | ID |
|---|---|---|---|---|
| LogicalDisk | % Free Space | C: | 60 | LogicalDisk, % Free Space, C: |
| PhysicalDisk | Avg. Disk sec/Read | * | 30 | PhysicalDisk, Avg. Disk sec/Read, * |
| PhysicalDisk | Avg. Disk sec/Transfer | * | 30 | PhysicalDisk, Avg. Disk sec/Transfer, * |
| PhysicalDisk | Avg. Disk sec/Write | * | 30 | PhysicalDisk, Avg. Disk sec/Write, * |
| Processor Information | % Processor Time | _Total | 30 | Processor Information, % Processor Time, _Total |
| Terminal Services | Active Sessions | * | 60 | Terminal Services, Active Sessions, * |
| LogicalDisk | Avg. Disk Queue Length | C: | 30 | LogicalDisk, Avg. Disk Queue Length, C: |
| Terminal Services | Inactive Sessions | * | 60 | Terminal Services, Inactive Sessions, * |
| Terminal Services | Total Sessions | * | 60 | Terminal Services, Total Sessions, * |
| User Input Delay per Process | Max Input Delay | * | 30 | User Input Delay per Process, Max Input Delay, * |
| User Input Delay per Session | Max Input Delay | * | 30 | User Input Delay per Session, Max Input Delay, * |
| RemoteFX Network | Current TCP RTT | * | 30 | RemoteFX Network, Current TCP RTT, * |
| RemoteFX Network | Current UDP Bandwidth | * | 30 | RemoteFX Network, Current UDP Bandwidth, * |
| LogicalDisk | Avg. Disk sec/Transfer | C: | 60 | LogicalDisk, Avg. Disk sec/Transfer, C: |
| LogicalDisk | Current Disk Queue Length | C: | 30 | LogicalDisk, Current Disk Queue Length, C: |
| Memory | Available MB | * | 30 | Memory, Available MB, * |
| Memory | Page Faults/sec | * | 30 | Memory, Page Faults/sec, * |
| Memory | Pages/sec | * | 30 | Memory, Pages/sec, * |
| Memory | % Committed Bytes In Use | * | 30 | Memory, % Committed Bytes In Use, * |
| PhysicalDisk | Avg. Disk Queue Length | * | 30 | PhysicalDisk, Avg. Disk Queue Length, * |

Collect the following Windows event logs into the Azure Monitor Log Analytics workspace.
Windows Event Log name
System
Application
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Microsoft-FSLogix-Apps/Operational
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Microsoft-FSLogix-Apps/Admin
Use Azure Monitor for Azure Virtual Desktop for ease of configuration.
Assign application groups to user groups to ease your administration overhead.
Application groups can be segregated in many ways. We recommend separating them based on which
department or user type (for example, power, engineering, or general) the user is a part of.
For a glossary, data storage cost estimations, and additional troubleshooting guidance, see Azure Monitor next
steps.
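The counter table and the event log list above, registered as Log Analytics data sources in Azure PowerShell as an added example that is not code from the Cloud Adoption Framework page: it uses the Object name, Counter name, Instance name and Interval columns verbatim, derives a resource name from the table's ID column, and collects all three severities for each event log. The workspace "law-wu2-avd" in "rg-wu2-wvd-service-objects" is assumed.

```powershell
# Added example (not from the Cloud Adoption Framework page): configure the dedicated
# Log Analytics workspace with the Windows performance counters and event logs that
# the page lists. Workspace and resource group names are assumed.

Import-Module Az.OperationalInsights

$rg  = 'rg-wu2-wvd-service-objects'   # assumed
$law = 'law-wu2-avd'                  # assumed workspace name

# Object, counter, instance, interval (seconds), as in the table above.
$counters = @(
    @('LogicalDisk',                  '% Free Space',              'C:',     60),
    @('PhysicalDisk',                 'Avg. Disk sec/Read',        '*',      30),
    @('PhysicalDisk',                 'Avg. Disk sec/Transfer',    '*',      30),
    @('PhysicalDisk',                 'Avg. Disk sec/Write',       '*',      30),
    @('Processor Information',        '% Processor Time',          '_Total', 30),
    @('Terminal Services',            'Active Sessions',           '*',      60),
    @('LogicalDisk',                  'Avg. Disk Queue Length',    'C:',     30),
    @('Terminal Services',            'Inactive Sessions',         '*',      60),
    @('Terminal Services',            'Total Sessions',            '*',      60),
    @('User Input Delay per Process', 'Max Input Delay',           '*',      30),
    @('User Input Delay per Session', 'Max Input Delay',           '*',      30),
    @('RemoteFX Network',             'Current TCP RTT',           '*',      30),
    @('RemoteFX Network',             'Current UDP Bandwidth',     '*',      30),
    @('LogicalDisk',                  'Avg. Disk sec/Transfer',    'C:',     60),
    @('LogicalDisk',                  'Current Disk Queue Length', 'C:',     30),
    @('Memory',                       'Available MB',              '*',      30),
    @('Memory',                       'Page Faults/sec',           '*',      30),
    @('Memory',                       'Pages/sec',                 '*',      30),
    @('Memory',                       '% Committed Bytes In Use',  '*',      30),
    @('PhysicalDisk',                 'Avg. Disk Queue Length',    '*',      30)
)

# Event logs from the list above.
$eventLogs = @(
    'System',
    'Application',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
    'Microsoft-FSLogix-Apps/Operational',
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin',
    'Microsoft-FSLogix-Apps/Admin'
)

# Data source resource names: keep the table's ID readable but restrict it to safe characters.
function ConvertTo-DataSourceName([string]$Text) {
    return ($Text -replace '[^A-Za-z0-9]+', '-').Trim('-')
}

$existingCounters = Get-AzOperationalInsightsDataSource -ResourceGroupName $rg -WorkspaceName $law `
    -Kind WindowsPerformanceCounter
foreach ($c in $counters) {
    $object, $counter, $instance, $interval = $c
    $name = ConvertTo-DataSourceName "$object, $counter, $instance"   # derived from the ID column
    if ($existingCounters.Name -contains $name) { continue }          # idempotent re-runs
    New-AzOperationalInsightsWindowsPerformanceCounterDataSource -ResourceGroupName $rg -WorkspaceName $law `
        -Name $name -ObjectName $object -CounterName $counter -InstanceName $instance `
        -IntervalSeconds $interval | Out-Null
    Write-Host "Added counter: $object\$counter ($instance) every $interval s"
}

$existingLogs = Get-AzOperationalInsightsDataSource -ResourceGroupName $rg -WorkspaceName $law -Kind WindowsEvent
foreach ($log in $eventLogs) {
    $name = ConvertTo-DataSourceName "WindowsEvent-$log"
    if ($existingLogs.Name -contains $name) { continue }
    New-AzOperationalInsightsWindowsEventDataSource -ResourceGroupName $rg -WorkspaceName $law `
        -Name $name -EventLogName $log -CollectErrors -CollectWarnings -CollectInformation | Out-Null
    Write-Host "Added event log: $log"
}
```

Session hosts must still be connected to this workspace (through the Azure Monitor agent or the Log Analytics agent) for the data sources to produce data; the block only declares what the workspace collects.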

Infrastructure management and monitoring


Review the following considerations and recommendations for infrastructure management and monitoring of
Azure Virtual Desktop.
Design considerations: Infrastructure
Use the same Log Analytics workspace that's used for the Azure Virtual Desktop platform.
The session host performance counters are collected and logged.
Use network performance monitoring for user experience management.
Set up an alerting model around the collected logs and metrics.
Use Windows Update Management for the session hosts between feature updates.
Design recommendations: Infrastructure
Use a centralized Azure Monitor Log Analytics workspace in the region of your session hosts.
Set up the performance counters according to the documentation.
Set up the Network Performance Monitor in the same region as your Azure Virtual Network and session
hosts.
Incorporate Azure policies and governance for enterprise-scale into the Azure Virtual Desktop landing zone.
Business continuity and disaster recovery (BCDR) considerations for Azure Virtual Desktop
8/9/2021

Azure Virtual Desktop is a Microsoft-managed service that provides a control plane for your desktop
virtualization environment. The service is free of charge and Microsoft doesn't offer a financially backed service-
level agreement (SLA). Despite having no SLA, we try to achieve at least 99.9% availability for the Azure Virtual
Desktop service URLs.

NOTE
The availability of the session host virtual machines in your subscription is covered by the Azure Virtual Machines SLA.

A good BCDR strategy keeps your critical applications and workload up and running during planned and
unplanned service or Azure outages. Your strategy should consider resources that are deployed in your
subscription as part of the Azure Virtual Desktop data plane, like host pools and storage.
To ensure business continuity, Azure Virtual Desktop also preserves customer metadata during region outages.
If there is an outage, the service infrastructure components fail over to the secondary location and continue
functioning as normal.
For more information on BCDR considerations for your Azure resources, see Set up a business continuity and
disaster recovery plan.

Design considerations
Host pool active-active vs. active-passive
For an Azure Virtual Desktop host pool, you can adopt either an active-active or active-passive BCDR approach.
An active-active approach:
Storage outages are mitigated without requiring the user to reauthenticate.
Continuous testing of the disaster recovery location is enabled.
A single host pool can contain VMs from multiple regions. In this scenario, usage of cloud cache is required
to actively replicate the user's FSLogix profile and office containers between the regions.
For virtual machines (VMs) in each region, the cloud cache registry entry specifying locations needs to be
inverted to give precedence to the local one.
Load balancing of incoming user connections can't take proximity into account; all hosts are treated as equal, and
users may be directed to a remote (not optimal) Azure Virtual Desktop host pool VM.
This configuration is limited to a pooled (shared) host pool type. For a personal (dedicated) type, once a
desktop is assigned to a user on a certain session host VM, it sticks and doesn't change, even if not available.
This configuration can be complex and isn't considered to be either a performance or cost optimization.
With active-passive:
Azure Site Recovery or a secondary host pool (hot stand-by) can be used to maintain a backup environment.
Azure Site Recovery is supported for both personal (dedicated) and pooled (shared) host pool types, and lets
you maintain a single host pool entity.
You can create a new host pool in the failover region while keeping all of the resources turned off. For this
method, set up new application groups in the failover region and assign users to them. You can then use a
recovery plan in Azure Site Recovery to turn on host pools and create an orchestrated process.
Host pool resiliency
For host pool VM resiliency:
Different options are available when creating a new Azure Virtual Desktop host pool.
It's important to select the right option based on your requirements during creation. These options can't
be changed later.
The default resiliency option for Azure Virtual Desktop host pool deployment is Availability Set. This
option only ensures host pool resiliency at the single Azure datacenter level, with a formal 99.95 percent
high-availability SLA.

NOTE
The maximum number of VMs inside an Availability Set is 200, as documented in Subscription and service
limits.

Using Availability Zones, VMs in the host pool are distributed across different datacenters. VMs are still
inside the same region, and have higher resiliency and higher formal 99.99 percent high-availability SLA.
Your capacity planning should take into account enough extra compute capacity to ensure Azure Virtual
Desktop continues to operate even if a single zone is lost.

NOTE
An Azure Resource Manager (ARM) template must be used to specify zones. This option isn't available yet in the
Azure portal.

Before approaching BCDR planning and design for Azure Virtual Desktop, consider which applications accessed
via Azure Virtual Desktop are critical. You might want to separate them from non-critical applications so you can
provision multiple host pools with different disaster recovery approaches and capabilities.
Optimal storage for profile and office containers
The location of storage used for FSLogix containers is critical to ensure the lowest latency from the host pool
VM. The FSLogix agent can support multiple profile locations for higher resiliency if you configure the
VHDLocations registry entry. You can use cloud cache or ensure that a proper replication mechanism is in place
based on the storage type used.
Azure offers multiple storage solutions that you can use to store your FSLogix profile and office container:
Storage options for FSLogix profile containers in Azure Virtual Desktop compares the different managed
storage solutions available.
Azure Files or Azure NetApp Files offers the most value to customers, simplifying management of Azure
Virtual Desktop. This is the preferred storage solution for this workload.
Storage Spaces Direct is also supported with FSLogix and Azure Virtual Desktop. It's a self-managed storage
solution that's out of scope for this article.
User data storage replication and resiliency
In case of an outage, you can reduce the time required to back up, restore, and replicate data by:
Separating the user profile and office container disks. FSLogix offers the option to place disks in separate
storage locations.
In normal usage, the office disk can consume many more gigabytes than the profile disk and the office
disk isn't required to be resilient. It's a cache of data and can be downloaded again from Microsoft 365
online services.
OneDrive can be used to redirect well-known folders (Desktop, Documents, Pictures, Screenshots, and
Camera Roll) if present. This redirection enables the resilience of this data without needing special
consideration in a BCDR scenario.
Backup, replication, and restore of the profile disk is quicker without the inclusion of the cache data.

NOTE
The FSLogix cloud cache feature is write-back by design. It replicates asynchronously, so performance remains
acceptable even when a replication target has high latency.

Multiple replication mechanisms and strategies can be used for user data in FSLogix containers.
Profile pattern #1: Native Azure Storage replication mechanisms. For example, geo-redundant storage
(GRS) for standard file shares, cross-region replication of Azure NetApp Files, or Azure File Sync for VM-
based file servers.
Profile pattern #2: FSLogix cloud cache has a built-in automatic mechanism to replicate containers
between up to four different storage accounts.
Profile pattern #3: Only set up geo-disaster recovery for application data and not for user data or
profile containers. Store important application data in separate storages, like OneDrive or other external
storage with its own built-in disaster recovery mechanism.
Golden image availability
If you use custom images to deploy Azure Virtual Desktop host pool VMs, it's important to ensure those
artifacts are available in all regions if there's a major disaster. Use the Azure Shared Image Gallery service to
replicate images across all regions where a host pool is deployed with redundant storage and multiple copies.
Backup protection
Preventing data loss for critical user data is important.
Assess which data needs to be saved and protected. If you're using OneDrive or some other external storage,
saving the user profile or office container data might not be necessary.
Consider the appropriate mechanism to provide protection for critical user data.
You can use the Azure Backup service to protect profile and office container data when stored in either Azure
Files Standard tier or Premium tier.
You can use Azure NetApp Files snapshots and policies for Azure NetApp Files on all tiers.
You can use Azure Backup to protect host pool VMs. This practice is supported even if host pool VMs are
stateless.
Infrastructure and application dependencies
If users of the Azure Virtual Desktop infrastructure need on-premises resource access, it's critical that you
consider the high availability of network infrastructure required to connect. Assess and evaluate the resiliency of
authentication infrastructure and consider BCDR aspects for dependent applications and other resources. These
considerations will help to ensure availability in the secondary disaster recovery location.

Design recommendations
The following are best practices for your design:
For the Azure Virtual Desktop host pool compute deployment model BCDR, use the active-passive option if it
satisfies your requirements for recovery point objective (RPO) and recovery time objective (RTO).
Azure Site Recovery is recommended for personal (dedicated) host pools. The target region should be
aligned with the disaster recovery of the storage backend used by FSLogix.
Azure Site Recovery is also supported for pooled (shared) host pools. This option can be evaluated and
compared to the deployment of another host pool in the secondary disaster recovery region.
When maximum resiliency of the host pool is required in a single region, use Availability Zones. Verify the
Availability Zones feature availability in the specific region, and availability of the specific VM SKU inside all
the zones.
We recommend storing FSLogix user profile and office containers on Azure Files or Azure NetApp Files for most
scenarios.
Split user profile and office containers.
The recommended options for container storage types are (in order): Azure Files Premium tier, Azure
NetApp Files Standard tier, and Azure NetApp Files Premium tier.
The recommended storage type depends on the resources and latency required by the specific workload.
For optimal performance, place FSLogix containers on storage close to the VM the user is logged on to.
Keeping the containers in the same datacenter is best.
Use Azure Storage built-in replication mechanisms for BCDR when possible for less critical environments.
Use zone-redundant storage (ZRS) or GRS for Azure Files.
Use locally redundant storage (LRS) if no zone or region protection is required.

NOTE
GRS isn't available with Azure Files Premium tier or Standard tier with large file support enabled.

Only use cloud cache when:
The user profile or office container data availability requires high-availability, or an SLA is critical and
must be resilient to region failure.
The selected storage option can't satisfy BCDR requirements. For example, GRS isn't available with
Azure Files Premium tier or Standard tier with large file support enabled.
Replication between disparate storage is required.
We recommend the following guidelines when using cloud cache:
Use a solid-state drive (SSD) for the managed disk of the Azure Virtual Desktop host pool VMs.
Have a backup solution in place to protect user profile and office containers.
Make sure that the managed disk for the local VM is large enough to accommodate the local cache of
all users' FSLogix profile and office containers.
Use an Azure Shared Image Gallery to replicate golden images to different regions.
The storage used for image creation should be zone-redundant storage (ZRS). At least two copies per
region should be maintained.
Use Azure Backup to protect critical user data from data loss or logical corruption when using either
Azure Files Standard tier or Premium tier.
Use snapshots and policies when using the Azure NetApp Files service.
Even if supported, using Azure Backup to save your VM state in the host pool isn't recommended
since it should be stateless.
Carefully review your resiliency and BCDR plans for dependent resources. These resources include
networking, authentication, applications, and other internal services in Azure or on-premises.
Network infrastructure, as part of hub and spoke or virtual wide area network (WAN) architecture,
must be available in the secondary region.
Hybrid connectivity must be highly available in both the primary and secondary regions.
Active Directory authentication must be available in the disaster recovery region, or connectivity to
the on-premises domain must be guaranteed.
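Several points above come together on the session host itself: splitting the profile container from the office container, pointing each at its own storage, and, for the active-active host pool described in the design considerations, ordering the cloud cache locations so the storage in the VM's own region takes precedence. The following PowerShell is an added example, not code from the Cloud Adoption Framework article. It uses FSLogix's documented registry keys (HKLM\SOFTWARE\FSLogix\Profiles and HKLM\SOFTWARE\Policies\FSLogix\ODFC with CCDLocations) and the Azure Instance Metadata Service to detect the region; the share names, region names and the region-to-share map are constructed assumptions to replace with your own. Run it elevated during image build or host provisioning.

```powershell
# Added example: configure FSLogix profile and office containers with cloud cache, local region first.
# Registry keys are FSLogix's own; share paths and regions below are constructed sample values.

$Locations = @{   # constructed: one share per region and per container type (assumption)
    Profiles = @{ eastus  = '\\stavdprofeus.file.core.windows.net\profiles'
                  westus2 = '\\stavdprofwus2.file.core.windows.net\profiles' }
    ODFC     = @{ eastus  = '\\stavdodfceus.file.core.windows.net\odfc'
                  westus2 = '\\stavdodfcwus2.file.core.windows.net\odfc' }
}

function Get-LocalAzureRegion {
    # Azure Instance Metadata Service: returns the region the VM runs in; needs no credentials on-VM.
    try {
        Invoke-RestMethod -Headers @{ Metadata = 'true' } -TimeoutSec 5 `
            -Uri 'http://169.254.169.254/metadata/instance/compute/location?api-version=2021-02-01&format=text'
    } catch { $null }
}

function Get-CcdLocationList {
    param([hashtable] $SharesByRegion, [string] $LocalRegion)
    # Cloud cache gives precedence to the first reachable location, so the local region is listed first
    # and every VM ends up with the order "inverted" relative to VMs in the other region.
    $ordered = @($SharesByRegion.Keys | Where-Object { $_ -eq $LocalRegion }) +
               @($SharesByRegion.Keys | Where-Object { $_ -ne $LocalRegion } | Sort-Object)
    return @($ordered | ForEach-Object { "type=smb,connectionString=$($SharesByRegion[$_])" })
}

function Set-FslogixContainer {
    param([string] $KeyPath, [string[]] $CcdLocations, [int] $SizeInMBs = 30000)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name 'Enabled'      -Value 1             -Type DWord
    Set-ItemProperty -Path $KeyPath -Name 'CCDLocations' -Value $CcdLocations -Type MultiString
    Set-ItemProperty -Path $KeyPath -Name 'VolumeType'   -Value 'VHDX'        -Type String
    Set-ItemProperty -Path $KeyPath -Name 'SizeInMBs'    -Value $SizeInMBs    -Type DWord
    # Cloud cache reads CCDLocations, not VHDLocations; drop a stale VHDLocations left by an earlier build.
    Remove-ItemProperty -Path $KeyPath -Name 'VHDLocations' -ErrorAction SilentlyContinue
}

$region = Get-LocalAzureRegion
if (-not $region -or -not $Locations.Profiles.ContainsKey($region)) {
    throw "No container storage is mapped for region '$region'"
}

# Profile container: the data that has to survive a region loss and is worth backing up.
Set-FslogixContainer -KeyPath 'HKLM:\SOFTWARE\FSLogix\Profiles' `
    -CcdLocations (Get-CcdLocationList $Locations.Profiles $region)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -Name 'FlipFlopProfileDirectoryName' -Value 1 -Type DWord

# Office container: Outlook/OneDrive/Teams cache that Microsoft 365 can re-download; kept separate so the
# profile container stays small and quick to back up, replicate and restore.
Set-FslogixContainer -KeyPath 'HKLM:\SOFTWARE\Policies\FSLogix\ODFC' `
    -CcdLocations (Get-CcdLocationList $Locations.ODFC $region)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\FSLogix\ODFC' -Name 'IncludeOneDrive' -Value 1 -Type DWord
```

Because cloud cache keeps a local copy of every container on the session host, size the VM's managed disk (SSD, as recommended above) for SizeInMBs multiplied by the number of concurrent users, and keep Azure Backup or NetApp snapshots on the profile share: cloud cache replicates corruption as faithfully as it replicates data.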
Platform automation and DevOps considerations
for an Azure Virtual Desktop
8/9/2021 • 9 minutes to read

Azure Virtual Desktop is a managed service that provides a Microsoft control plane for your desktop
virtualization environment.
This article on automation focuses on the operational tasks you need to run an Azure Virtual Desktop
environment. Each recommendation can be applied individually, and not all recommendations need to be
implemented for automation to be worthwhile.

Design considerations
Integrate image creation with DevOps
Automation doesn't have to mean integration with DevOps, but there are many advantages to doing so. It's
worth spending the time to automate the build process for your golden image because:
Using a DevOps pipeline gives you better management of your automation flow.
A DevOps pipeline provides reporting and alerting on deployments.
You can configure your pipeline to integrate with testing frameworks and create approval gates for the
stages in your automation process.
You can start pipelines from many predefined events, such as the release of a new gallery image or
application, or on a set schedule.
Automating host pool creation makes it easy to move your host pool metadata to a new geographical
location as new locations are made available.
Pooled vs. personal
As organizations scale out their environment, most of the workload falls under a pooled configuration rather
than a personal configuration. A personal configuration is often more expensive to run than a pooled
configuration, but it's suitable for specific workload users like developers, since developers usually require
elevated permissions. If you run host pools in personal mode, try to maintain the machines like you maintain
your physical desktops. This method reduces the amount of tooling required in your environment.
Since pooled is the most popular configuration for desktop virtualization, it's the focus of this article.
You'll update pooled environments differently than in a traditional environment. The virtual machines (VMs)
should be updated from a gold image at the correct cadence for your organization, which is usually every 1-3
months. In highly automated organizations, it's possible to increase that cadence to weekly or even nightly if
needed.
Image creation
When scaling up your Azure Virtual Desktop environment, your host pools are created from a gold image,
which is ideally created using an automated process.
Another option is to use a build checklist. In large environments, this process should only be part of the initial
dev/test setup. The more you automate your gold image creation, the more secure you'll be in the accuracy of
your build and environment stability.
Using your existing image to create a VM, updating that VM with your new applications and configuration
changes, and then capturing it as your "new" gold image isn't recommended. This process is risky to maintain
and is a major cause of desktop virtualization environments becoming static and fragile.
There are many automation tools available to create gold images, including the Packer process outlined later in
this article. However, organizations should use the tool set that's most appropriate for them. Regardless of the
tools that you choose, automate as much of your gold image creation as possible so it's easier to maintain the
health of your Azure Virtual Desktop environment.
Application installation
Applications are made available to your users in two ways: installed in the image or delivered dynamically per
user.
Applications installed in the image should be universal to your users. For example, security products and
the Microsoft 365 suite. These applications should be a part of your automated image creation process.
Applications dynamically delivered per user should include everything else that requires a more flexible
approach, such as applications that are restricted to a specific group or aren't compatible with other
applications.
Language deployment
As Azure Virtual Desktop environments start to scale out, your images may need to be localized into the native
language for your users. You can start from the local language if you prefer or you can add additional languages
to your image on build. Consider this requirement when selecting your base image. The pre-optimized Windows
10 gallery image for example, both with and without Microsoft 365, is only supplied in United States English
(en-US).

NOTE
If you're using Windows 10 Enterprise multi-session, this cannot be built using a different language. In this case, you must
adapt the provided gallery image. To adapt the existing en-US gallery image, install the additional languages before you
install other applications.

Image location
In Azure Virtual Desktop, you have more freedom around the geographic placement of your host pools than in a
traditional desktop environment. This freedom exists because all Azure locations support Azure Virtual Desktop.
To avoid creating VMs from an image across the wide area network (WAN), make your gold image available in
the same locations as your users.
Host pool gold image updates
There are two approaches to updating the gold image that VMs in a host pool are based on:
Deploy a second host pool, then cut the users over to the new host pool when you're ready.
The old host pool is then available if a rollback is needed.
The old host pool can be removed after the organization is satisfied that the new host pool is working
correctly.
Or:
Set the existing VMs to drain mode in the host pool.
Deploy new VMs from the updated gold image into the same host pool.
Take care not to hit resource constraints or API throttling limits when doubling the number of VMs in a single
host pool.
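The second approach above, draining the existing VMs so that new sessions land only on hosts built from the updated image, is what the following PowerShell does. It is an added example, not code from the Cloud Adoption Framework article; it uses the Az.DesktopVirtualization cmdlets and assumes an authenticated session (Connect-AzAccount). The resource group and host pool names are constructed sample values.

```powershell
# Added example: put every session host of a pooled host pool into drain mode, warn the users who are
# still signed in, and later remove hosts once they have no sessions. Requires Az.DesktopVirtualization.

function Start-HostPoolDrain {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        [string] $MessageBody = 'A refreshed desktop is being rolled out. Please save your work and sign out ' +
                                'at your convenience; your next sign-in will use the updated image.'
    )
    $result = @()
    $hosts = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName
    foreach ($h in $hosts) {
        # Session host names come back as "<hostpool>/<vm>.<domain>"; the cmdlets want the part after the slash.
        $hostName = $h.Name.Split('/')[-1]
        Update-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName `
            -Name $hostName -AllowNewSession:$false | Out-Null

        # Existing sessions are not disconnected by drain mode; tell those users why they should sign out.
        $sessions = @(Get-AzWvdUserSession -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName `
                        -SessionHostName $hostName)
        foreach ($s in $sessions) {
            $sessionId = $s.Name.Split('/')[-1]   # "<hostpool>/<vm>/<id>"
            Send-AzWvdUserSessionMessage -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName `
                -SessionHostName $hostName -UserSessionId $sessionId `
                -MessageTitle 'Desktop update' -MessageBody $MessageBody
        }
        $result += [pscustomobject]@{ SessionHost = $hostName; ActiveSessions = $sessions.Count }
    }
    return $result
}

# Deploy the new VMs from the updated gold image into the SAME host pool next, in batches small enough
# to stay under the subscription's core quota and API throttling limits. Then retire the old hosts:
function Remove-DrainedSessionHosts {
    param([string] $ResourceGroupName, [string] $HostPoolName)
    Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName |
        Where-Object { $_.AllowNewSession -eq $false -and $_.Session -eq 0 } |
        ForEach-Object {
            $hostName = $_.Name.Split('/')[-1]
            Remove-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName -Name $hostName
            # The VM and its disk are deleted separately (Remove-AzVM) once the host is out of the pool.
        }
}

# Usage with constructed names:
Start-HostPoolDrain -ResourceGroupName 'rg-avd-prod' -HostPoolName 'hp-pooled-prod' | Format-Table
```

Keep the drained hosts until the new ones have been validated with real users, since the old VMs are the rollback path for this approach; with the first approach (a second host pool) the old pool plays the same role.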

Design recommendations
Creation of Azure Virtual Desktop images
Microsoft recommends using Packer pipelines to automate image creation and management. To use this method,
the prerequisites are:
Azure DevOps licensing is required to use the full suite of Packer tools.
A user assigned the Global Administrator role in Azure Active Directory (Azure AD).
A service principal with contributor access to the subscription.
An Azure Key Vault to store secrets in, giving the service principal secret management in the access policy.
For more information about Packer, see the Packer website.
Version control
We recommend using Git for version control.
The Git repo and Azure DevOps project should be private unless your company policy specifies that
repositories must be public.
Initialize the repo with a README file. The file lets you start filling information into the repository about your
project.
A good structure for the repository is to have two folders in the root of the repository: one called
ARM templates to store the Azure Resource Manager (ARM) templates, and one for the build you're planning,
such as Windows 2004 - EVD.
Amend your project permissions to allow other team members access to the project.
Adopt a basic work item process to develop the pipeline and keep your workloads streamlined.
Pipelines
Azure Pipelines has many different features. Our recommendations when it comes to setting up Packer are to
use gateways, marketplace, and deployment services.
When working with Packer in the deployment pipeline:
You must install Packer tools into the VM you will use as your base image.
We recommend creating a validation stage in the pipeline to validate that the build works.
After validation, clone the validation stage and set the deployment mode to Incremental.
Variables and Azure Key Vault
When working in Azure Pipelines, use variable groups.
Variable groups let you have repeatable parameters in your pipelines, such as secrets and file locations.
There are two variable groups in Azure DevOps: one stores standard variables, and the other is linked to
Azure Key Vault. The variable group linked to Azure Key Vault is used to pull across secrets for use in the
pipeline.
Packer file storage
Store your Packer files and provisions in a centralized location for Azure Pipelines to access. We recommend
using Azure file shares to securely store these files.
Store the access credentials for Azure Files in Key Vault. You can pull the access credentials from Key Vault on
build using the pipeline variables.
Additionally, store the Packer file name and account key in the key vault that's linked to the variable group in
Azure DevOps. These credentials are accessed by pipelines to download the Packer files to the VM that's used
to create the image.
Like the storage account name and primary key, store the UNC path as a variable in the Azure DevOps
variable group.
Shared Image Gallery service
The Shared Image Gallery service in Azure is the simplest way to build structure and organization around your
golden images. It provides:
Global replication of images to different Azure regions.
Versioning and grouping of images for easier management. It's helpful if you need to roll back Azure Virtual
Desktop host pools to previous image versions.
Highly available images with zone-redundant storage (ZRS) accounts in regions that support Availability
Zones. ZRS offers better resilience against zonal failures.
Sharing Azure Virtual Desktop images across subscriptions, and even between Azure AD tenants, using role-
based access control (RBAC).
Scaling your deployments with image replicas in each region.
For more information, see the Shared Image Gallery service overview.
Application installation in Azure Virtual Desktop images
For universal applications installed in the gold image, use the same Packer method as above to install
applications.
App-V is currently the supported method from Microsoft for streaming applications on a per-user basis.
Use FSLogix application masking to hide or reveal applications or plug-ins when those applications don't
work well with App-V.
Deployment of languages in Azure Virtual Desktop images
Microsoft has processes for installing language packs manually or automatically. We recommend keeping as
little administration overhead as possible and automating the process of language installation. This involves
downloading a PowerShell script onto the VM that will be converted into your image. Example automation
scripts are found in Microsoft documentation. If you're following the recommendation for Packer pipelines, you
can include this process as an extra build task.
For more information on installing language packs in Windows 10 Enterprise multi-session, see Install language
packs on Windows 10 VMs in Azure Virtual Desktop.
Create Azure Virtual Desktop host pools using ARM templates from images in shared image galleries
Using ARM templates allows for an infrastructure as code (IaC) approach to the deployment and customization
of Azure Virtual Desktop resources. They should be used whenever possible to ensure consistency in
deployments. ARM templates can be used to deploy Azure Virtual Desktop resources as part of a DevOps
pipeline task. You can also use them when using the Azure portal, Azure PowerShell, or Azure CLI.
The example above shows one method of image automation using Azure DevOps and a Packer continuous
integration and continuous delivery (CI/CD) pipeline. Part of the underlying technology in the process is an ARM
template.
The Shared Image Gallery is a service that helps you build structure and organization around your images.
These images can be referred to in your IaC deployments of your Azure Virtual Desktop session hosts. The
service allows for versioning, grouping, and replication of images.
When you deploy your session hosts with an ARM template, we recommend using the resource ID of the image
you created in your gallery as the VM custom image source ID. The image that you're using must be replicated
via the Shared Image Gallery service to the Azure regions where you're deploying your Azure Virtual Desktop
host pools.
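The last two sections describe publishing a gold image through the Shared Image Gallery with replication to every host pool region, and then deploying session hosts from an ARM template that references the image version's resource ID. The following PowerShell is an added example of that flow, not the article's own pipeline code. It assumes Az.Compute, Az.Resources and Az.DesktopVirtualization, an authenticated session, and that the gallery lives in the first listed region; the resource names, the template path ./sessionhosts.json and its parameter names (hostPoolName, location, vmCount, vmImageResourceId, hostPoolRegistrationToken) are constructed assumptions for a hypothetical template.

```powershell
# Added example: publish a Packer-captured managed image as a gallery version replicated with ZRS and two
# replicas per region, wait for replication, then deploy session hosts from an ARM template that takes the
# version's resource ID and a short-lived host pool registration token. Names below are constructed.

$rg         = 'rg-avd-images'
$gallery    = 'sigavdprod'
$definition = 'win10-evd-m365'
$version    = '2021.8.1'                       # gallery version names are Major.Minor.Patch integers
$sourceRg   = 'rg-avd-build'
$regions    = @('eastus', 'westeurope')        # constructed: every region that hosts a host pool; gallery in the first

function Publish-GoldImageVersion {
    param([string] $SourceImageName)
    $source  = Get-AzImage -ResourceGroupName $sourceRg -ImageName $SourceImageName   # managed image captured by Packer
    $targets = foreach ($r in $regions) {
        @{ Name = $r; ReplicaCount = 2; StorageAccountType = 'Standard_ZRS' }        # ZRS and at least two copies per region
    }
    New-AzGalleryImageVersion -ResourceGroupName $rg -GalleryName $gallery -GalleryImageDefinitionName $definition `
        -Name $version -Location $regions[0] -SourceImageId $source.Id -TargetRegion $targets | Out-Null

    # Replication is asynchronous; a host pool region must not reference the version before it has arrived there.
    do {
        Start-Sleep -Seconds 30
        $v = Get-AzGalleryImageVersion -ResourceGroupName $rg -GalleryName $gallery `
                -GalleryImageDefinitionName $definition -Name $version -ReplicationStatus
        $pending = @($v.ReplicationStatus.Summary | Where-Object { $_.State -ne 'Completed' })
    } while ($pending.Count -gt 0)
    return $v.Id
}

function Deploy-SessionHosts {
    param([string] $ImageVersionId, [string] $HostPoolRg, [string] $HostPoolName, [string] $Location, [int] $Count)
    # The registration token lets the new VMs join the existing host pool; keep its lifetime short.
    $reg = New-AzWvdRegistrationInfo -ResourceGroupName $HostPoolRg -HostPoolName $HostPoolName `
             -ExpirationTime (Get-Date).ToUniversalTime().AddHours(4)

    # Parameter names are assumptions about the hypothetical template ./sessionhosts.json.
    New-AzResourceGroupDeployment -ResourceGroupName $HostPoolRg -Mode Incremental `
        -TemplateFile './sessionhosts.json' -TemplateParameterObject @{
            hostPoolName              = $HostPoolName
            location                  = $Location
            vmCount                   = $Count
            vmImageResourceId         = $ImageVersionId   # the gallery version ID used as the VM custom image source ID
            hostPoolRegistrationToken = $reg.Token
        }
}

$imageId = Publish-GoldImageVersion -SourceImageName 'win10-evd-m365-packer-20210801'
foreach ($r in $regions) {
    Deploy-SessionHosts -ImageVersionId $imageId -HostPoolRg "rg-avd-$r" -HostPoolName "hp-pooled-$r" -Location $r -Count 4
}
```

Treat the registration token like a credential: it is what lets a VM join the host pool, so pass it to the template as a secure parameter, let it expire quickly, and never commit it to the repository alongside the template.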
Enterprise-scale support for the Azure Virtual
Desktop construction set
8/16/2021 • 2 minutes to read

Enterprise-scale construction sets provide you with a specific architectural approach and reference
implementation. These construction sets enable effective construction and start-up of platform workload
landing zones. These landing zones are within the Cloud Adoption Framework enterprise-scale landing zone.
The Azure Virtual Desktop construction set is used after you've implemented an enterprise-scale landing zone.
Review the enterprise-scale overview and implementation guidance before deploying the Azure Virtual Desktop
construction set.

Getting started with the Azure Virtual Desktop construction set

Not everyone adopts Azure Virtual Desktop in the same way. The Cloud Adoption Framework for Azure
enterprise-scale construction set architecture varies between organizations. The technical considerations and
design recommendations of the construction set might result in trade-offs based on your organization's needs.
Some variation happens, but if you follow the core recommendations, the resulting architecture prepares your
organization for sustainable scale. The construction set is modular by design so that you can customize
environmental variables. The construction set approach to landing zones includes three sets of assets to support
cloud teams.
Design guidelines
Learn about guidelines that drive the design of the Cloud Adoption Framework for Azure enterprise-scale
landing zone. There are six critical design areas:
Identity and access management
Network topology and connectivity
Management and monitoring
Business continuity and disaster recovery
Security, governance, and compliance
Platform automation and DevOps
Architecture
The following image shows a conceptual reference architecture that demonstrates design areas and best
practices.
Implementation with Azure Resource Manager (ARM) templates for Remote Desktop Services
ARM Azure Virtual Desktop templates provide a collection of infrastructure-as-code ARM templates to deploy
an Azure Virtual Desktop environment on Azure.
The automate Azure Virtual Desktop deployments in Azure GitHub repository contains code that lets you
automatically deploy Azure Virtual Desktop environments in the Azure cloud.

Next steps
Review the critical design areas for the Azure Virtual Desktop construction set for considerations and
recommendations about your Azure Virtual Desktop construction set architecture.
Identity and access management
Azure Virtual Desktop proof of concept
8/9/2021 • 2 minutes to read

Before deploying end-user desktops, validate the configuration of the Azure landing zone and end-user network
capacity by completing and testing a proof of concept.
The following approach to the migration process is simplified to outline a proof-of-concept implementation.
Step 1: Assess:
The team deploys host pools by using the default virtual machine (VM) sizes. Assessment data helps
the team identify the expected number of concurrent user sessions and the number of VMs required
to support those concurrent sessions.
Step 2: Migrate:
The team creates a host pool for pooled desktops by using a Windows 10 Enterprise multi-session
gallery image from Azure Marketplace and the sizing from assessment step 1.
The team creates either desktop or RemoteApp application groups for workloads that it has already
migrated.
The team creates an FSLogix profile container to store user profiles.
Step 3: Release:
The team tests the performance and latency of application groups and deployed desktops for a
sampling of users.
The team onboards its end users to teach them how to connect through Windows desktop client, web
client, Android client, macOS client, or iOS client.

Assumptions
The proof-of-concept approach could meet some production needs, but it's built on a number of assumptions.
It's unlikely that all the following assumptions will prove to be true for every enterprise migration of Azure
Virtual Desktop, but they serve as a reference point to determine where tailoring may be required.
The adoption team should assume the production deployment will require a separate deployment that more
closely aligns to the production requirements that it identifies during the Azure Virtual Desktop assessment. The
assumptions are:
End users have a low-latency connection to the assigned landing zone in Azure.
All users can work from a shared pool of desktops.
All users can use the Windows 10 Enterprise multi-session image from Azure Marketplace.
All user profiles will be migrated to either Azure Files, Azure NetApp Files, or a VM-based storage service for
the FSLogix profile containers.
All users can be described by a common persona with a density of six users per virtual central processing
unit (vCPU) and 4 gigabytes (GB) of RAM, as per the VM sizing recommendations.
All workloads are compatible with Windows 10 Enterprise multi-session.
Latency between the virtual desktops and application groups is acceptable for production usage.
To calculate the cost of the Azure Virtual Desktop scenario based on the proof of concept configuration
reference, consider the following examples using the Azure pricing calculator for East US, West Europe, or
Southeast Asia.
NOTE
These examples all use Azure Files as the storage service for user profiles.

Next steps
For guidance on specific elements of the cloud adoption journey, see:
Assess for Azure Virtual Desktop migration or deployment
Deploy or migrate Azure Virtual Desktop instances
Release your Azure Virtual Desktop deployment to production
Azure Virtual Desktop assessment
8/9/2021 • 5 minutes to read

The Azure Virtual Desktop proof of concept provides an initial scope as a baseline implementation. However, the
output of that proof of concept is unlikely to meet the team's production needs as-is.
The Azure Virtual Desktop assessment exercise serves as a focused means of testing assumptions through a
data-driven process. Assessment data will help the team answer a series of important questions, validate or
invalidate their assumptions, and refine the scope as necessary to support the team's Azure Virtual Desktop
scenario. By using this assumption-validation approach, the team can accelerate the migration or deployment of
its end-user desktops to Azure Virtual Desktop.

Assess Azure Virtual Desktop deployments

Each Azure Virtual Desktop assessment will evaluate a combination of a user persona, a consistent host pool of
virtual machines (VMs), end-user applications and data, and user profiles (data). During the assessment, the
team's objective is to use data to answer the questions in this section. The answers will shape the actual scope of
the deployment and release of the Azure Virtual Desktop migration.
The answers to these questions start with data. In the Plan methodology, specifically best practices and digital
estate assessment, data should already be collected and analyzed to create a migration plan. However, the
questions in this specific workload assessment will likely require additional data. Data about the desktops, users,
and workloads to be used by each user is required to develop an Azure Virtual Desktop deployment plan.
If you use Movere as your data collection tool, you'll likely have the data you need to develop personas and
answer these questions by using data in Azure Migrate, just like any other migration scenario.
If you don't have the data that you require to answer all the questions in this section, an additional third-party
software vendor can provide a separate discovery process to augment the data you have. The vendor, Lakeside
Software, is also integrated with Azure Migrate within the virtual desktop infrastructure migration goals section.
The vendor can help you map out a plan for Azure Virtual Desktop deployment, including personas, host pools,
applications, and user profiles.
User personas
How many distinct personas will be required to support all of the users included in this migration scenario?
Defining personas will come as a result of bucketing users based on the following criteria:
Personal pools: Do specific groups of users require dedicated desktops, instead of pools? For example,
security, compliance, high-performance, or noisy-neighbor requirements might lead to some users running
on dedicated desktops that aren't part of a pooling strategy. You'll enter this information by specifying a host
pool type of personal during the Azure Virtual Desktop host pool deployment.
Density: Do specific groups of users require a lower-density desktop experience? For example, heavy users
might need two users per virtual central processing unit (vCPU) instead of the light-user assumption of six
users per vCPU. You'll enter density information in the pool settings of the Azure Virtual Desktop host pool
deployment.
Performance: Do specific groups of users require a higher-performance desktop experience? For example,
some users require more memory per vCPU than the assumed 4 gigabytes (GB) of RAM per vCPU. You'll
enter the VM sizing in the virtual machine details of the Azure Virtual Desktop host pool deployment.
Graphical processing (GPU): Do specific groups of users have greater graphical requirements? For
example, some users require GPU-based VMs in Azure, as demonstrated in this guide for configuring GPU
VMs.
Azure region: Do specific groups of users operate from different geographic regions? For example, before
you configure the host pool, a user from each region should test latency to Azure by using the estimation
tool. The test user should report the lowest-latency Azure region and the latency in milliseconds for the top
three Azure regions.
Business functions: Can the specific groupings of users be bucketed by business unit, charge code, or their
business function? This type of grouping will help align corporate costs in later stages of operations.
User count: How many users will be in each distinct persona?
Max session counts: Based on geography and hours of operation, how many concurrent users are
expected for each persona during maximum load?
Distinctions in each of the preceding questions will start to illustrate user personas by business function, cost
center, geographic region, and technical requirements. The following table can aid in recording responses to
populate a completed assessment or design document:

Criterion        Persona group 1         Persona group 2         Persona group 3
Pools            Pools                   Pools                   Dedicated (security concerns)
Density          Light (6 users/vCPU)    Heavy (2 users/vCPU)    Dedicated (1 user/vCPU)
Performance      Low                     High memory             Low
GPU              N/A                     Required                N/A
Azure region     North America           Western Europe          North America
User count       1,000                   50                      20
Session count    200                     50                      10

Each persona, or each group of users with distinct business functions and technical requirements, would require
a specific host-pool configuration.
The end-user assessment provides the required data: pool type, density, size, CPU/GPU, landing zone region, and
so on.
Host-pool configuration assessment now maps that data to a deployment plan. Aligning the technical
requirements, business requirements, and cost will help determine the proper number and configuration of host
pools.
See examples for pricing in the East US, West Europe, or Southeast Asia regions.
Application groups
Both Movere and Lakeside scans of the current on-premises environment can provide data about the
applications that are run on end-user desktops. By using that data, you can create a list of all applications
required per each persona. For each required application, the answers to the following questions will shape
deployment iterations:
Do any applications need to be installed for the persona to use this desktop? Unless the persona uses 100
percent web-based software as a service applications, you'll likely need to configure a custom master VHD
image for each persona, with the required applications installed on the master image.
Does this persona need Microsoft 365 applications? If so, you'll need to select an image from the gallery that
has Microsoft 365 apps included or add Microsoft 365 to a customized master VHD image.
Is this application compatible with Windows 10 Enterprise multi-session? If an application isn't compatible, a
personal pool might be required to run the custom VHD image. For assistance with application and Azure
Virtual Desktop compatibility issues, see the App Assure service.
Are mission-critical applications likely to suffer from latency between the Azure Virtual Desktop instance and
any back-end systems? If so, you might want to consider migrating the back-end systems that support the
application to Azure.
The answers to these questions might require the plan to include remediation to the desktop images or
supporting application components prior to desktop migration or deployment.

Next steps
For guidance on specific elements of the cloud adoption journey, see:
Deploy or migrate Azure Virtual Desktop instances
Release your Azure Virtual Desktop deployment to production
Azure Virtual Desktop deployment or migration
8/9/2021 • 4 minutes to read

The guidance in this article assumes that you've established a plan for Azure Virtual Desktop, assessed the
desktop deployment requirements, completed a proof of concept, and are now ready to migrate or deploy your
Azure Virtual Desktop instances.

Initial scope
The deployment of Azure Virtual Desktop instances follows a process that's similar to the proof of concept
process. Use this initial scope as a baseline to explain the various scope changes that are required by the output
of the assessment.
Create a host pool for pooled desktops by using a Windows 10 gallery image from Azure Marketplace and
the sizing from the first step of that procedure.
Create desktop or RemoteApp application groups for workloads that have already been migrated.
Create an FSLogix profile container to store user profiles.
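The following PowerShell is added here as an example; it is not taken from the Cloud Adoption Framework or from Microsoft's deployment guides. It carries the first two initial-scope steps and the persona table above through the Az.DesktopVirtualization module: one host pool per persona (pooled, with a MaxSessionLimit derived from the density assumption, or personal for the dedicated persona), a desktop application group, a workspace, and an access assignment scoped to that application group rather than to the subscription. The resource group, region, VM vCPU counts and Azure AD group object IDs are assumptions. Building the session host VMs and the FSLogix container is left out.

```powershell
# Added example (not from the Cloud Adoption Framework page): turn the persona
# assessment table into one host pool, desktop application group and workspace
# per persona with the Az.DesktopVirtualization module. The resource group,
# region, host vCPU counts and Azure AD group object IDs are assumptions.
#Requires -Modules Az.Accounts, Az.DesktopVirtualization, Az.Resources

$rg       = 'rg-avd-prod'   # assumed landing-zone resource group
$location = 'eastus'        # assumed region (persona 2 would normally land in westeurope)

# Values copied from the assessment table; HostVcpu and GroupObjectId are assumptions.
$personas = @(
    @{ Name = 'persona1'; PoolType = 'Pooled';   UsersPerVcpu = 6; HostVcpu = 8; MaxSessions = 200; GroupObjectId = '11111111-1111-1111-1111-111111111111' }
    @{ Name = 'persona2'; PoolType = 'Pooled';   UsersPerVcpu = 2; HostVcpu = 8; MaxSessions = 50;  GroupObjectId = '22222222-2222-2222-2222-222222222222' }
    @{ Name = 'persona3'; PoolType = 'Personal'; UsersPerVcpu = 1; HostVcpu = 4; MaxSessions = 10;  GroupObjectId = '33333333-3333-3333-3333-333333333333' }
)

function Get-HostPoolSizing {
    # Sessions one host may carry, and the number of hosts for the persona's peak load.
    param([hashtable]$Persona)
    $perHost = [int]($Persona.HostVcpu * $Persona.UsersPerVcpu)
    if ($Persona.PoolType -eq 'Personal') { $perHost = 1 }   # one user per dedicated desktop
    [pscustomobject]@{
        MaxSessionLimit = $perHost
        HostCount       = [math]::Ceiling($Persona.MaxSessions / $perHost)
    }
}

Connect-AzAccount | Out-Null

foreach ($p in $personas) {
    $sizing   = Get-HostPoolSizing -Persona $p
    $poolName = "hp-$($p.Name)"

    $poolArgs = @{
        ResourceGroupName     = $rg
        Name                  = $poolName
        Location              = $location
        HostPoolType          = $p.PoolType
        PreferredAppGroupType = 'Desktop'
    }
    if ($p.PoolType -eq 'Pooled') {
        $poolArgs.LoadBalancerType = 'BreadthFirst'          # spread users across hosts
        $poolArgs.MaxSessionLimit  = $sizing.MaxSessionLimit # density from the assessment
    } else {
        $poolArgs.LoadBalancerType              = 'Persistent'
        $poolArgs.PersonalDesktopAssignmentType = 'Automatic'
    }
    $pool = New-AzWvdHostPool @poolArgs

    # Registration token: any VM that holds it can join the pool, so treat it as a
    # secret and let it expire shortly after the session hosts are built.
    New-AzWvdRegistrationInfo -ResourceGroupName $rg -HostPoolName $poolName `
        -ExpirationTime (Get-Date).ToUniversalTime().AddHours(2).ToString('yyyy-MM-ddTHH:mm:ss.fffffffZ') | Out-Null

    $dag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name "dag-$($p.Name)" `
        -Location $location -HostPoolArmPath $pool.Id -ApplicationGroupType 'Desktop'

    $ws = New-AzWvdWorkspace -ResourceGroupName $rg -Name "ws-$($p.Name)" -Location $location
    Register-AzWvdApplicationGroup -ResourceGroupName $rg -WorkspaceName $ws.Name `
        -ApplicationGroupPath $dag.Id | Out-Null

    # Grant the persona's AD-synced group the Desktop Virtualization User role on this
    # application group only; no subscription- or resource-group-wide assignment.
    New-AzRoleAssignment -ObjectId $p.GroupObjectId `
        -RoleDefinitionName 'Desktop Virtualization User' `
        -ResourceName $dag.Name -ResourceGroupName $rg `
        -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' | Out-Null

    [pscustomobject]@{
        Persona         = $p.Name
        HostPool        = $poolName
        PoolType        = $p.PoolType
        MaxSessionLimit = $sizing.MaxSessionLimit
        SessionHosts    = $sizing.HostCount
    }
}
```

With the table's figures this yields 5 hosts at 48 sessions each for persona group 1, 4 hosts at 16 sessions each for group 2, and 10 dedicated hosts for group 3. The session-host VMs must be created separately with the registration token, and the per-vCPU density assumptions should be validated against the proof-of-concept measurements before the sizing is taken as final.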
Deployment and migration consist of persona migration, application migration, and user profile migration.
Depending on the results of the workload assessment, there will likely be changes to those migration tasks. This
article helps identify ways that the scope would change based on the assessment feedback.

Iterative methodology
Each persona will likely require an iteration of the previously outlined initial scope, resulting in multiple host
pools. Depending on the Azure Virtual Desktop assessment, the adoption team should define iterations that are
based on the number of personas or users per persona. Breaking the process into persona-driven iterations
helps to reduce the change velocity impact on the business and allows the team to focus on proper testing or
onboarding of each of the persona pools.

Scope considerations
Each of the following sets of considerations should be included in the design documentation for each persona
group to be migrated or deployed. After the scope considerations are factored in to the previously discussed
initial scope, the deployment or migration can begin.
Azure landing zone considerations
Before you deploy the persona groups, a landing zone should be created in the Azure regions required to
support each persona to be deployed. Each assigned landing zone should be evaluated against the landing zone
review requirements.
If the assigned Azure landing zone doesn't meet your requirements, scope should be added for any
modifications to be made to the environment.
Application and desktop considerations
Some personas might have a dependency on legacy solutions, which are not compatible with Windows 10
Enterprise multi-session. In these cases, some personas might require dedicated desktops. This dependency
might not be discovered until deployment and testing.
If they're discovered late in the process, future iterations should be allocated to modernization or migration of
the legacy application. This will reduce the long-term cost of the desktop experience. Those future iterations
should be prioritized and completed based on the overall pricing impact of modernization versus the extra cost
associated with dedicated desktops. To avoid pipeline disruptions and the realization of business outcomes, this
prioritization should not affect current iterations.
Some applications might require remediation, modernization, or migration to Azure to support the desired end-
user experience. Those changes are likely to come after release. Alternately, when desktop latency can affect
business functions, the application changes might create blocking dependencies for the migration of some
personas.
User profile considerations
The initial scope assumes that you're using a VM-based FSLogix user profile container.
You can use Azure NetApp Files to host user profiles. Doing so will require a few extra steps in the scope,
including:
Per NetApp instance: Configure the Azure NetApp Files account, volumes, and Active Directory connection.
Per host/persona: Configure FSLogix on session host virtual machines.
Per user: Assign users to the application group (and, for personal pools, to a session host).
You can also use Azure Files to host user profiles. Doing so will require a few extra steps in the scope, including:
Per Azure Files instance: Configure the storage account and its performance tier, join the storage account to
Active Directory (on-premises AD DS and Azure Active Directory Domain Services are both supported), assign
an Azure role-based access control role on the share to an Active Directory user group, apply NTFS permissions
on the Azure Files share, and retrieve the storage account access key for the one-time administrative mount
used to set those permissions.
Per host/persona: Configure FSLogix on session host virtual machines.
Per user: Assign users to the application group (and, for personal pools, to a session host).
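The Azure Files steps listed above, as an added PowerShell example that is not the page's own material and not Microsoft's reference script. It uses Az.Storage, the AzFilesHybrid module's Join-AzStorageAccount, icacls for the NTFS layout, and the FSLogix registry settings on the session host. The storage account name, share, AD group, its Azure AD object ID, and the OU are assumptions. Two points matter for security: the storage account key is used once, on the administrator's workstation, to set NTFS permissions and is never placed on session hosts or given to users, who authenticate over SMB with Kerberos after the AD DS join; and the NTFS layout grants each user Modify on the share root only plus on what they create, so one user cannot list or open another user's profile container.

```powershell
# Added example (not from the Cloud Adoption Framework page): Azure Files for
# FSLogix profile containers. Part 1 runs once from a domain-joined admin
# workstation; the function in Part 2 runs on every session host in the pool.
# Account, share, group, object ID and OU names are assumptions.
#Requires -Modules Az.Accounts, Az.Storage, Az.Resources, AzFilesHybrid

$rg              = 'rg-avd-prod'                                   # assumed
$sa              = 'stavdprofiles01'                               # assumed storage account
$share           = 'profiles'
$adGroup         = 'CONTOSO\AVD-Users'                             # assumed AD group, synced to Azure AD
$adGroupObjectId = '44444444-4444-4444-4444-444444444444'          # assumed Azure AD object ID of that group
$uncPath         = "\\$sa.file.core.windows.net\$share"

# ---- Part 1: storage account, AD DS join, share-level RBAC, NTFS ACLs ----
Connect-AzAccount | Out-Null
New-AzStorageAccount -ResourceGroupName $rg -Name $sa -Location 'eastus' `
    -SkuName 'Premium_LRS' -Kind 'FileStorage' | Out-Null
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $sa -Name $share -QuotaGiB 1024 | Out-Null

# Join the storage account to on-premises AD DS so users authenticate to the share
# with Kerberos instead of the storage account key.
Join-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $sa `
    -DomainAccountType 'ComputerAccount' `
    -OrganizationalUnitDistinguishedName 'OU=AzureFiles,DC=contoso,DC=com'

# Share-level permission for the user group, scoped to this one share.
$shareScope = "$((Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).Id)/fileServices/default/fileshares/$share"
New-AzRoleAssignment -ObjectId $adGroupObjectId `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' -Scope $shareScope | Out-Null

# One-time administrative mount with the account key, only to set NTFS permissions.
$key  = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $sa)[0].Value
$cred = [pscredential]::new("Azure\$sa", (ConvertTo-SecureString $key -AsPlainText -Force))
New-PSDrive -Name Z -PSProvider FileSystem -Root $uncPath -Credential $cred | Out-Null

# Least-privilege layout for FSLogix: users can create their own profile folder on
# the root, own only what they create, and cannot read other users' containers.
icacls Z:\ /inheritance:r
icacls Z:\ /grant 'BUILTIN\Administrators:(OI)(CI)(F)'
icacls Z:\ /grant "${adGroup}:(M)"                    # this folder only
icacls Z:\ /grant 'CREATOR OWNER:(OI)(CI)(IO)(M)'     # subfolders and files only
Remove-PSDrive -Name Z
Remove-Variable key, cred                              # do not leave the key in the session

# ---- Part 2: FSLogix registry configuration, run on each session host ----
function Set-FsLogixProfileContainer {
    param([string]$VhdLocation)
    $regPath = 'HKLM:\SOFTWARE\FSLogix\Profiles'
    New-Item -Path $regPath -Force | Out-Null
    New-ItemProperty -Path $regPath -Name 'Enabled'      -PropertyType DWord       -Value 1 -Force | Out-Null
    New-ItemProperty -Path $regPath -Name 'VHDLocations' -PropertyType MultiString -Value @($VhdLocation) -Force | Out-Null
    # Prevent a stale local profile from silently shadowing the container.
    New-ItemProperty -Path $regPath -Name 'DeleteLocalProfileWhenVHDShouldApply' -PropertyType DWord -Value 1 -Force | Out-Null
    # Name folders <user>_<SID> so operators can locate a container without decoding the SID.
    New-ItemProperty -Path $regPath -Name 'FlipFlopProfileDirectoryName' -PropertyType DWord -Value 1 -Force | Out-Null
}
Set-FsLogixProfileContainer -VhdLocation $uncPath
```

Run Part 2 on each session host as part of the image or the host's configuration management, not from the admin workstation. If Azure AD DS is used instead of on-premises AD DS, the Join-AzStorageAccount step is replaced by enabling Azure AD DS authentication on the storage account; the RBAC, NTFS and FSLogix steps are unchanged.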
The user profiles for some personas or users might also require a data migration effort, which can delay the
migration of specific personas until user profiles can be remediated within your local Active Directory or
individual user desktops. This delay could significantly affect the scope outside of the Azure Virtual Desktop
scenario. After they've been remediated, the initial scope and the preceding approaches can be resumed.

Deploy or migrate Azure Virtual Desktop


After all considerations are factored into your production scope for the Azure Virtual Desktop migration or
deployment, the process can begin. On an iterative cadence, the adoption team will now deploy host pools,
applications, and user profiles. After this phase is completed, the post deployment effort of testing and
onboarding users can begin.

Next steps
Release your Azure Virtual Desktop deployment to production
Azure Virtual Desktop post-deployment
8/9/2021 • 2 minutes to read

The release process for the migration or deployment of Azure Virtual Desktop instances is straightforward. This
process mirrors the one used during the Azure Virtual Desktop proof of concept:
Test the performance and latency of application groups and deployed desktops for a sampling of users.
Onboard end users to teach them how to connect via:
Windows desktop client
Web client
Android client
macOS client
iOS client

Post-deployment
After the release has been completed, it's common to add logging and diagnostics to better operate Azure
Virtual Desktop. It's also common for operations teams to onboard the pooled hosts and desktop virtual
machines into the Azure server management best practices to manage reporting, patching, and business
continuity and disaster recovery configurations.
Although the release process is out of scope for this migration scenario, the process might expose the need to
migrate additional workloads to Azure during subsequent iterations of migration. If you haven't configured
Microsoft 365 or Azure Active Directory, your cloud adoption team might choose to onboard into those services
upon the release of the desktop scenarios. For a hybrid operating model, operations teams might also choose to
integrate Intune, System Center, or other configuration management tools to improve operations, compliance,
and security.

Next steps
After the Azure Virtual Desktop migration is complete, your cloud adoption team can begin the next scenario-
specific migration. Alternately, if there are additional desktops to be migrated, you can reuse this article series to
guide your next Azure Virtual Desktop migration or deployment.
Plan for Azure Virtual Desktop migration or deployment
Review your environment or Azure landing zones
Complete an Azure Virtual Desktop proof of concept
Assess for Azure Virtual Desktop migration or deployment
Deploy or migrate Azure Virtual Desktop instances
Release your Azure Virtual Desktop deployment to production
Innovation and Azure Virtual Desktop environment
8/9/2021 • 2 minutes to read

Technologies such as virtual desktops offer new ways to deliver a productivity environment to organizations.
Virtual desktops provide a central, scalable, and secure desktop experience. The result is users can work in ways
that traditionally weren't possible, and with a more performant experience.
The following guidance provides information on how Azure Virtual Desktop can help organizations drive
innovative new ways for their teams to work.

Innovation scenarios
Provide desktop environments for temporary workers: Azure Virtual Desktop instances can be
deployed and configured quickly and at scale. Similarly, they can be shut down quickly. This technology
provides a standardized access method to corporate applications and information for temporary workers.
By using Azure Virtual Desktop, virtual desktops can be used to securely provide productivity
environments without the need to build, ship, and manage physical devices. An Azure Virtual Desktop
approach also provides enterprise-level security and access management.
Deliver latency sensitive applications to remote workers: Remote working is most effective for
asynchronous or latency-tolerant applications, where performance isn't degraded significantly by
inconsistent network quality or round-trip latency. For those applications that do require short ping times
from client to server, an Azure Virtual Desktop environment can help provide a performant experience.
By hosting the desktop session in Azure alongside the application, organizations can use the Azure
network to connect the application client and server. This configuration results in a lower-latency
connection than a traditional VPN connection over a public network.
Provide highly secure working environments: In certain scenarios, the need to remove the risk of
corporate data being stored on physical devices, for example laptops, is a key requirement.
By providing specific users access to a desktop, and the associated applications and data using Azure
Virtual Desktop, organizations can retain the entire desktop within the corporate environment. The result
is if the local device is lost, or accessed by someone without authorization, the data and applications are
not stored locally and not at risk.
Modernize applications with MSIX app attach: MSI installer packages have become the application
packaging standard for Windows-based applications. MSIX is a new packaging format that offers many
features aimed to improve the packaging experience for all Windows applications. The Azure Virtual
Desktop related innovation to application management is a new feature called MSIX app attach. MSIX app
attach is a way to deliver MSIX applications to both physical and virtual machines. However, MSIX app
attach is different from regular MSIX because it's made specifically for Azure Virtual Desktop. This creates
separation between user data, the operating system, and applications by using MSIX containers. You can
remove the need for repackaging when you deliver applications dynamically. You can reduce the time it
takes for a user to sign in to Azure Virtual Desktop. At the same time, you can reduce infrastructure
requirements and cost.

Next steps
The following resources provide guidance for specific points throughout the cloud adoption journey to help you
be successful in the adoption of Azure Virtual Desktop, as part of your cloud environment.
Plan for Azure Virtual Desktop migration or deployment
Review your environment or Azure landing zones
Complete an Azure Virtual Desktop proof-of-concept
Assess for Azure Virtual Desktop migration or deployment
Deploy or migrate Azure Virtual Desktop instances
Release your Azure Virtual Desktop deployment to production
Enterprise-scale landing zone for Azure Virtual Desktop
Manage your virtual desktop environment
Govern your virtual desktop environment
Governing an Azure Virtual Desktop environment
8/9/2021 • 2 minutes to read

The Cloud Adoption Framework provides a methodology to systematically and incrementally improve
governance of your cloud portfolio. This article demonstrates how you can extend your governance approach to
Azure Virtual Desktop environments deployed to Azure.

Initial governance foundation


Governance starts with an initial governance foundation often referred to as a governance MVP. This foundation
deploys the basic Azure products required to deliver governance across your cloud environment.
The initial governance foundation focuses on the following aspects of governance:
Basic hybrid network and connectivity.
Azure role-based access control (RBAC) for identity and access control.
Naming and tagging standards for consistent identification of resources.
Organization of resources using resource groups, subscriptions, and management groups.
Azure Policy and Azure Blueprints to enforce governance policies.

Expanding on governance disciplines


For Azure Virtual Desktop, the baseline needs to expand to include controls for functions specific to virtual
desktops:
User device used to access the virtual desktop
Application security
Session host OS
Deployment configuration

Security baseline
The following guides provide best practices for implementing security controls for Azure Virtual Desktop
environments:
Azure Virtual Desktop security baseline.
Azure Virtual Desktop security guide: best practices.
Manage an Azure Virtual Desktop environment
8/9/2021 • 4 minutes to read

The Cloud Adoption Framework provides a core methodology to define operation management processes for
the cloud in an agnostic sense. Its guidance helps establish an operations management baseline and other
specialized layers of operations. This article outlines what you need to integrate into your existing operations to
prepare for virtual desktop management.

Business alignment for operations management needs


Using virtual desktops simplifies the provisioning and management of desktops for users, leading to improved
operations management outcomes. To realize these operational improvements, you might have to revise your
desktop management strategy, starting with the business alignment.
To establish proper operations management practices, you must understand how virtual desktops will be used
in your cloud adoption plans and what benefits you want to realize from this shift to virtualized desktops.
Will you manage multiple technology solutions, such as virtual desktops and remote access from physical
devices in your cloud platform?
Will centralized teams support operations and management of the virtual desktop platform? Does this
accountability shift to the individual workload teams?
Will centralized teams support operations and management of the applications running in each virtual
desktop configuration? Does this accountability shift to the individual workload teams?
Are you using virtual desktops for access to mission-critical applications?
Are you only using virtual desktops for less-critical or utility applications and functions to reduce costs?
How important is the performance and reliability of your virtual desktop environment?
Are the applications accessed via your virtual desktop resistant to disconnection? Do you need to persist
state to protect and recover the application session on the desktop session?
These basic questions will shape how to best integrate Azure Virtual Desktop into your operations management
strategy.

Operations baseline
Implementing an operations baseline provides centralized access to the tools required to operate and manage
all assets in your cloud environment. If you don't have an operations baseline for your assets, you can
implement the operations baseline defined in the Manage methodology.
Your operations baseline should include tools and configurations to provide visibility, monitoring, operational
compliance, optimization, and protection/recovery.
Platform operations
Unless this implementation is your organization's first or only deployment to the cloud, you should have an
operations baseline. This section identifies a few tools you might want to include to help manage your virtual
desktop environment.
Inventory and visibility
Monitoring Azure Virtual Desktop uses the tools, dashboards, and alerts in your operations baseline. However,
you might need to add extra configuration to integrate data from your virtual desktop into operations
monitoring tools like Azure Monitor for Azure Virtual Desktop.
Once you've configured Azure Monitor to collect data on your virtual desktop, you can monitor the following
areas as part of your centralized management processes:
Disk performance
Host performance
Session performance
Session diagnostics
These metrics will enable operations teams to monitor and react to performance and user experience issues to
ensure a good overall platform experience.
Operations compliance
Patching and scaling are key elements of the ongoing operational management of an Azure Virtual Desktop
environment. The operators may sit in many different teams, depending on your desired operations approach.
To maintain operations compliance, an operator will monitor usage, resize assets to balance performance and
cost, and patch the underlying systems to minimize risk and configuration drift.
Central IT organizations tend to deliver these tasks as part of the operations baseline for infrastructure as a
service (IaaS).
The following guides provide best practices for implementing management capabilities for Azure Virtual
Desktop environments:
Use Azure Monitor for Azure Virtual Desktop
Use Azure Advisor for Azure Virtual Desktop
Configure automatic updates for Azure Virtual Desktop
Protect and recover
The Azure Virtual Desktop architecture separates the host compute from the user profile and associated data,
making it easier to move the host if necessary for performance reasons.
You can manage user profiles in solutions such as FSLogix profile containers in order to store the complete user
profile in a single container. This configuration enables the profile to roam between virtual desktops.
In addition, using concepts such as MSIX app attach also helps separate the applications from the operating
system. It's then easier to provision virtual machines.
Workload operations
The platform operations section above illustrates a common conversation when managing Azure Virtual
Desktop. Will the virtual desktops platform and applications be managed centrally? Or are they a workload tool
that should be managed by the teams who own each of the workloads? The answer is different for different
organizations. The constant seen across most organizations is that virtual desktops are designed to give the
users more flexibility in how they want to work and access applications in a secure way.
Workload operations can build on your existing operations baseline and platform-specific operations. You can
also safely operate an Azure Virtual Desktop environment using completely decentralized workload operations.
In either case, when you need to elevate operations to focus on specific outcomes for a specific workload, you
can use the Azure Well-Architected Framework and Microsoft Azure Well-Architected Review to get specific on
the types of operational processes and tools to use for your workload.
