Windows Virtual Desktop tenant name

Azure [Windows] Virtual Desktop is generally available, under continuous improvement, and currently available in the ARM [Spring] and the Classic [Fall] versions. The ARM version is completely integrated into the Azure Portal. Sometimes it helps to have a native GUI for some configuration tasks and - for me, most important - easy image handling to deploy session hosts based on a template VM [golden image approach]. Therefore I built a native Windows application to do this, and I'm happy to share it with the community.

Download the latest release from 11/09/2021

The current version supports a lot of configuration and administration capabilities, and I'm continuously improving WVDAdmin. Some features:

  • Imaging
    • Create images from golden masters [without destroying the master]
    • Handle sysprep and modern app
    • Clean-up
    • Use of shared image gallery definitions
  • Rollout
    • Rollout of multiple session hosts
    • Store some base settings encrypted for reuse [domain join name, password, ]
    • Select VM type for each rollout [is not fixed to the host pool]
    • Use of ephemeral disks
    • Support of a second partition from the master VM [D:]
    • Azure Monitor
    • AAD only, join to MEM/intune
  • AVD Support
    • Classic AVD
    • ARM AVD [Spring Update]
    • Migration of resources and session hosts
  • Working with AVD resources
    • Add/create/delete
      • Host Pools
      • Application groups
      • Workspaces
      • Session hosts
    • Working with user sessions
      • Disconnect
      • Logoff
      • Send message
      • Shadow
  • Session hosts
    • Move between host pools
    • Start/Stop/Restart
    • Delete - with VM, disk, and nic
    • Get error report from AVD agent
    • Run scripts remotely on hosts [trigger Windows updates, enable RDP Shortpath, ]
    • Change drain-mode
    • Change disk type, e.g.: on-start -> to Premium, after deallocation -> to HDD [for cost savings]
    • Remove user assignment
  • Virtual machine
    • List all VMs with power state in all subscriptions
    • Start/Stop/Restart
    • Run scripts remotely on hosts [trigger Windows updates, enable RDP Shortpath, ]
    • Shrink disk to 64 or 32 GByte [to create small images for ephemeral hosts]
    • Change disk type, e.g.: on-start -> to premium, after deallocation -> to HDD [for cost savings]
    • Create and restore snapshots with a click
    • Add an existing domain-joined VM as a session host
  • Others
    • Multi-Tenant switch
    • Split-Tenant mode
    • Search for unused disks and nics
    • Rollout VM Scale Sets
    • Start and deallocate Scale Set instances
    • Re-image Scale Set instances
    • Remove customer-managed key [CMK]

Release History


I'm continuously updating WVDAdmin to make it easier to administrate and deploy WVD, users, and session hosts.

Release | Changes & Notes
1.7.19.0 | Add: VM sizes for D and E series V5
1.7.18.0 | Add: Change the VM size for multiple VMs [Azure -> Virtual Machines]; New images are created with tags including the timestamp and resource ID of the master VM
1.7.17.0 | Change: The API permission for Azure AD Graph is no longer needed for the service principal if you are using WVDAdmin for AVD [spring edition]
1.7.16.0 | Add: Session host rollout will set an additional tag to VM, Nic and Disk: WVD.Host=
1.7.15.0 | Fix: If you deallocate a VM without tags, the VM is deallocated but an error message is/was shown [Changing power state of Azure vm was not successful Object reference not set to an instance of an object.]
1.7.14.0 | Change: Uninstallation of the RDAgent [if you capture a session host] is now faster
1.7.13.0 | Add: Join MEM/Intune while rolling out session hosts; Add: Function to shrink a disk of a VM to 32 GByte to rollout cheaper instances and/or use smaller instances with ephemeral disks
1.7.11.0 | Add: Optimization to capture a session host for a new image
1.7.09.0 | Change: Change the rollout process to be more reliable if you deploy a lot of hosts at once; Fix: Secrets can now have special characters
1.7.05.0 | Fix: The windows can now be resized to full-screen
1.7.01.0 | Add: Support to show subscription name in rollout and imaging tab [set HKEY_CURRENT_USER\SOFTWARE\ITProCloud\WVDAdmin\ShowSubscriptionName to [reg-dword]]
1.7.00.0 | Add: Support to deploy AAD-only session hosts; Fix: Resize of V2 VM disks
1.6.99.0 | Add: Meta-data location for Canada and the UK
1.6.98.0 | Fix: Resize the application window height in case you have a smaller resolution [ Configure Diagnostic settings]
1.6.62.0 | Add: You can now terminate file handles to an Azure Storage [orphaned handles avoiding a user to log in with its FSLogix profile] - Service Principal needs contributor permissions to the storage account
1.6.61.0 | Add: VC++ runtime if you use the desktop installer
1.6.60.0 | Add: Manage your Virtual Machines like session hosts: Click on Azure - Virtual Machines to list all VMs in your subscriptions [note: data for the VMs are delayed [resource graph]]
1.6.59.0 | Change: Rollback of advanced logging of create VM / create Image Powershell script: Shows unimportant messages as an error with existing images
1.6.57.0 | Add: You can enable diagnostic settings directly on a host pool, appgroup and workspace [right-click]; Fix: Sometimes reading the state of a script extension is not directly possible. This caused the WVDAdmin log to show an error even if everything works as expected
1.6.56.0 | Change: Single session nodes are not listed under the session host node if more than 100 sessions exist to speed up WVDAdmin - all sessions are still in the session list
1.6.54.0 | Add: Function to delete unused disks and nics; Add: More logging for the rollout of session hosts; Add: New VM-types, like L4s_v2,
1.6.53.0 | Add: Add session hosts automatically to Loadbalancer Backend Pools; Add: If a VM resource is unavailable, the first alternative VM size will be tried
1.6.51.0 | Add: Custom script to install Azure Monitor for WVD from sepago to existing session hosts
1.6.50.0 | Add: Support for Dhsv3
1.6.46.0 | Add: You can now rollout new session hosts with accelerated network configuration, Change: NICs are now created with the name of the VM
1.6.45.0 | Add: Add session hosts automatically to ASGs
1.6.42.0 | Add: Support for Dasv4-series
1.6.41.0 | Add: Experimental feature: Add applications to session hosts from Windows Package Manager repository
1.6.40.0 | Change: Having a script-path for building images is no longer needed. If you leave the text box empty, the local script coming with WVDAdmin will be used and directly sent to the VM
1.6.35.0 | Add: On a session host > State > Mouse over will show the health report of the host
1.6.34.0 | Fix: The drop-down list Feature release was not shown correctly. Feature release is the selector between the different WVD/AVD versions like Fall [WVD classic] and Spring [WVD modern on ARM]
1.6.32.0 | Add: You can run scripts on multiple classic session hosts: Win Updates: Install new available updates; Custom script: Custom script located in the program files folder of WVDAdmin
1.6.30.0 | Add: Sorting order for WVD/AVD resources
1.6.29.0 | Add: Support for Eav4 and Easv4-series
1.6.28.0 | Add: Speed up adding a lot of VMs to the treeview
1.6.27.0 | Add: Support for using availability zones. Select it from the drop-down list right to the resource group list
1.6.26.0 | Add: You can run scripts on multiple ARM session hosts: Win Updates: Install new available updates; Custom script: Custom script located in the program files folder of WVDAdmin
1.6.24.0 | Add: Multi selection and action on session hosts for ARM if you select a session host container; Fix: Scale Set instances weren't shown in 1.6.23
1.6.23.0 | Fix: New image was not visualized in the tree view after creation
1.6.22.0 | Add: Support for shared image galleries: Add a shared image gallery from the Azure Portal into a resource group managed by WVDAdmin. In WVDAdmin right-click an existing image and select copy to shared image gallery. An image can be rolled out by right-clicking the shared image
1.6.21.0 | Add: Double-click on the tag Logs, Sessions or Sessions V2 enlarges that part of the window [double-click again to revert]
1.6.18.0 | Fix: An API change from Microsoft causes updating a host pool property to fail if the location is written like Central US [centralus is no problem]; Add: First version able to deploy session hosts from images in an image gallery
1.6.16.0 | Add: Session hosts icons are now based on the availability state; Fix: Enumerating thousands of sessions with thousands of session hosts takes longer than expected [> 4 minutes]
1.6.14.0 | Add: Support US Government Cloud. Activate: Add a new string Reg_SZ Environment with value US to HKCU\SOFTWARE\ITProCloud\WVDAdmin
1.6.12.0 | Add: Support for VM types: Dv4 and Dsv4-series, Ev4 and Esv4-series
1.6.11.0 | Fix: WVD/AVD ARM resources are deployed with the tags; Workspaces and host pools are separated by subscription name
1.6.9.00 | Fix: Generating a token for a Spring host pool fails sometimes [Error: ExpirationTime value must be between one hour and 30 days from now - An error occurred while gathering an WVD2 token from backend: Object reference not set to an instance of an object.]
1.6.5.00 | Add: Support for DD_v2 and DDS_V4 virtual machine types; Fix: Forwarding from the WVD/AVD API causes an authentication loss [error 401, 403 reading resources in the FALL update]
1.6.4.00 | Add: Support for GEN2 virtual machines
1.6.2.00 | Add: New naming feature for new session hosts. Default [is]: Name for a session host is the highest matching name +1; new concept [must be enabled]: Name for a session host is the next free name. To enable, add a reg dword to HKCU\Software\ITProCloud\WVDAdmin with the name NamingMode and the value 1
1.6.1.00 | Fix: Default session limit for V2 host pool is now 999999
1.6.0.00 | Change: The tag WVD.Path is aligned to Microsoft naming of tenant and host pool for the spring update. Tenant=resource group name and no longer subscription name
1.5.9.00 | Add: Load assigned users button to the app group tab [fall update]
1.5.7.00 | Add: You can join existing VM to a host pool [VMs must be domain joined and not in a host pool right now]
1.5.6.00 | Add: You can now move session hosts between host pools not created with WVDAdmin [it downloads the necessary files automatically]; you can join existing VM to a host pool [VMs must be domain joined]
1.5.5.00 | Fix: Enumerating VMs was endless in some circumstances
1.5.4.00 | Add: Migration from Fall to Spring Update; moving session hosts to another host pool
1.5.3.00 | Fix: Improvement updating the treeview
1.5.0.00 | Add: Supporting the WVD Spring Release / Spring Update; Some user operations from the session grid are now async; Fix: Spontaneous resize of the windows if data are reloaded
1.4.9.00 | Add: Filter users, session hosts and host pools in the overview of sessions
1.4.8.00 | Add: Support to add users by groups from Azure Active Directory, including an AAD browser [check my blog post and configure the service principal to use this feature]
1.4.6.00 | Add: New VM sizes; all new scale sets are deployed as a really scalable version [up to 600 instances each]
1.4.4.00 | Fix: Service Principal Keys with some special characters are working now; Add: Faster loading of resources from WVD/AVD and Azure backend
1.4.2.00 | Add: Support for NVv4 VM sizes [based on AMD Radeon Instinct MI25-GPU]; support to set custom Azure tags for resources while deploying resources
1.4.0.00 | Fix: From an older version, disks are deployed as standard-hdd even if premium-disk was selected; Change: Connection views are now located parallel to the logging list on the bottom [tenant-view]; Add: Function to check for an updated version via //blog.itprocloud.de/assets/files/WVDAdmin.xml
1.3.6.00 | Add: New tag for session hosts: WVD.Path - used by Azure Monitor for WVD and Azure Autoscale for WVD - aka Project MySmartScale if an installed language pack conflicts with the Microsoft RDAgent [read this post to learn more]
1.3.5.00 | Add: Allow a local admin to shadow a user session [WVDAdmin needs direct access to the session host via RDP]
1.3.4.00 | Add: Networks are now listed as VNET/SUBNET in the rollout tab
1.3.3.00 | Add: Support for a special mode if your WVD/AVD tenant and the session hosts are in two different Azure Active Directory tenants
1.3.1.00 | Fix: WVDAdmin crashed if 1.3.0 is your first version of WVDAdmin [HKEY_CURRENT_USER\Software\ITProCloud doesn't exist while checking for multi-tenancy mode]
1.3.0.00 | Add: AAD multi-tenancy mode [drop down list to handle different AADs] - //blog.itprocloud.de/Windows-Virtual-Desktop-Windows-Virtual-Desktop-Administration-for-CSP-and-Consulting-Partners
1.2.8.00 | Add: If you click a tenant, a tenant-wide list of sessions is listed. Logoff or send messages to multiple sessions
1.2.7.00 | Add: The main window of the application is now resizeable
1.2.5.00 | Add: Support for Scale Sets [with normal and ephemeral disks] -> see below
1.2.4.00 | Add: Support for availability sets
1.2.3.00 | Add: Support for automatic and static assigned host pools
1.2.1.00 | Fix: Logging of rollout parameter by Azure custom extension is removed to avoid logging secrets
1.0.0.30 | Fix: Rollout - OU can now be empty to join the default OU
1.0.0.29 | Add: Supporting special license mode to save up to 50% on compute-cost [//docs.microsoft.com/en-us/azure/virtual-desktop/apply-windows-license]
1.0.0.26 | Add: Template VM can now be a VM with a standard disk [non-managed]
1.0.0.25 | Fix: If you delete a VM the OS disk will be deleted as well
1.0.0.23 | Support for ephemeral disks
1.0.0.22 | First published version - without auto-update of WVDAdmin

Configuration

Service principal [functional account]

To work with the GUI, you need a service principal [function account] with permission to administrate access to the WVD/AVD and Azure resources. I decided to use a service principal to avoid confusion if my Azure AD user is only a guest account in the WVD/AVD tenant I have to administrate, and to switch easily between different tenants.

To create a service principal, go to your Azure AD -> App registration -> New registration and type a name for your principal like svc_WVDAdmin and press register.

Click on certificates & secrets. Click new client secret, select a validity period and a description [like Key01]. Press add.

Copy the generated key directly - it will never be displayed again. Note the key for later.

To assign users to app groups, the service principal needs two API permissions to get the users and groups from Azure AD:

Add the permission Microsoft Graph -> Application Permission -> Directory.Read.All

From version 1.7.17 and AVD [spring version] you can skip this permission [is no longer available in Azure for new installations]: API Permissions: Add the permission Azure Active Directory Graph -> Application Permission -> Directory.Read.All

To consent to the permission, an administrator of Azure AD has to grant this:

Go to Overview. Note the Application [client] ID and the Directory [tenant] ID as well.

You now have all data for your service principal:

  • Tenant id
  • Service principal id [application id]
  • Service principal key

WVD permissions [Classic / Fall Version]

This chapter is for WVD Classic / Fall. Skip this chapter if you only work with WVD/AVD ARM [Spring].

To use WVDAdmin you need at least an existing WVD/AVD tenant. If you are new to WVD/AVD, follow this article to create a WVD/AVD tenant: [//docs.microsoft.com/en-us/azure/virtual-desktop/virtual-desktop-fall-2019/tenant-setup-azure-active-directory]

You have to use PowerShell to assign the appropriate WVD/AVD permission:

    Import-Module -Name Microsoft.RDInfra.RDPowerShell
    # log on with an administrative user account to your
    Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
    # list rds tenants
    Get-RdsTenant
    # give your service principal the right permission
    New-RdsRoleAssignment -TenantName "Builder City" -RoleDefinitionName "RDS Owner" -ApplicationId 89050a12-xxxx-xxxx-xxxx-000000000000

WVD/AVD permissions [ARM / Spring Version]

This chapter is for WVD/AVD ARM / Spring. Skip this chapter if you only work with WVD Classic [Fall].

The service principal needs permission to add and modify WVD/AVD resource objects [host pools, workspaces, app groups]. To assign users and groups to app groups, the service principal needs the owner role on the resource groups you want to use for your WVD/AVD environment. Add the service principal in the next step and use the owner role.

Register Resource Provider [ARM / Spring Version]

This chapter is for WVD/AVD ARM / Spring. Skip this chapter if you only work with WVD/AVD Classic [Fall].

If you have never worked with WVD, you have to register the WVD/AVD resource provider once. To do that, go to the Azure portal -> subscriptions -> select your subscription -> Resource providers

Search for Microsoft.DesktopVirtualization and click on Register.

Azure resource permissions

The service principal needs permission to subscriptions or resource groups to manage your WVD/AVD resources, image the template VM, and roll out session hosts.

Open the Azure portal and go to the resource groups you want to use or to the subscriptions. In each resource group/subscription, click Access control [IAM] -> select Add -> Add role assignment. Select owner and search in Select for your service principal name. Click on the principal and save the settings.

Note: Owner is needed to assign users to app groups. For other resources, contributor is fine.

The service principal must have permissions to your virtual network [vnet] to assign new VMs to the right subnet. Go to your vnet, click Access control [IAM] -> select Add -> Add role assignment. Select contributor and search in select for your service principal name. Click the principal and save the settings. You could skip this step if you assigned the service principal to the subscription or to the resource group containing your vnet.
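The portal steps above, scripted with the Az PowerShell module as an added example (not part of WVDAdmin or the original post); the resource group and vnet names are placeholders. It scopes Owner to the WVD/AVD resource groups and Contributor to the vnet, then lists the principal's assignments so a subscription-wide grant is easy to spot.

```powershell
# Added example, not part of WVDAdmin. Needs the Az modules (Az.Accounts,
# Az.Resources, Az.Network) and an authenticated session (Connect-AzAccount).
$spName     = 'svc_WVDAdmin'      # service principal name from this page
$wvdRgNames = @('rg-wvd-prod')    # placeholder: resource groups WVDAdmin manages
$vnetRgName = 'rg-network'        # placeholder: resource group of the vnet
$vnetName   = 'vnet-wvd'          # placeholder: vnet used by the session hosts

# One-time registration of the WVD/AVD resource provider in the subscription.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.DesktopVirtualization' | Out-Null

# Display names are not unique, so refuse to continue on zero or several matches.
$sp = @(Get-AzADServicePrincipal -DisplayName $spName)
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$spName', found $($sp.Count)."
}
$spId = $sp[0].Id

function Grant-RoleIfMissing {
    param([string]$ObjectId, [string]$Role, [string]$Scope)
    # With -Scope, Get-AzRoleAssignment also returns assignments inherited from above.
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope -RoleDefinitionName $Role
    if ($existing) {
        Write-Host "Already effective: $Role on $Scope"
    } else {
        New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope | Out-Null
        Write-Host "Assigned: $Role on $Scope"
    }
}

# Owner only on the resource groups that hold the WVD/AVD resources.
foreach ($rgName in $wvdRgNames) {
    $rg = Get-AzResourceGroup -Name $rgName -ErrorAction Stop
    Grant-RoleIfMissing -ObjectId $spId -Role 'Owner' -Scope $rg.ResourceId
}

# Contributor on the vnet so new VMs can be attached to the right subnet.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $vnetRgName -ErrorAction Stop
Grant-RoleIfMissing -ObjectId $spId -Role 'Contributor' -Scope $vnet.Id

# Review: list every assignment of the principal and mark subscription-wide ones.
Get-AzRoleAssignment -ObjectId $spId |
    Select-Object RoleDefinitionName, Scope,
        @{ Name = 'SubscriptionWide'; Expression = { $_.Scope -match '^/subscriptions/[^/]+$' } } |
    Sort-Object Scope |
    Format-Table -AutoSize
```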

Prepare your native Active Directory

Today each session host must be part of a native active directory domain [or have to use the domain services]. To add new session hosts unattended, we need an administrative user account to add a computer object to the active directory domain. You can use an existing one, or you can create a new service user:

Open Active Directory Users and Computers and create a user object with a complex password, and set the password to never expire [if you are fine with this]. I added the user .

Delegate permission for the user to an OU. I found a really good blog post from Prajwal Desai. Check out his post on [external web site]: Method 2 Delegate rights to user/group using Active Directory Users and Computers

In my case I added my function account to: OU=WVD,OU=Azure,OU=Site,OU=Servers,OU=Sys,OU=Organisation,DC=ITProCloud,DC=test

In earlier versions [ Virtual Machines -> RG -> VM]

  • Right-click -> Create a template image
  • Select the resource group to store the image
  • Press Capture
  • You can and should reuse the template VM for new updates and applications. After these changes, shut down the template VM and create a new image.

    VM Scale Sets

    First note: VM Scale Sets cannot autoscale WVD/AVD session hosts. Auto-scaling only works for stateless services like a web server. But if you need hundreds of session hosts, then VM Scale Set allows you to work with these numbers efficiently.

    From version 1.2.5, WVDAdmin supports VM Scale Sets. A Scale Set can have several instances, which are the VMs / session hosts. There are some essential things you have to know if you use VM Scale Set with WVDAdmin and WVD/AVD itself:
    • Build a Scale Set with WVDAdmin. Select an image, right-click and select Create session host from image. Check Rollout as VM Scale Set
    • You can use regular disks and ephemeral disks. If you use ephemeral disks, you cannot deallocate the instances of your Scale Set. You have to delete the instances
    • Today, you cannot use ultra disks
    • You can add and remove instances with WVDAdmin or in the Azure Portal. New instances will join the domain and WVD
    • A new instance can only join WVD/AVD if the session host with the new name doesn't exist. If you delete instances, the session host entry will also be removed
    • You can re-image single instances or all instances of a Scale Set. After that, the instances are clean as at the first rollout
    • Adding instances or re-imaging assumes that the Scale Set configuration [which is a custom script extension] has a valid WVD/AVD token to join new instances to WVD. Because WVD/AVD provides only one token per host pool and the token can expire, you can update the token with a right-click on the Scale Set and select Update WVD token. The max. lifetime of a token is 59 days
    • Unfortunately, WVDAdmin cannot change the source image for a VM Scale Set. So if you want to update the image for a host pool, take these steps:
      • Rollout a new Scale Set based on the new image
      • Disable new logons for the old session host from the previous Scale Set
      • Test the host pool based on the new Scale Set
      • If no user is logged on to the old Scale Set, remove all instances from the Scale Set [this deletes the session hosts in WVD/AVD as well]
      • Remove the Scale Set

    Ephemeral disks

    Ephemeral disks are awesome. They give you high performance free of charge. Especially in a WVD/AVD multiuser environment where no data is stored permanently on the session hosts, this kind of disk can give you some added value.

    Ephemeral disks are running on the Azure hypervisor and not stored. This has some advantages:

    Please note:

    • You can not deallocate a VM with this disk type - you have to delete the VM [and roll out a new one instead of starting a normal VM]
    • Not each VM size is available, and there are limitations of the disk size [image size for rollout] based on the VM size: Max ephemeral disk size for Standard_D4s_v3 is 64 GByte while a Standard_D8s_v3 can have up to 128 GByte. See //docs.microsoft.com/en-us/azure/virtual-machines/linux/sizes-general
    • If the Azure hypervisor fails, your session host will fail as well and can not be re-deployed automatically


    Secret Features

    WVDAdmin has some features not directly visible but configurable via registry keys. All settings in the registry are in the current user part under HKEY_CURRENT_USER\SOFTWARE\ITProCloud\WVDAdmin. Keep in mind to restart WVDAdmin after changing the registry settings.


    Multi-Tenant-Mode

    From version 1.3.0 WVDAdmin will support a multi-AAD-tenancy mode allowing to switch the Azure AD tenant very easily. Follow this link

    Having multiple Service Principals for a single Tenant

    In the Multi-Tenant-Mode, you can add one service principal per tenant. Sometimes you need more service principals for the same tenant. You can add more service principals for a tenant if you append #1 directly behind the tenant id [or #2, ].

    Naming of the Session Hosts

    If you deploy session hosts to a host pool, WVDAdmin counts up the names from the highest available VM. E.g., if you have a session host with the name WVD-PROD-012 and you roll out new hosts [WVD-PROD-###], the first new hostname is WVD-PROD-013 - even if you have gaps in the existing numeration. You can force WVDAdmin to fill these gaps [non-existing hosts in the naming schema] if you set the following registry key: Reg-DWord: NamingMode = 1

    Split-Tenant

    Usually, the WVD/AVD tenant and the resources [session hosts] are in the same AAD tenant. If you have two Azure AD tenants, you can use WVDAdmin with a second service principal for the session hosts [resource tenant]. Follow this link

    US-Government Cloud

    WVDAdmin can be used to deploy WVD/AVD in the Azure Government Cloud. You can enable WVDAdmin to work in the US Government Cloud via registry: Reg-SZ: Environment = US

    Run custom actions simultaneously

    From version 1.6.15, WVDAdmin supports custom scripts to run administrative tasks simultaneously on different session hosts. And that is easy to use and to extend. Follow this link

    Add a session host automatically to an ASG

    You can add a session host automatically to application security groups [ASG] within the rollout process. To achieve this, add one or more tags to the host pool containing your new session hosts. Name the tag WVD.Default.ASG.X and set its value to the Azure resource ID of an existing ASG. X can be numbers to assign more ASGs. You can copy the ID of an ASG from your browser. It looks like this: /subscriptions//resourcegroups//providers/Microsoft.Network/applicationSecurityGroups/

    Add a session host automatically to a Loadbalancer Backend Pool

    You can add a session host automatically to a loadbalancer backend pool within the rollout process. To achieve this, add one or more tags to the host pool containing your new session hosts. Name the tag WVD.Default.LBPool.X and set its value to the Azure resource ID of an existing loadbalancer backend pool. X can be numbers to assign more ASGs. You can copy the ID of a pool from your browser. It looks like this: /subscriptions//resourcegroups//providers/Microsoft.Network/loadBalancers//backendAddressPools/

    Keep in mind to use availability sets for each rollout to use this feature.

    Rollout session hosts with Azure Disk Encryption [ADE]

    Set two tags to the host pool to use it: WVD.Default.KeyVault.Id with the resource id of the KeyVault, WVD.Default.KeyVault.KeyUri with the URI [including the version] of the prepared key to wrap the secret.
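The three tag-driven features above (ASG, load balancer backend pool, ADE) depend on exact tag names and well-formed IDs, so this added example (not part of WVDAdmin or the original post) checks the values before merging them onto the host pool with the Az module. Host pool name, resource group and the `<...>` values are placeholders, and the patterns are assumptions derived from the ID shapes shown on this page.

```powershell
# Added example, not part of WVDAdmin. Needs Az.Accounts, Az.Resources and
# Az.DesktopVirtualization plus an authenticated session (Connect-AzAccount).
$hostPoolRg   = 'rg-wvd-prod'   # placeholder
$hostPoolName = 'hp-prod'       # placeholder

# Tags as described on this page; every <...> value is a placeholder.
$tags = @{
    'WVD.Default.ASG.1'           = '/subscriptions/<sub-id>/resourcegroups/<rg>/providers/Microsoft.Network/applicationSecurityGroups/<asg>'
    'WVD.Default.LBPool.1'        = '/subscriptions/<sub-id>/resourcegroups/<rg>/providers/Microsoft.Network/loadBalancers/<lb>/backendAddressPools/<pool>'
    'WVD.Default.KeyVault.Id'     = '/subscriptions/<sub-id>/resourcegroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>'
    'WVD.Default.KeyVault.KeyUri' = 'https://<vault>.vault.azure.net/keys/<key-name>/<key-version>'
}

# Tag-name pattern -> expected value pattern (-match is case-insensitive).
$arm   = '^/subscriptions/[^/]+/resourcegroups/[^/]+/providers'
$rules = [ordered]@{
    '^WVD\.Default\.ASG\.\d+$'         = "$arm/Microsoft\.Network/applicationSecurityGroups/[^/]+$"
    '^WVD\.Default\.LBPool\.\d+$'      = "$arm/Microsoft\.Network/loadBalancers/[^/]+/backendAddressPools/[^/]+$"
    '^WVD\.Default\.KeyVault\.Id$'     = "$arm/Microsoft\.KeyVault/vaults/[^/]+$"
    # The key URI must end in a version segment, as the page requires.
    '^WVD\.Default\.KeyVault\.KeyUri$' = '^https://[^/]+/keys/[^/]+/[^/]+$'
}

function Test-WvdDefaultTag {
    # Returns one message per problem; returns nothing when all tags look valid.
    param([hashtable]$Tags)
    foreach ($name in $Tags.Keys) {
        $rule = $rules.Keys | Where-Object { $name -match $_ } | Select-Object -First 1
        if (-not $rule) {
            "Unknown tag name (typo?): $name"
        } elseif ($Tags[$name] -notmatch $rules[$rule]) {
            "Value of $name does not have the expected shape: $($Tags[$name])"
        }
    }
    # ADE needs both Key Vault tags; one without the other cannot work.
    $hasId  = $Tags.ContainsKey('WVD.Default.KeyVault.Id')
    $hasUri = $Tags.ContainsKey('WVD.Default.KeyVault.KeyUri')
    if ($hasId -ne $hasUri) {
        'WVD.Default.KeyVault.Id and WVD.Default.KeyVault.KeyUri must be set together'
    }
}

$problems = @(Test-WvdDefaultTag -Tags $tags)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the tag values before applying them to the host pool.'
}

# Merge keeps the tags already on the host pool and adds or updates these.
$hostPool = Get-AzWvdHostPool -ResourceGroupName $hostPoolRg -Name $hostPoolName -ErrorAction Stop
Update-AzTag -ResourceId $hostPool.Id -Tag $tags -Operation Merge | Out-Null
```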


    Create an Image

    • The image is not created. An error message occurs:
    • Check if your template VM is part of the AD
    • If your file server is Windows Server 2019, read above
    • Check if you have set the NTFS and share permission correctly
    • Azure portal: Go to the temp VM [next to the template VM] and check the extension installation state. There should be an error message like script not found, access denied, etc.
    • Have you renamed the RD agent and bootloader?
    • Is the script saved correctly: ITPC-WVD-Image-Processing.ps1, not ITPC-WVD-Image-Processing.ps1.txt
    • Don't forget to delete the temp VM and temp disk to avoid costs
    • Make sure that your template VM uses managed disk
    • The script generates additional log files in %WinDir%\System32\LogFiles
    • Windows 7: Make sure to install PowerShell 5.1 and all Windows updates [including the optional updates without the language packages] to the template VM and restart the VM to take effect: //www.microsoft.com/en-us/download/details.aspx?id=54616 Make sure that you use the newest script file from 09/2020: ITPC-WVD-Image-Processing.ps1
    • NEW: An endless loop of Waiting for the temporary vm [power off] : Update to the newest PowerShell script for generalizing: ITPC-WVD-Image-Processing.ps1

    Others

    • You have created a host pool, an app group, and assigned a user to the app group, but the user cannot see the apps/desktop.
      • For WVD/AVD ARM: Don't forget to create a workspace and link the app group in the workspace. The workspace is mandatory to show the user's resources.
      • For the HTML5 web site: Check the correct web address:
