One of the challenges of working from home is that people no longer have physical access to their on-premises work computers. These can be employees who worked at a desk, teachers who had a computer in their classrooms, or students who need to access computers in a lab on campus.
End users simply want a familiar desktop environment to continue to work. Their own home computers are familiar and comfortable, but CSOs don't want them downloading content to their personal hard drives or unsanctioned cloud services.
Citrix and VMware Horizon exist to meet some of these needs, but they are complicated to set up and manage, and still tax the ISP circuit. Standing up a desktop virtualization environment is expensive and can take months to implement successfully.
Problems Solved by Windows Virtual Desktop:
Windows Virtual Desktop is a VDI solution hosted in Azure. WVD allows work from home employees to have secure access to their work data, but prohibits them from saving work data onto personal devices.
- WVD allows IT to:
  - Avoid the complexity of traditional VDI
  - Publish entire Win10 desktops or specific applications
  - Control costs by right-sizing and scaling on demand
  - Offload traffic from VPN appliances and data center ISP circuits
- WVD allows users to:
  - Get the experience of a local desktop from anywhere, including LOB apps
  - Securely access work apps from Windows, Browser, Mac, iOS, and Android
  - Save and access files on ODFB, Azure Files, or on-prem file shares
  - Quickly access mail, data, and profile information
A simple picture (courtesy Microsoft Mechanics) shows WVD hiding, in the large center bubble, the components typically managed by IT in a Citrix or VMware Horizon shop. Microsoft now abstracts all that infrastructure and presents it as an Azure (platform) service. IT builds, rents, and manages the Azure Virtual Machines (upper left), which present Virtual Desktops and applications to users. Licensing servers, data repositories, and LOB apps can be accessed on-premises (lower left).
The user experience
- Publish either entire desktops, specific apps, or a mix and match per user group
- File storage. OneDrive for Business provides the most cost and performance efficient data access, although Azure Files and on-premises SMB file shares are options.
- Integration with on-premises. If Line of Business services are tied in, a VPN into Azure is needed.
- Licensing. You may transfer an existing Windows license from on prem or rent from Microsoft.
- Standard Image. You can bring your own image or use a Microsoft template
- Networking. Through vnet peering, and a private VPN or ExpressRoute connection, the VMs running in Azure IaaS can access local file shares, licensing servers, or other data.
- Scalable load balancing: how many user sessions to support on a virtual machine (depth-first vs breadth-first load balancing), and at what point another VM is activated for better performance.
- Appropriate authentication and authorization can be provided by Azure AD Conditional Access and MFA.
- No inbound firewall ports need to be opened. WVD uses a reverse connect technology, where an agent creates an outbound connection using TCP/443 into the Windows Virtual Desktop management plane. Azure is your reverse proxy for RDP traffic, and your destination VM doesn’t need any inbound ports to be opened. Even the default RDP port, TCP/3389, doesn’t have to be open.
- Virtual machines in Windows Virtual Desktop are not exposed to the Internet directly. They can run using a private IP address and run isolated from other workloads or even the Internet.
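The two network properties just listed (nothing reachable inbound from the Internet, RDP included, while the agent's outbound TCP/443 path stays open) are easy to undo with one habitual "allow RDP" rule. The following is an added example, not code from the original post, Enabling Technologies or Microsoft: it models Azure NSG rule evaluation (first match by priority, plus the built-in default rules every NSG carries) and audits a session host's custom rules against the reverse-connect model. The `Rule` record shape, the rule names and the three sample rule sets are constructed for this example.

```python
"""Audit NSG-style rules on a WVD session host for the reverse-connect model.

Added example (not code from the original post, Enabling Technologies or
Microsoft). Two checks: (1) no custom inbound rule opens a port from the
Internet, RDP TCP/3389 above all, since reverse connect does not need one;
(2) the agent keeps an outbound TCP/443 path to the management plane.
Rule names and the sample rule sets below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first, as in Azure NSGs
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    peer: str          # source prefix/tag for inbound, destination prefix/tag for outbound
    dest_port: str     # "3389", "443", "1000-2000" or "*"


# Azure's built-in default rules (priority 65000 and up), present in every NSG.
DEFAULT_RULES = (
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
)


def _port_matches(rule_port: str, port: int) -> bool:
    """Match a single port against "*", a single port, or a "lo-hi" range."""
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-", 1))
        return lo <= port <= hi
    return int(rule_port) == port


def effective_access(rules: Iterable[Rule], direction: str, proto: str, port: int, peer: str) -> str:
    """The matching rule with the lowest priority number decides, mirroring NSG evaluation.
    Returns "Allow", "Deny" or "NoMatch"."""
    for r in sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority):
        if (r.protocol in ("*", proto) and _port_matches(r.dest_port, port)
                and r.peer in ("*", peer)):
            return r.access
    return "NoMatch"


def audit_session_host(custom_rules: Iterable[Rule]) -> List[str]:
    """Return findings for a host's custom rules; an empty list means it fits the reverse-connect model."""
    custom = tuple(custom_rules)
    rules = DEFAULT_RULES + custom
    findings = []
    for r in custom:
        if r.direction == "Inbound" and r.access == "Allow" and r.peer in ("Internet", "*"):
            findings.append(f"rule {r.name} opens inbound {r.protocol}/{r.dest_port} from {r.peer}")
    if effective_access(rules, "Inbound", "Tcp", 3389, "Internet") == "Allow":
        findings.append("RDP (TCP/3389) is reachable from the Internet")
    if effective_access(rules, "Outbound", "Tcp", 443, "Internet") != "Allow":
        findings.append("outbound TCP/443 is blocked; the WVD agent cannot reverse-connect")
    return findings


# Constructed rule sets (not taken from any real tenant):
TRADITIONAL_RDP_HOST = [Rule("AllowRDPInBound", 300, "Inbound", "Allow", "Tcp", "Internet", "3389")]
REVERSE_CONNECT_HOST = [Rule("AllowWvdAgentOutBound", 100, "Outbound", "Allow", "Tcp", "Internet", "443")]
OVER_LOCKED_HOST = [Rule("DenyInternetOutBound", 100, "Outbound", "Deny", "*", "Internet", "*")]

if __name__ == "__main__":
    for label, rules in [("traditional", TRADITIONAL_RDP_HOST),
                         ("reverse-connect", REVERSE_CONNECT_HOST),
                         ("over-locked", OVER_LOCKED_HOST)]:
        print(label, audit_session_host(rules) or ["ok"])
```

Note that the reverse-connect host needs no custom inbound rule at all: the default `DenyAllInBound` already closes TCP/3389 from the Internet, and the default `AllowInternetOutBound` already carries the agent's TCP/443 connection. The over-locked case is the one that breaks WVD silently, since a blanket outbound deny stops the agent from ever registering.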
The three main elements of cost for WVD are:
- Virtual machines and storage you use
- Network egress: ingress is free (except for availability zones), but network egress to your users’ endpoints has a per-GB fee
- Eligible Windows or Microsoft 365 license, to access Windows 10 Enterprise desktops and apps at no additional cost
Windows 10 Multi-session allows you to scalably support more users on the same VM. This lets you use fewer Azure resources and save money. It’s also possible to set scaling rules so that if you approach peak load on a machine, an additional VM automatically starts and takes the next set of users. In fact, all of Azure’s standard VM cost-saving capabilities are available, including up/downscaling, session draining, time-of-day availability, etc. Azure Cost Management should be reviewed and customized for budgets and alerts to avoid surprises. For more common cost concerns and ways to avoid overruns, see the videos at the top of www.azureadvice.com.
- User profiles can be stored on a shared drive (ideally, hosted in Azure), so that their profiles and data are cached and readily available to give users a rapid login experience.
- VMs can either be updated with a management tool like Intune, or they can be replaced with new VMs each month. Spinning up new VMs with the next month’s updates, applying the standard image, testing all workloads, then gradually shutting down the old servers and pointing new users to the updated ones is another smooth transition option. Automation can be applied to repeat the process each month.
User Adoption Considerations:
It’ll be important for users to be aware of and buy into the experience change of WVD. You may block them from being able to save to the C:\ drive of the machine they’re using, for instance. If they want to print locally, they’ll need to walk through the steps to pair with their printer. These will raise tickets to the help desk if the proper communication, training, and/or manuals aren’t available.
For questions about your WVD project, contact Enabling Technologies. Our engineers can be a resource for your planning, implementation, and support needs for your WVD initiative. Other Azure services and solutions can be seen at https://www.enablingtechcorp.com/microsoft-azure.