avdaccelerator's Introduction

Welcome to the Azure Virtual Desktop (AVD) Landing Zone Accelerator

LZA Baseline | Brownfield Scenarios | Custom Image Build | Architectural Diagram

Overview

Enterprise-scale is an architectural approach and a reference implementation that enables effective construction and operation of landing zones on Azure, at scale. This approach aligns with the Azure roadmap and the Cloud Adoption Framework for Azure.

Azure Virtual Desktop Landing Zone Accelerator (LZA) represents the strategic design path and target technical state for Azure Virtual Desktop deployment. This solution provides an architectural approach and reference implementation to prepare landing zone subscriptions for a scalable Azure Virtual Desktop deployment. For the architectural guidance, check out Enterprise-scale for Azure Virtual Desktop in Microsoft Docs.

The Azure Virtual Desktop Landing Zone Accelerator (LZA) only addresses what gets deployed in the specific Azure Virtual Desktop landing zone subscriptions, highlighted by the red boxes in the architectural diagram below. It is assumed that an appropriate platform foundation is already set up, which may or may not be the official ALZ platform foundation. This means that policies and governance should already be in place, or should be set up after this implementation, and are not part of the scope of this program. The policies applied to management groups in the hierarchy above the subscription will trickle down to the Enterprise-scale for Azure Virtual Desktop landing zone subscriptions.

This Repository

This repository contains customer scenarios that help accelerate the development and deployment of Azure Virtual Desktop conforming with Enterprise-Scale for Azure Virtual Desktop best practices and guidelines. Each scenario aims to represent common customer experiences, with the goal of accelerating the development and deployment of conforming Azure Virtual Desktop using infrastructure as code (IaC). Each scenario will eventually have an ARM, Bicep, PowerShell and CLI version to choose from. As of today, we have a first reference implementation scenario that is one of the most common ones used by enterprise customers and partners, and it can be used to deploy an Azure Virtual Desktop workload. We will continue to add new scenarios in future updates.

Getting Started

Azure Virtual Desktop - LZA Baseline

Getting Started deploying Azure Virtual Desktop (AVD) resources and dependent services for establishing the baseline

  • Azure Virtual Desktop resources: workspace, two (2) application groups, scaling plan and a host pool
  • [Optional]: new virtual network (VNet) with NSGs, ASG and route tables
  • Azure Files with integration to the identity service
  • Key vault
  • Session Hosts
Deployment type and link:
  • Azure portal UI: Deploy to Azure | Deploy to Azure Gov | Deploy to Azure China
  • Command line (Bicep/ARM): PowerShell/Azure CLI
  • Terraform: Terraform

If you are having deployment challenges, refer to the LZA baseline troubleshooting guide for guidance. For additional support please submit a GitHub issue.

Azure Virtual Desktop - LZA Optional Deployments

Brownfield scenarios

The brownfield section contains templates to deploy additional features for Azure Virtual Desktop into infrastructure that already exists. These templates can be used individually as required. Here is the list of deployment options available:

Monitoring workbooks

Custom image build

Getting Started deploying a custom image based on the latest version of the Azure marketplace image to an Azure Compute Gallery. The following images are offered:

  • Windows 10 21H2
  • Windows 10 22H2 (Gen 2)
  • Windows 11 21H2 (Gen 2)
  • Windows 11 22H2 (Gen 2)
  • Windows 10 21H2 with O365
  • Windows 10 22H2 with O365 (Gen 2)
  • Windows 11 21H2 with O365 (Gen 2)
  • Windows 11 22H2 with O365 (Gen 2)

You can also enable the Trusted Launch or Confidential VM security type on the Azure Compute Gallery image definition.

The custom image is optimized using the Virtual Desktop Optimization Tool (VDOT) and patched with the latest Windows updates.

Deployment type and link:
  • Azure portal UI: Deploy to Azure | Deploy to Azure Gov
  • Command line (Bicep/ARM): PowerShell/Azure CLI
  • Terraform: Terraform

Architectural Diagram

Azure Virtual Desktop accelerator diagram

Download a Visio file of this architecture.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.

Reporting issues

Microsoft Support is not yet handling issues for any published tools in this repository. However, we would like to welcome you to open issues using GitHub issues to collaborate and improve these tools.

avdaccelerator's People

Contributors

aaronparker, anlucen, chbragg, christiankuhtz, danycontre, edm-ms, github-actions[bot], jamasten, jcorems, jcoyne-msft, jensheerin, jtracey93, kmdfaizal, lenvolk, microsoftopensource, mofaizal, moisesjgomez, nataliakon, poven795909, prasad3017, ripom, roarrioj, shawntmeyer, svenaelterman, swathibhat1, wahidsaleemi, whitscripts, willymoselhy, xelizondo, yahanda

avdaccelerator's Issues

Docs: ALZ critical design areas

Page section: Design guidelines

There are only 6 ESLZ critical design areas listed from a total of 8.

Missing:

  • Enterprise Agreement (EA) enrollment and Azure Active Directory tenants
  • Management group and subscription organization

The wording in this section also reads to suggest that there are only 6 and not 8.

Fix:
Add additional pages for missing critical design areas.

OR

As these are likely to be very small sections, add commentary in the design guidelines sections detailing why there aren’t separate pages for them and our guidance on the 2 missing critical design areas for AVD "construction set"

Automatically Domain Join Azure Files for AD DS

It may be possible for us to automatically domain join an Azure Files storage account using a deployment script and Azure Image Builder.

We could prompt for domain credentials, and then pass parameters to the deployment script that AIB will inject into the VM. The VM can be domain joined, download the PowerShell cmdlets, run the commands, and then delete the VM.

We would likely use a service principal or potentially a managed identity attached to the VM (need to test) so that we could authenticate to Azure. This tends to be a challenging step in the deployment so if we could automate this it would be very beneficial.
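Added example, not part of the issue above and not the accelerator's own code: the domain-join step as it would run inside the build VM, authenticating to Azure with the VM's managed identity and using the AzFilesHybrid module's Join-AzStorageAccount cmdlet. The resource group, storage account name, OU and the AzFilesHybrid extraction folder are placeholders (assumptions).

```powershell
# Added example: join an Azure Files storage account to on-prem AD DS from a
# domain-joined VM. Must run in Windows PowerShell 5.1 (AzFilesHybrid needs the
# ActiveDirectory RSAT module) as a domain user allowed to create computer
# objects in the target OU. All names below are placeholders (assumptions).
$ResourceGroupName   = 'rg-avd-storage'
$StorageAccountName  = 'stavdfslogix01'
$OuDistinguishedName = 'OU=AVD,OU=Servers,DC=contoso,DC=com'

# Azure side: the VM's system-assigned managed identity, which needs at least
# Storage Account Contributor on the storage account. No Azure credentials are
# baked into the image or passed on the command line.
Connect-AzAccount -Identity | Out-Null

# AzFilesHybrid is shipped as a zip; assume it was extracted to C:\AzFilesHybrid.
Set-Location 'C:\AzFilesHybrid'
.\CopyToPSPath.ps1
Import-Module -Name AzFilesHybrid

# Creates the computer account in the OU and enables AD DS identity-based auth
# on the storage account. AES256 avoids the weaker RC4 Kerberos ticket type.
Join-AzStorageAccount `
    -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName `
    -DomainAccountType 'ComputerAccount' `
    -OrganizationalUnitDistinguishedName $OuDistinguishedName `
    -EncryptionType 'AES256'

# Verify: directory service should now be AD and the domain properties populated.
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions                      # expect 'AD'
$sa.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties.DomainName

# AzFilesHybrid's own checker: confirms the computer object, SPN and Kerberos
# settings agree before any session host tries to mount the share.
Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose
```

When this runs as an Azure Image Builder customizer, the domain credentials only need to exist for the lifetime of the temporary build VM, which AIB deletes afterwards, so nothing persists into the captured image.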

Options for customers uploading scripts and SSL certificates.

This is tied to #2 and capabilities there. I would like to have an option for customers to upload both deploy scripts for their image build and any required SSL certificates to store in Key Vault. Not sure if we can accomplish this (I think we can), but it's something to investigate.

Docs section: Management & Monitoring - ALA workspace

Page section: Design Recommendations & Infra Design Considerations

Why 1 workspace per region? Unless RBAC or data sovereignty requirements mandate this, then a central workspace would be more aligned to ESLZ for WVD use only.

Consider changing guidance to follow ESLZ design guidance and provide context as to why you may go against the central workspace approach for some parts of WVD monitoring (cost purposes, lower retention requirements, simplify management view in workbooks ensuring it only contains correct data).

Fix:

  • Make a decision
  • Update docs/arch accordingly

Docs section: Automation & DevOps - Hashicorp packer

Page section: Design Recommendations - Creation of AVD Images

  • This sections mentions using HashiCorp Packer to build the WVD images.
  • Whilst this is the correct approach should we not be asking users to use Azure Image Builder, even in preview, as this aligns to the ESLZ design principles.

Fix:

  • Change references to HashiCorp Packer to Azure Image Builder and provide links to relevant docs.

Docs section: BCDR- Technical content

Page section: intro

  • Provide link back to ESLZ BCDR guidance alongside link to WVD DR docs

Page section: Design Consideration - Host Pool Compute Strategy

  • The content here is great, however does it clash with the WVD docs DR article that is linked in the intro? Set up Windows Virtual Desktop disaster recovery plan - Azure | Microsoft Docs

Page section: Design Consideration

  • Convert this bullet point to a numbered/ordered list:
      • "The recommended options for container storage types are (in order): Azure Files Premium, Azure NetApp Files Standard, and Azure NetApp Files Premium. The recommended storage type depends on the resources and latency required by the specific workload."

Fix:

  • Provide a single source of truth for this information to avoid article drift over time
  • Update docs

Docs section: Security, Governance and Compliance - Azure Security Center (ASC)

Page section: Design Recommendations - Azure Security Center

  • Azure Security Center is mentioned however it has recently been renamed to Azure Defender for cloud. Also there is missing context as to how ESLZ assists by enforcing Azure Defender via Azure Policy on all subscriptions in scope.

Page section: Design Recommendations - Secure Score

  • Microsoft Secure Score is referenced but not Azure Security Center's version

Fix:

  • Update recommendation to reflect these points
  • Include ASC Secure Score and context as to differences

Docs: Services features updates and additions

Some services were updated since the arch/docs were created, examples:

  • Update design recommendations and architecture based on the ability of the AADDS service to create new replica sets in multiple regions
  • Replica sets concepts for Azure AD Domain Services | Microsoft Docs AADJ

Additionally based on customer asks/feedback we should include commonly used services (that are now GA) like:

  • Start VM on connect
  • Bastion
  • Image builder
  • Azure firewall (CX enforce all traffic through NVA, good to give them the AzFW option)

Fix:

  • Decide if new services/features should be added and which ones.
  • Docs updated.
  • Architecture updated.

Docs section: Security, Governance and Compliance - Diagnostics

Page section: Design Recommendations - Enable Logging

  • The reference to diagnostic logging going to Log Analytics workspaces is correct and good to see.

Fix:

  • Advise how ESLZ framework with Azure Policies can help achieve or already perform this task for the AVD deployment.
  • Update doc

Docs section: BCDR- Backup protection

Page section: Backup protection

  • Azure Backup is mentioned as a way to protect host pool VMs. However we would only suggest this for personal VMs, as pooled VMs would be rebuilt from an image as they are stateless. This is called out in the design recommendations near the bottom of the article.

Fix:

  • Update point to call this out and be prescriptive to provide guidance. It is adding costs to customers if they enable Azure Backup to backup pooled VMs when they have the profile data in FSLogix and the OS/Apps stored in an image held in a SIG. Perhaps make reference to the design recommendations in the earlier section.

Cannot trigger build for images from Azure Portal

Currently AIB has an Azure Portal bug with the 2021-10-01 API version. Any AIB template built with this API cannot be run from the Portal. We currently work around this by triggering the build via deployment script at the time of deployment, but subsequent runs will not work unless done via REST call.

In the interim I suggest we also deploy a template spec into the AVD resource group we create that can be used to trigger image builds.

Automation & DevOps - Reference implementation code (Terraform)

Should there be a complete "deploy to Azure" button experience to enable the entire landing zone? Like we have for ESLZ?

  • Sub? For supported billing models
  • VNET
  • Peering
  • NSGs
  • AVD stuff (Workspace, App Group, Host Pool)
  • Azure Files
  • Private Endpoint
  • Auto scale Logic App
  • Key Vault
  • Shared Image Gallery
  • NSG with AVD rules
  • AzFW with AVD rules
  • AADDS??

Fix:

  • Author terraform for resources deployment.

Docs section: Management & Monitoring - Content semantics

Page section: Design recommendations

  • Open statements that are not prescriptive could cause customers to become confused as to what to do.
  • Collect telemetry from the following platform services:
      • Workspaces
      • Host pools
  • Performance counters should be collected.
  • Windows Event Logs should be collected.
  • Create a dashboard from the platform logs to centralize visuals for reporting operations.

This will make it clear to customers where to go for more detail on exactly what to do

Fix:

  • Update docs

Docs section: Management & Monitoring - content

Page section: Design recommendations

  • Should the points be in the Identity and Access management section also, or a link to them in one of these pages?
      • Assign application groups to user groups to ease your administration overhead.
      • Application groups can be segregated in many ways. We recommend separating them based on which department or user type (for example, power, engineering, or general) the user is a part of.
  • This page has a mix of good prescriptive guidance & some very open suggestions. Consider adding points to be more prescriptive to align to ESLZ.

Page section: Design recommendations - Infra

  • The last bullet point here, in my opinion, is where this page should go into detail as to how to implement WVD in an ESLZ world and all our best practices for the workload on top of that. We should add context on how to achieve this point with the construction set.

Fix:

  • Move points to IAM section
  • Update docs

Portal UI Format

We need to determine the options and flow for the custom UI.

Pooled / Personal radio button
If pooled then show: load balancing option, users per pool, scaling option, etc.

Docs section: Network & Connectivity - Target information

This page has a lot of information on it that isn't specific to AVD as a "construction set" upon an ESLZ framework.

The CAF networking decision tree & common networking scenarios etc. shouldn't live in this doc and are covered in the ESLZ networking sections for what is relevant for "corp" connected workloads, which is effectively what WVD is.

This page seems more like a general CAF doc for networking which we already have covered in ESLZ and elsewhere.

This should be prescriptive around the networking considerations for WVD deployments on an ESLZ framework.

Make this doc specific to the AVD construction set networking design covering the below:

  • VNET design
      • Subnets
      • Micro segmentation
      • Peering back to hub or VWAN as per ESLZ
  • DNS configuration
      • For AD DS join
      • Private Link/Endpoint
  • NSGs
      • Including suggested rules
  • Private Endpoints
      • Creation and placement
      • DNS zones back to central ones in ESLZ
  • WVD required URLs
      • How to handle with and without Azure Firewall
  • Azure Files
      • Private Endpoint
      • SMB Multi-Channel
          • Considerations before enabling (breaks NTFS GUI & have to use icacls)
  • How to handle internet breakout
  • Connectivity back to on-prem
  • Linking back to ESLZ network docs and just providing context as to how ESLZ sits on top of ESLZ and therefore uses the hubs

Image Customizations

Currently we run a modified version of the VDI optimization script here: https://github.com/edm-ms/poc/blob/main/avd/Bicep/Parameters/script-vdi-optimize.ps1

There are other things we should do in the images. Here are a few I was thinking about:

Registry + Firewall settings for RDP Shortpath: https://docs.microsoft.com/en-us/azure/virtual-desktop/shortpath#configure-rdp-shortpath-for-managed-networks

FSLogix Settings: https://docs.microsoft.com/en-us/fslogix/profile-container-configuration-reference

Identify deployment scenarios:

  1. Self-Contained POC (AAD Join)
  2. Self-Contained POC w Hybrid Networking (AADDS or AD DS)
  3. Deployment w AZFW Premium
  4. Deployment w Third-party NVA
  5. Deployment w no FW

All self-contained POC scenarios will include the following:

  • AZFW Premium w self-generated SSL Certificate
  • AIB with AZFW certificate injected into VM image
  • Pre-built AVD firewall rules with TLS inspection and web content filtering

We also should include Template Spec definitions for deployments that link to Azure Key Vault enabling easy addition of session hosts without prompting for domain join and local admin passwords.
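Added example, not part of the issue above and not the accelerator's own customization script: an image-build step that applies the two customizations named above, RDP Shortpath for managed networks (registry values plus the inbound UDP 3390 firewall rule from the linked docs) and a baseline FSLogix profile-container configuration. The UNC share path is a placeholder (assumption).

```powershell
# Added example: run inside the Azure Image Builder customizer VM, as SYSTEM or
# a local administrator. Registry keys and values follow the Microsoft docs
# linked above; the share path is a placeholder (assumption).
$ErrorActionPreference = 'Stop'

# --- RDP Shortpath for managed networks --------------------------------------
$winStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
New-ItemProperty -Path $winStations -Name 'fUseUdpPortRedirector' -PropertyType DWORD -Value 1    -Force | Out-Null
New-ItemProperty -Path $winStations -Name 'UdpPortRedirectorPort' -PropertyType DWORD -Value 3390 -Force | Out-Null

# Inbound UDP 3390 for the Remote Desktop service only. Scoped to the Domain and
# Private profiles so a host that ever lands on a Public profile exposes nothing.
$ruleName = 'RemoteDesktop-UserMode-In-RDPShortpath-UDP'
if (-not (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name $ruleName `
        -DisplayName 'Remote Desktop - RDP Shortpath (UDP-In)' `
        -Group '@FirewallAPI.dll,-28752' `
        -Direction Inbound -Action Allow -Enabled True `
        -Profile Domain, Private `
        -Service TermService -Program '%SystemRoot%\system32\svchost.exe' `
        -Protocol UDP -LocalPort 3390 | Out-Null
}

# --- FSLogix profile containers ------------------------------------------------
$fslogix = 'HKLM:\SOFTWARE\FSLogix\Profiles'
New-Item -Path $fslogix -Force | Out-Null
$dwordSettings = @{
    Enabled                              = 1   # turn profile containers on
    DeleteLocalProfileWhenVHDShouldApply = 1   # no stale local copy left on the host
    FlipFlopProfileDirectoryName         = 1   # folder named <user>_<SID>, easier to audit
    PreventLoginWithFailure              = 1   # fail closed: no session if the VHD cannot attach
    PreventLoginWithTempProfile          = 1   # never fall back to a temp profile
}
foreach ($name in $dwordSettings.Keys) {
    New-ItemProperty -Path $fslogix -Name $name -PropertyType DWORD -Value $dwordSettings[$name] -Force | Out-Null
}
# REG_MULTI_SZ list of share paths; the Azure Files share uses identity-based
# (Kerberos) auth, so no storage key is needed on the host. Placeholder UNC.
New-ItemProperty -Path $fslogix -Name 'VHDLocations' -PropertyType MultiString `
    -Value @('\\stavdfslogix01.file.core.windows.net\profiles') -Force | Out-Null
New-ItemProperty -Path $fslogix -Name 'VolumeType' -PropertyType String -Value 'vhdx' -Force | Out-Null

# Echo the effective configuration so the AIB customizer log records it.
Get-ItemProperty -Path $winStations | Select-Object fUseUdpPortRedirector, UdpPortRedirectorPort
Get-ItemProperty -Path $fslogix     | Select-Object Enabled, VHDLocations, VolumeType, PreventLoginWithFailure
```

Whatever ends up in the image should be expressed once in a step like this and re-run on every image refresh, rather than hand-applied to hosts, so a rebuilt pooled host pool is guaranteed to carry the same settings.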

Docs section: Automation & DevOps - Shared Image Gallery content (SIG)

Page section: Design Recommendation - Integrate Windows Virtual Desktop golden image creation with DevOps

This section is more of a suggestion than prescriptive, opinionated guidance as per ESLZ approach

Fix:

  • Update section to provide prescriptive and opinionated approach to using SIGs for images and the considerations that need to be made.
  • Also name of the service needs to be updated in the document since the service was renamed to "Azure Compute Galleries".

Docs section: Security, Governance and Compliance - Endpoint protection

Page section: Design Recommendations - Endpoint Protection

  • Recommendation for endpoint protection states that "Other security needs like network protection, web content filtering, attack surface reduction, security baselines for VM hosts, and threat vulnerability management should be part of your Windows Virtual Desktop design" However in both this section and the below AVD OS Security section there is no reference to Azure Firewall or other Azure Network Security tools/practices
  • The last sentence says "See the following section for links to Azure Virtual Desktop host security best practices."

Fix:

  • Include guidance/suggestions for Azure Firewall (Standard/Premium) and NSGs, Service Tags, etc.
  • Provide link to this section for ease of use
  • Update doc
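Added example, not part of either issue above and not the accelerator's template: the kind of NSG the networking issue asks for under "NSGs: including suggested rules", built with Azure service tags so the rules survive IP changes in the AVD control plane. Resource group, location, NSG name and the Bastion subnet range are placeholders (assumptions).

```powershell
# Added example: an NSG for the session-host subnet. Outbound allows only the
# flows AVD session hosts need, by service tag; inbound RDP is allowed only from
# the Bastion subnet. Names and the Bastion range are placeholders (assumptions).
$rg            = 'rg-avd-network'
$location      = 'westeurope'
$nsgName       = 'nsg-avd-sessionhosts'
$bastionSubnet = '10.10.1.0/26'   # assumption: AzureBastionSubnet in the hub

$rules = @(
    # AVD control plane (broker, gateway, diagnostics) over TCP 443. Hosts use
    # reverse connect, so this outbound rule is all the service itself needs.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-AVD-ServiceTag-Out' -Priority 100 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
        -DestinationAddressPrefix WindowsVirtualDesktop -DestinationPortRange 443
    # Azure Monitor agent / Log Analytics ingestion.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-AzureMonitor-Out' -Priority 110 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
        -DestinationAddressPrefix AzureMonitor -DestinationPortRange 443
    # Azure AD sign-in / device registration endpoints.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-AAD-Out' -Priority 120 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
        -DestinationAddressPrefix AzureActiveDirectory -DestinationPortRange 443
    # Instance Metadata Service: managed identity tokens and host metadata.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-IMDS-Out' -Priority 130 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
        -DestinationAddressPrefix 169.254.169.254 -DestinationPortRange 80
    # FSLogix profile share reached over its private endpoint inside the VNet.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-SMB-Profiles-Out' -Priority 140 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
        -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 445
    # Admin RDP only from Bastion; everything else on 3389 (including other
    # VNet subnets, which the default AllowVnetInBound would admit) is denied.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Bastion-In' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $bastionSubnet -SourcePortRange '*' `
        -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389
    New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-In' -Priority 110 `
        -Direction Inbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name $nsgName -SecurityRules $rules
$nsg.SecurityRules | Sort-Object Direction, Priority |
    Format-Table Name, Direction, Priority, Access, DestinationAddressPrefix, DestinationPortRange
```

One caveat that belongs next to any NSG guidance: NSG rules are evaluated against the packet's real destination before the route table is consulted, so an outbound "deny Internet" rule on this NSG would also drop the traffic you intend to send through Azure Firewall in the hub. Internet egress filtering (Windows Update, KMS activation, web content) is the firewall's job, reached via a UDR, while the NSG stays limited to the allow rules above plus the platform defaults.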

Docs: Landing zone subscription naming and design

Page section: Architecture

Why "Collaboration Team" naming for AVD subscription?

Could this lead to potential RACI confusion for customers on the operational side of things?

Collaboration to me, means Teams/M365 etc. not Image Management for AVD etc.

Fix:

  • Update with a subscription name that gives clearer alignment and demarcation.

Docs section: BCDR - SLAs

Page section: Design Consideration - Host Pool Compute Strategy

  • For the VM resiliency points AV Sets & AZs are mentioned but not the single instance SLAs for Standard HDD/SSD & Premium SSD. This is called out in the design recommendations near the bottom of the article

Fix:

  • Add details on SLA for single instance VM depending on which disk storage option is chosen
  • Perhaps make reference to the design recommendations in the earlier section.

Docs section: BCDR- Backup protection

Page section: Design Consideration - Host Pool Compute Strategy

  • In the active-active suggestion FSLogix Cloud Cache is used. However there is no reference to ensuring that there is enough local disk space and the performance tier of the local disk caching these profiles.

Fix:

  • Include detail around disk storage size and performance requirements when using FSLogix Cloud Cache

Docs section: Management & Monitoring - Diagnostic settings

No mention of diagnostic logs, configured by Azure Policy, going to the ESLZ central Log Analytics Workspace (not 1 per region)

Fix:

  • Update docs to state that diagnostic settings for all AVD resources should still be configured, preferably via a DeployIfNotExists Azure Policy assigned to a higher scope Management Group (AVD landing zone MG), alongside the performance and more detailed AVD monitoring.

Docs section: Automation & DevOps - Storage account access (public endpoint)

Page section: Design Recommendations - Creation of AVD Images

  • This section details using an Azure Storage Account with Storage Account Keys.
  • The ESLZ reference implementations will put in place a policy to "Prevent usage of Public Endpoints for PaaS services in the corp connected landing zones", which this workload would meet.

Fix:

  • Update the recommendation on this page to accommodate the default ESLZ policy applications to ensure compliance with ESLZ. E.g. Private Link
  • Also, if use of a Storage Account Key can be avoided and changed to Managed Identities etc., then this should also be changed.

Docs section: Automation & DevOps - Application delivery

Page section: Design Recommendations - App Installs in AVD Images

  • App-V is mentioned here, however MSIX AA is the direction of travel for app delivery.
  • Also, reference to 3rd parties is outside of ESLZ design principles.

Fix:

  • Add or change guidance for App-V to MSIX AA to align with roadmap etc.
  • Remove references to 3rd parties.

AVD Monitoring

We need to deploy the monitoring workbook: https://docs.microsoft.com/en-us/azure/virtual-desktop/azure-monitor as part of the base deployment.

We can create diagnostic settings in our build, and keep the name: setByPolicy to match ESLZ.

We can prompt to create a new workspace, use an existing, or have it set by policy.

Re: the monitoring workbook we should see if we can get access to the template so that we can deploy it.

Create Azure Files for FSLogix Profile Containers

As part of the main landing zone deployment we should prompt for creation of a storage account to support profile containers.

We should also prompt to integrate Azure Backup for the files if the option above is selected.

Private Link + Private DNS needs to be integrated as well.

  • New/Existing Private DNS Zone
  • New/Existing VNet to link zone
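Added example, not part of the issue above and not the accelerator's template: the Private Link and Private DNS integration the issue asks for, against an existing storage account and VNet, with the new-or-existing zone and VNet-link choices handled in code, and the public endpoint closed afterwards so the ESLZ public-PaaS-endpoint policy is satisfied. Resource names, region and subnet are placeholders (assumptions); in an ESLZ the zone would normally be the central one in the connectivity subscription, in which case its ResourceId replaces the lookup here.

```powershell
# Added example: private endpoint + private DNS for the FSLogix storage account.
# Names are placeholders (assumptions). Requires Az.Storage recent enough to
# expose -PublicNetworkAccess on Set-AzStorageAccount.
$rg         = 'rg-avd-storage'
$location   = 'westeurope'
$saName     = 'stavdfslogix01'
$vnetName   = 'vnet-avd'
$subnetName = 'snet-privateendpoints'
$zoneName   = 'privatelink.file.core.windows.net'

$sa     = Get-AzStorageAccount  -ResourceGroupName $rg -Name $saName
$vnet   = Get-AzVirtualNetwork  -ResourceGroupName $rg -Name $vnetName
$subnet = $vnet.Subnets | Where-Object Name -eq $subnetName

# 1. Private endpoint for the SMB ('file') sub-resource of the account.
$conn = New-AzPrivateLinkServiceConnection -Name "$saName-file" -PrivateLinkServiceId $sa.Id -GroupId 'file'
$pe   = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$saName-file" -Location $location `
            -Subnet $subnet -PrivateLinkServiceConnection $conn

# 2. Private DNS zone: reuse if present, otherwise create; then make sure the
#    VNet the session hosts resolve from is linked to it.
$zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) { $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName }
$linkName = "link-$vnetName"
if (-not (Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName -Name $linkName -ErrorAction SilentlyContinue)) {
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName -Name $linkName -VirtualNetworkId $vnet.Id | Out-Null
}

# 3. DNS zone group: Azure keeps the A record for the endpoint's private IP in
#    sync, so nobody has to hand-edit records when the endpoint is recreated.
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'privatelink-file-core-windows-net' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# 4. Close the public endpoint. From now on SMB to this account only works over
#    the private IP, which is the behaviour the ESLZ policy expects.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -PublicNetworkAccess Disabled | Out-Null

# Verification data: the public FQDN must resolve to this private IP on the hosts
# (Resolve-DnsName "$saName.file.core.windows.net" from a session host).
$privateIp = (Get-AzPrivateEndpoint -ResourceGroupName $rg -Name $pe.Name).NetworkInterfaces |
    ForEach-Object { (Get-AzNetworkInterface -ResourceId $_.Id).IpConfigurations.PrivateIpAddress }
"$saName.file.core.windows.net -> $privateIp"
```

The order matters: if the public endpoint were disabled before the DNS zone and link existed, session hosts would still resolve the account to its public IP and every profile mount would fail until the records caught up.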

Docs: Update service names

Update in the docs the name of all the services that have been renamed, examples:

  • ELZ to ALZ
  • SIG to Azure Compute Galleries
  • WVD to AVD

Docs section: Security, Governance and Compliance - Patch management

Page section: Design Recommendations - Patch Management

  • Patch management is called out as important, but the only reference to tooling is MECM.

Fix:

  • Include guidance for differences in approaches between pooled and personal host pools and suggested tooling.
  • Also include other approaches like image management refreshes and host pool redeployment for pooled host pools etc.
  • Update doc

Better explanations for RDP options.

As I am working through the different options for RDP settings on the host pool it's clear we have an opportunity to better explain the options.

For example:

"Encoded video quality"

The options are:

Enable encoding of redirected video.
Disable encoding of redirected video.

What does this actually mean?

What is the impact on the client and host from a CPU/performance perspective?
What does this do to video playback performance?

Do we have a recommendation here based on the type of expected workload running on the session host?

Do we have general recommendations for multiple settings based on the workload? (GPU user, graphics design, developer, etc.)

Docs section: Automation & DevOps - update diagrams & bullets

  • This page could benefit from some simple diagrams to add context to the narrative in several places.
  • This page does not follow the standard approach of bullet points for design considerations and recommendations. Whilst it has excellent content, it is very long and this can make it difficult to consume.

Fix:

  • Add some diagrams to support the narrative
  • Convert page to the concise bullet point page structure approach

Docs section: BCDR - Shared Image Gallery (SIG)

Page section: Design Recommendations

  • When mentioning ASR for pooled host pools, also make reference to using SIG and replicate to multiple regions as a normal approach to this instead of ASR

Fix:

  • Update docs
  • Also name of the service needs to be updated from SIG to Azure Compute Galleries

Docs section: Management & Monitoring - logs query/workbooks

Page section: Design recommendations

Should we add a note to make customers aware this data is only available to query and not visible as part of the data shown in workbooks etc.?

Also add references and recommendations to leverage AVD workbook and insights.

Fix:

  • Update Docs
