Welcome to the Baseline Deployment Guide for Azure Virtual Desktop! This guide will help you deploy the Baseline solution by providing deployment instructions and prerequisites.
Prior to deploying the Baseline solution, you need to ensure you have met the following prerequisites:
- Deploy an ALZ architecture (recommended but not mandatory) from a template reference implementation available at Deploying Enterprise-Scale Architecture in your own environment.
- Configure Azure AD Connect and ensure users are synchronized from AD DS to Azure AD, unless session hosts are joining Azure AD and FSLogix is not in use.
- Access to the Azure Virtual Desktop Azure subscription with owner permissions.
- The following resource provider must be registered in the subscription to be used for deployment:
- Microsoft.DesktopVirtualization
- Microsoft.Compute (When deploying Zero Trust mathe feature EncryptionAtHost will need to be registered)
- Microsoft.Network
- Microsoft.Storage
- The account used for the deployment and the Active Directory Domain Join account cannot have multi-factor authentication (MFA) enabled.
- The Domain Controllers used for AD join purposes should be standard writable Domain Controllers, not Read Only Domain Controllers (when using AD DS or AAD DS).
- Ensure you have the appropriate licenses for proper Azure Virtual Desktop entitlement.
- If the new Azure Virtual Desktop workload will be connected (peered) with a Hub VNet, contributor permissions are required on the referenced Hub VNet.
- Virtual network subnet used for Azure Virtual Desktop session host deployment, needs to access the following:
- list of URLs session host VMs need to access for Azure Virtual Desktop (During and after deployment).
- List of URLs required during deployment:
- https://raw.githubusercontent.com/Azure/avdaccelerator/main/workload/scripts/Set-FSLogixRegKeys.ps1
- https://raw.githubusercontent.com/Azure/avdaccelerator/main/workload/scripts/Set-FSLogixRegKeysAAD.ps1
- https://raw.githubusercontent.com/Azure/avdaccelerator/main/workload/scripts/Manual-DSC-Storage-Scripts.ps1
- https://github.com/Azure/avdaccelerator/raw/main/workload/scripts/DSCStorageScripts.zip
- https://wvdportalstorageblob.blob.core.windows.net/galleryartifacts/Configuration_09-08-2022.zip
- If using existing Virtual Networks, disable deny private endpoint network policies. The deployment will fail if deny private endpoint network policies are enabled. See the following article on disabling them: Disable private endpoint network policy.
- Set up private DNS zones for Azure Files and Key Vault private endpoints name resolution. Link the private DNS zones to the Azure Virtual Desktop vNet when NOT using custom DNS servers or to the vNet where the custom DNS servers are located if configured on the Azure Virtual Desktop vNet.
- Azure Commercial: privatelink.file.core.windows.net (Azure Files) and privatelink.vaultcore.azure.net (Key Vault).
- Azure Government: privatelink.file.core.usgovcloudapi.net (Azure Files) and privatelink.vaultcore.usgovcloudapi.net (Key Vault).
- If implementing Zero Trust, ensure the prerequisites for encryption at host have been implemented: Prerequisites.
- If enabling Start VM on Connect or Scaling Plans features, it is required to provide the ObjectID for the enterprise application Azure Virtual Desktop (Name can also be displayed as 'Windows Virtual Desktops'). To get the ObjectID got to Azure AD > Enterprise applications, remove all filters and search for 'Virtual Desktops' and copy the ObjectID that is paired with the Application ID: 9cdead84-a844-4324-93f2-b2e6bb768d07.
- Account used for portal UI deployment, needs to be able to query Azure AD tenant and get the ObjectID of the Azure Virtual Desktop enterprise app, query will be executed by the automation using the user context.
This section covers the high-level steps for planning an Azure Virtual Desktop deployment and the decisions that need to be made. The deployment will use the Microsoft provided Bicep/PowerShell/Azure CLI templates from this repository and the customer provided configuration files that contain the system specific information.
This Azure Virtual Desktop accelerator supports deployment into greenfield scenarios (no Azure Virtual Desktop Azure infrastructure components exist) or brownfield scenarios (some Azure Virtual Desktop Azure infrastructure components exist).
In the Greenfield scenario, there are no existing Azure infrastructure components for Azure Virtual Desktop deployment. The automation framework will create an Azure Virtual Desktop workload in the desired Azure region, create a new VNet or reuse an existing VNet, and configure basic connectivity.
It is important to consider the life cycle of each of these components. If you want to deploy these items individually or via separate executions, then please see the Brownfield Deployment section.
The Azure Virtual Desktop Green Field template provides a complete Azure Virtual Desktop landing zone reference implementation within a single template.
In the Brownfield scenario, the automation framework will deploy the solution using existing Azure VNet, allowing you to create a new Azure Virtual Desktop workload and utilize and integrate existing Azure resources.
The templates and scripts need to be executed from an execution environment, the currently available options are:
| Deployment Type | Link |
|---|---|
| Azure portal UI | |
| Command line (Bicep/ARM) |  |
| Terraform |  |
The Azure Virtual Desktop - Baseline deploys Azure Virtual Desktop workload resources and necessary resources to allow for feature add-ins (like connectivity and monitoring) as per operational best practices.
It is preferable to have a new subscriptions for each deployment respectively, adhering to the Azure Landing Zone guidance. However, they can also be deployed to existing subscriptions and single subscription if required, see Resource Organization for further information.
This diagram is an example of the Azure resources and organization created with this reference implementation. The following input values were used in this example:
- Azure Virtual Desktop - Baseline deployment:
avdWorkloadSubsId: ID for Subscription name: Subscription Azure Virtual Desktop LZdeploymentPrefix: app1avdManagementPlaneLocation: East US 2avdSessionHostLocation: East US 2avdUseCustomNaming: falseUnique string: a1b2c3 (6 characters string calculated by the deployment)
For baseline deployment cost estimate, see here.
The accelerator has built-in resource naming automation based on Microsoft Cloud Adoption Framework (CAF) best practices for naming convention, the recommended abbreviations for Azure resource types and suggested tags.
To learn more about the resource naming used in this accelerator take a look at the Naming Standard and Tagging page.
Continue with:
- Azure Virtual Desktop LZA - Baseline - Deployment if you are ready to deploy an Azure Virtual Desktop workload from the market place, an updated and optimized image previously created by the custom image deployment, or the the Azure market place or from an Azure Compute Gallery.