Search

Staffordshire County Council Windows Virtual Desktop Delivery

Windows Virtual Desktop (WVD) is a hot topic right now for many companies and can serve as an excellent replacement for on-premise Remote Desktop Services (RDS) and Citrix implementations.


WVD promises to bring the benefits of cloud delivered underpinning infrastructures such as Active Directory, session hosts, networking, Windows EndPoint Protection, Office 365 & Azure MFA to the masses for a comprehensive and secure end user compute solution.


A4S were chosen for an ECIF funded delivery of WVD for Staffordshire County Council to

help them understand if it could replace their existing on-premise Citrix farm and its disaster recovery session hosts.


A4S have delivered various projects for our client Staffordshire County Council including:

The team at A4S Cloud Solutions was excited to deliver the WVD solution particularly as the product current changes frequently and lessons would be learned as we worked through the nuances of WVD delivery.


The Need


SCC are interested in replacing their existing on-premise virtual desktop environment that when combined with it's disaster recovery solutions takes significant hypervisor capacity.


As important as WVD itself, it was important the following questions were answered:

  • Could the clients applications with various nuances around integration and security function as MSIX packages. This approach is the direct replacement for Microsoft App-V, for more information read this link.

  • Can Microsoft Defender for Endpoint with reporting coming from Azure Log Analytics and Azure Sentinel replace their existing anti-virus solution?

  • Could roaming profiles managed by Microsoft FSLogix be easily migrated from the existing on-premise environment into WVD?

  • Can Azure MFA be used to protect user logons to WVD as a replacement for the existing MFA solution.

The solution would be delivered using automation for repeatability, it was essential the client's IT teams were fully involved in the project at all times.


All delivery would be undertaken using our online project delivery environment.


A full review of the solution would be undertaken as well as a small user pilot to confirm suitability for a larger deployment.


Discovery


A4S worked closely with the SCC end user compute focused IT team to perform a detailed review of the necessary infrastructure including:

  • Hypervisor

  • Roaming persona

  • Folder redirection

  • Licensing

  • Application delivery

  • Anti-virus & web proxy

  • OneDrive

Findings were documented and carefully reviewed with the client's IT teams, particular attention was paid to ensuring persona migration was simple and effective, and that the correct WVD and MSIX App-Attach approach was taken to support legacy applications.


Design


Following an in depth review of the discovered environment; a detailed design document was produced firstly at a high level to confirm the overall approach, then was later updated to include build level information.


The design would be based on a Microsoft WVD reference architecture as per below.

The key designed capabilities of the environment include:

  • A full desktop virtualisation environment in Azure without having to run any of the additional gateway or web servers roles.

  • Multiple host pools to accommodate any number of diverse workloads.

  • The ability to create your own image for production workloads or test from the Azure Gallery.

  • Reduce costs with pooled Windows 10 Enterprise multi-session hosts to allow multiple users per VM.

  • The ability to provide individual ownership through personal (persistent) desktops if required.

  • Publish full desktop or individual remote apps from a single host pool, create individual app groups for different sets of users, or even assign users to multiple app groups to reduce the number of images.

  • Management facilitated with the use of built-in delegated access to assign roles and collect diagnostics.

  • Use the new Diagnostics service to troubleshoot errors.

Once an agreement on the high level design approach was established, the finer design details were defined and agreed, some of the main design elements are detailed below:

  • Role Based Access Control (RBAC), with the necessary minimum privileges assigned to the different lines of support such as third line administration through to service desk teams, these would later be potentially managed through Azure PIM.

  • Virtual Networking, the advantages of WVD include the more secure method of access called Reverse Connect which eliminates the need for the traditional RDS Gateway and Web roles.

  • The approach to host pools, in this case the use of shared session hosts was chosen from an application compatibility and cost perspective, the preferred load balancing option was also defined.

  • The specific Active Directory location was defined with attached group policies.

  • Persona management was designed to build on the clients already in place FSLogix solution, this would utilise an Azure hosted and AD integrated SMB share, eventually file replication between on-premise and Azure SMB shared would be configured to support a wider user migration with no loss of persona.

A4S produced detailed design documents for the in-scope solution, at all times a cloud-first approach was taken inline with the clients ambitious cloud planning.


Our designs take into account the scalability and resilience needed, we also factor in security and will recommend various Microsoft Azure security technologies as best fit for the client need.


Application Delivery


The client wishes to review the use of MSIX App-Attach application delivery, the current approach to application delivery would be greatly improved through the use of MSIX in terms of consistency, deployment scope and service desk impact.


MSIX functions both on-premise and in your Azure VWD environments, it uses a layering approach to ensure application OS integration remains, there are some similarities to the VMWare approach of App Volumes.

Predictably there have been many customer groans as Microsoft have dropped their popular App-V deployment technology in favour of MSIX, however recently an App-V to MSIX native conversion tool has been made available, for more information on this huge time and cost saver that allows clients to retain their sometimes significant App-V investment click here.


Anti-Virus and Web Proxy


The client is interested in replacing it's existing anti-virus and internet proxy solution with the recently renamed Microsoft Defender for EndPoint solution, the design incorporated both the anti-virus and web proxy elements, this would potentially support the clients decision to move further toward cloud first technologies.


The added advantage of using these solutions is the ability to integrate monitoring and alerting with Azure Log Analytics and Sentinel, when combined these cloud based solutions provide an incredible level of in depth reporting.


Some example visualisations and screens provided by the combination of Sentinel and Log Analytics are shown below illustrating possible power and detail that can be achieved in a very short time frame:

Fully Automated Deployment


A4S where possible always utilise fully automated deployments through technologies such as Azure Resource Manager (ARM) templates.


The Microsoft YouTube channel includes useful ARM template videos for your review:


ARM templates can be used to deliver multiple solutions at scale with assurance that every configuration is consistent and not prone to human error during the actual deployment process.


Team Knowledge Building & Empowerment


Throughout the project the need to involve the clients IT teams was central to our design and deployment approach.


Effective skills and knowledge transition helps to ensure the long term success of the clients cloud journey, A4S is committed to working closely with our clients and we utilise a number of methods to ensure our clients receive the knowledge and skills they need to succeed including:

  • Constant online sharing of assets as they're being produced, we take an iterative approach with frequent consultation rather than making stakeholder wait for the final product.

  • Routine iterative reviews of design documents.

  • A high volume of online conversation using our online project management portal.

  • Routine operational processes created that integrate with existing infrastructure solutions where appropriate.

  • Delivery activities undertaken with stakeholders attending shared Microsoft Teams meetings.


Positive Use Of The A4S Online Project Management Tool


All of our projects are carried out with real time access to all aspects of the project, at any time a stakeholder can see:

  • Task progress.

  • Risks and Issues.

  • Decisions.

  • Meeting Minutes.

  • Budget position.

  • Schedule and actions.

On this project in particular stakeholders of all levels engaged in a timely manner and with productive and helpful contribution. By keeping communications all in one place we ensure actions, issues and much more are never missed.


Lessons Learned


Despite being at a pre-pilot stage, already important lessons have been learned, for exiting clients our lessons learned log is here, for those who are yet to enjoy the experience of working with A4S we have shown them at a high level below:

  • FSlogix easy persona migrations from on-premise to Azure WVD are possible.

  • MSIX provisioned legacy applications can function as normal due to the high level of OS integration when compared to Microsoft App-V.

  • WVD Windows 10 shared sessions cost can be very low compared to a linked-clones approach.

  • MFA prompts occur at a minimum of 1 hour intervals, this can be a security concern for some clients depending on their security needs, at the time of writing; per connection MFA prompts are in the pipeline but with no engineering date.

Conclusion


With the delivery phase of the Windows Virtual Desktop environment completed, it's clear that the Microsoft cloud hosted solution is always changing and improving, the process of deploying WVD is far from a simply next, next, next activity with various pre-requisite tasks and detailed changes to the client's environment needed.


Even at a pre-pilot stage we can see very positive signs around ease of migration from existing on-premise solutions to WVD in areas such as persona migration and application OS integration.


We look forward to continuing the project into the pilot stage with our forward thinking client!


The SCC Technical Design and Architecture Manager Pam Rowley has been particularly supportive for this WVD delivery and is keen to see the potential of benefits of a cloud based virtual desktop delivery demonstrated, once piloted; SCC can decide if WVD can replace their existing on-premise virtual desktop environment to being operational savings and performance improvements.

The experience of working with A4S always had knowledge sharing, positivity and transparency at its core, once again our teams have enjoyed the process of learning more about cloud based delivery.
We need to fully understand if Azure Windows Virtual Desktop can replace our existing on-premise solution so that can potentially be decommissioned saving space and cost.
Potentially as important as WVD is the potential to replace our existing anti-virus and application delivery approaches with Microsoft EndPoint Protection and MSIX App-Attach.
Microsoft EndPoint Protection is exciting as it could consolidate our architecture more into cloud delivery with very detailed reporting and analysis.
MSIX App-Attach could transform our application delivery across all Windows devices with significant cost savings and operational improvements.
We look forward to the next stage of the project which is to perform a user pilot to confirm the use case and architecture benefits of WVD and its associated technologies.

Pam Rowley, SCC Technical Design and Architecture Manager


A4S Jason Birchall A4S Managing Director confirmed the A4S team greatly enjoyed working with SCC on this WVD delivery....


We immediately understood SCCs need to progress this delivery at speed and with minimum impact to their already busy IT teams.
During the project kick off meeting we quickly discussed understood the potential fit and benefit of WVD which also includes the operational benefits of MSIX App-Attach and Microsoft Protection for EndPoint which would be integrated into Azure Log Analytics.
Working with the SCC IT team is a great opportunity for A4S, and working with a client who is focused on understanding a solution like WVD in detail is a great help.
SCC made highly skilled team members available during this project, they've been engaging throughout the project and were always quick engage, make decisions and to respond with any urgently needed information.
A4S would once again like to again thank the SCC IT teams for the opportunity to be part of this project and we look forward to further opportunities to work together in the future.

Many Thanks


The A4S Team


If you would like to learn more about this project or would like to find out more about A4S Cloud Solutions and our approaches to cloud application migrations then you can get in touch via email or Teams on jason.birchall@a4scloud.solutions, ring me on 07415 897953 or check out this link: Work With The Experts!