Staffordshire County Council Windows Virtual Desktop Delivery

Windows Virtual Desktop (WVD) is a hot topic right now for many companies and can serve as an excellent replacement for on-premise Remote Desktop Services (RDS) and Citrix implementations.


WVD promises to bring the benefits of cloud delivered underpinning infrastructures such as Active Directory, session hosts, networking, Windows EndPoint Protection, Office 365 & Azure MFA to the masses for a comprehensive and secure end user compute solution.


A4S were chosen for an ECIF funded delivery of WVD for Staffordshire County Council to help them understand if it could replace their existing on-premise Citrix farm and its disaster recovery session hosts.


A4S have delivered various projects for our client Staffordshire County Council including:

The team at A4S Cloud Solutions was excited to deliver the WVD solution, particularly as the product currently changes frequently and lessons would be learned as we worked through the nuances of WVD delivery.


The Need


SCC are interested in replacing their existing on-premise virtual desktop environment, which, when combined with its disaster recovery solution, takes significant hypervisor capacity.


As important as WVD itself was answering the following questions:

  • Could the client's applications, with their various integration and security nuances, function as MSIX packages? This approach is the direct replacement for Microsoft App-V; for more information read this link.

  • Can Microsoft Defender for Endpoint, with reporting from Azure Log Analytics and Azure Sentinel, replace their existing anti-virus solution?

  • Could roaming profiles managed by Microsoft FSLogix be easily migrated from the existing on-premise environment into WVD?

  • Can Azure MFA be used to protect user logons to WVD as a replacement for the existing MFA solution?

The solution would be delivered using automation for repeatability, and it was essential that the client's IT teams were fully involved in the project at all times.


All delivery would be undertaken using our online project delivery environment.


A full review of the solution would be undertaken as well as a small user pilot to confirm suitability for a larger deployment.


Discovery


A4S worked closely with the SCC end user compute focused IT team to perform a detailed review of the necessary infrastructure, including:

  • Hypervisor

  • Roaming persona

  • Folder redirection

  • Licensing

  • Application delivery

  • Anti-virus & web proxy

  • OneDrive

Findings were documented and carefully reviewed with the client's IT teams. Particular attention was paid to ensuring that persona migration was simple and effective, and that the correct WVD and MSIX App-Attach approach was taken to support legacy applications.


Design


Following an in-depth review of the discovered environment, a detailed design document was produced, first at a high level to confirm the overall approach, then updated to include build-level information.


The design would be based on the Microsoft WVD reference architecture shown below.

The key designed capabilities of the environment include:

  • A full desktop virtualisation environment in Azure without having to run any of the additional gateway or web server roles.

  • Multiple host pools to accommodate any number of diverse workloads.

  • The ability to create your own image for production workloads, or to test with an image from the Azure Gallery.

  • Reduced costs with pooled Windows 10 Enterprise multi-session hosts, allowing multiple users per VM.

  • The ability to provide individual ownership through personal (persistent) desktops if required.

  • Publish full desktop or individual remote apps from a single host pool, create individual app groups for different sets of users, or even assign users to multiple app groups to reduce the number of images.

  • Management facilitated with the use of built-in delegated access to assign roles and collect diagnostics.

  • Use the new Diagnostics service to troubleshoot errors.

Once agreement on the high-level design approach was established, the finer design details were defined and agreed. Some of the main design elements are detailed below:

  • Role Based Access Control (RBAC), with the minimum necessary privileges assigned to each line of support, from third-line administration through to service desk teams; these assignments could later be managed through Azure PIM.

  • Virtual networking: the advantages of WVD include the more secure access method called Reverse Connect, which eliminates the need for the traditional RDS Gateway and Web roles (session hosts make outbound connections to the WVD service, so no inbound ports need to be exposed).

  • The approach to host pools: in this case shared session hosts were chosen from an application compatibility and cost perspective, and the preferred load balancing option was also defined.

  • The specific Active Directory location was defined, with the attached group policies.

  • Persona management was designed to build on the client's existing FSLogix solution, using an Azure-hosted, AD-integrated SMB share; file replication between the on-premise and Azure SMB shares would eventually be configured to support a wider user migration with no loss of persona.

A4S produced detailed design documents for the in-scope solution; at all times a cloud-first approach was taken, in line with the client's ambitious cloud planning.


Our designs take into account the scalability and resilience needed; we also factor in security and recommend the Microsoft Azure security technologies that best fit the client's needs.


Application Delivery


The client wishes to review the use of MSIX App-Attach application delivery; the current approach to application delivery would be greatly improved through the use of MSIX in terms of consistency, deployment scope and service desk impact.


MSIX functions both on-premise and in your Azure WVD environment. It uses a layering approach to ensure application OS integration remains intact; there are some similarities to the VMware App Volumes approach.

Predictably there have been many customer groans as Microsoft have dropped their popular App-V deployment technology in favour of MSIX. However, an App-V to MSIX native conversion tool has recently been made available; for more information on this huge time and cost saver, which allows clients to retain their sometimes significant App-V investment, click here.


Anti-Virus and Web Proxy


The client is interested in replacing its existing anti-virus and internet proxy solution with the recently renamed Microsoft Defender for Endpoint solution. The design incorporated both the anti-virus and web proxy elements, which would potentially support the client's decision to move further toward cloud-first technologies.


The added advantage of using these solutions is the ability to integrate monitoring and alerting with Azure Log Analytics and Sentinel; combined, these cloud-based solutions provide an incredible level of in-depth reporting.


Some example visualisations and screens provided by the combination of Sentinel and Log Analytics are shown below, illustrating the power and detail that can be achieved in a very short time frame:

Fully Automated Deployment


Wherever possible, A4S utilise fully automated deployments through technologies such as Azure Resource Manager (ARM) templates.


The Microsoft YouTube channel includes useful ARM template videos for your review:


ARM templates can be used to deliver multiple solutions at scale, with assurance that every configuration is consistent and not prone to human error during the actual deployment process; because they are declarative, the template itself also becomes a reviewable, version-controlled record of what was deployed.
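As an added example that is not part of A4S's delivery or of the page's own templates, the ARM template below shows how three of the design elements described earlier can be captured in one declarative, repeatable deployment: a pooled host pool with breadth-first load balancing, a least-privilege RBAC assignment for the service desk scoped to that host pool only (not to the subscription), and host pool diagnostics sent to the Log Analytics workspace that feeds Sentinel. All resource names are placeholders. The service desk group object ID, the Log Analytics workspace resource ID and the role definition GUID are supplied as parameters rather than hard-coded; the role GUID should be looked up with `Get-AzRoleDefinition` in the target tenant, and the registration token expiry must be a future timestamp.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "hostPoolName": { "type": "string", "defaultValue": "hp-pooled-example" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "maxSessionLimit": { "type": "int", "defaultValue": 10 },
    "registrationTokenExpiry": {
      "type": "string",
      "metadata": { "description": "Placeholder: ISO 8601 timestamp in the future, e.g. 2030-01-01T00:00:00Z" }
    },
    "serviceDeskGroupObjectId": {
      "type": "string",
      "metadata": { "description": "Placeholder: object ID of the AAD group containing service desk staff" }
    },
    "serviceDeskRoleDefinitionId": {
      "type": "string",
      "metadata": { "description": "Placeholder: GUID of the built-in 'Desktop Virtualization User Session Operator' role, obtained from Get-AzRoleDefinition" }
    },
    "logAnalyticsWorkspaceId": {
      "type": "string",
      "metadata": { "description": "Placeholder: resource ID of the Log Analytics workspace connected to Sentinel" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.DesktopVirtualization/hostPools",
      "apiVersion": "2021-07-12",
      "name": "[parameters('hostPoolName')]",
      "location": "[parameters('location')]",
      "properties": {
        "friendlyName": "Pooled production desktops",
        "hostPoolType": "Pooled",
        "loadBalancerType": "BreadthFirst",
        "preferredAppGroupType": "Desktop",
        "maxSessionLimit": "[parameters('maxSessionLimit')]",
        "validationEnvironment": false,
        "registrationInfo": {
          "expirationTime": "[parameters('registrationTokenExpiry')]",
          "registrationTokenOperation": "Update"
        }
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "scope": "[format('Microsoft.DesktopVirtualization/hostPools/{0}', parameters('hostPoolName'))]",
      "name": "[guid(resourceGroup().id, parameters('hostPoolName'), parameters('serviceDeskGroupObjectId'), parameters('serviceDeskRoleDefinitionId'))]",
      "dependsOn": [
        "[resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('hostPoolName'))]"
      ],
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('serviceDeskRoleDefinitionId'))]",
        "principalId": "[parameters('serviceDeskGroupObjectId')]",
        "principalType": "Group"
      }
    },
    {
      "type": "Microsoft.Insights/diagnosticSettings",
      "apiVersion": "2021-05-01-preview",
      "scope": "[format('Microsoft.DesktopVirtualization/hostPools/{0}', parameters('hostPoolName'))]",
      "name": "hostpool-to-loganalytics",
      "dependsOn": [
        "[resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('hostPoolName'))]"
      ],
      "properties": {
        "workspaceId": "[parameters('logAnalyticsWorkspaceId')]",
        "logs": [
          { "category": "Checkpoint", "enabled": true },
          { "category": "Error", "enabled": true },
          { "category": "Management", "enabled": true },
          { "category": "Connection", "enabled": true },
          { "category": "HostRegistration", "enabled": true },
          { "category": "AgentHealthStatus", "enabled": true }
        ]
      }
    }
  ],
  "outputs": {
    "hostPoolResourceId": {
      "type": "string",
      "value": "[resourceId('Microsoft.DesktopVirtualization/hostPools', parameters('hostPoolName'))]"
    }
  }
}
```

Validate with `Test-AzResourceGroupDeployment` before running `New-AzResourceGroupDeployment -ResourceGroupName <rg> -TemplateFile hostpool.json` with the parameters supplied at deploy time. The `scope` on the role assignment is the least-privilege point: the service desk group gets session-operator rights on this one host pool and nothing else, and the same template can be re-run for another host pool with a different group, which is exactly the repeatability the ARM approach is meant to provide. Deploying a role assignment requires the deploying identity to hold Owner or User Access Administrator on the scope.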


Team Knowledge Building & Empowerment


Throughout the project, the need to involve the client's IT teams was central to our design and deployment approach.


Effective skills and knowledge transition helps to ensure the long-term success of the client's cloud journey. A4S is committed to working closely with our clients, and we utilise a number of methods to ensure our clients receive the knowledge and skills they need to succeed, including:

  • Constant online sharing of assets as they're being produced; we take an iterative approach with frequent consultation rather than making stakeholders wait for the final product.

  • Routine iterative reviews of design documents.