A Step-by-Step Guide to Deploying Windows Virtual Desktop in Azure (Preview)

Windows Virtual Desktop (WVD) was finally released to public preview yesterday! For those of you that have been living under a rock (or spending time with your friends and families), WVD is Microsoft’s new Desktop-as-a-Service offering to provide Windows 10 virtual desktop infrastructure (VDI) in the Azure cloud for Windows 10 E3 / E5 subscribers. (and a few more SKUs too…)

Requirements for running Windows Virtual Desktop in Azure

Here are a few prerequisites that you’ll need already configured in your lab:

  • An Azure CSP Subscription from Infused Innovations (or any Azure Subscription will work too)

  • An empty resource group

    • I’d recommend creating it in the East US 2 or Central US data centers for the best performance, as WVD compute clusters are only available in these regions during preview

  • An Azure Virtual Network that has access to your Active Directory (Boo-hiss! Azure AD Join only is not supported yet. Your instance needs to be domain joined or Hybrid Azure AD Joined.)

  • One of the following licenses:

    • Windows 10 E3 / E5

    • Windows 10 A3 / A5 (Education Licenses)

    • Microsoft 365 Business or F1 (WHAT?!)

    • Microsoft 365 E3 / E5

      • Licensing requirements appear to state that these are the only SKUs that will allow you to access WVD from a non-Windows 10 Professional device

      • Luckily, you’re running Microsoft 365 E3 with Identity Threat Protection in a Zero Trust environment, right? RIGHT?!

Deploy Windows Virtual Desktop in Azure

Now for the fun part!

Consent to using Windows Virtual Desktop

  1. Go to https://rdweb.wvd.microsoft.com/ and consent for both the Server App and the Client App:

[Image: Consent Page]

    a. You’re doing this in a lab, so there’s no need to get approval from legal.

    b. To look up your AAD Tenant GUID, copy the Directory ID from this page: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties


Configure Enterprise Application Administrators in Azure AD

  1. Go to this pane in the Azure Portal: https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/

  2. Search for Windows Virtual Desktop and select it

  3. Select Users and Groups, then add everyone that you want to have access to WVD:

[Image: Users and Groups]

Create a Windows Virtual Desktop Tenant in PowerShell

  1. Open PowerShell as an administrator

  2. Run the following block of code:

[Image: Powershell 1 (screenshot of the PowerShell block)]

The last line should look something like:

[Image: Powershell 2 (screenshot of the expected output)]

Create a Windows Virtual Desktop Host Pool in the Azure Portal

  1. Create a new Azure resource at this link: https://portal.azure.com/#create/hub

  2. Search for Windows Virtual Desktop - Provision a host pool and select Create:

[Image: Provision a Pool]

NOTE: Choose a name for the host pool and keep a note of it, as we’ll need it later.

[Image: Provision a Pool 2]

NOTE: Windows Virtual Desktop is only available in East US 2 or Central US during preview. Check the current list here:
https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-desktop

  3. Don’t get yelled at by your boss—choose a small B-series VM for testing:

[Image: VM Sizing]

  4. Everyone is so excited about Azure being the only cloud to offer a true multi-session Windows 10 Enterprise desktop, so let’s use that image:

[Image: VM Sizing 2]

NOTE: Make sure you choose a network that has access to your AD environment.

  5. Specify the Windows Virtual Desktop Tenant Name that you created via PowerShell above:

[Image: Tenant Name]

  6. Buy it!

[Image: Buy]

Add Users to your Windows Virtual Desktop Host Pool

Open PowerShell again and run the following command for every user you want to add. (Groups aren’t supported yet.)

[Image: Powershell 3 (screenshot of the user-assignment command)]
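As an added example (not the post’s own screenshots), this is how the tenant-creation step above and this user-assignment step are done with the WVD preview’s Microsoft.RDInfra.RDPowerShell module; every value in angle brackets is a placeholder for your own tenant, subscription, host pool and users.

```powershell
# Added example (not the post's screenshots). Requires the WVD preview module
# Microsoft.RDInfra.RDPowerShell; every <...> value is a placeholder for your own.
Install-Module -Name Microsoft.RDInfra.RDPowerShell -Scope CurrentUser
Import-Module Microsoft.RDInfra.RDPowerShell

$aadTenantId    = "<Directory ID copied from the AAD Properties blade>"
$subscriptionId = "<Azure subscription ID>"
$wvdTenantName  = "<WVD tenant name, e.g. Contoso-WVD>"
$hostPoolName   = "<host pool name chosen during provisioning>"
$appGroupName   = "Desktop Application Group"   # default app group every host pool gets

# Sign in with the account you added to the Windows Virtual Desktop enterprise app
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

# Step "Create a Windows Virtual Desktop Tenant": the tenant is bound to your AAD
# directory and to the subscription that will hold the host pool
New-RdsTenant -Name $wvdTenantName -AadTenantId $aadTenantId -AzureSubscriptionId $subscriptionId

# Give a second administrator RDS Owner so one person is not a single point of failure
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -SignInName "<second-admin@yourdomain>" -TenantName $wvdTenantName

# Step "Add Users to your Host Pool": one call per user, since groups were not
# supported in preview. Assign only the people who need the desktop (least privilege).
$users = @("<user1@yourdomain>", "<user2@yourdomain>")
foreach ($upn in $users) {
    Add-RdsAppGroupUser -TenantName $wvdTenantName -HostPoolName $hostPoolName `
        -AppGroupName $appGroupName -UserPrincipalName $upn
}

# Verify the assignments before telling users to connect
Get-RdsAppGroupUser -TenantName $wvdTenantName -HostPoolName $hostPoolName -AppGroupName $appGroupName
```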

You’re Done! (Maybe.)


Connect to your Windows Virtual Desktop Environment

Access your WVD environment here:
https://rdweb.wvd.microsoft.com/webclient/index.html

You should see a web page with the following icon that will load the RDS session in the browser:

[Image: Session Desktop]

Or install this client to access via the desktop:
https://go.microsoft.com/fwlink/?linkid=2068602

Using the desktop app, I was able to run three 4K monitors without any lag connecting to the East US 2 Azure data center from San Diego, CA. That’s incredible!

Troubleshooting a Windows Virtual Desktop Deployment in Azure

I screwed up the first three times I deployed this today. Pro tip: RTFM.

Microsoft’s official Windows Virtual Desktop guide is available here:
https://docs.microsoft.com/en-us/azure/virtual-desktop/tenant-setup-azure-active-directory


I also had to RDP into the WVD Host Pool and run everything in this guide before I was able to connect:
https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-powershell

Closing Thoughts on Windows Virtual Desktop

Once I read the entire deployment guide, I was able to deploy WVD in under an hour. Granted, I haven’t configured any auto-scaling rules yet, but that is an incredibly short amount of time for a small business to set up a VDI environment.

Some points to consider:

  • I deployed Azure Security Center on the WVD Host Pool VM to get telemetry to Windows Defender Advanced Threat Protection and Cloud App Security

    • This is HUGE if you’re on a Microsoft 365 Business license, which doesn’t include those two products.

    • WVD is still in preview, so I wouldn’t base your budget on this just yet.

  • WVD cannot be managed by Intune…yet.

    • I just spent six months figuring out how to migrate anything in Group Policy over to Intune, and now I need to go back to Group Policy for management.

  • Azure AD Join is not an option for WVD. The VM must be connected to Active Directory.

  • I created a Conditional Access Policy to force an MFA challenge on login, but it didn’t work. There are some footnotes in the documentation about this not being supported yet.

  • Windows 7 will receive free Extended Security Updates until January 2023 for Windows Virtual Desktop instances.

  • If you’re testing WVD from outside of the United States, be aware that all WVD management is handled from the East US 2 data center during preview, so you will have data entering the US during preview.

  • It’s freaking AMAZING!

Overall, I am hugely impressed with the initial preview of Windows Virtual Desktop and I can’t wait to see what features Microsoft adds to the service over the next few months.

Interested in learning more? Contact us here.

Anatomy of a Breach Response

“Today’s biggest heists might not look like the movies.

But rest assured, I’m just as destructive. I’m better organized and more sophisticated. I target more than just a single enterprise; I can cripple an entire industry. There’s more at stake than ever before: business disruption, data loss, intellectual property damage, and financial gain. Before you can stop me, it’ll take you days to even notice I’m there—99 days, on average. (1)

In fact, most breaches go fully undetected and remain completely invisible—I’m probably already there. How do you plan on stopping me?”

(1) M-Trends Report, 2017, FireEye / Mandiant


Most organizations are learning to appreciate the gravity of cyber breaches and their effect on the organization, its industry and the economy at large. We’ve collated some data into a short presentation to show you how a breach typically occurs, as well as how the Microsoft Security suite helps detect and defend against one.

If you’re already a Microsoft O365 customer, or interested in learning about this solution in more detail, please contact us to see if you qualify for a free Secqur Modern Workplace Assessment.

Threat Hunting with Azure AD Premium Subscriptions

Every cloud security workshop that I perform with a client to enable Microsoft’s Enterprise Mobility + Security (EM+S) suite typically yields an unpleasant surprise. I had the CFO of one company demand the immediate implementation of Role-Based Access Control (RBAC) after seeing the granularity of the audit capabilities of Cloud App Security. During my most recent workshop with a national client that has 25+ offices across the US, we uncovered a large amount of Tor traffic within 15 minutes of enabling Azure AD Identity Protection.

What is Azure AD Premium? 

Let me start off by stating that I think every organization that cares about protecting its data should be on Azure AD P2, either as an add-on subscription or as part of a Microsoft 365 bundle. This is especially true if you’re a small business without a 24/7 support team.

Azure AD is offered in three flavors: 

  • AAD Basic 

  • AAD P1 

  • AAD P2 

Azure AD Basic comes with every Office 365 subscription and is the default SKU for all your users. Azure AD P1 adds reporting on identity breaches, but the responsibility is on you to audit and respond to those reports. The key benefits of Azure AD P2 that I consider invaluable to every organization are risk-based conditional access and Azure AD Identity Protection.

With the exponential increase of phishing and password spray attacks over the past year, your security responses must be automated to keep up with the sophistication of modern cyberattacks, which requires AAD P2. 

For a full feature comparison of Azure Active Directory, refer to the chart below, or to the linked feature comparison for the most recent feature list.

[Image: AAD-FeaturesEditions]

Threat Prevention with Azure AD: Enabling AAD Identity Protection 

This one feature allows me to feel comfortable going to sleep at night—especially if I’m camping in Yosemite with no cellular service. Azure AD Identity Protection is available in the Azure Marketplace and uses machine learning along with artificial intelligence to review log data from your entire organization. Both Azure AD and on-premises AD environments are continuously monitored to create risk profiles for your users and automate security responses. Risk data from Windows Defender Advanced Threat Protection can also be used in determining risk profiles. 

By default, I always enable the user risk policy so that accounts flagged as high risk are forced to change their password:

[Image: AAD-UserRiskPolicy]

A high risk level typically indicates that the account has been breached; one example is Microsoft detecting that the user’s credentials have been published in clear text on the dark web.

For medium-level risks, I typically require an MFA challenge via the sign-in risk policy:

[Image: AAD-SignInRiskPolicy]

But I review the estimated impact before enforcing the policy. If there is a large potential impact, I may consider creating a conditional access policy instead to allow for a more targeted response depending on the user activity. 

Threat Hunting with Azure AD: Detecting Malicious Activity 

As I mentioned earlier, I was able to identify Tor traffic within 15 minutes of activating Azure AD Premium during my last workshop. How? By reviewing the risky sign-ins report, we saw one user log in from 9 different countries within about 90 minutes.

[Image: AAD-Logins]

We responded immediately by creating conditional access policies to block countries that the company does not have business relationships with, and to require MFA challenges in other regions, including unknown regions. 

I suspect Ryan was also notified by HR for violating the company’s acceptable use policy. 

However, if Ryan’s credentials had been compromised, Azure AD Identity Protection would have required him to change his password immediately. No more waiting for your support desk to contact the user after determining there was a breach—the response is immediate with AAD P2. 
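The geographic response described above (block countries with no business relationship, MFA everywhere else including unknown regions), written out as an added example with the AzureADPreview module’s conditional access cmdlets; this is not the author’s configuration. The country codes, the emergency-access account and the report-only state are assumptions for illustration.

```powershell
# Added example: codifies the geographic response described above with the
# AzureADPreview conditional access cmdlets. Country lists and the break-glass
# object ID are placeholders; policies start in report-only so impact can be reviewed.
Import-Module AzureADPreview
Connect-AzureAD

# Named locations: where the business operates, and partner regions that get MFA
# instead of a block. Unknown countries are folded into the MFA tier.
$homeLoc = New-AzureADMSNamedLocationPolicy -OdataType "#microsoft.graph.countryNamedLocation" `
    -DisplayName "CA-Home" -CountriesAndRegions @("US") -IncludeUnknownCountriesAndRegions $false
$partners = New-AzureADMSNamedLocationPolicy -OdataType "#microsoft.graph.countryNamedLocation" `
    -DisplayName "CA-Partners-And-Unknown" -CountriesAndRegions @("CA", "GB") -IncludeUnknownCountriesAndRegions $true

$breakGlass = "<objectId of the emergency access account>"   # never lock this one out

function New-LocationCondition([string[]]$include, [string[]]$exclude) {
    $c = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
    $c.Applications = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
    $c.Applications.IncludeApplications = "All"
    $c.Users = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
    $c.Users.IncludeUsers = "All"
    $c.Users.ExcludeUsers = $breakGlass
    $c.Locations = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
    $c.Locations.IncludeLocations = $include
    if ($exclude) { $c.Locations.ExcludeLocations = $exclude }
    return $c
}

function New-Grant([string]$control) {
    $g = New-Object Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
    $g._Operator = "OR"
    $g.BuiltInControls = @($control)
    return $g
}

# Tier 1: block sign-ins from anywhere that is neither home nor partner/unknown
New-AzureADMSConditionalAccessPolicy -DisplayName "Block-Unrelated-Countries" `
    -State "enabledForReportingButNotEnforced" `
    -Conditions (New-LocationCondition -include @("All") -exclude @($homeLoc.Id, $partners.Id)) `
    -GrantControls (New-Grant "block")

# Tier 2: require MFA from partner regions and from unknown locations
New-AzureADMSConditionalAccessPolicy -DisplayName "MFA-Partners-And-Unknown" `
    -State "enabledForReportingButNotEnforced" `
    -Conditions (New-LocationCondition -include @($partners.Id) -exclude @()) `
    -GrantControls (New-Grant "mfa")
```

Review the report-only results in the sign-in logs before switching each policy’s state to "enabled".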

Conclusion 

I hope this has helped show the value of Azure AD P2. Many of the low-level tasks of a Security Operations Center can be automated using the Microsoft cloud security stack. We’ll explore more ways to protect your organization in our upcoming series: The Anatomy of a Breach Response.

Troubleshooting SQL and Code Challenges on Azure

Sometimes we are engaged to solve tough performance problems. We’ve all been in situations where the infrastructure team is blaming the developers, the developers are blaming the infrastructure, and the product or project manager is frustrated because nothing is getting solved.

Recently we were asked to provide a second set of eyes on a problem that had been causing delays on an important project. The SQL database was hosted in a failover cluster instance (FCI) on Azure IaaS, the application was running as Azure App Services, and there were “random and sporadic” issues. Random and sporadic are every troubleshooter’s favorite words, of course, because we prefer repeatable and predictable… but that’s just not the way the world works!

We worked with their development team to implement Azure App Insights in order to log the random and sporadic failures so that we could find them quickly instead of hoping to be able to reproduce the errors.

[Image: AppInsights]

Setting up App Insights on a VM is as easy as:

[Image: AppInsights setup]

For App Services, however, the documentation at docs.microsoft.com explains how to instrument the code with the required tags so it can be monitored.

After some due diligence we configured memory threshold limitations on the SQL cluster to help eliminate several memory pressure events that were being triggered. We believed this would help with a few memory management issues, but on continued investigation we identified a few memory issues that appeared to be the result of unhandled exceptions in the code.

Although the failed methods reported by the developers indicated a connection error, the underlying exceptions were logic problems (which in some cases manifested as closed connections). Three examples are shown below, with identifiers obfuscated.



Sample 1: Referenced database object does not exist; causes a 1.3-second timeout

CUSTOMER-USE-APP-API Log Query:

// All telemetry for Operation ID: xxx-yyy1
union *
// Apply filters
| where timestamp > datetime("2019-03-05T19:38:26.111Z") and timestamp < datetime("2019-03-07T19:38:26.111Z")
| where operation_Id == "xxx-yyy1"

Failed Method

System.Data.SqlClient.SqlConnection.OnError

Exception

System.Data.SqlClient.SqlException (0x80131904): Invalid object name 'XXX.YYYY'.

Sample 2: Unhandled deadlocked-resource exceptions; causes a 3.4-minute timeout

CUSTOMER-USE-APP-API Log Query:

// All telemetry for Operation ID: xxx-yyy2
union *
// Apply filters
| where timestamp > datetime("2019-03-03T23:05:13.481Z") and timestamp < datetime("2019-03-05T23:05:13.481Z")
| where operation_Id == "xxx-yyy2"

Failed Method

System.Data.SqlClient.SqlConnection.OnError

Exception

System.Data.SqlClient.SqlException (0x80131904): The ROLLBACK TRANSACTION request has no corresponding BEGIN TRANSACTION.


Sample 3: Circular reference causing a 1.3-second delay

CUSTOMER-USE-APP-API Log Query:

// All telemetry for Operation ID: xxx-yyy3
union *
// Apply filters
| where timestamp > datetime("2019-03-05T19:38:27.181Z") and timestamp < datetime("2019-03-07T19:38:27.181Z")
| where operation_Id == "xxx-yyy3"

Failed Method

Newtonsoft.Json.Serialization.JsonSerializerInternalWriter.CheckForCircularReference


Ultimately, a neutral look by Infused Innovations as an outside party, combined with Azure App Insights and our SQL expertise, moved the project forward and refocused attention on the real areas of opportunity: the deployment of the SQL cluster, the structure and error handling of the code, and the frameworks selected.