Category: WVD
Extracted from MS Tech community
While volume activation is a process that many have utilized over the years, today’s post offers guidance to help you ensure that all your devices have been properly activated regardless of their connection to your organization’s network.
First, a refresher. Volume activation enables a wide range of Windows devices to receive a volume license and be activated automatically and en masse versus tediously entering an activation key on each Windows device manually.
The most common methods of volume activation require that devices to be connected to an organization’s network or connected via virtual private network (VPN) to “check in” from time to time with the organization’s activation service to maintain their licenses. When people work from home and off the corporate or school network; however, their devices’ ability to receive or maintain activation is limited.
Volume activation methods
There are several methods to activate devices via volume licensing. For detailed information, see Plan for volume activation. Here, however, is a summary for easy reference.
Key Management Service
Key Management Service (KMS) activation requires TCP/IP connectivity to, and accessibility from, an organization’s private network so that licenses are not accessible to anyone outside of the organization. By default, KMS hosts and clients use DNS to publish and find the KMS key. Default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements.
KMS activations are valid for 180 days (the activation validity interval). KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries to reach the host every two hours. After a client computer’s activation is renewed, the activation validity interval begins again.
Multiple Activation Key
A Multiple Activation Key (MAK) is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of activations allowed. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft-hosted activation service counts toward the activation limit.
You can use a MAK for individual computers or with an image that can be duplicated or installed using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation, which is useful for moving a computer off the core network to a disconnected environment.
Active Directory-based activation
Active Directory-based activation is similar to KMS activation but uses Active Directory instead of a separate service. Active Directory-based activation is implemented as a role service that relies on Active Directory Domain Services to store activation objects. Active Directory-based activation requires that the forest schema be updated using adprep.exe on a supported server operating system, but after the schema is updated, older domain controllers can still activate clients.
Devices activated via Active Directory maintain their activated state for up to 180 days after the last contact with the domain. Devices periodically attempt to reactivate (every seven days by default) before the end of that period and, again, at the end of the 180 days.
Windows 10 Subscription Activation
Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to Windows 10 Enterprise automatically if they are subscribed to Windows 10 Enterprise E3 or E5.
With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions – Windows 10 Education.
The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices.
To step a device up to Windows 10 Education via Subscription Activation the device must meet the following requirements:
- Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
- A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation.
- The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
| Note: If Windows 10 Pro is converted to Windows 10 Pro Education using benefits available in Store for Education, then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition. |
Volume activation while working from home
If you activate devices in your organization using MAK, the activation process is straightforward and the devices are permanently activated. If you are using KMS or Active Directory-based Activation, each device must connect to the organization’s local network at least once every 180 days to “check in” with either the KMS host or the Active Directory domain controller. Otherwise, the user will be warned to activate Windows again.
With many users working or taking classes from home, a connection to the organization’s network may not exist, which would ultimately leave their devices in a deactivated state. There are a few options to avoid this:
- Use a VPN. By having the device connect to your organization’s network via a VPN, it will be able to contact a KMS host or Active Directory domain controller and will be able to maintain its activation status. If you manage your devices through a wholly on-premises solution to deploy policies, collect inventory, and deploy updates and other software, there is a good chance you are already using a VPN. Depending on the VPN configuration, some manual configuration of the client device may be required to ensure the KMS service is accessible through the VPN. For more details on these settings, which can be implemented via script, see Slmgr.vbs options for obtaining volume activation information.
- Convert the devices from KMS to MAK activation. By converting from KMS to MAK activation, you replace the license that requires reactivation every 180 days with a permanent one, which requires no additional check-in process. There are some cases—in educational organizations, for example—where each device is re-imaged at the end of the school year to get ready for the next class. In this case, the license must be “reclaimed” by contacting your Microsoft licensing rep or a Microsoft Licensing Activation Center.
One way of converting a device from KMS to MAK activation is to use the Windows Configuration Designer app (available from the Microsoft Store) to create a provisioning package, which includes the MAK, and deploy the package through email or a management solution such as Microsoft Intune.
You can also deploy a MAK directly within Intune without creating a provisioning package by creating a simple PowerShell script with the following commands and deploying the script to a user group:slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX slmgr.vbs /ato
(In the example above, XXXXX-XXXXX-XXXXX-XXXXX-XXXXX is your MAK key.)
It is important to monitor the success of these activations and remove users from the target group once their devices have been activated so that their other devices do not receive a new license.
Note: Windows Configuration Designer is also available as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. - Use Subscription Activation. This requires the devices to be joined to your Azure AD domain, enabling activation in the cloud. This is possible if you have one of the following subscriptions:
- Windows 10 Enterprise E3/E5
- Windows 10 Education A3/A5
- Windows 10 Enterprise with Software Assurance
- Microsoft 365 E3/E5
- Microsoft 365 E3/A5
- Microsoft 365 F1/F3
- Microsoft 365 Business Premium
If you need assistance and have one of the preceding subscriptions with at least 150 licenses, you may be eligible for assistance through FastTrack. Contact your Microsoft representative or request assistance from FastTrack and a Microsoft FastTrack representative will contact you directly.
Conclusion
Windows volume activation has been around for a long time, but the increased number of users working from home may require your organization to re-evaluate how to best keep your devices activated if they cannot reach your on-premises activation service if you are using KMS or Active Directory-based Activation. It is important to consider the options available to you to ensure your devices stay activated. As always, there is no “one-size-fits-all” approach, so consider the pros and cons of each option as you plan on how to best support your remote workers and students.
To learn more about activation, check Activate clients running Windows 10.
Below are the common WVD build issues which I encountered during implementations
Issue 1 -Unable to create any Host Pool
Error
{“code”:”DeploymentFailed”,”message”:”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.”,”details”:[{“code”:”Conflict”,”message”:”{\r\n \”status\”: \”Failed\”,\r\n \”error\”: {\r\n \”code\”: \”ResourceDeploymentFailure\”,\r\n \”message\”: \”The resource operation completed with terminal provisioning state ‘Failed’.\”,\r\n \”details\”: [\r\n {\r\n \”code\”: \”DeploymentFailed\”,\r\n \”message\”: \”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.\”,\r\n \”details\”: [\r\n {\r\n \”code\”: \”Conflict\”,\r\n \”message\”: \”{\r\n \\”status\\”: \\”Failed\\”,\r\n \\”error\\”: {\r\n \\”code\\”: \\”ResourceDeploymentFailure\\”,\r\n \\”message\\”: \\”The resource operation completed with terminal provisioning state ‘Failed’.\\”,\r\n \\”details\\”: [\r\n {\r\n \\”code\\”: \\”VMExtensionProvisioningError\\”,\r\n \\”message\\”: \\”VM has reported a failure when processing extension ‘dscextension’. Error message: \\\\”The DSC Extension failed to execute: Error downloading https://wvdportalstorageblob.blob.core.windows.net/galleryartifacts/Configuration_9-11-2020.zip after 29 attempts: Unable to connect to the remote server.\\r\\nMore information about the failure can be found in the logs located under ‘C:\\\\WindowsAzure\\\\Logs\\\\Plugins\\\\Microsoft.Powershell.DSC\\\\2.80.1.0’ on the VM.\\\\”\\r\\n\\r\\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot \\”\r\n }\r\n ]\r\n }\r\n}\”\r\n },\r\n {\r\n \”code\”: \”Conflict\”,\r\n \”message\”: \”{\r\n \\”status\\”: \\”Failed\\”,\r\n \\”error\\”: {\r\n \\”code\\”: \\”ResourceDeploymentFailure\\”,\r\n \\”message\\”: \\”The resource operation completed with terminal provisioning state ‘Failed’.\\”,\r\n \\”details\\”: [\r\n {\r\n \\”code\\”: \\”VMExtensionProvisioningError\\”,\r\n \\”message\\”: \\”VM has reported a failure when processing extension ‘dscextension’. Error message: \\\\”The DSC Extension failed to execute: Error downloading https://wvdportalstorageblob.blob.core.windows.net/galleryartifacts/Configuration_9-11-2020.zip after 29 attempts: Unable to connect to the remote server.\\r\\nMore information about the failure can be found in the logs located under ‘C:\\\\WindowsAzure\\\\Logs\\\\Plugins\\\\Microsoft.Powershell.DSC\\\\2.80.1.0’ on the VM.\\\\”\\r\\n\\r\\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot \\”\r\n }\r\n ]\r\n }\r\n}\”\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}”}]}
Root Cause:
There was no internet access for the subnet used for host pool creation
Resolution:
Internet connectivity required for WVD VNET as DSC extension need to download from Azure Websites. The DSC extension for Windows requires that the target virtual machine is able to communicate with Azure and the location of the configuration package (.zip file) if it is stored in a location outside of Azure.
Ref: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows
Issue 2: Unable to create Host pool from Custom Image
Error
{“code”:”DeploymentFailed”,”message”:”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.”,”details”:[{“code”:”Conflict”,”message”:”{\r\n \”status\”: \”Failed\”,\r\n \”error\”: {\r\n \”code\”: \”ResourceDeploymentFailure\”,\r\n \”message\”: \”The resource operation completed with terminal provisioning state ‘Failed’.\”,\r\n \”details\”: [\r\n {\r\n \”code\”: \”DeploymentFailed\”,\r\n \”message\”: \”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.\”,\r\n \”details\”: [\r\n {\r\n \”code\”: \”Conflict\”,\r\n \”message\”: \”{\r\n \\”status\\”: \\”Failed\\”,\r\n \\”error\\”: {\r\n \\”code\\”: \\”ResourceDeploymentFailure\\”,\r\n \\”message\\”: \\”The resource operation completed with terminal provisioning state ‘Failed’.\\”,\r\n \\”details\\”: [\r\n {\r\n \\”code\\”: \\”VMExtensionProvisioningTimeout\\”,\r\n \\”message\\”: \\”Provisioning of VM extension dscextension has timed out. Extension provisioning has taken too long to complete. The extension did not report a message. More information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot\\”\r\n }\r\n ]\r\n }\r\n}\”\r\n },\r\n {\r\n \”code\”: \”Conflict\”,\r\n \”message\”: \”{\r\n \\”status\\”: \\”Failed\\”,\r\n \\”error\\”: {\r\n \\”code\\”: \\”ResourceDeploymentFailure\\”,\r\n \\”message\\”: \\”The resource operation completed with terminal provisioning state ‘Failed’.\\”,\r\n \\”details\\”: [\r\n {\r\n \\”code\\”: \\”VMExtensionProvisioningTimeout\\”,\r\n \\”message\\”: \\”Provisioning of VM extension dscextension has timed out. Extension provisioning has taken too long to complete. The extension did not report a message. More information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot\\”\r\n }\r\n ]\r\n }\r\n}\”\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}”}]
Root Cause
Issue with Image which is captured from existing Host Pool
Resolution
Do not capture image from Hostpool Sessions as this breaks sometimes , always
Take new image from Market Place ->convert to Image ->Create Host pools -> For Host update , again use previous captured image
Issue 3: Host pools are able to create with fresh images but not with applications installed on Image (custom)
Error
{“code”:”DeploymentFailed”,”message”:”At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.”,”details”:[{“code”:”VMExtensionProvisioningTimeout”,”message”:”Provisioning of VM extension joindomain has timed out. Extension provisioning has taken too long to complete. The extension did not report a message. More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot”}]}
Root Cause
Visual studio 2015 & 2017 , customer 3rd part application are blocking to create Host pool – Issue experienced with 2 customers
Resolution
Able to create Hostpools after uninstallation of Visual studio
Windows Virtual Desktop is a service that gives users easy and secure access to their virtualized desktops and RemoteApps. This topic will tell you a bit more about the general structure of the Windows Virtual Desktop environment.
Host pools
A host pool is a collection of Azure virtual machines that register to Windows Virtual Desktop as session hosts when you run the Windows Virtual Desktop agent. All session host virtual machines in a host pool should be sourced from the same image for a consistent user experience.
A host pool can be one of two types:
- Personal, where each session host is assigned to individual users.
- Pooled, where session hosts can accept connections from any user authorized to an app group within the host pool.
You can set additional properties on the host pool to change its load-balancing behavior, how many sessions each session host can take, and what the user can do to session hosts in the host pool while signed in to their Windows Virtual Desktop sessions. You control the resources published to users through app groups.
App groups
An app group is a logical grouping of applications installed on session hosts in the host pool. An app group can be one of two types:
- RemoteApp, where users access the RemoteApps you individually select and publish to the app group
- Desktop, where users access the full desktop
By default, a desktop app group (named “Desktop Application Group”) is automatically created whenever you create a host pool. You can remove this app group at any time. However, you can’t create another desktop app group in the host pool while a desktop app group exists. To publish RemoteApps, you must create a RemoteApp app group. You can create multiple RemoteApp app groups to accommodate different worker scenarios. Different RemoteApp app groups can also contain overlapping RemoteApps.
To publish resources to users, you must assign them to app groups. When assigning users to app groups, consider the following things:
- A user can be assigned to both a desktop app group and a RemoteApp app group in the same host pool. However, users can only launch one type of app group per session. Users can’t launch both types of app groups at the same time in a single session.
- A user can be assigned to multiple app groups within the same host pool, and their feed will be an accumulation of both app groups.
Workspaces
A workspace is a logical grouping of application groups in Windows Virtual Desktop. Each Windows Virtual Desktop application group must be associated with a workspace for users to see the remote apps and desktops published to them.
End users
After you’ve assigned users to their app groups, they can connect to a Windows Virtual Desktop deployment with any of the Windows Virtual Desktop clients.
Microsoft manages the following Windows Virtual Desktop services as part of Azure:
Web Access
The Web Access service within Window Virtual Desktop lets user’s access virtual desktops and remote apps through an HTML5-compatible web browser as they would with a local PC, from anywhere on any device. Web Access is secured for Diageo users using OKTA multifactor authentication.
Gateway
The Remote Connection Gateway service connects remote users to Windows Virtual Desktop apps and desktops from any internet-connected device that can run a Windows Virtual Desktop client. The client connects to a gateway, which then orchestrates a connection from a VM back to the same gateway.
Connection Broker
The Connection Broker service manages WVD user connections to virtual desktops and remote apps. The Connection Broker provides load balancing and reconnection to existing sessions.
Diagnostics
Remote Desktop Diagnostics is an event-based aggregator that marks each user and administrator action on the Windows Virtual Desktop deployment as a success or failure. WVD Administrators can query the event aggregation to identify failing components as per requirements.
Extensibility components
Windows Virtual Desktop includes several extensibility components. Windows Virtual Desktop can be managed using Windows PowerShell or with the provided REST APIs, which also enable support from third-party tools. WVD team is using Azure ARM/GUI for WVD management for this deployment.
WVD User Connection Traffic flow
WVD uses Reverse Connect, which means that no inbound ports need to be opened on the VM to setup the RDP connection. Once the connection flow proceeds, bidirectional communication between session hosts/host pools will go over port https (443).
Windows Virtual Desktop is a global load balanced service via Azure front-door. This means that the traffic flow always goes via the nearest management control-plane/service location.
User Connection Flow
- User launches RD client which connects to Azure AD, Azure MFA, user signs in, and Azure AD returns token
- RD client presents token to Web Access, Broker queries DB to determine resources authorized for user
- User selects resource, RD client connects to Gateway
- Broker orchestrates connection from host agent to Gateway
RDP traffic now flows between RD client and session host VM over connections 3 and 4
Guest Post -Thanks to cloudsapient blog
Azure AD Connect Authentication (sign-in) Options:
Below are the four different authentication (sign-in) mechanisms provided by Azure AD when you are using Azure AD Connect, based on your feasibility from security and compliance perspective you can choose the one appropriate. During Azure AD Connect installation wizard you will have the ability to choose one of the authentication mechanism.
1. Password Hash Synchronization (PHS):
–When we install Azure AD Connect with “Express Settings” then Password Harsh Synchronization (PHS) authentication mechanism is the default configuration.
–AAD Connect synchronizes a hash, of the hash, of an AD user’s password from an on-premises AD to Azure AD.
–To synchronize user’s password, Azure AD Connect sync extracts user’s password hash from the on-premises Active Directory. Extra security processing is applied to the password hash before it is synchronized to the Azure Active Directory.
–PHS process runs every 2 minutes and we cannot modify the frequency of this process.
2.Pass-through Authentication (PTA):
–Users credentials are validated by on-premises Active Directory Domain Controller via AAD Connect Authentication Agent, On-premises AD user’s passwords are not stored in Azure AD in any form.
–For Pass-through Authentication to work, users need to be provisioned into Azure AD from on-premises Active Directory using Azure AD Connect. Pass-through Authentication does not apply to cloud-only users.
–Communication between Authentication Agent and Azure AD is uses certificate-based authentication. These certificates are automatically renewed every few months by Azure AD.
–Microsoft recommends to have more than one AAD Connect Authentication Agent to provide high availability of authentication requests.
–PTA can also be used in conjunction with PHS for high availability scenarios, As per Microsoft “Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You’ll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you’ll require help from Microsoft Support to turn off Pass-through Authentication.”
3. Federation with ADFS:
–In ADFS federation scenario, Azure AD will be redirecting authentication request to ADFS.
4. Federation with PingFederate:
–If you are already using PingFederate in your environment then you may choose this method for authentication. AAD Connect natively supports PingFederate, please refer below official document from PingFederate regarding implementation of this.
https://support.pingidentity.com/s/article/PingFederate-Microsoft-Azure-End-to-End-Integration
WVD Implementation step by step guides in Non ARM(WVD 1.0) and ARM Model (WVD 2.0)
Most of us have years of experience with Active Directory and delegating rights to Administrators that control the environment. Some enterprises don’t grant Domain Admin rights to all the Administrators. How does one set up just the right amount of access in Azure for Admins to manage the WVD Spring release?
To answer this question, I started with Role Base Access Control (RBAC). In this scenario, the Administrators will have the Contributor role on the Azure subscription, and the Admin should have the ability to manage other users’ permissions both in Azure and WVD.
Azure uses RBAC to manage resources. A role is a group of permissions.
Azure has many built-in roles; some of the main are Owner, Contributor, and Reader. See here for a list of built-in roles. You can also use PowerShell to get a list with the command: Get-AzRoleDefinition | FT Name,Description
The Owner role has full access to everything, including the ability to delegating access to users. The Contributor role has the permissions to create and manage resources, even create a new tenant but, cannot delegate access to users. The Reader role can view all but make now changes.
If the Administrator has Owner, the person would have full access to manage all resources, but we don’t want that for our Administrator in this case. We know the Administrator has the Contributor role. However, that means the Administrator does not have the right to delegate access to users. The Administrator will need the ability to add and remove users/groups to WVD.
There are multiple ways to solve this; you can grant the Administrator rights on the individual resource groups.
You can add a custom role. If you are more comfortable with the GUI, select Subscriptions, Access control (IAM), Add custom role.
To make it easier, you can choose to clone a role as a starting point.
The predefined permissions already defined will give you a good starting point.
However, to accomplish the requirements, it will need to be adjusted.
You can add permissions and exclude permissions from the above page, but there are limitations. The better method would be to edit the JSON.
Below is a JSON example:
{
“properties”: {
“roleName”: “Custom_Admins”,
“description”: “Custom Role to allow contribution and access control”,
“assignableScopes”: [
“/subscriptions/subscriptionID”
],
“permissions”: [
{
“actions”: [
“Microsoft.Authorization/roleAssignments/delete”,
“Microsoft.Authorization/roleAssignments/write”,
“Microsoft.DesktopVirtualization/*”
],
“notActions”: [
“Microsoft.Blueprint/blueprintAssignments/write”,
“Microsoft.Blueprint/blueprintAssignments/delete”,
],
“dataActions”: [],
“notDataActions”: []
}
]
}
}
For a list of operations see here
To use the PowerShell to create the custom role using a json file:
New-AzRoleDefinition –InputFile “C:\CustomRoles.json”
This solution is granular and most secure, but it will involve some research and knowledge of JSON. If you are new to Azure, this can be challenging.
So, for this use case since the granular security is not a requirement, the Administrator will be granted two built-in roles that allow for the access needed, not just for WVD but Azure as well.
Below are Azure Windows Virtual Desktop (WVD) Reference conceptual architectures.
WVD Reference Architecture’s -ARM
Reference Architecture -Classic (Non-ARM)
Reference Architecture -Classic (Non-ARM)
Reference Architecture -Classic (Non-ARM)
Reference Architecture -Classic (Non-ARM)
Reference Architecture -Classic (Non-ARM)
This overview picture is meant to show a simple WVD architecture High-level and also the different features and options one has available as part of Windows Virtual Desktop. Where I split it up into two main services, where the first part is Microsoft services in Azure and the second is 3.party services
For more details, refer https://msandbu.org/windows-virtual-desktop-ecosystem/
