Azure WVD Prerequisites & Dependencies Checklist

# Sensitivity: Internal Restricted

| Item | Description | Prerequisites/Dependencies | Status |
|---|---|---|---|
| Azure Subscription | An Azure subscription (needed to host resources) | Prerequisite | |
| Windows 10 Enterprise Licensing for WVD | To avail the WVD service, the customer should have a Win 10 Enterprise license. Refer to the License sheet for more details. | Prerequisite | |
| Azure Active Directory (AAD) Tenant & Active Directory | An Active Directory to which you can join your VMs. A Windows Server Active Directory in sync with Azure Active Directory. | Prerequisite | |
| Azure Region | Azure region information to deploy WVD session hosts | Information | |
| On-premises connectivity | Azure ExpressRoute or VPN | Information | |
| WVD Implementation Team ID creation & group | User ID and group creation for WVD implementation team | Prerequisite | |
| Permissions on Azure subscription | Owner (preferred access), or built-in Contributor access, User Access Admin role to assign users in WVD and assign permissions for Azure Files (Storage File Data SMB Share Contributor) | Prerequisite | |
| Remote Access to Infrastructure | Jump server or Bastion service to access Azure VMs | Prerequisite | |
| Network | VNets and subnets to use for WVD | Prerequisite | |
| AD OU Creation | Need dedicated OU structure (Wipro provides structure). Test OU with block inheritance; this is temporary till project completion. | | |
| AD Delegated Access | To create, modify & delete OUs, computer accounts, domain join. Permissions to create/modify Group Policy Objects on VDI OUs. Delegated permission on implementation team user IDs, or delegate the above permissions to a service account. | Prerequisite | |
| Internet Access | Internet access at WVD subnet level to create the host pool (recommended option), or allow safe URL list as per MS | Prerequisite | |
| Azure Governance document | Governance document required to follow policies, naming and compliance standards to deploy Azure resources | Prerequisite | |
| Service Account Creation | Service account creation for all WVD build activities (e.g. Virtuadesk monitor scheduled tasks, admin scheduled tasks & domain join). Note: MFA should not be enabled for admin/service accounts. | Dependency | |
| Test user accounts creation | Need minimum of 2 user accounts for end-to-end VDI testing | Dependency | |
| New VNet addition to AD Sites & Subnets | It is required to add new WVD VNets to AD Sites & Subnets for authentication | Dependency | |
| VDI/Server OS/RDS Licensing | Windows VDI OS; Windows Server OS (as applicable); RDS license (as applicable). Refer to the License sheet for more details. | Dependency | |
| Antivirus Agents | Information on AV agents (Symantec/McAfee/Trend Micro/Sentinel/CrowdStrike/MS Defender) to deploy on images | Dependency | |
| User Profile Solution | AD native roaming, RES, AppSense, FSLogix, etc. | Information | |
| User profile storage & user data drive | User profile storage (Azure Files or NetApp Files). Data drive: OneDrive, same as profile storage, or home drives. | Information | |
| Storage Accounts | Azure Storage; Azure Monitor Diagnostics | Information | |
| Permissions on Azure storage | Storage File Data SMB Share Elevated Contributor to admin group & Storage File Data SMB Share Contributor to all user group. All groups should sync to Azure AD. | | |
| NetApp File Storage requirement | Dedicated subnet | | |
| Image Management | Includes patches & applications. Deployment method to use: SCCM or Azure Gallery. | Information | |
| Monitoring Tools | Azure Monitor/SCOM or any other 3rd-party tools | Information | |
| Backup | Backup tool (Azure Backup or any other 3rd party) to take backup for profile/persistent & golden images | Information | |
| Security | Windows OS hardening | Dependency | |
| Security | Multi-factor authentication details (Azure MFA/Okta or any other) | Information | |
| Security | Azure Security Center | Information | |
| Security | Network Security Groups (NSGs) to restrict traffic | Information | |
| Security | Azure Firewall for internet access or to use on-prem proxy | Information | |
| Security | Any customer-specific security agents like DLP or any other tools | Information | |
| Network | Public IPs (if applicable); jump server or Bastion uses public IP | Dependency | |
| Network | Communication with all enterprise services as applicable | Dependency | |
| Windows Virtual Desktop Client (End points) | Install the Windows Virtual Desktop Client on client devices | Dependency | |
| Windows Virtual Desktop Client (End points) | Allow MS safe list of URLs to access WVD | Dependency | |
| Users Information | Pilot users | Dependency | |
| Users Information | Migration phase list (as applicable) | Dependency | |
| Users Information | Production users | Dependency | |
| Line of Business (LOB) applications list | Web application list with URL details | Dependency | |
| Line of Business (LOB) applications list | Applications (thick) EXEs to install on golden image | Dependency | |
| Line of Business (LOB) applications list | Communication from WVD to application servers | Dependency | |
| Line of Business (LOB) applications list | Point of contact for application installation | Dependency | |
Remarks
https://docs.microsoft.com/en-us/azure/virtual-desktop/faq
DSC ext: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-windows
Safe URL: https://docs.microsoft.com/en-us/azure/virtual-desktop/safe-url-list
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging
https://docs.microsoft.com/en-us/azure/virtual-desktop/expand-existing-host-pool
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/hybrid-use-benefit-licensing?WT.mc_id=Portal-Microsoft_Azure_Compute
https://docs.microsoft.com/en-us/azure/virtual-desktop/safe-url-list
Server OS
VDI OS
You are eligible to access Windows 10 multi-session, Windows 10, or Windows 7 with Windows Virtual
Desktop if you have one of the following per user licenses
Microsoft 365 F1, E3, E5, A3, A5, Business
Windows 10 Enterprise E3, E5
Windows 10 Education A3, A5
Windows 10 VDA per user
You are eligible to access Windows Server 2012 R2/2016/2019 and newer desktops and apps if you have a
per-user or per-device RDS CAL license with active Software Assurance (SA).
Remote Desktop Services (RDS) Client Access License (CAL) with active Software Assurance (SA)
FSLogix
Microsoft 365 F1, E3, E5, A3, A5, Business
Windows 10 Enterprise E3, E5
Windows 10 Education A3, A5
Windows 10 VDA per user
Remote Desktop Services (RDS) Client Access License (CAL) with active Software Assurance (SA)
For customers with Software Assurance, Azure Hybrid Benefit for Windows Server allows you to use your
on-premises Windows Server licenses and run Windows virtual machines on Azure at a reduced cost. You
can use Azure Hybrid Benefit for Windows Server to deploy new virtual machines with Windows OS
For customers with Windows 10 Enterprise E3/E5 per user or Windows Virtual Desktop Access per user
(User Subscription Licenses or Add-on User Subscription Licenses), Multitenant Hosting Rights for Windows
10 allows you to bring your Windows 10 Licenses to the cloud and run Windows 10 Virtual Machines on
Azure without paying for another license
Windows 10 Single - Custom Image
Windows 10 Multi Session
Windows Server
https://azure.microsoft.com/en-us/pricing/details/virtual-desktop/
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/hybrid-use-benefit-licensing
https://azure.microsoft.com/en-us/pricing/hybrid-benefit/
https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx
1. Resource Group - Contributor role at resource group level
2. Virtual networks - Contributor role at virtual network level
3. Virtual Machines/Images/AV Set - Contributor role at virtual machine level
4. Storage Accounts - Contributor role at storage account level
5. Azure Monitor - Monitoring Contributor role at subscription level
6. Azure Advisor - Contributor role at resource group level
8. Security Center - "Contributor / Security Admin" role at subscription level
9. Key Vault - "Contributor" role at resource group level
10. Network Security Group - "Contributor" role at resource group level
14. Log Analytics workspace - Contributor role at subscription level
Contributor rights to register Resource Providers
Azure Image Builder/Azure Shared Image Gallery - Contributor access
IAM roles required:
Storage File Data SMB Share Contributor
Storage File Data SMB Share Elevated Contributor (NTFS configurations)
Virtual machines
The virtual machines you create for Windows Virtual Desktop must have access to the following URLs in Azure

| Address | Outbound TCP port | Purpose | Service Tag | Remarks |
|---|---|---|---|---|
| *.wvd.microsoft.com | 443 | Service traffic | WindowsVirtualDesktop | Mandatory |
| gcs.prod.monitoring.core.windows.net | 443 | Agent traffic | AzureCloud | Mandatory |
| production.diagnostics.monitoring.core.windows.net | 443 | Agent traffic | AzureCloud | Mandatory |
| *xt.blob.core.windows.net | 443 | Agent traffic | AzureCloud | Mandatory |
| *eh.servicebus.windows.net | 443 | Agent traffic | AzureCloud | Mandatory |
| *xt.table.core.windows.net | 443 | Agent traffic | AzureCloud | Mandatory |
| catalogartifact.azureedge.net | 443 | Azure Marketplace | AzureCloud | Mandatory |
| kms.core.windows.net | 1688 | Windows activation | Internet | Mandatory |
| mrsglobalsteus2prod.blob.core.windows.net | 443 | Agent and SXS stack updates | AzureCloud | Mandatory |
| wvdportalstorageblob.blob.core.windows.net | 443 | Azure portal support | AzureCloud | Mandatory |
| 169.254.169.254 | 80 | Azure Instance Metadata service endpoint | N/A | Mandatory |
| 168.63.129.16 | 80 | Session host health monitoring | N/A | Mandatory |
| *.microsoftonline.com | 443 | Authentication to Microsoft Online Services | login.microsoftonline.us | Optional |
| *.events.data.microsoft.com | 443 | Telemetry Service | None | Optional |
| www.msftconnecttest.com | 443 | Detects if the OS is connected to the internet | None | Optional |
| *.prod.do.dsp.mp.microsoft.com | 443 | Windows Update | None | Optional |
| login.windows.net | 443 | Sign in to Microsoft Online Services, Microsoft 365 | login.microsoftonline.us | Optional |
| *.sfx.ms | 443 | Updates for OneDrive client software | oneclient.sfx.ms | Optional |
| *.digicert.com | 443 | Certificate revocation check | None | Optional |

Remote Desktop clients
Any Remote Desktop clients you use must have access to the following URLs:

| Address | Outbound TCP port | Purpose | Clients | Azuregov |
|---|---|---|---|---|
| *.wvd.microsoft.com | 443 | Service traffic | All | *.wvd.microsoft.us |
| *.servicebus.windows.net | 443 | Troubleshooting data | All | *.servicebus.usgovcloudapi.net |
| go.microsoft.com | 443 | Microsoft FWLinks | All | None |
| aka.ms | 443 | Microsoft URL shortener | All | None |
| docs.microsoft.com | 443 | Documentation | All | None |
| privacy.microsoft.com | 443 | Privacy statement | All | None |
| query.prod.cms.rt.microsoft.com | 443 | Client updates | All | None |
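An added example, not part of the original checklist: one way to audit outbound flows from the WVD subnet against the session host table above, so that firewall or proxy rules can be checked before host pool creation. The function names `classify` and `unlisted` and the sample flows are assumptions made for illustration, as is reading `*` in the Address column as a glob.

```python
from fnmatch import fnmatchcase

# Session host rows from the table above: address, outbound TCP port, remarks.
TABLE = """\
*.wvd.microsoft.com 443 Mandatory
gcs.prod.monitoring.core.windows.net 443 Mandatory
production.diagnostics.monitoring.core.windows.net 443 Mandatory
*xt.blob.core.windows.net 443 Mandatory
*eh.servicebus.windows.net 443 Mandatory
*xt.table.core.windows.net 443 Mandatory
catalogartifact.azureedge.net 443 Mandatory
kms.core.windows.net 1688 Mandatory
mrsglobalsteus2prod.blob.core.windows.net 443 Mandatory
wvdportalstorageblob.blob.core.windows.net 443 Mandatory
169.254.169.254 80 Mandatory
168.63.129.16 80 Mandatory
*.microsoftonline.com 443 Optional
*.events.data.microsoft.com 443 Optional
www.msftconnecttest.com 443 Optional
*.prod.do.dsp.mp.microsoft.com 443 Optional
login.windows.net 443 Optional
*.sfx.ms 443 Optional
*.digicert.com 443 Optional
"""
RULES = [(p, int(port), kind) for p, port, kind in
         (line.split() for line in TABLE.splitlines())]

def classify(host, port):
    """Return 'Mandatory' or 'Optional' for a listed destination, else None."""
    host = host.strip().rstrip(".").lower()  # tolerate FQDN dot and mixed case
    for pattern, rule_port, kind in RULES:
        # '*' is a glob: '*.sfx.ms' needs the dot, '*xt.blob...' is a name suffix.
        if port == rule_port and fnmatchcase(host, pattern):
            return kind
    return None

def unlisted(flows):
    """Return the (host, port) flows that no row of the table covers."""
    return [f for f in flows if classify(*f) is None]

# Constructed sample of outbound flows from a WVD subnet (not real log data).
SAMPLE = [
    ("rdbroker.wvd.microsoft.com", 443),
    ("md-abcxt.blob.core.windows.net", 443),
    ("KMS.core.windows.net.", 1688),
    ("kms.core.windows.net", 443),           # listed host, wrong port
    ("wvd.microsoft.com.example.net", 443),  # look-alike suffix
    ("evilsfx.ms", 443),                     # no dot before sfx.ms
]
```

`unlisted(SAMPLE)` returns the last three flows. A match only means the flow is covered by the list: the wildcard rows cover every name that fits the pattern.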
WVD Safe URL List: https://docs.microsoft.com/en-us/azure/virtual-desktop/safe-url-list
Office 365 URLs and IP address ranges: https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide