Prepare Windows 10 Master Image & Deploy Windows Virtual Desktop

Microsoft announced Windows Virtual Desktop and began a private preview. Since then, we’ve been hard at work developing the ability to scale and deliver a true multi-session Windows 10 and Office 365 ProPlus virtual desktop and app experience on any device.

Windows Virtual Desktop will also be extended and enriched by leading partners in the following ways:

  • Citrix can extend Windows Virtual Desktop capabilities with their Citrix Cloud services.
  • Through our partnership with Samsung, Windows Virtual Desktop will provide highly mobile Firstline Workers with access to a full Windows 10 and Office 365 ProPlus experience on Samsung DeX.
  • Software and service providers will extend Windows Virtual Desktop to offer targeted solutions in the Azure marketplace.
  • Microsoft Cloud Solution Providers (CSPs) will deliver end-to-end desktop-as-a-service (DaaS) offerings and value-added services to their customers.

Prepare Image

Prepare a Windows 10 Enterprise golden image to be used for Windows Virtual Desktop in Azure. Execute the following steps on the Windows 10 Enterprise master image.

Step1: Remove persistent routes using this command (route print lists any that exist): route delete

Step2: Remove the proxy server using this command: netsh winhttp reset proxy

Step3: Set the disk SAN policy to OnlineAll: run diskpart, then enter san policy=onlineall

Step4: Set the hardware clock to UTC and the Windows Time service to start automatically

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' -Name 'RealTimeIsUniversal' -Value 1 -Type DWord -Force
Set-Service -Name w32time -StartupType Automatic

Step5: Set the power profile to High performance using this command: powercfg /setactive SCHEME_MIN

Step6: Set the TEMP and TMP locations to the default

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name 'TEMP' -Value '%SystemRoot%\TEMP' -Type ExpandString -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name 'TMP' -Value '%SystemRoot%\TEMP' -Type ExpandString -Force

Step7: Set the startup type of the Windows services (netlogon, netman and termService are left on Manual)

Set-Service -Name bfe -StartupType Automatic
Set-Service -Name dhcp -StartupType Automatic
Set-Service -Name dnscache -StartupType Automatic
Set-Service -Name IKEEXT -StartupType Automatic
Set-Service -Name iphlpsvc -StartupType Automatic
Set-Service -Name netlogon -StartupType Manual
Set-Service -Name netman -StartupType Manual
Set-Service -Name nsi -StartupType Automatic
Set-Service -Name termService -StartupType Manual
Set-Service -Name MpsSvc -StartupType Automatic
Set-Service -Name RemoteRegistry -StartupType Automatic

Step8: Configure the Remote Desktop registry settings (UserAuthentication = 1 requires Network Level Authentication, SecurityLayer = 1 negotiates TLS with clients that support it)

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 0 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name 'fDenyTSConnections' -Value 0 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'PortNumber' -Value 3389 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'LanAdapter' -Value 0 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'UserAuthentication' -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'SecurityLayer' -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'fAllowSecProtocolNegotiation' -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name 'KeepAliveEnable' -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name 'KeepAliveInterval' -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'KeepAliveTimeout' -Value 1 -Type DWord -Force

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name 'fDisableAutoReconnect' -Value 0 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'fInheritReconnectSame' -Value 1 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'fReconnectSame' -Value 0 -Type DWord -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'MaxInstanceCount' -Value 4294967295 -Type DWord -Force
# Remove the reference to the image's RDP certificate so it is not carried into every deployed VM
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'SSLCertificateSHA1Hash' -Force

Step9: Set up the firewall (all three profiles stay enabled; only the rules needed for management and RDP are opened)

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Enable-PSRemoting -Force
Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -Enabled True
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True
Set-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' -Enabled True

Step10: Check the VM disk on the next boot

chkdsk /f

Step11: Set the Boot Configuration Data (BCD) settings

bcdedit /set {bootmgr} integrityservices enable
bcdedit /set {default} device partition=C:
bcdedit /set {default} integrityservices enable
bcdedit /set {default} recoveryenabled Off
bcdedit /set {default} osdevice partition=C:
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

# Enable the Serial Console feature
bcdedit /set {bootmgr} displaybootmenu yes
bcdedit /set {bootmgr} timeout 5
bcdedit /set {bootmgr} bootems yes
bcdedit /ems {current} ON
bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200

Step12: Set up crash dumps

# Configure the guest OS to collect a kernel dump on an OS crash event
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -Name CrashDumpEnabled -Type DWord -Force -Value 2
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -Name DumpFile -Type ExpandString -Force -Value '%SystemRoot%\MEMORY.DMP'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -Name NMICrashDump -Type DWord -Force -Value 1

# Configure the guest OS to collect user-mode dumps on a service crash event
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
if (-not (Test-Path -Path $key)) { New-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting' -Name LocalDumps }
New-ItemProperty -Path $key -Name DumpFolder -Type ExpandString -Force -Value 'c:\CrashDumps'
New-ItemProperty -Path $key -Name CrashCount -Type DWord -Force -Value 10
New-ItemProperty -Path $key -Name DumpType -Type DWord -Force -Value 2
Set-Service -Name WerSvc -StartupType Manual

Step13: Verify that the Windows Management Instrumentation (WMI) repository is consistent

winmgmt /verifyrepository

Step14: Do not remove or modify access for the following accounts

  • Administrators
  • Backup Operators
  • Everyone
  • Users

Step15: Install the Azure VM Agent

Install the Azure VM Agent on the image.

Step16: Move the pagefile to a different location

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' -Name 'PagingFiles' -Value 'D:\pagefile.sys' -Type MultiString -Force
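Before generalising, it is worth confirming the image actually carries the settings from Steps 4 to 9; the script below is an added example (not from the original post) that reads them back and reports any drift. It assumes an elevated PowerShell 5.1 session on the Windows 10 master image with the NetSecurity module available, and the expected values mirror the commands above.

```powershell
# Added example: verify the RDP, service and firewall settings from Steps 4-9 before Sysprep.
# Assumes an elevated session on the master image (constructed for this post, not part of it).
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$expected = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'; Name = 'RealTimeIsUniversal'; Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';     Name = 'fDenyTSConnections';  Value = 0 },
    @{ Path = $rdp; Name = 'UserAuthentication'; Value = 1 },   # NLA required
    @{ Path = $rdp; Name = 'SecurityLayer';      Value = 1 },   # negotiate TLS
    @{ Path = $rdp; Name = 'PortNumber';         Value = 3389 }
)
$failures = @()

# Registry values set in Steps 4 and 8
foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($actual -ne $e.Value) {
        $failures += "Registry $($e.Path)\$($e.Name) is '$actual', expected $($e.Value)"
    }
}

# Services that Step 7 sets to Automatic
foreach ($svc in 'bfe', 'dhcp', 'dnscache', 'IKEEXT', 'iphlpsvc', 'nsi', 'MpsSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s -or $s.StartType -ne 'Automatic') { $failures += "Service $svc is not set to Automatic" }
}

# Firewall state from Step 9: every profile enabled, Remote Desktop rule group enabled
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') { $failures += "Firewall profile $($p.Name) is disabled" }
}
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object { $_.Enabled -ne 'True' } |
    ForEach-Object { $failures += "Firewall rule '$($_.DisplayName)' is disabled" }

# Step 8 removes the image's RDP certificate reference; it must not survive into the clones
$hash = (Get-ItemProperty -Path $rdp -ErrorAction SilentlyContinue).SSLCertificateSHA1Hash
if ($hash) { $failures += 'SSLCertificateSHA1Hash is still present; remove it before Sysprep' }

if ($failures.Count -eq 0) {
    Write-Output 'Image checks passed'
} else {
    $failures | ForEach-Object { Write-Warning $_ }
}
```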

Generalise Golden Image

  1. Boot the PC into Audit Mode. When Windows boots into Audit Mode, the System Preparation Tool appears on the desktop. You can either close the System Preparation Tool window or leave it open.
  2. Customize Windows by adding drivers, changing settings, and installing programs. Do not install any Microsoft Store apps using the Microsoft Store.
  3. Run Sysprep: %WINDIR%\system32\sysprep\sysprep.exe /generalize /shutdown /oobe

Convert disk using Hyper-V Manager

  1. Open Hyper-V Manager and select your local computer on the left. In the menu above the computer list, click Action > Edit Disk.
  2. On the Locate Virtual Hard Disk screen, locate and select your virtual disk.
  3. On the Choose Action screen, select Convert and then click Next.
  4. If you need to convert from VHDX, select VHD and then click Next.
  5. If you need to convert from a dynamically expanding disk, select Fixed size and then click Next.
  6. Locate and select a path to save the new VHD file to.
  7. Click Finish.
  8. You can do the same using PowerShell: Convert-VHD -Path c:\test\MY-VM.vhdx -DestinationPath c:\test\MY-NEW-VM.vhd -VHDType Fixed

Export Windows 10 Enterprise VHD

  1. On Hyper-V Manager, right-click the virtual machine and select Export.
  2. Choose where to store the exported files, and click Export.
  3. When the export is done, you can see all exported files under the export location.

Upload VHD to Azure Blob Storage

You can upload the VHD to your storage account using one of the following:

  • AzCopy
  • Azure Storage Copy Blob API
  • Azure Storage Explorer Uploading Blobs
  • Storage Import/Export Service REST API Reference
  • PowerShell

Use the Add-AzVhd cmdlet to upload the VHD to a container in your storage account.

$rgName = 'myResourceGroup'
$urlOfUploadedImageVhd = 'https://mystorageaccount.blob.core.windows.net/mycontainer/myUploadedVHD.vhd'
Add-AzVhd -ResourceGroupName $rgName -Destination $urlOfUploadedImageVhd `
    -LocalFilePath 'C:\Users\Public\Documents\Virtual hard disks\myVHD.vhd'

Create a managed image from the uploaded VHD

$location = 'Australia East'
$imageName = 'Windows10EntGoldImage'
$imageConfig = New-AzImageConfig -Location $location
$imageConfig = Set-AzImageOsDisk -Image $imageConfig -OsType Windows -OsState Generalized -BlobUri $urlOfUploadedImageVhd -DiskSizeGB 20
New-AzImage -ImageName $imageName -ResourceGroupName $rgName -Image $imageConfig

Create the VM

New-AzVm -ResourceGroupName $rgName -Name 'VM1' -ImageName $imageName -Location $location -VirtualNetworkName 'myVnet' -SubnetName 'mySubnet' -SecurityGroupName 'myNSG' -PublicIpAddressName 'myPIP' -OpenPorts 3389

Deploy a Windows Virtual Desktop host pool from the Azure managed image

Use the KBs below to create the Windows Virtual Desktop host pool: KB1 and KB2. Follow the KBs, except when selecting an image: choose the managed image you created using the steps above.

Azure AD B2B Collaboration With SharePoint Online

Azure AD B2B collaboration lets you invite guest users into your Azure AD tenant so they can access Azure AD services. Invited users can be picked from the OneDrive/SharePoint Online sharing dialog boxes. Users invited through OneDrive/SharePoint Online also show up in Azure AD after they redeem their invitations, and can then be granted access to other resources in your organization such as OneDrive for Business and SharePoint Online.

Figure: Azure AD B2B Collaboration (Source: Microsoft Corp)

Licensing requirements for paid features:

The customer who owns the inviting tenant must determine how many B2B collaboration users need paid Azure AD capabilities. Depending on the paid Azure AD features you want for your guest users, you must have enough Azure AD paid licenses to cover the B2B collaboration users in the same 5:1 ratio.

Figure: Contoso Corp B2B Collaboration with partners (Source: Microsoft Corp)

The guides below describe how to deploy Azure AD B2B functionality for SharePoint Online.

Turn on Azure AD Integrated Apps for Office 365

  1. Log on to Office 365 at portal.office.com using your work or school account.
  2. Go to the Office 365 admin center, and from the left navigation bar, click Settings > Services & add-ins.
  3. On the Integrated apps page, use the toggle to turn Integrated Apps on or off.

Add a B2B User

  1. Sign in to the Azure portal as an Azure AD administrator.
  2. In the navigation pane, select Azure Active Directory.
  3. Under Manage, select Users. Select New guest user.
  4. Under User name, enter the email address of the external user. Optionally, include a welcome message.
  5. Select Invite to automatically send the invitation to the guest user.
  6. To assign group permissions, under Manage, select Groups.
  7. Select a group (or click New group to create a new one). It is a good idea to state in the group description that the group contains B2B guest users.
  8. Select Members and add the guest user.

Add Azure AD B2B Licenses

  1. Log on to the Azure portal (portal.azure.com) and navigate to Azure Active Directory.
  2. To assign a license, under Azure Active Directory > Licenses > All Products, select one or more products, and then select Assign on the command bar.
  3. Use the Users and groups blade to choose multiple users or groups, or to disable service plans in the product. Use the search box at the top to search for user and group names.
  4. When you assign licenses to a group, it can take some time before all users inherit the license, depending on the size of the group. You can check the processing status on the Group blade, under Licenses.

Add guest users to a SharePoint Online App

  1. Sign in to the Azure portal as an Azure AD administrator. In the navigation pane, select Azure Active Directory.
  2. Under Manage, select Enterprise applications > All applications. Select the application to which you want to add guest users.
  3. On the application's dashboard, select Total Users to open the Users and groups pane.
  4. Select Add user. Under Add Assignment, select Users and groups.
  5. If the guest user already exists in the directory, search for the B2B user. Select the user, click Select, and then click Assign to add the user to the app.
  6. The guest user appears in the application's Users and groups list with the assigned role of Default Access. To change it, under Edit Assignment, click Select Role, select the role you want to assign to the selected user, click Select, and then click Assign.

Turn on External Sharing for SharePoint Online

  1. Sign in to Office 365 as a global admin or SharePoint admin.
  2. Select the app launcher icon in the upper-left and choose Admin to open the Office 365 admin center. (If you don't see the Admin tile, you don't have Office 365 administrator permissions in your organization.)
  3. In the left pane, choose Admin centers > SharePoint.
  4. In the left pane, click sharing.
  5. Select "Allow sharing only with the external users that already exist in your organization's directory."
  6. You can configure additional settings, such as limiting external sharing by domain, preventing external users from sharing files, and requiring external users to accept sharing invitations.

Turn on External Sharing for Specific Site Collection

  1. Sign in to Office 365 as a global admin or SharePoint admin.
  2. Select the app launcher icon in the upper-left and choose Admin to open the Office 365 admin center. (If you don't see the Admin tile, you don't have Office 365 administrator permissions in your organization.)
  3. In the left pane, choose Admin centers > SharePoint.
  4. Click Try the preview to open the new SharePoint admin center.
  5. In the left pane, click Site management.
  6. Locate the site that you want to update, and click the site name.
  7. In the right pane, under Sharing status, click Change.
  8. Select your option (see the following table) and click Save.

Redemption through the invitation email

If the user was invited through a method that sends an invitation email, they can also redeem the invitation from that email: the invited user clicks the redemption URL in the email, then reviews and accepts the privacy terms.

  1. After being invited, the invitee receives an invitation email sent from Microsoft Invitations.
  2. The invitee selects Get Started in the email.
  3. If the invitee does not have an Azure AD account or a Microsoft account (MSA), they are prompted to create an MSA.
  4. The invitee is redirected to the Review permissions screen, where they can review the inviting organization's privacy statement and accept the terms.