Deploy VM in Azure via Powershell using Azure CloudShell

Reading Time: 5 minutes

In this blog post I will deploy virtual machines in Azure using PowerShell via Azure Cloud Shell, the browser-based shell launched from within the Azure Portal.


1) Login to the Azure Portal portal.azure.com
2) Click the Cloud Shell icon found towards the top of the portal

3) Click Powershell

4) Click Create Storage. If you want to configure custom settings, click Show Advanced Settings

5) and we’re connected

6) Before creating a virtual machine, I will create a resource group into which I will deploy the new VM. My new resource group is named CloudBuildPSRG (PS for PowerShell and RG for Resource Group) and my location is UK South. You could create this resource group as part of the VM build command further down this blog post, but for the purpose of this demo I will create the resource group first.

New-AzResourceGroup -Name CloudBuildPSRG -Location UKSouth

7) If I visit the resource group area within the Azure Portal, here is my newly created resource group

8) We don't want to only view the new resource group via the portal, so let's take a look at it via PowerShell. Here is the command to list your resource groups. Note the cmdlet name: Cloud Shell uses the Az module, so it is Get-AzResourceGroup; the older Get-AzureResourceGroup / Get-AzureRmResourceGroup names belong to the retired modules and will not be found.

Get-AzResourceGroup

And here is the resource group

9) Let’s move onto creating a VM within this new resource group

Before running the commands below, I'll explain what each line does

New-AzVm `
    -ResourceGroupName "CloudBuildPSRG" `
    -Name "CloudBuildPSVM" `
    -Location "UK South" `
    -VirtualNetworkName "CloudBuild-PSVNET" `
    -SubnetName "subnet1" `
    -SecurityGroupName "CBNetworkSecurityGroup" `
    -PublicIpAddressName "GBPublicIpAddress" `
    -OpenPorts 80,3389

-ResourceGroupName “CloudBuildPSRG” – The existing resource group I created earlier in this blog post. If the resource group does not exist, New-AzVm creates it.

-Name “CloudBuildPSVM” – This is the name of the VM


-Location “UK South” – The VM will be built in region UK South

-VirtualNetworkName “CloudBuild-PSVNET” – I am creating a new VNET but you could also use an existing VNET name if you have already created one

-SubnetName “subnet1” – A new subnet will be created named subnet1. Again you could use an existing by specifying the name.

-SecurityGroupName “CBNetworkSecurityGroup” – The name of the Network Security Group (NSG) that will be created and attached to the VM's network interface

-PublicIpAddressName “GBPublicIpAddress” – For the purpose of this lab, I will be creating a public IP address. This is something you don't want to do for a production server: a VM with a public IP and RDP exposed is scanned and password-sprayed from the internet continuously. You could use Azure Bastion to connect to a VM from the portal, or connect to the VM from your internal network over VPN.

-OpenPorts 80,3389 – Creates inbound allow rules in the NSG (Network Security Group) for the web service (80) and Remote Desktop (3389). Be aware that the rules -OpenPorts creates allow traffic from any source address, so 3389 is reachable from the whole internet until you tighten the rule. My next blog post will include the installation of IIS via PowerShell and testing access externally.
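The same deployment with the NSG created first and the RDP rule restricted to one admin source address, as an added example that is not part of the original post. If the NSG name did not already exist, New-AzVm would create one of its own that opens 3389 to any source for a Windows image, which is why the NSG is built before the VM. The admin address (a TEST-NET-3 placeholder) and the rule names are assumptions; everything else uses the names from the post.

```powershell
# Added example (not from the original post): deploy the post's VM but replace
# the -OpenPorts 80,3389 "allow from anywhere" rules with an NSG whose RDP rule
# is limited to a single admin source address.

$rg       = "CloudBuildPSRG"
$location = "uksouth"
$adminIp  = "203.0.113.10/32"   # assumed: your office/VPN egress address

# RDP only from the admin address; HTTP from anywhere (it is going to be a web
# server). Everything else is dropped by the NSG's built-in DenyAllInbound rule.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-From-Admin" `
    -Description "RDP from the admin address only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $adminIp -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

$httpRule = New-AzNetworkSecurityRuleConfig -Name "Allow-HTTP" `
    -Description "Public web traffic" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 80

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "CBNetworkSecurityGroup" -SecurityRules $rdpRule, $httpRule

# Prompting for the credential keeps the password out of the script and the
# shell history (New-AzVm prompts for it anyway when -Credential is omitted).
$cred = Get-Credential -Message "Local administrator account for the VM"

# Same simplified New-AzVm call as the post, minus -OpenPorts. Passing the name
# of an NSG that already exists makes New-AzVm attach it rather than create one.
New-AzVm `
    -ResourceGroupName $rg `
    -Name "CloudBuildPSVM" `
    -Location $location `
    -VirtualNetworkName "CloudBuild-PSVNET" `
    -SubnetName "subnet1" `
    -SecurityGroupName $nsg.Name `
    -PublicIpAddressName "GBPublicIpAddress" `
    -Credential $cred

# Check: list the effective inbound rules. Port 3389 should only show the admin
# prefix as its source; if it shows * the wrong NSG got attached.
Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsg.Name |
    Select-Object -ExpandProperty SecurityRules |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

When the admin address changes, update the rule with Set-AzNetworkSecurityRuleConfig rather than widening it to *; the final Select-Object is the check to rerun afterwards.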

10) Let’s continue with running the script. After triggering the script, you’re prompted to create a new local admin username and password for the VM.

and the machine build is in progress

VM build successful

11) Let's check the status of the VM. Without -Status, Get-AzVM only returns the provisioning state; adding -Status also returns the power state (for example PowerState/running)

Get-AzVM -ResourceGroupName CloudBuildPSRG -Name CloudBuildPSVM -Status

12) Let’s check the Azure Portal. There it is. The VM has been deployed in my existing resource group CloudBuildPSRG

13) I’ll now obtain the Public IP address of the VM so I can connect to it. (Note that this is a demo. In a production environment you don’t want to allow RDP access externally). The Public IP could also be obtained from the Azure Portal, but as we’re doing everything within PowerShell, let’s continue with Powershell.

Here is the command I will run to obtain the public IP address of my newly created VM

Get-AzPublicIpAddress -Name GBPublicIpAddress -ResourceGroupName CloudBuildPSRG | Select IPAddress

14) You can now connect to your server

By default this process creates a Windows Server 2016 Datacenter VM, but what if you want to use a different image available within the Microsoft Azure Marketplace?

Let’s continue with building another VM but this time specifying what image we want to use.

15) Type Get-AzVMImageOffer -Location "UK South" -PublisherName "MicrosoftWindowsServer" to list the offers from the MicrosoftWindowsServer publisher

Notes:

A Marketplace image in Azure has the following attributes:

  • Publisher: The organisation that created the image. Examples: Canonical, MicrosoftWindowsServer
  • Offer: The name of a group of related images created by a publisher. Examples: UbuntuServer, WindowsServer
  • SKU: An instance of an offer, such as a major release of a distribution. Examples: 18.04-LTS, 2019-Datacenter
  • Version: The version number of an image SKU.



MicrosoftWindowsServer is a VM image publisher name. If you want to view all VM image publishers available within the Marketplace in the UK South region, the command is as follows: Get-AzVMImagePublisher -Location "UK South"

16) Here are the results from step 15. The results show a number of offers from the MicrosoftWindowsServer publisher available in the UK South region. I will be using the WindowsServer offer

17) We now dig deeper and find out what SKUs are available within the WindowsServer offer

Get-AzVMImageSku -Location "UK South" -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer"

and after running the command above, we have a selection to choose from:

18) Let’s deploy a 2012 R2 Datacenter server

19) Here is what the command looks like this time.

New-AzVm `
    -ResourceGroupName "CloudBuildPSRG" `
    -Name "CloudBuildPSVM3" `
    -Location "uksouth" `
    -VirtualNetworkName "CloudBuild-PSVNET" `
    -SubnetName "subnet1" `
    -SecurityGroupName "CBNetworkSecurityGroup3" `
    -PublicIpAddressName "GBPublicIpAddress3" `
    -ImageName "MicrosoftWindowsServer:WindowsServer:2012-R2-Datacenter:latest" `
    -OpenPorts 80,3389 `
    -AsJob

Note:
-AsJob runs the command as a background job, so you can carry on using PowerShell for other tasks rather than waiting for the deployment to complete, as you'll see from the results below.

latest – the version token (the fourth part of the Publisher:Offer:SKU:Version image name) requests the latest available version of that SKU at deployment time

After running the command above, as you can see from the screenshot below, the output is different because of the additional parameter -AsJob. The job is now running in the background, which means I don't have to wait for PowerShell to complete the process.


20) And we have successfully deployed a Windows Server 2012 R2 Datacenter VM
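Steps 15 to 20 as one script, as an added example that is not part of the original post: walk Publisher > Offer > SKU > Version with the cmdlets from the post, pin the version instead of relying on latest, start the build with -AsJob, and collect and verify the result when the job finishes. Resource names are the post's; the image choice and the decision to pin the version are assumptions.

```powershell
# Added example (not from the original post): choose a Marketplace image by
# enumeration, build the VM as a background job and check what was deployed.

$location  = "uksouth"
$publisher = "MicrosoftWindowsServer"
$offer     = "WindowsServer"
$sku       = "2012-R2-Datacenter"

# Steps 15 and 17 of the post as data rather than screenshots, with a guard so a
# typo fails here instead of minutes into the deployment.
$offers = Get-AzVMImageOffer -Location $location -PublisherName $publisher |
    Select-Object -ExpandProperty Offer
if ($offer -notin $offers) { throw "Offer $offer not available in $location" }

$skus = Get-AzVMImageSku -Location $location -PublisherName $publisher -Offer $offer |
    Select-Object -ExpandProperty Skus
if ($sku -notin $skus) { throw "SKU $sku not available in $location" }

# 'latest' resolves to the newest of these at deployment time; pinning a specific
# version makes repeat builds reproducible and keeps surprise changes out.
$versions = Get-AzVMImage -Location $location -PublisherName $publisher -Offer $offer -Skus $sku |
    Sort-Object { [version]$_.Version } -Descending
$pinned = $versions[0].Version
"Latest version of ${publisher}:${offer}:${sku} is $pinned"

$job = New-AzVm `
    -ResourceGroupName "CloudBuildPSRG" `
    -Name "CloudBuildPSVM3" `
    -Location $location `
    -VirtualNetworkName "CloudBuild-PSVNET" `
    -SubnetName "subnet1" `
    -SecurityGroupName "CBNetworkSecurityGroup3" `
    -PublicIpAddressName "GBPublicIpAddress3" `
    -ImageName "${publisher}:${offer}:${sku}:${pinned}" `
    -OpenPorts 80,3389 `
    -AsJob

# Do other work here, then block until the deployment finishes.
$job | Wait-Job | Out-Null
if ($job.State -ne 'Completed') { $job | Receive-Job; throw "Deployment failed" }
$vm = $job | Receive-Job

# Checks: the image reference on the VM matches what was requested, and the VM
# is actually powered on.
$vm.StorageProfile.ImageReference | Select-Object Publisher, Offer, Sku, Version
Get-AzVM -ResourceGroupName "CloudBuildPSRG" -Name $vm.Name -Status |
    Select-Object -ExpandProperty Statuses | Where-Object Code -like 'PowerState/*'
```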






Backup Azure Files Share

Reading Time: 4 minutes

In this blog post I will be backing up an Azure File Share that I created to store my Windows Virtual Desktop FSLogix Profiles.

1) Login to the Azure Portal portal.azure.com

2) Firstly, I'll create a Recovery Services vault

A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases.

Search and click Recovery Services Vault

3) Click Add

4) Complete details for your new Recovery Services Vault. See example below

5) Add tags as required and click create

6) Next, visit Recovery Services Vault and click your newly created vault

7) Click + Backup

8) Click the notice as highlighted below

9) As you'll see, by default the storage replication type is set to geo-redundant. For the purpose of this lab, I'll be configuring locally-redundant. You may wish to keep geo-redundant or select one of the other options depending on your requirements.

Important note: the replication type can only be changed while the vault contains no protected items, so decide on it now, before enabling the first backup.

10) I select Locally-redundant and click save

11) From the drop down (What do you want to backup?) select Azure FileShare

12) Click Backup

13) Click Select under Storage Account

14) Click your storage account and click ok

15) Click ‘Create a new policy’

16) Click Add and select the Azure Fileshare

17) Set your backup policy as per your requirements. For the purpose of this demo, I have configured as follows


18) Click Enable Backup

19) Wait for confirmation. This takes less than a minute

20) Next, visit your Recovery Services Vault, click backups from the left pane and then click Azure Storage (Azure Files)

21) Notice the backup is pending


22) Click the backup

23) Click Backup now

24) I’m going to leave the data retention as one month. You may wish to set as per your organisation requirements. Click OK

25) Wait for configuration to complete

26) If required, to modify the backup policy, click the Recovery Services vault, click Backup policies and then select the policy.

27) Success


If you wish to monitor backups or restore data, go to the storage account and use the Backup and Snapshots options in the left pane
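The same configuration via the Az.RecoveryServices module, as an added example that is not part of the original post: create the vault, set the redundancy before anything is protected, build a daily policy, protect the share and run the on-demand backup. The vault, storage account and share names are assumptions for this lab.

```powershell
# Added example (not from the original post): protect an Azure file share from
# PowerShell, mirroring the portal steps above.

$rg        = "AzureFileRG"          # assumed: resource group of the storage account
$location  = "uksouth"
$vaultName = "CloudBuild-RSV"       # assumed vault name
$saName    = "cbazurefile"          # storage account from the FSLogix post
$share     = "cloudbuildshare"      # file share from the FSLogix post

# 1) Vault. Set redundancy straight after creation: it can only be changed while
#    the vault has no protected items.
$vault = New-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultName -Location $location
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy LocallyRedundant
Set-AzRecoveryServicesVaultContext -Vault $vault

# 2) Policy: daily backup with 30-day retention. The default policy objects are
#    edited in place rather than accepted blindly.
$schedule  = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType AzureFiles
$retention = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureFiles
$retention.DailySchedule.DurationCountInDays = 30
$policy = New-AzRecoveryServicesBackupProtectionPolicy -Name "FSLogixShareDaily" `
    -WorkloadType AzureFiles -SchedulePolicy $schedule -RetentionPolicy $retention

# 3) Protect the share. This also registers the storage account as a container.
Enable-AzRecoveryServicesBackupProtection -StorageAccountName $saName -Name $share -Policy $policy

# 4) On-demand backup kept for 30 days (the portal's "Backup now" with one month retention).
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureStorage -Status Registered -FriendlyName $saName
$item      = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureFiles -Name $share
$backupJob = Backup-AzRecoveryServicesBackupItem -Item $item -ExpiryDateTimeUTC (Get-Date).ToUniversalTime().AddDays(30)
Wait-AzRecoveryServicesBackupJob -Job $backupJob | Out-Null

# Checks: the item is protected and the on-demand job completed.
Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureFiles |
    Select-Object Name, ProtectionState, LastBackupStatus
Get-AzRecoveryServicesBackupJob -JobId $backupJob.JobId | Select-Object Operation, Status
```

Azure Files backups are share snapshots held in the storage account, so anyone with the account key or Elevated Contributor rights can also delete them; that is one more reason to keep the key out of scripts and use the vault's soft delete.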




Use Azure Files for FSLogix User Profile Data with Windows Virtual Desktop

Reading Time: 10 minutes

In this blog post I will go through the process of configuring FSLogix within a Windows Virtual Desktop platform using Azure file share. I will also go through the process to enable Active Directory authentication.

What is FSLogix
FSLogix is a set of solutions that enhance, enable, and simplify non-persistent Windows computing environments. FSLogix solutions are appropriate for Virtual environments in both public and private clouds. FSLogix solutions may also be used to create more portable computing sessions when using physical devices.

FSLogix Requirements
Before we get started and at the time of writing this blog post, there are a few requirements for FSLogix. You are eligible to access FSLogix Profile Container, Office 365 Container, Application Masking, and Java Redirection tools if you have one of the following licenses:

  • Microsoft 365 E3/E5
  • Microsoft 365 A3/A5/Student Use Benefits
  • Microsoft 365 F1/F3
  • Microsoft 365 Business
  • Windows 10 Enterprise E3/E5
  • Windows 10 Education A3/A5
  • Windows 10 VDA per user
  • Remote Desktop Services (RDS) Client Access License (CAL)
  • Remote Desktop Services (RDS) Subscriber Access License (SAL)

FSLogix solutions may be used in any public or private data center, as long as a user is properly licensed. FSLogix tools operate on all operating systems newer than, and including:

  • Desktop – Windows 7
  • Server – 2008 R2
  • FSLogix solutions support both 32 bit and 64 bit where applicable
  • In no instance are FSLogix solutions supported in an environment that is not supported by Microsoft, or the original software or equipment vendor

What is Azure Files?

Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) protocol or Network File System (NFS) protocol. Azure file shares can be mounted concurrently by cloud or on-premises deployments. Azure Files SMB file shares are accessible from Windows, Linux, and macOS clients. Azure Files NFS file shares are accessible from Linux or macOS clients. Additionally, Azure Files SMB file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.

Azure Files is used extensively/recommended for storing user profiles using FSLogix. Azure Files provides multiple tiers that you can select based on your cost/performance needs.

In this blog i will also go through the process of setting up Azure Files for FSLogix Profiles in Windows Virtual Desktop.

If your organisation has password expiration policies in place, you may have to create a separate OU to stop the password expiring on the AD account that represents the Azure storage account (created later in this post). Your organisation may also run automated clean-up scripts that delete accounts once their password expires. If that happens to the storage account's AD object, users lose access to the Azure file shares. This will make more sense as we go through this blog post.

My lab environment includes a domain controller hosted in Azure and two Windows 10 Windows Virtual Desktop session hosts. AD accounts are synced to Azure AD using Azure AD Connect. I created the WVD solution as part of the following blog post: Deploying Windows Virtual Desktop

Please skip to the section Create Storage Account in Azure if expiration policies don't apply to your organisation.

1) For this demo, I have created the following OU within AD

2) I have created a group policy that disables password expiry for computer accounts residing in this OU. Further details below.

3) I logged into group policy management and created a new policy as follows:

For this example, I have named my policy Azure Files – Password Does Not Expire

4) Right click and edit the policy and browse to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

5) Locate: Domain Member: Maximum machine account password age

6) Click define this policy setting and set to 0. Save

7) Now that I have created an OU and a Group Policy that prevents accounts within the Azure Files OU from expiring, I will link the newly created policy to the OU.

Right click the Azure Files OU within the Group Policy Management console, click Link an Existing GPO, select the policy and click OK


Create Storage Account in Azure

I will now create a storage account within the Azure Portal

  1. Login to the Azure Portal portal.azure.com
  2. Locate and click storage accounts

3. Click +Add


4. Complete the details (example below). I have created a new resource group named AzureFileRG. If you require higher IOPS, up to 100,000, you may want to look into premium (FileStorage) instead of standard.

Ensure the storage account name is 15 characters or fewer. I'll explain why later

5. Lock down your storage account so that only the VMs on selected virtual networks have access to the file share

– Select Public endpoint (selected networks) and pick the VNET your session hosts are connected to
– Tick all subnets that the domain controller and session hosts connect to

6. I will leave the rest of the settings as default and click review and create.

7. Once validation passes, click create

Create File Share

Now that we have created the storage account, let’s create the file share

1. Click storage accounts and click the storage account you just created

2. Click File shares

3. Click + File share

4. Enter the new file share details and click Create. For this example, I have entered the details below. If you don't configure a quota, the default limit applies.

Azure Files offers four different tiers of storage (premium, transaction optimised, hot, and cool) to allow you to tailor your shares to the performance and price requirements of your scenario:

  • Premium: Premium file shares are backed by solid-state drives (SSDs) and are deployed in the FileStorage storage account type. Premium file shares provide consistent high performance and low latency, within single-digit milliseconds for most IO operations, for IO-intensive workloads. Premium file shares are suitable for a wide variety of workloads like databases, web site hosting, and development environments. Premium file shares can be used with both Server Message Block (SMB) and Network File System (NFS) protocols.
  • Transaction optimized: Transaction optimized file shares enable transaction heavy workloads that don’t need the latency offered by premium file shares. Transaction optimized file shares are offered on the standard storage hardware backed by hard disk drives (HDDs) and are deployed in the general purpose version 2 (GPv2) storage account type. Transaction optimized has historically been called “standard”, however this refers to the storage media type rather than the tier itself (the hot and cool are also “standard” tiers, because they are on standard storage hardware).
  • Hot: Hot file shares offer storage optimized for general purpose file sharing scenarios such as team shares and Azure File Sync. Hot file shares are offered on the standard storage hardware backed by HDDs and are deployed in the general purpose version 2 (GPv2) storage account type.
  • Cool: Cool file shares offer cost-efficient storage optimized for online archive storage scenarios. Azure File Sync may also be a good fit for lower churn workloads. Cool file shares are offered on the standard storage hardware backed by HDDs and are deployed in the general purpose version 2 (GPv2) storage account type.

More info can be located here

5. File share configured successfully

Enable SMB Authentication

Next, I will enable SMB Authentication

1. Download AzFilesHybrid.zip from https://github.com/azure-samples/azure-files-samples/releases

2. Extract the files


3. Launch Powershell and type the below command. This command will allow the current user to execute scripts.

4. Next browse to the folder where the three scripts are stored as shown below.

5. Run the CopyToPSPath.ps1 script
This script copies the AzFilesHybrid module into a folder on your PowerShell module path so that it can be imported by name

6. Next we import the AzFilesHybrid module using the command below. The import will take a few minutes.

7. Next, I connect to my Azure Tenant


8. Login when prompted, and we’re connected


9. Type Select-AzSubscription -SubscriptionId <subscription ID> and press enter

One of the places to retrieve your subscription ID: Click your storage account and click overview from the left menu.

10. Next we will run the following:

Please note that the domain account can be either a computer or a service logon account. For this example, I'm creating a computer account.

The next command will create the object within the Windows Active Directory OU that was created earlier.

Join-AzStorageAccountForAuth `
    -ResourceGroupName AzureFileRG `
    -Name cbazurefile `
    -DomainAccountType ComputerAccount `
    -OrganizationalUnitDistinguishedName "OU=Azure Files,OU=CloudBuild,DC=CloudBuild,DC=co,DC=uk"

Note: “-Name” is the name of the storage account you created in the Azure Portal earlier. The commands I'll be running are documented above. Your config will be different.

Note: You can obtain the OU Distinguished name, by right clicking the OU (Enable Advanced Features for options to appear), Clicking properties, Attribute Editor and then locating Distinguished Name as shown below.


11. Success

12. Now let’s check if the computer account has been created within AD Users and Computers.

Note that the computer name is the same as the storage account name. If the storage account name had been more than 15 characters, the script above would have failed, as an AD computer name (its sAMAccountName) is limited to 15 characters.



13. Next, let’s assign permissions to the share we created in Azure. Go back to the Azure Portal > Click the Storage Account > File shares

14. Click the file share name and then click Access Control (IAM)

15. Click Add role assignments


The following SMB roles exist. We’re only adding the top two roles.

  • Storage File Data SMB Share Contributor: permissions to read, write and modify
  • Storage File Data SMB Share Elevated Contributor: permissions to read, write, modify and manage NTFS permissions
  • Storage File Data SMB Share Reader: permission to read.

16. The first role is SMB Share Elevated Contributor and i’ll be assigning an admin account to this role as shown below. Cloud Build User 1 is my admin account.

17. Click save and add role assignment again and add SMB Share Contributor. I have assigned my WVD Users Group to this role

Anyone part of the WVD Users group will be assigned a FSLogix Profile.
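The Enable SMB Authentication steps 3 to 10 and the share-level role assignments of steps 13 to 17 as one script, as an added example that is not part of the original post, with the verification and password-rotation cmdlets that ship in the same AzFilesHybrid module. The OU, storage account, share and group names are this lab's; the extraction path, the admin UPN, the subscription placeholder and the RemoteSigned execution policy are assumptions. The documented parameter name -StorageAccountName is used where the post's command uses -Name.

```powershell
# Added example (not from the original post): enable AD DS authentication on the
# storage account, verify it, and assign the share-level SMB roles.

# Allow locally written scripts for this user only (the AzFilesHybrid scripts are
# unsigned); RemoteSigned still refuses unsigned scripts downloaded from the web.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

Set-Location "C:\Temp\AzFilesHybrid"       # assumed extraction path of AzFilesHybrid.zip
.\CopyToPSPath.ps1                          # copies the module onto PSModulePath
Import-Module -Name AzFilesHybrid

Connect-AzAccount
Select-AzSubscription -SubscriptionId "00000000-0000-0000-0000-000000000000"   # assumed placeholder

$rg = "AzureFileRG"
$sa = "cbazurefile"    # becomes the AD computer name, hence the 15-character limit
$ou = "OU=Azure Files,OU=CloudBuild,DC=CloudBuild,DC=co,DC=uk"
if ($sa.Length -gt 15) { throw "Storage account name exceeds the 15-character sAMAccountName limit" }

# Create the computer object in the OU and enable AD DS auth on the account.
Join-AzStorageAccountForAuth `
    -ResourceGroupName $rg `
    -StorageAccountName $sa `
    -DomainAccountType ComputerAccount `
    -OrganizationalUnitDistinguishedName $ou

# Check 1: the storage account now reports directory service "AD".
(Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).AzureFilesIdentityBasedAuth.DirectoryServiceOptions

# Check 2: the module's own end-to-end test (AD object, SPN, Kerberos keys, port 445).
Debug-AzStorageAccountAuth -StorageAccountName $sa -ResourceGroupName $rg -Verbose

# Share-level RBAC (steps 15-17). Scope the assignments to the share, not the
# whole storage account, so the same identities get nothing on other shares.
$share      = "cloudbuildshare"
$shareScope = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).Id +
              "/fileServices/default/fileshares/$share"

$admin = Get-AzADUser -UserPrincipalName "cbuser1@cloudbuild.co.uk"   # assumed UPN of the admin account
$users = Get-AzADGroup -DisplayName "WVD Users"
New-AzRoleAssignment -ObjectId $admin.Id -RoleDefinitionName "Storage File Data SMB Share Elevated Contributor" -Scope $shareScope
New-AzRoleAssignment -ObjectId $users.Id -RoleDefinitionName "Storage File Data SMB Share Contributor" -Scope $shareScope

# Check 3: only those two assignments exist at share scope.
Get-AzRoleAssignment -Scope $shareScope | Select-Object DisplayName, RoleDefinitionName

# Later, on a schedule: rotate the AD object's password (it is derived from the
# storage account's Kerberos keys), so AD hygiene scripts that key off pwdLastSet
# never see it as stale.
# Update-AzStorageAccountADObjectPassword -RotateToKerbKey kerb2 -ResourceGroupName $rg -StorageAccountName $sa
```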

18. Next we will require the storage account access key. Click the storage account, click Access keys, and copy either key1 or key2 to Notepad for now. Keep this key SAFE: it grants full control of the storage account and every file in it, bypassing the RBAC and NTFS permissions above. It is only needed for the one-off NTFS setup below, so remove the drive mapping afterwards and regenerate the key if it was pasted anywhere it shouldn't have been.

In the next steps i will mount the share and assign NTFS permissions

19. I will now run the command below to check that I can mount the new share. I'll be running it from my domain controller, but you can run it from any domain-joined machine. The first line is the template, the second is my own command with the key masked.

net use W: "\\<StorageAccountHere>.file.core.windows.net\<ShareNameHere>" /user:Azure\<StorageAccountNameHere> <StorageAccountKeyHere>
net use W: "\\cbazurefile.file.core.windows.net\cloudbuildshare" /user:Azure\cbazurefile XXXXXXXXXXXXXNacmCQY6CDV3SDQ2DUxosXXXXXXXXXXR2eiBJ/xKemkX5coX7xE2EFYtO6XXXXXXXX8V8XgWLg==

20. Success

And the file share has mounted

21. Let’s create a folder for FSLogix Profiles

22. Next we will set permissions to allow user profiles to be created and to prevent users from accessing other users' profiles:

Right click the Profiles folder
Click properties
Click the Security tab
Click the advanced button
Click the disable inheritance button

23. Click Convert inherited permissions into explicit permissions on this object

24. Next, click authenticated users and click remove

25. Click users and click remove

26. Next, click CREATOR OWNER and click edit

27. Untick Full Control and save

28. Next add WVD Users: click Add, click Select a principal, locate your WVD Users group and click OK

29. For the WVD Users permissions, select Modify and change Applies to to This folder only

30. Click ok and apply
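Steps 19 to 30 as an icacls script run from a domain-joined machine, as an added example that is not part of the original post. It produces the same ACL the clicks above do (inheritance broken, Authenticated Users and Users gone, CREATOR OWNER reduced to Modify on what it creates, WVD Users Modify on this folder only) and then removes the key-based mapping. Storage account, share, domain and group names are this lab's; the key is read from a prompt so it never sits in the script or the PowerShell history.

```powershell
# Added example (not from the original post): FSLogix Profiles folder ACL via icacls.

$sa     = "cbazurefile"
$share  = "cloudbuildshare"
$domain = "CloudBuild"               # assumed NetBIOS domain name
$group  = "$domain\WVD Users"
$root   = "\\$sa.file.core.windows.net\$share"

# Mount with the storage account key: temporary superuser access for the ACL
# work only. The key is typed in, not stored.
$key      = Read-Host -AsSecureString "Storage account key"
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($key)
$plainKey = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

net use W: $root "/user:Azure\$sa" $plainKey
if ($LASTEXITCODE -ne 0) { throw "Mount of $root failed" }
$plainKey = $null

New-Item -ItemType Directory -Path "W:\Profiles" -Force | Out-Null

# Steps 22-23: disable inheritance, keeping the inherited entries as explicit ones.
icacls "W:\Profiles" /inheritance:d
# Steps 24-25: drop the broad groups so users cannot list each other's folders.
icacls "W:\Profiles" /remove:g "NT AUTHORITY\Authenticated Users" "BUILTIN\Users"
# Steps 26-27: CREATOR OWNER keeps Modify (not Full Control) on what it creates,
# applied to subfolders and files only, so each user owns just their own container.
icacls "W:\Profiles" /remove:g "CREATOR OWNER"
icacls "W:\Profiles" /grant "CREATOR OWNER:(OI)(CI)(IO)M"
# Steps 28-29: WVD Users get Modify on this folder only (no OI/CI flags), enough
# to create their profile folder but nothing inside anyone else's.
icacls "W:\Profiles" /grant "${group}:M"

# Check: expect SYSTEM and Administrators (copied from inheritance), CREATOR OWNER
# with (OI)(CI)(IO)M and the WVD Users entry with M, and nothing else.
icacls "W:\Profiles"

# Remove the key-based mapping; from here on the share is reached via Kerberos.
net use W: /delete /y
```

Run it from an account that holds the Elevated Contributor role (the admin account from step 16) so the same identity can later adjust the ACL over SMB without the key.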

As a test, from a WVD session you should be able to map the share using its UNC path without being prompted for credentials:

\\STORAGE-ACCOUNT-NAME-HERE.file.core.windows.net\FILE-SHARE-NAME-HERE

The next post will continue with configuring the FSLogix Group Policy and installing the FSLogix Service. Click the following link to continue – Configure FSLogix Group Policy and Install FSLogix App

Configure FSLogix Group Policy and install FSLogix App

Reading Time: 5 minutes

Continuing from the previous post where I used Azure Files for FSLogix User Profile Data with WVD, I will now continue with creating a group policy for FSLogix settings, installing the FSLogix service and testing. You can check out the previous post by clicking the following link Use Azure Files for FSLogix User Profile Data with Windows Virtual Desktop

Before we get started, download the FSLogix templates from aka.ms/fslogix_download

The files will be required to allow you to configure FSLogix Group Policy settings.

  1. I start with logging into my domain controller and launch AD Users and Computers
  2. I created a new OU named WVD Session Hosts

3. I created a couple of WVD session hosts in a previous blog post. The blog post can be located at Deploying Windows Virtual Desktop in Microsoft Azure

I move the two hosts to my newly created OU. By default the session hosts were created in the Computers container

4. Both session hosts are now included in the new OU WVD Session Hosts

5. Now, back to the FSLogix files we downloaded at the beginning of this post

6. Copy the fslogix.admx file into the PolicyDefinitions folder of your domain's SYSVOL (the Group Policy Central Store), as shown below.

In my case I will be browsing to:
\\CloudBuild-Serv\SYSVOL\CloudBuild.co.uk\Policies\PolicyDefinitions

and will copy my admx file here as shown below. I had to create the PolicyDefinitions folder because this is a new domain controller. You may already have this folder in place.

7. Next I will copy the language file fslogix.adml

I will copy this file to the en-US subfolder of PolicyDefinitions. That folder didn't exist either because this is a new domain controller, so I created it.

8. Next launch Group Policy

9. Create a new policy. I have named my policy FSLogix Profiles

10. Right click and edit the policy

11. Expand Computer Configuration > Administrative Templates > FSLogix and click Profile Containers

12. Firstly, i’ll enable FSLogix

Double click Enabled, select Enabled and click OK

13. Next I will set the VHD location to where the FSLogix profiles will be stored, which is the UNC path of the Azure file share. Don't forget to add your Profiles folder to the end of the path. Save settings

14. Then click Size in MBs

The default is 30000 MB (about 30 GB); we'll change it to 20000 MB and save settings

15. Next, I click on Delete local profile when FSLogix Profile should apply and enable it

16. Click container and directory naming

17. Open Swap directory name components and enable it as shown below. Save

18. Next click Virtual disk type, enable it and select VHDX as shown below, then save

That’s it for configuring the GPO
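The six Profile Container settings from steps 12 to 18 written directly to the registry, as an added example that is not part of the original post. The FSLogix ADMX writes these same values under HKLM\SOFTWARE\FSLogix\Profiles on the session host, so this is what you would run when baking a gold image or checking a host that does not receive the GPO. The share path is this lab's.

```powershell
# Added example (not from the original post): FSLogix Profile Container settings
# applied and verified via the registry instead of Group Policy.

$profilesKey = "HKLM:\SOFTWARE\FSLogix\Profiles"
$vhdLocation = "\\cbazurefile.file.core.windows.net\cloudbuildshare\Profiles"

# Value name, registry type and value for each GPO setting in the post.
$settings = @{
    Enabled                              = @{ Type = "DWord";       Value = 1 }                 # step 12
    VHDLocations                         = @{ Type = "MultiString"; Value = @($vhdLocation) }   # step 13
    SizeInMBs                            = @{ Type = "DWord";       Value = 20000 }             # step 14
    DeleteLocalProfileWhenVHDShouldApply = @{ Type = "DWord";       Value = 1 }                 # step 15
    FlipFlopProfileDirectoryName         = @{ Type = "DWord";       Value = 1 }                 # step 17 (Swap directory name components)
    VolumeType                           = @{ Type = "String";      Value = "VHDX" }            # step 18
}

New-Item -Path $profilesKey -Force | Out-Null
foreach ($name in $settings.Keys) {
    $s = $settings[$name]
    New-ItemProperty -Path $profilesKey -Name $name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
}

# Check 1: read the values back.
Get-ItemProperty -Path $profilesKey | Select-Object Enabled, VHDLocations, SizeInMBs,
    DeleteLocalProfileWhenVHDShouldApply, FlipFlopProfileDirectoryName, VolumeType

# Check 2: the host can reach the path in VHDLocations. A typo here does not
# error at logon; users silently get a local temporary profile instead.
if (-not (Test-Path -LiteralPath $vhdLocation)) {
    Write-Warning "VHDLocations path $vhdLocation is not reachable from this host"
}
```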

19. I will now link the GPO to the OU i created earlier

20. Now we’re ready to install the FSLogix client. So, I have two Windows 10 session hosts that were deployed as part of a previous blog post. You can check the post at the following link Deploying Windows Virtual Desktop in Azure

I'm going to RDP to both and install the FSLogix client. If you have a base image, also known as a gold image, the application can be deployed to the base image. I will cover this in a separate blog post.

Here is what i did to install the FSLogix App

1. RDP to both Windows Session Hosts from my domain controller
2. Visit http://aka.ms/fslogix_download to download the FSLogix client
3. Extract the folder
4. Access the folders named x64 > Release
5. Run the FSLogixAppsSetup file
6. When ready to accept license agreement, click install

7. Run gpupdate /force
– Open command prompt on the session hosts
– Type gpupdate /force and enter
– Log off both hosts
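The install and policy refresh of steps 1 to 7 unattended, as an added example that is not part of the original post, with a signature check on the downloaded installer and the checks worth running before the first test logon. The extraction path is an assumption; /install /quiet /norestart are the installer's documented silent switches.

```powershell
# Added example (not from the original post): silent FSLogix Apps install on a
# session host, then verify the agent and the policy-delivered settings.

$setup = "C:\Temp\FSLogix\x64\Release\FSLogixAppsSetup.exe"   # assumed extraction path

# Supply-chain check before executing a downloaded installer: Microsoft signs it.
$sig = Get-AuthenticodeSignature -FilePath $setup
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Installer signature check failed: $($sig.Status)"
}

$proc = Start-Process -FilePath $setup -ArgumentList "/install", "/quiet", "/norestart" -Wait -PassThru
# 3010 means "reboot required", which is fine: the host is logged off next anyway.
if ($proc.ExitCode -notin 0, 3010) { throw "FSLogix install failed with exit code $($proc.ExitCode)" }

# Pull the FSLogix Profiles GPO now rather than waiting for the refresh interval.
gpupdate /target:computer /force | Out-Null

# Checks: the profile service exists and is running, the agent version is the one
# downloaded, and the GPO actually landed in the registry on this host.
Get-Service -Name frxsvc | Select-Object Name, Status, StartType
(Get-Item "$env:ProgramFiles\FSLogix\Apps\frx.exe").VersionInfo.ProductVersion
Get-ItemProperty -Path "HKLM:\SOFTWARE\FSLogix\Profiles" -Name Enabled, VHDLocations
```

If the last line errors with "property Enabled does not exist", the host is not in the WVD Session Hosts OU or the GPO link is missing; fix that before testing, because a session host without the policy simply gives users local profiles.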

8. Now the moment has arrived. We will be testing FSLogix

Login options via
– https://rdweb.wvd.microsoft.com/webclient/index.html
– Download and configure the Windows Virtual Desktop Client

9. Login with a user part of the WVD Users group

10. Let’s create a couple of test folders on the desktop

11. Now I need to log off and back on, but this time I want to log on to the second session host. I will enable drain mode on the host I am currently logged on to. Drain mode means that the host will not accept new sessions (existing sessions continue), similar to Maintenance mode in Citrix.


12. To enable drain mode on the WVD session host that i am currently logged onto:
– Log in to the Azure Portal
– Click Windows Virtual Desktop
– Click Host Pools
– Click on the host pool
– Click Session hosts from the left pane
– Click the session host showing an active session

13. Enable Drain mode

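Steps 12 and 13 via the Az.DesktopVirtualization module, as an added example that is not part of the original post: find the host holding the test user's session, put that host in drain mode, and confirm another host is still accepting logons before logging off. Resource group, host pool and user names are assumptions for this lab.

```powershell
# Added example (not from the original post): drain the session host the test
# user is on so the next logon lands on the other host.

$rg   = "WVD-RG"                     # assumed resource group of the host pool
$pool = "CloudBuild-HostPool"        # assumed host pool name
$upn  = "cbuser1@cloudbuild.co.uk"   # assumed test user

# Which host is the test user on?
$session = Get-AzWvdUserSession -ResourceGroupName $rg -HostPoolName $pool |
    Where-Object { $_.UserPrincipalName -eq $upn -and $_.SessionState -eq 'Active' } |
    Select-Object -First 1
if (-not $session) { throw "No active session for $upn" }
# Session name is "<hostpool>/<sessionhost>/<id>"; the middle part is the host.
$hostName = ($session.Name -split '/')[1]

# Drain: keep the existing session, refuse new ones.
Update-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool -Name $hostName -AllowNewSession:$false | Out-Null

# Check: the drained host shows AllowNewSession False and at least one other host
# is Available and accepting sessions, otherwise the test logon will fail.
$hosts = Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool |
    Select-Object Name, AllowNewSession, Status, Session
$hosts
if (-not ($hosts | Where-Object { $_.AllowNewSession -and $_.Status -eq 'Available' })) {
    Write-Warning "No host is accepting sessions: the test logon would fail"
}

# After the test, put the host back in service:
# Update-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool -Name $hostName -AllowNewSession:$true
```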

14. Log off and log back on

15. And here are the two folders we created on the desktop



16. Now let's access the Azure file share and check the profile

Success

I am logged onto the second host, whilst Drain mode is enabled on the other host


Stay tuned for further WVD posts 🙂

How to install and configure Windows Desktop client

Reading Time: 2 minutes

In this blog post I will go through the process of connecting to a Windows Virtual Desktop (WVD) solution via the Virtual Desktop Client

In previous blog posts, I have used the web client for testing by browsing to
https://rdweb.wvd.microsoft.com/webclient/index.html

1. Firstly, I will download the Windows Desktop Client
2. I’ll be downloading the 64 bit version


3. Double click the install file, click next

4. Accept the license terms when ready to do so and click next

5. Click Install

6. Click subscribe or subscribe with url depending on what your organisation has provided. In my case, I’ll be clicking subscribe.

7. Sign in with your credentials

8. Wait for resources to load

9. And we’re in

The below WVD related posts may also be of interest to you:

Deploying Windows Virtual Desktop in Microsoft Azure
Windows Virtual Desktop Application Group Creation
Windows Virtual Desktop Pooled vs Personal Desktops