In this blog post I will go through enabling password expiration within the Microsoft 365 portal. I will also go through the default password options within Azure AD.
Note: this only applies if you're using a Microsoft cloud-only setup. Also, at the time of writing this post, Azure AD does not allow configuring password expiration from the portal. You must do this via PowerShell or from the 365 portal, as we will be doing now.
1. Log in to portal.office.com
2. Click Settings and then Org settings
3. Click Security & privacy
4. Click Password and expiration policy
5. By default passwords are set to never expire. Click the option "Set user passwords to expire after a number of days"
6. Configure the settings as required, or leave the defaults, and click Save
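The same policy can be set and audited from PowerShell, which the note above says is the only non-portal route. The following is an added example, not the post's own commands; it assumes the MSOnline module and uses "contoso.com" as a placeholder for your verified domain.

```powershell
# Added example (not from the original post): set and audit the tenant password
# expiration policy with the MSOnline module. Assumes the MSOnline module is
# available and that "contoso.com" is a placeholder for your verified domain.
Install-Module -Name MSOnline -Scope CurrentUser -Force   # skip if already installed
Connect-MsolService                                       # interactive sign-in

$domain = "contoso.com"                                   # placeholder domain name

# Show the current policy. A ValidityPeriod of 2147483647 means passwords never
# expire, which is the tenant default the post describes.
Get-MsolPasswordPolicy -DomainName $domain

# Expire passwords after 90 days and warn users 14 days before expiry
# (the same two values the portal page asks for).
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 90 -NotificationDays 14

# A per-user PasswordNeverExpires flag overrides the domain policy, so list
# the accounts that are exempt before assuming the policy covers everyone.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp |
    Sort-Object UserPrincipalName

# Bring a single exempt account back under the domain policy
Set-MsolUser -UserPrincipalName "user@$domain" -PasswordNeverExpires $false
```

The last two commands are the check most people miss: the domain-level policy only applies to accounts that do not carry the per-user never-expire flag, so an audit of that flag belongs next to any change of the policy.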
Moving on, let’s take a look at the default Azure password configuration
1) Click the link to launch the Azure Active Directory admin center
2) Click Azure Active Directory
3) Click Security from the left pane
4) Click Authentication Methods
5) Click Password protection
6) and here are the default settings
The Audit/Enforce option applies to the custom list of banned passwords. If set to Enforce, users are prevented from setting banned passwords and the attempt is blocked. If set to Audit, the attempt is only logged.
In a previous post I created and deployed two Windows Virtual Desktop session hosts using a Windows 10 image (without 365 Apps) from the Azure Marketplace. I manually installed the FSLogix app on both session hosts, configured Azure File shares as the profile location and configured FSLogix application masking. The purpose of going through the process was to demonstrate how to set up a basic Windows Virtual Desktop solution within Azure.
In this blog post I will go through the process of building a Windows 10 image with 365 Apps included, and install a few apps such as Google Chrome, Firefox, Adobe Reader and Notepad++. I will then optimise the image as per Microsoft best practice. Let's get started.
You can follow my Windows Virtual Desktop journey by visiting the blog posts I created previously.
1. Create a temporary VM to build the image on:
   - Click Virtual Machines, then click Add.
   - Create a temporary resource group (this resource group will be deleted later).
   - Select the Windows 10 multi-session image. At the time of writing this blog post the latest version was Windows 10 Enterprise multi-session, Version 2004 + Microsoft 365 Apps.
   - Select your VM size.
   - Set a local admin username and password.
   - This is a temporary setup in a lab environment: I'll be connecting to this VM externally via RDP to allow me to configure further settings. Avoid allowing RDP externally.
   - Confirm your license status and continue when ready.
   - Click Next and review the disk setup.
   - Click Next to move on to networking and select your VNET and subnet.
   - Click Next to move on to management (no boot diagnostics or auto shutdown, as the VM will be deleted later as part of the capture process).
   - Click Review + create and then click Create when validation passes.
We now have a Windows 10 VM ready. Let's log in to the newly built VM.
4. Because we selected the image with 365 Apps, the apps are pre-installed
Check that the VM is up to date with the latest Windows updates
10. Extract the folder to disk C (See example below)
11. Launch PowerShell ISE from the Start menu (right-click and run as administrator)
12. Click View and click Show Script Pane if not already selected
13. Click file and browse to file Win10_VirtualDesktop_Optimize located at C:\OptimizationTool\Virtual-Desktop-Optimization-Tool-master, and click open
14. Scroll down and study the script
You can amend the configuration files to keep any features you don't want the script to disable.
In my case, I downloaded the Windows 10 2004 image, so my configuration files are located at C:\OptimizationTool\Virtual-Desktop-Optimization-Tool-master\2004\ConfigurationFiles
15. For the purpose of this demo, I will be running the script as it comes (note that I typed 2004 as that's the image version I am using)
Run the script when ready with a few additional switches
You will lose network connectivity for a couple of seconds but will auto connect to the session so not to worry.
16. Completed – total run time was 3 minutes and 50 seconds and a reboot is required. Reboot the VM
17. VM rebooted and we’re back in
Before optimising the VM, I took a snapshot of the performance stats from Task Manager. Check out the stats below.
18. Now, we sysprep the VM
Select Generalize, and choose Shutdown from the drop-down
19. VM shutdown
20. We now capture the VM so it can be used as the base image when deploying our WVD host pool. Click the VM and click Capture
21. Input details (See example below)
Shared Image Gallery is a service that helps you build structure and organisation around your managed images. You will be able to replicate your images globally, maintain versions, and more. See Microsoft's documentation on Shared Image Gallery for more information.
22. Review + Create
23. The VM is deleted, but earlier in the post I deployed the original VM to a temporary resource group. The VM has been removed from the console, yet the resource group and some of the VM's components remain.
We created a new resource group for our base image, so this one is no longer required. Take care when deleting a resource group and ensure there are no other services you require still making use of it.
And we're done.
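The capture and clean-up in steps 18 to 23 can also be scripted, which makes the "what is left in the temporary resource group" check explicit rather than a glance at the portal. This is an added example, not from the original post; resource group, VM and image names are placeholders, and it assumes the Az module and a VM that sysprep has already shut down.

```powershell
# Added example (not from the original post): PowerShell equivalent of capturing the
# generalised VM as a managed image in its own resource group, then listing what is
# left in the temporary group before deleting it. All names below are placeholders.
Connect-AzAccount

$tempRg    = "rg-wvd-temp"            # group the temporary build VM lives in
$vmName    = "wvd-image-vm"
$imageRg   = "rg-wvd-images"          # group that will keep the image
$imageName = "win10-ms-2004-m365-v1"
$location  = "uksouth"

# After sysprep the VM is stopped; it must be deallocated and marked generalised
Stop-AzVM -ResourceGroupName $tempRg -Name $vmName -Force
Set-AzVM  -ResourceGroupName $tempRg -Name $vmName -Generalized

$vm = Get-AzVM -ResourceGroupName $tempRg -Name $vmName
New-AzResourceGroup -Name $imageRg -Location $location -Force | Out-Null
$imageConfig = New-AzImageConfig -Location $location -SourceVirtualMachineId $vm.Id
$image = New-AzImage -ResourceGroupName $imageRg -ImageName $imageName -Image $imageConfig
"Image created: $($image.Id)"

# Deleting the VM leaves its OS disk, NIC, public IP and NSG behind, exactly as the
# portal does in step 23. List them so nothing shared is removed by accident.
Remove-AzVM -ResourceGroupName $tempRg -Name $vmName -Force
$leftovers = Get-AzResource -ResourceGroupName $tempRg | Select-Object Name, ResourceType
$leftovers | Format-Table -AutoSize

# Remove the whole group only after confirming it holds nothing still in use
if ((Read-Host "Delete $tempRg and the $($leftovers.Count) resources above? (y/n)") -eq 'y') {
    Remove-AzResourceGroup -Name $tempRg -Force
}
```

The image lands in its own resource group, so the temporary group can be removed without touching the capture; the confirmation prompt is there because Remove-AzResourceGroup deletes everything in the group, not just the VM leftovers.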
When creating your host pool, click the link "Browse all images and disks"
Click My Items and select your image
I won't go through the process of creating a WVD host pool as I have covered this in previous posts. See the links posted at the beginning of this post.
I have created a WVD Pool and selected my custom image
You'll find that the source is no longer Marketplace. See the example below
Let's log in to the WVD web client
We're in. The apps we installed earlier are visible
365 Apps are also visible
The VMs were automatically added to the domain and are visible within my selected OU in Active Directory
In this blog post I will be configuring FSLogix Application Masking. Application Masking is used to manage user access of installed components. Application Masking can be used in both physical and virtual environments. Application Masking is most often applied to manage non-persistent, virtual environments, such as Virtual Desktops.
Application Masking manages access to applications, fonts and other items based on criteria. The Application Rules Editor is used to describe the item to be managed, such as an application, and to define the criteria by which the rules are applied. For instance, GitHub should be hidden from the Accounting group. Things you can do with the Apps Rules Editor:
Create new Rule Sets
Edit existing Rule Sets
Manage the user and group assignments for Rule Sets
Temporarily test Rule Sets
In this blog post, I will configure application masking on my WVD session hosts. Let’s get started.
1) Log in to the Azure Portal at portal.azure.com
2) For the purpose of this demo, I already have a domain controller, WVD session hosts and AD sync to Azure AD (AD Connect) configured. I have powered on all the required VMs within the Azure Portal.
3) Before we get started, I'll create a WVD admin account. The default domain admin account is a protected admin account; therefore it is not synced to Azure AD and will not have access to resources in Azure such as the Azure File share. I have set up a new account within Active Directory named WVDAdmin, granted it domain admin and also added it to my previously created WVD Users group. I have also created a new group named Sales and added users to the group. I will be using the Sales group when configuring my FSLogix rule set assignment and testing.
4) If you have just created your objects within AD, sync the accounts to Azure AD by running the PowerShell command below. You could also wait for the default 30-minute sync interval.
5) Next, I will be installing the FSLogix Rules Editor on a Windows 10 image outside of the Windows Virtual Desktop environment. This VM must be a duplicate of your Windows Virtual Desktop session host to avoid issues when testing. I will also configure Rule Sets. Rule Sets are assigned to users, groups and other entities using the Rules Editor. Before using the Application Rules Editor, it must be installed. Let's get started by logging in to a VM outside of the WVD platform (log in as WVDAdmin) and downloading and installing the Rules Editor from the following link: FSLogix Rules Editor
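Steps 3 and 4 above, the account and group creation on the domain controller and the delta sync from the Azure AD Connect server, as an added example that is not part of the original post. Domain, OU, member and server names are placeholders; it assumes the ActiveDirectory module on the host you run it from and WinRM access to the AD Connect server.

```powershell
# Added example (not from the original post): create the WVDAdmin account and the
# Sales group described in step 3, then trigger the delta sync from step 4 instead
# of waiting for the 30-minute interval. Domain, OU, members and the AD Connect
# server name are placeholders.
Import-Module ActiveDirectory

$domainDns = "lab.local"
$ouPath    = "OU=WVD,DC=lab,DC=local"
$aadcHost  = "aadconnect01.lab.local"      # Azure AD Connect server

# WVDAdmin account; the password is read interactively so it never sits in the script
$pwd = Read-Host -Prompt "Password for WVDAdmin" -AsSecureString
New-ADUser -Name "WVDAdmin" -SamAccountName "WVDAdmin" `
    -UserPrincipalName "WVDAdmin@$domainDns" -Path $ouPath `
    -AccountPassword $pwd -Enabled $true

# Group memberships the post gives the account: the existing WVD Users group and Domain Admins
Add-ADGroupMember -Identity "WVD Users"     -Members "WVDAdmin"
Add-ADGroupMember -Identity "Domain Admins" -Members "WVDAdmin"

# Sales group used later for the rule set assignment, with two placeholder members
New-ADGroup -Name "Sales" -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity "Sales" -Members "cloudbuild2", "cloudbuild3"

# Confirm the memberships before syncing; this is what the AD reporting test later relies on
Get-ADGroupMember -Identity "Sales" | Select-Object SamAccountName
Get-ADPrincipalGroupMembership -Identity "WVDAdmin" | Select-Object Name

# Push the new objects to Azure AD now, from the AD Connect server
Invoke-Command -ComputerName $aadcHost -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Start-ADSyncSyncCycle -PolicyType Delta is the command the post refers to in step 4; a delta cycle only pushes objects changed since the last sync, so it completes quickly and the new account and group appear in Azure AD within a few minutes.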
Visit the link above and read through the licensing and entitlement section. When ready, download FSLogix and extract the folder
6) FSLogix downloaded and folder extracted. Open the extracted folder, go to x64 > Release and run FSLogixAppsRuleEditorSetup
7) Agree to the license terms and conditions and click Install when ready
8) Launch the Rules Editor application (right-click and run as administrator)
9) Click File and then New, or click the New icon towards the top of the application
10) For the purpose of this demo, I will hide Notepad, so I will name my rule HideNotepad as shown below. Click "Enter file name" when done
11) A few options appear which may be of interest to you. For the purpose of this demo, I will be creating a Blank Rule Set and clicking OK
If your app is already installed and visible, click "Choose from installed programs". This is another reason why you must run the Rules Editor from a VM which matches the session hosts running within your WVD pool
12) Next, click on the + icon to create a new rule, as shown below
13) There are a number of options to choose from.
Hiding Rule – hides the specified items using specified criteria
Redirection Rule – causes the specified item to be redirected as defined
App Container Rule – redirects the specified content into a VHD
Specify Value Rule – assigns a value for the specified item
14) For this demo, I will be using the Hiding Rule. Click Browse and, because I will be hiding the Notepad application, select File. Other options are available depending on what component you wish to create a rule for.
15) Browse to the application .exe located in the System32 folder.
16) Click OK and then click Yes
17) The above will hide notepad.exe located in the System32 folder, but we now need to hide the shortcut which appears in the Start menu
Click the + icon to create another rule
Note that the path includes the username you're currently logged on with: C:\Users\WVDADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories. Ensure you change the username to * as shown below.
18) Create another rule within the existing set and hide notepad.exe located within C:\Windows\ as shown below
19) Before rolling this out, testing would be useful. FSLogix offers a testing feature. The check box icon highlighted below allows you to test the rule on the system you're on. I previously mentioned that it's important to install the Rules Editor on a VM outside of your WVD solution that is a duplicate of your session hosts.
20) With the check box enabled, check whether Notepad is still accessible
You'll find that when you click Notepad from the Start menu, nothing happens. The icon is still visible within the Start menu because the Start menu has already been built; it will disappear when we test by assigning the policy shortly. You will find that notepad.exe has disappeared from the C:\Windows and C:\Windows\System32 folders
21) Uncheck the testing box and click the Manage Assignments icon as shown below
22) For this demo, I will be hiding Notepad for the Sales group
Please note that assignments are evaluated from top to bottom. For example, suppose two assignments are made for the same Rule Set: the first applies the Rule Set to Everyone, and the second specifies that the Rule Set does NOT apply to the Sales group. In this case, the Rule Set would apply to everyone except the Sales group.
If the assignments above are reversed, so Everyone is after the exclusion Sales Group, the Rule Set would apply to Everyone including the Sales Group.
23) By default the rule applies to no one. I only want to allow users within the Sales group to access Notepad. Note that if you click on Everyone below, the option is set to "Rule Set does not apply to user/group".
Click Add; for this demo I will be selecting a group. There are a number of options available in case you wish to apply the assignment to something other than a group.
24) I select an existing group named Sales and apply the rule for everyone apart from Sales
The rule set below will prevent all users except members of the Sales group from accessing Notepad.
25) Click Save, or Save All if you have created further Rule Sets.
26) FSLogix provides a feature named AD Reporting to test permissions. See the icon below
27) Click the AD reporting icon displayed above and click new query as shown below
28) Let's test by inputting the details of a member of the Sales group. The assignment will not apply, because the assignment allows members of the Sales group access to Notepad.
29) And now let's test a user outside the Sales group. The assignment will apply
30) Save your Rule Sets if you have not already done so. We can now move on to applying the Rule Sets to our session hosts
31) Browse to the location where the FSLogix Rule Sets are saved and copy the rules. See below
32) The next step involves rolling out the files to your session hosts. You could use automation tools to copy the files to your session hosts.
The following files need to be copied:
Copy files from: Documents\FSLogix Rule Sets
to: C:\Program Files\FSLogix\Apps\Rules
You'll find that a number of files are automatically created by the FSLogix application in the CompiledRules location after copying the files. The files are copied to the Rules folder, and the automatically created files are compiled into the CompiledRules folder.
In a production environment, you will want to create a network share holding a copy of the Rule Sets, from where you can automate copying the files to your session hosts and update them as and when required from one central location.
For the purpose of testing, I have copied the files directly to one of my two session hosts and placed the other one into drain mode so it's not available when I log in to WVD to test
Before copying files, both folders are empty
After copying the files to the Rules folder only, files are automatically created in the CompiledRules folder as shown below
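The central-share roll-out described in step 32, including the check that CompiledRules has been populated and the drain-mode step used for testing, as an added example that is not part of the original post or of FSLogix. Share path, host names, host pool and resource group are placeholders; it assumes WinRM access to the session hosts and the Az.DesktopVirtualization module for the drain-mode call.

```powershell
# Added example (not from the original post or FSLogix): copy the rule set files from
# a central share to each session host, confirm FSLogix has produced its CompiledRules
# output, and optionally put one host into drain mode for testing. All paths and names
# below are placeholders.
$share        = "\\fileserver\FSLogixRules"   # central copy of Documents\FSLogix Rule Sets
$sessionHosts = @("wvd-sh-01.lab.local", "wvd-sh-02.lab.local")
$rulesPath    = "C:\Program Files\FSLogix\Apps\Rules"
$compiledPath = "C:\Program Files\FSLogix\Apps\CompiledRules"
$drainHost    = "wvd-sh-02.lab.local"         # host kept out of the test; $null to skip
$hostPoolRg   = "rg-wvd"
$hostPool     = "hp-wvd"

# A rule set is a pair of files: .fxr holds the rules, .fxa the assignments
$ruleFiles = Get-ChildItem -Path $share -Include *.fxr, *.fxa -Recurse -File
if (-not $ruleFiles) { throw "No .fxr/.fxa files found in $share" }

foreach ($sh in $sessionHosts) {
    $session = New-PSSession -ComputerName $sh
    # Copy through the PowerShell session so the session host needs no rights on the share
    foreach ($f in $ruleFiles) {
        Copy-Item -Path $f.FullName -Destination $rulesPath -ToSession $session -Force
    }
    # FSLogix compiles the rules on its own; wait briefly, then compare the two folders
    Invoke-Command -Session $session -ScriptBlock {
        param($rules, $compiled)
        Start-Sleep -Seconds 5
        [pscustomobject]@{
            Host     = $env:COMPUTERNAME
            Rules    = (Get-ChildItem -Path $rules -File | Measure-Object).Count
            Compiled = (Get-ChildItem -Path $compiled -File | Measure-Object).Count
        }
    } -ArgumentList $rulesPath, $compiledPath
    Remove-PSSession $session
}

# Drain mode: existing sessions stay, no new sessions are brokered to this host
if ($drainHost) {
    Update-AzWvdSessionHost -ResourceGroupName $hostPoolRg -HostPoolName $hostPool `
        -Name $drainHost -AllowNewSession:$false
}
```

A Compiled count of zero for a host means the FSLogix service has not picked the files up yet (or the .fxa file is missing), which is worth knowing before logging in to test, since a rule set with no compiled output hides nothing.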
Time for testing
I'll log in with a user who is not part of the Sales group
Notepad is no longer available in the Start menu, because user cloudbuild1 is not part of the Sales group and therefore can no longer see it.
And the notepad.exe file is no longer visible
Thanks for reading and stay tuned for further posts
In this blog post I will deploy virtual servers within the Azure Portal using PowerShell via Azure Cloud Shell.
1) Log in to the Azure Portal at portal.azure.com
2) Click the Cloud Shell icon found towards the top of the portal
3) Click PowerShell
4) Click Create Storage. If you want to configure custom settings, click Show Advanced Settings
5) and we’re connected
6) Before creating a virtual machine, I will create a resource group into which I will deploy my new VM. My new resource group is named CloudBuildPSRG (PS for PowerShell and RG for Resource Group). My location is UK South. You could create this resource group as part of the VM build command further down this blog post, but for the purpose of this demo, I will create the resource group first.
-ResourceGroupName "CloudBuildPSRG" – I will use the existing resource group that I created earlier in this blog post. In the event the resource group does not exist, a new resource group will be created.
-Name "CloudBuildPSVM" – This is the name of the VM
-Location "UK South" – The VM will be built in the UK South region
-VirtualNetworkName "CloudBuild-PSVNET" – I am creating a new VNET, but you could also use an existing VNET name if you have already created one
-SubnetName "subnet1" – A new subnet will be created named subnet1. Again, you could use an existing one by specifying its name.
-SecurityGroupName – Name of the NSG (Network Security Group) for the VM
-PublicIpAddressName "GBPublicIpAddress" – For the purpose of this lab, I will be creating a public IP address. This is something you don't want to do for a production server. You could use Azure Bastion to connect to a VM from the portal, or connect to the VM from your internal network over VPN.
-OpenPorts 80,3389 – Opens ports within the NSG (Network Security Group) to allow access to the web service and Remote Desktop access. My next blog post will include the installation of IIS via PowerShell and testing access externally.
10) Let's continue with running the script. After triggering the script, you're prompted to create a new local admin username and password for the VM.
And the machine build is in progress
VM build successful
11) Let's check the status of the VM
Get-AzVM -Name CloudBuildPSVM
12) Let's check the Azure Portal. There it is. The VM has been deployed in my existing resource group CloudBuildPSRG
13) I'll now obtain the public IP address of the VM so I can connect to it. (Note that this is a demo. In a production environment you don't want to allow RDP access externally.) The public IP could also be obtained from the Azure Portal, but as we're doing everything within PowerShell, let's continue with PowerShell.
Here is the command I will run to obtain the public IP address of my newly created VM
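The Cloud Shell commands behind steps 6 to 13, assembled from the parameter values listed above, as an added example that is not the post's own screenshot. The NSG name is a placeholder because the post does not show it; the last command lists the NSG rules that -OpenPorts created, which is the quickest way to see exactly what the public IP exposes.

```powershell
# Added example (not the post's own screenshot): the New-AzVM call built from the
# parameters explained above, followed by the status, public IP and NSG checks.
# "CloudBuildPSNSG" is a placeholder; the post does not show its NSG name.
$rg       = "CloudBuildPSRG"
$location = "UK South"
$vmName   = "CloudBuildPSVM"
$nsgName  = "CloudBuildPSNSG"

# Step 6: create the resource group first (New-AzVM would also create it if missing)
New-AzResourceGroup -Name $rg -Location $location

# Step 10: the local admin credential prompt, then the simplified New-AzVM call
$cred = Get-Credential -Message "Local admin username and password for the VM"
New-AzVM -ResourceGroupName $rg `
    -Name $vmName `
    -Location $location `
    -VirtualNetworkName "CloudBuild-PSVNET" `
    -SubnetName "subnet1" `
    -SecurityGroupName $nsgName `
    -PublicIpAddressName "GBPublicIpAddress" `
    -OpenPorts 80,3389 `
    -Credential $cred

# Step 11: power and provisioning state of the VM
Get-AzVM -ResourceGroupName $rg -Name $vmName -Status |
    Select-Object -ExpandProperty Statuses |
    Select-Object Code, DisplayStatus

# Step 13: the public IP to connect to
(Get-AzPublicIpAddress -ResourceGroupName $rg -Name "GBPublicIpAddress").IpAddress

# What -OpenPorts actually did: inbound rules, their source prefix and ports.
# A SourceAddressPrefix of * on 3389 is the external RDP exposure the post warns about.
Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName |
    Get-AzNetworkSecurityRuleConfig |
    Select-Object Name, Direction, Access, SourceAddressPrefix, DestinationPortRange
```

Keep the resource group and names in variables as above; the second VM later in the post reuses the same VNET, subnet and NSG, so the values only need changing in one place.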
This process creates a Windows Server 2016 Datacenter VM, but what if you want to use a different image available within the Microsoft Azure Marketplace?
Let's continue with building another VM, but this time specifying which image we want to use.
15) Type Get-AzVMImageOffer -Location "UK South" -PublisherName "MicrosoftWindowsServer"
A Marketplace image in Azure has the following attributes:
Publisher: The organisation that created the image. Examples: Canonical, MicrosoftWindowsServer
Offer: The name of a group of related images created by a publisher. Examples: UbuntuServer, WindowsServer
SKU: An instance of an offer, such as a major release of a distribution. Examples: 18.04-LTS, 2019-Datacenter
Version: The version number of an image SKU.
MicrosoftWindowsServer is a VM publisher name. If you want to view all VM image publishers available within the Marketplace in the UK South region, the command is as follows: Get-AzVMImagePublisher -Location "UK South"
16) Here are the results from step 15. The results show that a number of offers from the MicrosoftWindowsServer publisher are available in the UK South region. I will be using WindowsServer
17) We now dig deeper and find out what images are available within the WindowsServer offer
Note: -AsJob allows the command to run in the background, so you can use PowerShell for other tasks and don't have to wait for the script to complete, as you'll see from the results below.
latest – as the version value, requests the latest available version of the image
After running the script above, as you can see from the screenshot below, the output is different because of the additional -AsJob parameter. The job is now running in the background, which means I don't have to wait for PowerShell to complete the process.
20) And we have successfully deployed a Windows Server 2012 R2 Datacenter VM
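The publisher, offer, SKU and version walk described above, ending in a background deployment of the 2012 R2 image, as an added example that is not part of the original post. It reuses the post's resource group and VNET names; the NSG name and the second VM's name are placeholders.

```powershell
# Added example (not from the original post): walk the publisher -> offer -> SKU ->
# version hierarchy, then deploy the 2012 R2 image as a background job. The NSG
# name and the second VM's name are placeholders.
$location  = "UK South"
$publisher = "MicrosoftWindowsServer"
$offer     = "WindowsServer"
$sku       = "2012-R2-Datacenter"

# Steps 15/16: offers published by MicrosoftWindowsServer in this region
Get-AzVMImageOffer -Location $location -PublisherName $publisher |
    Select-Object Offer

# Step 17: SKUs inside the WindowsServer offer
Get-AzVMImageSku -Location $location -PublisherName $publisher -Offer $offer |
    Select-Object Skus

# The concrete versions "latest" will resolve from, newest first
Get-AzVMImage -Location $location -PublisherName $publisher -Offer $offer -Skus $sku |
    Sort-Object { [version]$_.Version } -Descending |
    Select-Object -First 3 Version

# Deploy with an explicit image reference (publisher:offer:sku:version) as a job
$cred = Get-Credential -Message "Local admin for the 2012 R2 VM"
$job = New-AzVM -ResourceGroupName "CloudBuildPSRG" -Name "CloudBuildPSVM2" -Location $location `
    -VirtualNetworkName "CloudBuild-PSVNET" -SubnetName "subnet1" `
    -SecurityGroupName "CloudBuildPSNSG" -PublicIpAddressName "GBPublicIpAddress2" `
    -Image "$publisher:$offer:$sku:latest" `
    -Credential $cred -AsJob

# The prompt returns immediately; poll the job, then collect the VM object when done
Get-Job -Id $job.Id | Select-Object Id, State
$vm = Receive-Job -Job $job -Wait
# Confirms which publisher/offer/SKU/version the VM was actually built from
$vm.StorageProfile.ImageReference
```

Pinning the version instead of using latest (replace the final segment of the -Image string with one of the versions listed) is the way to get repeatable builds; latest is convenient in a lab but silently changes the base image over time.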