Monitor Windows Virtual Desktop with Azure Monitor

Reading Time: 7 minutes

With an Azure virtual machine you get host CPU, disk and up/down state of your VMs out of the box.  Enabling additional monitoring capabilities provides insights into the performance and dependencies for your virtual machines.You will be billed based on the amount of data ingested and your data retention settings.

Note: It can take between 5-10 minutes to configure the virtual machine and the monitoring data to appear.

In this blog post I will be going through the process of monitoring my Windows Virtual Desktop session hosts via Azure monitor. I will configure an Azure Log Analytics Workspace, enable diagnostic settings for my host pool, application group and workspace. I will also enable diagnostic settings for Azure AD user sign ins. Finally, I will create a workbook to provide a visual display of stats from my WVD solution.

Let’s get started

Create an Azure Log Analytics Workspace

1. Login to the Azure Portal portal.azure.com
2. Locate and click Log Analytics Workspace

3. Click Add

4. Complete details for your new Log Analytics Workspace. For the purpose of this demo, I have inputted the details below.

5. Click next to move onto pricing tier. There is only one option available

6. Click review + create, allow validation to pass and click create


7. Next, let’s enable diagnostics starting within the Windows Virtual Desktop Host pool. Click Windows Virtual Desktop or locate via the search box

8. Click Host pools

9. Click your host pool

10. Click Diagnostic Settings

11. Click + Add diagnostic setting

12. Select the required log categories

13. Click the option to send to Log Analytics workspace and input a name. When done, click save. That’s the host pool diagnostics linked up to the new Log Analytics Workspace.

Note: If you receive the below error after clicking save, wait a couple of minutes and click save again. The resource does register after the error message appears. If you want to confirm microsoft.insights has registered:

– Click your subscription
– Click Resource Providers from the left pane
– Locate microsoft.insights

Failed to update diagnostics for ‘ ‘.{“code”:”SubscriptionNotRegistered”,”message”:”The subscription ‘0000000-0000-0000-0000-00000000000’ is not registered to use microsoft.insights.”}.

14. Repeat the steps (10 – 13) for Application Groups, Workspaces and also Azure AD Sign in Logs (Name accordingly)

Note the message about requiring Azure AD Premium when clicking user sign ins within Azure AD Diagnostic Settings. This refers to Azure Heat Map only that won’t work unless you have an AD P1 or P2 license.

15. Let’s enable the workspace agent on the session hosts. Locate Azure Monitor and click

16. Select Virtual Machines from the left pane

17. Click not monitored

18. Click enable against each session host you wish to deploy the agent

19. Click enable and perform the same step for the remaining session hosts you wish to install the agent

20. Select your workspace and click enable




The process may take up to 10 minutes

21. Once enabled, click your Log Analytics Workspace and click Advanced settings located in the left pane

22. Click Data and Windows Performance Counters


23. There were 36 performance and diagnostic counters to add at the time of writing this post. Travis Roberts has created a power shell script to automate the adding of these performance counters. The script is available to at performance and diagnostic data

You also have the option to add them manually (36 to add)

At the time of writing this blog post there was a limit of 20 performance counters which can be added at once through the Azure Portal. If adding manually, ensure you add the counters in batches to avoid the error below. Add batch one, save and then add batch two, or break down into smaller batches and save after each batch.


If adding manually, add the performance counter, click the blue + button and change the sample interval from 10 seconds to 60 seconds to avoid high costs


At the time of writing this blog post, the up to date performance counters are listed below (Visit Travis Roberts Git Hub page for the most up to date list)

‘Terminal Services Session()\% Processor Time’,
‘Terminal Services()\Active Sessions’,
‘Terminal Services()\Inactive Sessions’,
‘Terminal Services()\Total Sessions’,
‘LogicalDisk()\% Free Space’,
‘LogicalDisk()\Avg. Disk sec/Read’,
‘LogicalDisk()\Avg. Disk sec/Write’,
‘LogicalDisk()\Current Disk Queue Length’,
‘LogicalDisk()\Disk Reads/sec’,
‘LogicalDisk()\Disk Transfers/sec’,
‘LogicalDisk()\Disk Writes/sec’,
‘LogicalDisk()\Free Megabytes’,
‘Processor(_Total)\% Processor Time’,
‘Memory()\% Committed Bytes In Use’,
‘Network Adapter()\Bytes Received/sec’,
‘Network Adapter()\Bytes Sent/sec’,
‘Process()\% Processor Time’,
‘Process()\% User Time’,
‘Process()\IO Read Operations/sec’,
‘Process()\IO Write Operations/sec’,
‘Process()\Thread Count’,
‘Process()\Working Set’,
‘RemoteFX Graphics()\Average Encoding Time’,
‘RemoteFX Graphics()\Frames Skipped/Second – Insufficient Client Resources’, ‘RemoteFX Graphics()\Frames Skipped/Second – Insufficient Network Resources’,
‘RemoteFX Graphics()\Frames Skipped/Second – Insufficient Server Resources’, ‘RemoteFX Network()\Current TCP Bandwidth’,
‘RemoteFX Network()\Current TCP RTT’,
‘RemoteFX Network()\Current UDP Bandwidth’,
‘RemoteFX Network()\Current UDP RTT’,
‘PhysicalDisk()\Avg. Disk Bytes/Read’,
‘PhysicalDisk()\Avg. Disk Bytes/Write’,
‘PhysicalDisk()\Avg. Disk sec/Write’,
‘PhysicalDisk()\Avg. Disk sec/Read’,
‘PhysicalDisk()\Avg. Disk Bytes/Transfer’,
‘PhysicalDisk(*)\Avg. Disk sec/Transfer’

24. Performance counters added and interval set from 10 to 60 seconds

25. Click Save

26. Next, we’ll add the work book so we can view the data

27. Click Azure Monitor from within the portal

28. Click Workbooks from the left Pane

29. Click New

30. Click the icon </> as shown below

31. Copy and paste the code from the following WVD Community Git Hub page replacing the code currently displayed – Monitoring Workbook code

32. Click apply after replacing the code

33. Click to select your work analytics workspace if you see warnings such as the one below.

34. Click Done Editing


35. Click save and name your workbook accordingly

36. Done

Further sample queries can be located at the following Microsoft article created by Christiaan Brinkhoff – Proactively monitor ARM-based Windows Virtual Desktop with Azure Log Analytics and Azure Monitor. This is an excellent article and was a great help when creating this blog post. Also, thanks to Travis Roberts for creating the Powershell script to speed up the entering of performance counters. If you’re getting started with WVD, Travis has created a great WVD course available on the Udemy website called Zero to Hero with Windows Virtual Desktop.

Create and Optimise a Windows Virtual Desktop image

Reading Time: 7 minutes

In a previous post I created and deployed two Windows Virtual Desktop session hosts using a Windows 10 image (without 365 Apps) from the Azure market place. I manually installed the FSLogix app on both session hosts, configured Azure File shares for my profiles location and configured FSLogix application masking. The purpose of going through the process was to demonstrate how to setup a basic Windows Virtual Desktop solution within Azure.

In this blog post I will go through the process of building a Windows 10 image with 365 Apps included, install a few apps such as Google Chrome, Firefox, Adobe Reader and Notepad ++. I will then optimise the image as per Microsoft best practice. Let’s get started.

You can follow my Windows Virtual Desktop journey by visiting the blog posts I created previously.

1. Deploying Windows Virtual Desktop (WVD) in Microsoft Azure
2. Windows Virtual Desktop – Pooled vs Personal Desktops
3. Windows Virtual Desktop Application Group Creation
4. How to install and configure Windows Virtual Desktop Client
5. Configure FSLogix group policy and install FSLogix app
6. Use Azure Files for FSLogix user profile data with Window Virtual Desktop
7. Backup Azure Files Share
8. FSLogix application masking in Windows Virtual Desktop

  1. Login to the Azure portal portal.azure.com
  2. Build a new Windows 10 virtual machine

    > Click Virtual Machines
    > Click Add
    > Create a temp resource group (This resource group will be deleted later)
    > Select the Windows 10 Multi Session image. At the time of writing this blog post the latest version was Windows 10 Enterprise multi-session, Version 2004 + Microsoft 365 Apps
    > Select your VM size
    > Set a local admin username and password
    > This is a temporary setup in a lab environment – I’ll be connecting to this VM externally via RDP to allow me to configure further settings. Avoid allowing RDP externally.
    > Confirm your license status and click when ready
    > Click next and review disk setup
    > Click next to move on to networking and select your VNET and subnet
    > Click next to move onto management (No boot diagnostics or auto shutdown as the VM will be deleted later as part of the capture process)
    > Click review+create and then click create when validation passes

  3. We now have a Windows 10 VM ready. Let’s login to the newly built VM

4. Because we selected the image with 365 apps, the apps are pre-installed

Check that the VM is up to date with the latest windows updates

5. Next, install the FSLogix app available at: https://docs.microsoft.com/en-us/fslogix/install-ht


6. For the purpose of this demo, I will install some free software.

– Firefox
– Notepad ++
– Google Chrome
– Adobe Reader


7. Next we optimise the Windows 10 VM to remove services/apps which are not required for a WVD image. Microsoft’s recommended optimiser tool is Virtual Desktop Optimization Tool. The tool is based on optimising Windows 10 in a WVD environment. More information can be located at the following Microsoft Tech article: (Windows) Virtual Desktop Optimization Tool now available

Note: at the time of writing this blog post, the Virtual Desktop optimization was script based only

8. Let’s get started with applying the optimisations. Visit the following link from your newly created Windows 10 VM – https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool

9. Download the Virtual Desktop Optimization tool

10. Extract the folder to disk C (See example below)

11. Launch Powershell ISE from the start menu (Right click and run as administrator)

12. Click view and click show script pane if not already selected

13. Click file and browse to file Win10_VirtualDesktop_Optimize located at C:\OptimizationTool\Virtual-Desktop-Optimization-Tool-master, and click open

14. Scroll down and study the script

You can amend the configuration files and enable features which you don’t wish to disable.

In my case, I downloaded the Windows 10 2004 image so my configuration files are located at C:\OptimizationTool\Virtual-Desktop-Optimization-Tool-master\2004\ConfigurationFiles

15. For the purpose of this demo, I will be running the script as it comes (Note I typed 2004 as that’s the image version I am using)

Run the script when ready with a few additional switches

You will lose network connectivity for a couple of seconds but will auto connect to the session so not to worry.

16. Completed – total run time was 3 minutes and 50 seconds and a reboot is required. Reboot the VM

17. VM rebooted and we’re back in

Before optimising the VM, I took a snap of performance stats from the VM via task manager. Check out the stats below.

Before optimisation


After optimisation

18. Now, we sysprep the VM


Click the option to generalize and shutdown from the drop down

19. VM shutdown

20. We now capture the VM so it can be used as the base image when deploying our WVD host pool. Click the VM and click Capture

21. Input details (See example below)

Shared image gallery is a service that helps you build structure and organization around your managed images. You will be able to replicate your images globally, maintain versions, and more. Visit the following Microsoft link for more information Learn more

22. Review + Create

23. VM deleted but earlier in the post I deployed the original VM to a temp resource group. The VM has been deleted from the console but the resource group with some VM components remain.

We created a new resource group for our base image so this one is no longer required. Take care when deleting a resource group and ensure there are no other services you require making use of the resource group.


And we’re done

When creating your host pool, click the link to Browse all images and disks

Click My Items and select your VM

I won’t go through the process of creating a WVD Host Pool as I have covered this in previous posts. See links posted at the beginning of this post.

I have created a WVD Pool and selected my custom image

You’ll find that the source is no longer market place. See example below

Let’s login to the WVD web client

We’re in. Apps we installed earlier are visible

365 apps are also visible

The VM’s were automatically added to the domain and are visible within my selected OU in Active Directory

FSLogix Application Masking in Windows Virtual Desktop

Reading Time: 9 minutes

In previous posts, I configured group policy for FSLogix and installed the FSLogix App within my WVD platform. The post can be located at the following link: Configure FSLogix Group Policy and install FSLogix App

I also configured Azure Files to store my Windows Virtual Desktop FSLogix User Profile data. The post can be located at the following link: Use Azure Files for FSLogix User Profile Data with Window Virtual Desktop

In this blog post I will be configuring FSLogix Application Masking. Application Masking is used to manage user access of installed components. Application Masking can be used in both physical and virtual environments. Application Masking is most often applied to manage non-persistent, virtual environments, such as Virtual Desktops.

Application Masking manages access to Applications, Fonts, and other items based on criteria. The Application Rules Editor is used to describe the item, such as application, to be managed. The Editor is also used to define criteria rules are managed by. For instance, GitHub should be hidden from the Accounting group. Things you can do with the Apps Rules Editor:

  • Create new Rule Sets
  • Edit existing Rule Sets
  • Manage the user and group assignments for Rule Sets
  • Temporarily test rule-sets

In this blog post, I will configure application masking on my WVD session hosts. Let’s get started.

1) Login to the Azure Portal portal.azure.com

2) For the purpose of this demo, I already have a domain controller, WVD session hosts and AD Sync to Azure AD (AD Connect) configured. I have powered on all the required VM’s within the Azure Portal.

3) Before we get started, i’ll create a WVD Admin account. The default domain admin account is a protected admin account, therefore, it’s not sync’d to Azure AD and will not have access to resources in Azure such as Azure File share. I have setup a new account within Active Directory named WVDAdmin, granted domain admin and also added to my previously created WVD User group. I have also created a new group named Sales and added users to the group. I will be using the Sales group when configuring my FSLogix rule set assignment and testing.

4) If you have just created your objects within AD, sync the accounts to Azure AD by running the below Powershell command. You could also wait for the default 30 min sync interval.

5) Next, I will be installing the FSLogix Rule editor on a window 10 image outside of the Windows Virtual Desktop environment. This VM must be a duplicate of your Windows Virtual Desktop session host to avoid issues when testing. I will also configure Rule Sets. Rule Sets are assigned to users, groups, and other entities using the Rules editor. Before using the Application Rules Editor, it must be installed. Let’s get started by logging into a VM outside of the WVD platform (Login as WVD Admin) and download and install the rules editor from the following link FSLogix Rules Editor

Visit the link above and read through the licensing and entitlement section. When ready, download FSLogix and extract the folder

6) FSLogix downloaded and folder extracted. Access the extracted folder, click x64 > release and execute the file FSLogixAppsRuleEditorSetup

7) Agree to license terms and conditions and click install when ready

8) Launch the rule editor application (Right click and run as administrator)

9) Click File and New, or click the new icon available towards the top of the application

10) For the purpose of this demo, I will hide Notepad so will name my rule HideNotepad as shown below. Click Enter file name when done

11) A few options appear which may be of interest to you. For the purpose of this demo, I will be creating a Blank Rule Set and clicking OK

If you’re app is already installed and visible, click Choose from installed programs. This is another reason why you must run the rules editor from a VM which matches the session hosts running within your WVD Pool

12) Next, click on the + icon to create a new rule, as shown below

13) There are a number of options to choose from.

Hiding Rule – hides the specified items using specified criteria


Redirection Rule – causes the specified item to be redirected as defined

App Container Rule – redirects the specified content into a VHD


Specify Value Rule – assigns a value for the specified item


14) For this demo, I will be using the Hiding Rule. Click browse and because I will be hiding the notepad application, I will be selecting file. Other options are available depending on what component you wish to create a rule for.

15) Browse to the application .exe located in the system32 folder.


16) Click Ok and and click Yes

17) The above will hide notepad exe located in the system32 folder but we now need to hide the shortcut which appears in the start menu

Click the + icon to create another rule



Note that the path includes the username you’re currently logged on with. C:\Users\WVDADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories. Ensure you change the username to * as shown below.

18) Create another rule within the existing set and hide notepad.exe located within c:\windows\ as shown below

19) Before rolling this out, testing would be useful. FSLogix offers a testing feature. The check box icon highlighted below will allow you test the rule on the system you’re on. I previously mentioned that it’s important to install the rules editor on a VM outside of your WVD Solution that is a duplicate of your session hosts.


20) Checkbox enabled, check if Notepad is still accessible

You’ll find that when you click Notepad from the start menu, nothing happens. But the icon is still visible within the start menu because the start menu has already been built. It will disappear when we test by assigning the policy shortly. You will find that notepad.exe has disappeared from C:\Windows and C:\Windows\System32 folders

21) Uncheck the testing box and click the manage assignments icon as shown below

22) For this demo, I will be hiding Notepad for the sales group

Please note that assignments are executed from top to bottom. For example, if two assignments were made for the same Rule Set. The first assignment applies the Rule Set to Everyone, the second specifies the Rule Set does NOT apply to the Sales Group. In this case, the Rule Set would apply to everyone except the Sales Group.

If the assignments above are reversed, so Everyone is after the exclusion Sales Group, the Rule Set would apply to Everyone including the Sales Group.

23) By default the rule applies to no one. I only want to allow users within the sales group to access Notepad. Note that if you click on Everyone below, the option is set to Rule Set does not apply to user/group.

Click Add and for this demo I will be selecting a group. There are a number of options available in case you wish to apply the assignment to other then a group.

24) I select an existing group names Sales and apply the rule for everyone apart from sales

The rule set below will prevent all users excluding members of the Sales group from accessing notepad.

25) Click save or save all if you have created further rules sets.

26) FSLogix provide a feature named AD reporting to test permissions. See icon below

27) Click the AD reporting icon displayed above and click new query as shown below


28) Let’s test by inputting details of a member of the Sales group. The assignment will not apply because the assignment allows members of the sales group access to Notepad.

29) And now let’s test a user outside the Sales group. The assignment will apply


30) Save your rule sets if not already done so. We can now move onto applying the rule sets to our session hosts

31) Browse to the location where the FSLogix rule sets are saved and copy the rules. See below

32) The next step involves rolling out the files to your session hosts. You could use automation tools to copy the files to your session hosts.

The below files need to be copied:

Copy files from: Documents\FSLogix Rule Sets

to: C:\Program Files\FSLogix\Apps\Rules

You’ll find that a number of files are automatically created by the FSLogix application in the CompiledRules location after copying the files. Files are copied to the Rules folder and the automatically created files are compiled in the Compiled Rules folder.


In a production environment, you will want to create a network share including a copy of the rule sets from where you can automated the copy of files to your session hosts and update as and when required from one central location.

For the purpose of testing, I have copied the files directly to one of my two session hosts and placed the other one into Drain mode so it’s not available when I login to WVD to test

Before copying files, both folders are empty

After copying files to Rules folder only. Files are automatically created in the CompiledRules folder as shown below

Time for testing

I’ll login with a user who is not part of the Sales group

Notepad within the start menu is not available because user cloudbuild1 is not part of the Sale Group so therefore is no longer able to view.

And the notepad.exe file is no longer visible

Thanks for reading and stay tuned for further posts

Backup Azure Files Share

Reading Time: 4 minutes

In this blog post I will be backing up an Azure File Share that I created to store my Windows Virtual Desktop FSLogix Profiles.

1) Login to the Azure Portal portal.azure.com

2) Firstly, i’ll create a recovery services vault

A Recovery Services vault is a storage entity in Azure that houses data. The data is typically copies of data, or configuration information for virtual machines (VMs), workloads, servers, or workstations. You can use Recovery Services vaults to hold backup data for various Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases.

Search and click Recovery Services Vault

3) Click Add

4) Complete details for your new Recovery Services Vault. See example below

5) Add tags as required and click create

6) Next, visit Recovery Services Vault and click your newly created vault

7) Click + Backup

8) Click the notice as highlighted below

9) As you’ll see, by default the storage replication type is set to geo-redundant. For the purpose of this lab, i’ll be configuring locally-redundant. You may wish to select local or one of the other options depending on your requirements.

Important note:


10) I select Locally-redundant and click save

11) From the drop down (What do you want to backup?) select Azure FileShare

12) Click Backup

13) Click Select under Storage Account

14) Click your storage account and click ok

15) Click ‘Create a new policy’

16) Click Add and select the Azure Fileshare

17) Set your backup policy as per your requirements. For the purpose of this demo, I have configured as follows


18) Click Enable Backup

19) Wait for confirmation. Takes less then a minute

20) Next, visit your Recovery Services Vault, click backups from the left pane and then click Azure Storage (Azure Files)

21) Notice the backup is pending


22) Click the backup

23) Click Backup now

24) I’m going to leave the data retention as one month. You may wish to set as per your organisation requirements. Click OK

25) Wait for configuration to complete

26) If required, to modify the backup, click the recovery services vault, click backup policies and then select the policy.

27) Success


If you wish to monitor backups or restore data, visit the storage account and use the backup and snapshot options in the left pane