Windows virtual desktops: How you can manage, monitor and virtualise devices remotely
With laptops and VPN bandwidth in short supply, Windows Virtual Desktop and Microsoft Endpoint Manager come into their own as ways to keep staff not just working, but productive and secure as well.
Microsoft set up 32,000 desktops in WVD for its own developers in two days, and many WVD customers are doing even bigger deployments. One WVD partner alone (Nerdio, which has its own WVD management service) has deployed virtual desktops for over 300,000 enterprises since March, ranging from 150,000 to 1,000,000 desktops.
With so many people working from home, VDI has suddenly become relevant to organisations that are used to physical devices and don't necessarily have experience in managing and securing virtual desktops, so managing it needs to be easier. When WVD first launched, setting it up required understanding Azure resources and manually connecting it to your Azure AD tenant; you could only monitor and manage your WVD tenant through PowerShell or by hosting your own Azure WebApps, and scaling out for more users meant running the same deployment again.
“Customers who did have that expertise were able to spin up 10,000 VMs really quickly and get a lot of benefit from that,” Melissa Grant, director of product marketing for Microsoft 365, told TechRepublic. “But we can make it a simpler scenario for folks who may be endpoint managers but who don’t have experience with Azure, who didn’t need to do that before but who need to do that now, because virtual machines are going to be the best solution for their employees who didn’t have a corporate-procured laptop or weren’t able to take it with them when they went home. They’re having to enable people to work on personal machines and they’re trying to acquire and remotely provision and deploy new machines.”
As an ARM service, WVD is also easier to connect to other Azure services you may already be using. Using ARM you can publish RemoteApps and desktops not just to individual users but also to Azure AD groups, and you can use Azure RBAC to control permissions on each WVD ARM object, which gives you far more granularity for delegating control than the four admin roles in WVD itself.
You can also monitor WVD through Log Analytics rather than trawling through logs with PowerShell, so you can run Kusto queries or Power BI reports on the data. (If you’re still using PowerShell to manage WVD, the RDS module has been replaced by AzWvd; run Install-Module Az.DesktopVirtualization to add the new commands.)
You can monitor WVD desktops with Microsoft Defender ATP like any other device, and combine that data with the Windows event logs and the WVD diagnostic logs in Azure Sentinel so you can do full threat hunting across virtual desktops, VMs and other resources. Setting that up is much simpler if you’re managing WVD with the new Azure Resource Manager objects than with the existing tools.
Although you can start using it now, the Spring Update is still in preview and you can’t manage existing WVD desktops with the new tools; Microsoft will provide a conversion tool to migrate them to ARM before general availability later in 2020.
Also coming later in the year is the option to choose where the metadata and configuration information for your WVD tenants is stored: that is now separate from the operational WVD data. So far that is only in the US, with just a choice of additional US regions, but you will soon be able to choose locations in Europe and later globally.
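The three points above (publishing to Azure AD groups, delegating with Azure RBAC, and querying the diagnostic logs in Log Analytics) in one PowerShell session. This is an added example written for this article, not Microsoft's or Nerdio's code; the resource group, host pool, application group, Azure AD group and workspace names are placeholders, and it assumes WVD diagnostic settings are already sending the WVDConnections and WVDErrors tables to the workspace.

```powershell
# Added example (not from the article): manage an ARM-based ("Spring Update")
# WVD deployment with Az.DesktopVirtualization, delegate with Azure RBAC and
# query diagnostics in Log Analytics. All names below are placeholders.
Install-Module Az.DesktopVirtualization -Scope CurrentUser   # replaces the old RDS module
Connect-AzAccount

$rg        = 'rg-wvd-prod'
$hostPool  = 'hp-developers'
$appGroup  = 'hp-developers-DAG'   # desktop application group of that host pool
$workspace = 'law-wvd'             # Log Analytics workspace receiving WVD diagnostics

# Inventory: host pools, then the health of every session host in one of them.
Get-AzWvdHostPool -ResourceGroupName $rg |
    Select-Object Name, HostPoolType, LoadBalancerType, MaxSessionLimit
Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $hostPool |
    Select-Object Name, Status, AllowNewSession, Session, UpdateState

# Publish the desktop to an Azure AD group instead of user by user. In the ARM
# model an "assignment" is simply the Desktop Virtualization User role granted
# on the application group, so group membership decides who can connect.
$developers = Get-AzADGroup -DisplayName 'WVD-Developers'
New-AzRoleAssignment -ObjectId $developers.Id `
    -RoleDefinitionName 'Desktop Virtualization User' `
    -ResourceName $appGroup -ResourceGroupName $rg `
    -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'

# Least-privilege delegation: the help desk may drain, restart and log users
# off session hosts in this host pool, but cannot create or delete host pools,
# change RBAC or touch anything else in the resource group.
$helpdesk = Get-AzADGroup -DisplayName 'WVD-Helpdesk'
New-AzRoleAssignment -ObjectId $helpdesk.Id `
    -RoleDefinitionName 'Desktop Virtualization Session Host Operator' `
    -ResourceName $hostPool -ResourceGroupName $rg `
    -ResourceType 'Microsoft.DesktopVirtualization/hostPools'

# Review what is actually granted, including broad roles (Owner, Contributor)
# inherited from subscription scope that make the fine-grained ones moot.
Get-AzRoleAssignment -ResourceGroupName $rg |
    Where-Object { $_.RoleDefinitionName -like 'Desktop Virtualization*' -or
                   $_.RoleDefinitionName -in 'Owner', 'Contributor' } |
    Select-Object DisplayName, RoleDefinitionName, Scope

# Log Analytics instead of trawling with PowerShell: connection errors in the
# last day, joined to the connection attempt that produced them, grouped by
# user and error code with the client IPs and hosts involved.
$wsId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace).CustomerId
$kql = @'
WVDErrors
| where TimeGenerated > ago(1d)
| join kind=inner (
    WVDConnections
    | where State == "Started"
    | project CorrelationId, ClientIPAddress, SessionHostName
  ) on CorrelationId
| summarize Failures = count(),
            ClientIPs = make_set(ClientIPAddress),
            Hosts = make_set(SessionHostName)
    by UserName, CodeSymbolic
| order by Failures desc
'@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query $kql).Results |
    Format-Table UserName, CodeSymbolic, Failures, ClientIPs, Hosts -AutoSize
```

The role assignment on the application group is what the legacy Add-RdsAppGroupUser used to do; because it is ordinary Azure RBAC, the same Get-AzRoleAssignment review (and Azure Activity Log) shows who can reach which desktops. The last query is the kind of question worth pinning in Sentinel: one user failing from many client IPs looks different from one host failing for many users.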
Connecting cloud and Config Manager
Connecting many more staff through a VPN isn't always easy to scale quickly, and some organisations have told staff to limit work to core hours, or considered slowing down security patching or reducing their disaster recovery options, to protect VPN capacity. Setting up split tunnelling for Office 365 and Config Manager traffic, and doing more device management from the cloud, reduces VPN usage without increasing security risk. Microsoft estimates that delivering the Patch Tuesday updates to Windows from Config Manager through the Azure Cloud Management Gateway would cost 8 cents per PC and put no load on your VPN.
The next step is the new tenant attach in Endpoint Manager; that is a halfway house between using Config Manager on-premises and full co-management with Intune, which Grant says will act as “a lower barrier to entry”.
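Split tunnelling done narrowly, as an added example rather than Microsoft's published script: the VPN stays the default route, and only the Office 365 "Optimize" prefixes (Teams media, Exchange Online, SharePoint and OneDrive) are routed straight out of the local Internet connection. It assumes the built-in Windows VPN client, whose interface alias matches the connection name; the connection name is a placeholder and the script must run elevated.

```powershell
# Added example (not from the article): exclude only the Office 365 "Optimize"
# prefixes from a forced-tunnel VPN. Connection name is a placeholder. Run elevated.
$vpnName = 'Corp VPN'

# The weak setting to avoid: turning split tunnelling on for the whole
# connection drops the default route through the VPN, so every Internet
# destination, not just Office 365, bypasses corporate egress filtering:
#   Set-VpnConnection -Name $vpnName -SplitTunneling $true

# Current Optimize prefixes from the Office 365 endpoints web service. The
# client request ID is required by the service and is not a secret.
$guid      = [guid]::NewGuid()
$endpoints = Invoke-RestMethod "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$guid"
$optimize  = $endpoints | Where-Object { $_.category -eq 'Optimize' -and $_.ips }
$prefixes  = $optimize.ips | Where-Object { $_ -notmatch ':' } | Sort-Object -Unique   # IPv4 only here

# Physical interface's default gateway: the VPN adapter carries the connection
# name, so exclude it and take the best remaining IPv4 default route.
$direct = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -ne $vpnName } |
    Sort-Object RouteMetric, InterfaceMetric | Select-Object -First 1
if (-not $direct) { throw 'No non-VPN default route found' }

# One more-specific route per prefix pointing at the local gateway; it wins
# over 0.0.0.0/0 through the tunnel. ActiveStore routes vanish at reboot, so
# rerun this (e.g. from a scheduled task) rather than persisting prefixes that
# Microsoft may later retire.
$added = 0
foreach ($p in $prefixes) {
    $exists = Get-NetRoute -DestinationPrefix $p -InterfaceIndex $direct.InterfaceIndex -ErrorAction SilentlyContinue
    if (-not $exists) {
        New-NetRoute -DestinationPrefix $p -InterfaceIndex $direct.InterfaceIndex `
            -NextHop $direct.NextHop -PolicyStore ActiveStore | Out-Null
        $added++
    }
}
"Added $added direct routes for $($prefixes.Count) Optimize prefixes via $($direct.InterfaceAlias) ($($direct.NextHop))"

# Check: an Optimize address should now leave via the physical NIC, while an
# arbitrary address (192.0.2.1 is documentation space, nothing is sent) should
# still go through the VPN. Find-NetRoute returns the address, then the route.
$probe = ($prefixes[0] -split '/')[0]
(Find-NetRoute -RemoteIPAddress $probe)[1].InterfaceAlias       # expect the physical NIC
(Find-NetRoute -RemoteIPAddress '192.0.2.1')[1].InterfaceAlias  # expect $vpnName
```

Only the Optimize category is excluded: it is a small, stable set of Microsoft-owned prefixes carrying the bulk of the volume, whereas the Allow and Default categories include CDN and third-party ranges that are better kept behind the proxy. Third-party VPN clients usually have an equivalent "exclude these prefixes" setting that replaces the New-NetRoute step.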
“This allows you to take those traditionally managed devices, and get the benefits of a cloud service,” Grant mentioned. “IT pros have a consolidated view of all the devices in their estate, whether those devices were managed by Config Manager, or whether they’re managed by Intune. They can see one viewpoint of all the devices, and take actions that apply to all of those devices directly from the Microsoft Endpoint Manager admin centre. You don’t have to go to separate portals, and you don’t have to take separate actions to use cloud services and cloud management across all of those devices.”
Microsoft has worked with some organisations provisioning 100,000 new laptops through Endpoint Manager and Autopilot so they could ship them directly to employees’ homes. “Now they can manage all of those in a single unified console and take action against those to ensure they’re all secure, ensure that there’s no data leakage, and ensure that identities are guaranteed as well,” said Grant.
The ability to use MFA and single sign-on for as many cloud apps as you want (whether that’s a MongoDB database, a Cisco Meraki IT dashboard or Salesforce) will be useful for organisations that have to move away from on-premises apps quickly.
That’s available to any customer with an Azure AD Premium licence. “Any Microsoft customer with a subscription for a commercial online service can use single sign-on and then be able to protect access with multi-factor authentication at no extra cost, because identity is that first jumping off point to making sure that you can have a secure and reliable remote-work scenario,” Grant said. “We guarantee the identity, we can then apply management, whether that is co-management in Endpoint Manager or cloud only [Intune] and ensure we have the right set of applications getting out to those users, whether those are corporate and line-of-business applications, or education applications.”
But having Azure AD and Endpoint Manager share the same control plane for identity and access is a much bigger step forward than just enabling SSO. Whether they’re using a virtual desktop or a cloud app, collaborating on documents or joining a Teams meeting, all those devices can do things like attest to their level of security before getting access: you can check that the device is managed, that it’s patched and has up-to-date anti-malware and encryption turned on, and even that there’s a timeout to lock the device and make the user enter a PIN if they walk away and come back. That’s a big step towards implementing ‘zero trust’ security, which gives much more protection than applying group policies to lock down device features, and has much less impact on how quickly PCs boot.
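What that device attestation looks like when written down: an added example (not Microsoft's code) that creates the compliance policy and the Conditional Access policy through Microsoft Graph from PowerShell. It assumes Az.Accounts 2.2 or later for Get-AzAccessToken, an identity holding DeviceManagementConfiguration.ReadWrite.All and Policy.ReadWrite.ConditionalAccess, and placeholder policy names, minimum build and group IDs.

```powershell
# Added example (not from the article): Intune compliance policy + Conditional
# Access requiring a compliant device, via Microsoft Graph v1.0. Names, the
# minimum OS build and the group IDs are placeholders.
$token   = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
$graph   = 'https://graph.microsoft.com/v1.0'

# 1. Define "secure enough": encryption, Secure Boot and code integrity, Defender
#    running with current signatures, firewall on, and an inactivity lock with PIN.
$compliance = @{
    '@odata.type'                         = '#microsoft.graph.windows10CompliancePolicy'
    displayName                           = 'Remote work baseline - Windows 10'
    osMinimumVersion                      = '10.0.18363'   # placeholder: your current patched build
    bitLockerEnabled                      = $true
    storageRequireEncryption              = $true
    secureBootEnabled                     = $true
    codeIntegrityEnabled                  = $true
    defenderEnabled                       = $true
    rtpEnabled                            = $true
    signatureOutOfDate                    = $false
    antivirusRequired                     = $true
    antiSpywareRequired                   = $true
    activeFirewallRequired                = $true
    passwordRequired                      = $true
    passwordRequiredToUnlockFromIdle      = $true
    passwordMinutesOfInactivityBeforeLock = 15
    # Graph rejects a compliance policy with no action schedule; block immediately.
    scheduledActionsForRule = @(@{
        ruleName = 'PasswordRequired'
        scheduledActionConfigurations = @(@{
            actionType = 'block'; gracePeriodHours = 0
            notificationTemplateId = ''; notificationMessageCCList = @()
        })
    })
}
$policy = Invoke-RestMethod -Method Post -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Headers $headers -Body ($compliance | ConvertTo-Json -Depth 6)

# Nothing is evaluated until the policy is assigned; start with a pilot group.
$pilotGroupId = '<object-id-of-pilot-device-group>'   # placeholder
$assign = @{ assignments = @(@{ target = @{
    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $pilotGroupId } }) }
Invoke-RestMethod -Method Post -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Headers $headers -Body ($assign | ConvertTo-Json -Depth 6) | Out-Null

# 2. Enforce at the identity control plane: all cloud apps, Windows, grant only
#    when the device reports compliant (or is hybrid Azure AD joined). Created in
#    report-only mode so the sign-in logs show who would be blocked before it bites,
#    and with an emergency-access group excluded so admins cannot lock themselves out.
$breakGlassGroupId = '<object-id-of-emergency-access-group>'   # placeholder
$ca = @{
    displayName = 'Require compliant device for all cloud apps (Windows)'
    state       = 'enabledForReportingButNotEnforced'              # switch to 'enabled' after review
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @('All') }
        platforms    = @{ includePlatforms = @('windows') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
}
Invoke-RestMethod -Method Post -Uri "$graph/identity/conditionalAccess/policies" `
    -Headers $headers -Body ($ca | ConvertTo-Json -Depth 6) | Out-Null

# 3. Check the blast radius: managed devices that currently fail compliance.
$uri = "$graph/deviceManagement/managedDevices?`$filter=complianceState%20eq%20'noncompliant'" +
       "&`$select=deviceName,userPrincipalName,operatingSystem,lastSyncDateTime"
(Invoke-RestMethod -Uri $uri -Headers $headers).value |
    Format-Table deviceName, userPrincipalName, operatingSystem, lastSyncDateTime
```

Two things bite in practice: a device that has not checked in is not "compliant", so stale devices show up as blocked sign-ins once the policy is enabled, and the PIN-on-resume requirement only holds when passwordRequiredToUnlockFromIdle is set alongside the inactivity timeout. The report-only state exists so that both are visible in the sign-in logs before anyone is locked out.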
More apps on extra devices with much less bandwidth
Intune is also getting a long-awaited expansion of the management controls for macOS devices, and more control over Outlook Mobile through Intune, because lockdown means dealing with a wider range of devices.
The macOS management doesn’t replace Microsoft’s partnership with JAMF, which will continue, Grant confirmed. “This provides some further controls customers have been asking for to do scripting and task automation that make configuring Macs easier through the Endpoint Manager console.”
The Intune app protection policies for Outlook Mobile, which restrict which storage work and school accounts can access on iOS and Android, are there to protect both corporate data and employee privacy as work and home overlap so much, Grant explained.
“When people are going between personal and work on a mobile device, or in a BYOD scenario — whether they intended it to be BYOD or that’s just what they’re left with — we’re providing security so they don’t accidentally attach a personal file to a work email in Outlook Mobile. Maintaining privacy is still really important and people are multitasking; they’re working in new ways they’re less familiar with. We want to make sure that we’re not allowing malicious content into the corporate environment, but we’re also protecting people’s privacy by helping them to keep their personal and their work estates separate.”
Unified app delivery is partly about removing confusion by combining two app galleries, Config Manager Software Centre and Azure AD My Apps, in the new Company Portal from Intune. Normally, having those separate might make sense, Grant suggests. “Maybe part of the organisation is a highly mobile workforce that’s really used to using Company Portal and the folks back at headquarters were using Software Centre. But now those headquarters folks are also out in the field, so to speak, so we just wanted to make it easier for an IT admin to deploy apps securely regardless of what portal they’re going through.”
But it also works with the new Network Connectivity and Endpoint Analytics in Endpoint Manager’s Productivity Score to let IT admins help staff work faster.
“We’re able to provide visibility into which worksite locations have network challenges, and take a look at whether or not there is some sort of issue with the network that could be preventing people from getting their work done,” said Grant. Previously that was useful for applying policies to office locations with poor connectivity or latency issues; now it lets IT staff make suggestions. “If you’re seeing connectivity issues in an area, you might want to recommend that folks utilise web apps, you might reduce packet size, you might go about your patching in different ways to put less pressure on the broadband. If they’re noticing that their home broadband is slow they might suggest to that employee, ‘why don’t you use Company Portal on your mobile phone to get access to that application?’”
Endpoint Analytics will show not just the health of devices, but also what’s slowing them down, before a frustrated employee raises a help-desk ticket. “They can see where things like Group Policy, or the lack of an update or maybe a really klugey application is slowing down performance,” Grant said.
Strip away the unnecessary agents and the draconian policies, and Microsoft suggests any SSD-based laptop should be able to match the 23 seconds from cold boot to being able to open a web browser that Microsoft 365 corporate vice-president Brad Anderson boasts about getting on his PC.