Salaam, Namaste, Ola and Hello!
Firstly, I hope everyone is doing well and keeping safe in these uncertain times! This is another post that has been sitting in my drafts for a few weeks now, but it covers a service I seem to be deploying a lot of at the moment, as the COVID-19 situation forces businesses to re-evaluate their remote working policies.
I was recently lucky enough to present this use case at the inaugural WVDUK User Group, which was a virtual event via Teams (like most user groups at the moment!), and thought it would be good to follow it up with a blog post.
Use Case Problem/Requirement
Right at the start of the pandemic I was hired by a third party to implement a Windows Virtual Desktop environment for an NHS trust in the UK. With lockdown looming, this particular trust had a number of problems and requirements that needed addressing to ensure their staff could still function as a business and carry on the fight against COVID. The new solution needed to resolve the following:
- Work from home
One major requirement was that the trust needed to be able to function with over 200 of its staff working from home. The two options available were either sourcing, imaging and deploying laptops to over 200 users, or a remote session-based solution. As you can imagine, sourcing laptops early in the pandemic was a major issue because demand was so high. On top of that, the time needed to image and deploy the devices would have been almost unmanageable, and the trust had no way of remotely managing all those devices once they were out of the building.
- Time constraints
This particular NHS trust was under extremely tight time constraints. As mentioned above, lockdown was looming and nobody knew how it would affect users' ability to travel into work. Whatever solution was implemented needed to be done quickly and efficiently, another reason why issuing laptops to over 200 staff was not practical or manageable in this scenario.
- Robust Solution
They needed a robust solution that could easily scale up and down with demand and the number of users working from home. The initial requirement was for 200 concurrent users, but if the solution was successful it could grow very fast.
- Secure Solution
The solution needed to be secure: with a remote solution there was a real possibility of users connecting from their personal devices. The trust needed to protect its data and infrastructure while still allowing staff the flexibility of using their own devices. Because those devices are unmanaged, the controls have to sit with the identity (who is signing in, and how) and inside the session, not on the endpoint.
- On-Premises Integration
The final requirement was that the solution integrate with the trust's existing on-premises infrastructure. 90% of the infrastructure, including the whole application stack and the file shares, was hosted on-premises, and it needed to remain accessible without too much administrative overhead.
Why Windows Virtual Desktop?
The NHS trust decided to move forward with Windows Virtual Desktop, but what was it about WVD that made them go down this route? The main and obvious reason is that it met every one of the requirements above.
- Windows Virtual Desktop can be accessed from any device in any location, as long as you have an Internet connection.
- It is a solution that can be implemented quickly. At the time of this project WVD was not available in the Azure portal as it is now with the Spring 2020 release; it had to be configured and managed via PowerShell, but it was still quick to implement.
- Windows Virtual Desktop is robust and highly available, and most importantly you can scale up, and down for that matter, with ease and speed. You can add a new session host to the host pool as and when the number of users increases.
- From a security perspective, the trust could use Multi-Factor Authentication and Conditional Access to protect its data and control access to the infrastructure, regardless of which device the user connects from.
- Finally, although this is not a feature of WVD specifically but of Azure in general, the trust was able to integrate the WVD environment with its on-premises infrastructure by building an IPsec site-to-site VPN using the native Azure virtual network gateway.
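The MFA and Conditional Access control from the list above, as an added example that is not code from the original post: a Conditional Access policy, created with the AzureAD PowerShell module, that requires MFA for every sign-in to the Windows Virtual Desktop enterprise application by members of a WVD users group. The group ID, the search string used to find the WVD service principal, the client app types and the policy name are assumptions; check the application ID the search returns against the Enterprise applications blade before relying on it. The site-to-site VPN from the last bullet is not covered here.

```powershell
# Added example (not from the original post): require MFA for every sign-in to
# Windows Virtual Desktop, using the AzureAD module's Conditional Access cmdlets.
# Assumptions: the AzureAD module is installed, the signed-in account can manage
# Conditional Access, and the group ID below is a placeholder you replace.
Import-Module AzureAD
Connect-AzureAD

# Placeholder: object ID of the Azure AD group that holds the WVD users.
$wvdUsersGroupId = '00000000-0000-0000-0000-000000000000'

# Assumption: the WVD enterprise app can be found by display name. Verify the
# AppId this returns against Azure AD > Enterprise applications before using it.
$wvdApp   = Get-AzureADServicePrincipal -SearchString 'Windows Virtual Desktop' | Select-Object -First 1
$wvdAppId = $wvdApp.AppId

# Conditions: only the WVD app, only the WVD users group, browser and desktop/mobile clients.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $wvdAppId
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeGroups = $wvdUsersGroupId
$conditions.ClientAppTypes = @('browser', 'mobileAppsAndDesktopClients')

# Grant control: access is allowed only after multi-factor authentication.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = @('mfa')

# Start in report-only mode, review the sign-in logs, then switch -State to 'enabled'.
New-AzureADMSConditionalAccessPolicy -DisplayName 'WVD - require MFA' `
    -State 'enabledForReportingButNotEnforced' `
    -Conditions $conditions -GrantControls $controls
```

Report-only first is deliberate: with users who have never registered for MFA, an enforced policy on day one locks out anyone who has not completed registration, so confirm in the sign-in logs which users would have been blocked before flipping the state to enabled. Note that a "require compliant device" control is not an option here, because the personal devices the trust wanted to allow are not enrolled in any management.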
Windows 10 Image: The first major hurdle was getting the correct image into Azure, as this client had a very specific Windows 10 golden image they wanted to deploy to the WVD tenant. One of the prerequisites for a pooled WVD host pool is that the session host OS must be Windows 10 Enterprise multi-session; Windows 10 Pro is not a supported session host OS at all. Unfortunately I learnt this the hard way, as the image was initially captured from a standard Windows 10 Pro install. Luckily this was caught in the POC/testing phase, so we were able to follow the correct process. Because the multi-session edition is only available as an Azure Marketplace image, the VHD has to originate in Azure:
- Create a VM in Azure from the Windows 10 Enterprise multi-session Marketplace image
- Export its OS disk to a VHD
- Download the VHD and import it into an on-premises Hyper-V host
- Build the golden image
- Sysprep the image and export the VHD
- Upload the VHD back into Azure and create a VM from it
- Sysprep the VM in Azure and then capture the image
Once this was complete, the captured image could be used to provision the session hosts during the WVD deployment.
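An added example (not part of the original post) that covers the hurdle above in two halves: first a check you run inside the candidate VM to confirm it is the multi-session edition before any time goes into the golden image, then the Az PowerShell commands run from an admin workstation to generalise the VM and capture it as a managed image. The resource group, VM and region names are placeholders; the EditionID value ServerRdsh is what the multi-session edition reports, and the Marketplace SKUs ending in -evd are the multi-session builds.

```powershell
# Added example (not from the original post). Two sections that run in two places:
# section A inside the VM that is about to become the golden image, section B from
# an admin workstation with the Az module after the VM has shut down.

# ===== A: inside the VM - is this really Windows 10 Enterprise multi-session? =====
$os = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"$($os.ProductName) / EditionID=$($os.EditionID)"
# Multi-session reports EditionID 'ServerRdsh'; Pro/Enterprise single-session do not.
if ($os.EditionID -ne 'ServerRdsh') {
    throw "EditionID '$($os.EditionID)' is not multi-session; rebuild from a *-evd Marketplace SKU."
}
# Sysprep must be the last thing run inside the VM; the shutdown is expected.
& "$env:SystemRoot\System32\Sysprep\Sysprep.exe" /generalize /oobe /shutdown

# ===== B: from the admin workstation, once the VM shows as stopped =====
Connect-AzAccount
$rg     = 'rg-wvd-images'   # placeholder resource group
$vmName = 'vm-w10ms-gold'   # placeholder VM name
$region = 'uksouth'         # placeholder region

# Which SKUs are multi-session? The ones ending in -evd. Use one of these for the
# seed VM rather than a Pro or single-session Enterprise SKU.
Get-AzVMImageSku -Location $region -PublisherName 'MicrosoftWindowsDesktop' -Offer 'Windows-10' |
    Where-Object Skus -like '*-evd' | Select-Object Skus

# Deallocate, mark the VM as generalised, then capture it as a managed image.
Stop-AzVM -ResourceGroupName $rg -Name $vmName -Force
Set-AzVM  -ResourceGroupName $rg -Name $vmName -Generalized
$vm          = Get-AzVM -ResourceGroupName $rg -Name $vmName
$imageConfig = New-AzImageConfig -Location $vm.Location -SourceVirtualMachineId $vm.Id
New-AzImage -ResourceGroupName $rg -ImageName "$vmName-$(Get-Date -Format yyyyMMdd)" -Image $imageConfig
```

The edition check in section A is the one that would have caught the Pro image before the POC did. Once the VM has been marked generalised it cannot be started again, so take a snapshot of the OS disk first if you want to be able to return to it and patch the golden image later.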
MFA Adoption: Although there were no issues with the configuration of MFA and Conditional Access, one issue we did find was that users struggled to adopt MFA. This trust was already using Microsoft 365 for Exchange Online but had not yet adopted MFA for it, so this was their first exposure to it and a massive learning curve. We created really granular documentation and guides to try to mitigate any issues, but we still found users enrolling personal devices by mistake during the process, or in some cases breaking the MFA registration entirely, which meant they needed admin intervention to reset MFA and try again. We obviously couldn't control how users followed the documentation; it just meant we had to go into a lot more detail than we would have liked.
On-Premises Integration: One of the biggest challenges was the on-premises integration requirement. Originally the scope was to integrate the WVD deployment with Azure Active Directory Domain Services; however, during the testing phase the customer realised that several Group Policies were essential to the deployment. In the existing configuration the hosts were joined to the Azure AD DS managed domain and therefore had no integration with Group Policy, which lived on-premises. To fix this I amended the VNet's DNS settings so they pointed at the on-premises domain controllers (reachable via the site-to-site VPN), removed the WVD hosts from the Azure AD DS domain and joined them to the on-premises domain. This allowed the VMs to be placed in the relevant OU in Active Directory and in turn pick up the correct Group Policies. It also made the VPN a hard dependency: if the tunnel is down, the session hosts can neither authenticate users nor refresh policy, so the gateway needs to be monitored like any other piece of core infrastructure.
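The fix described above, as added example code that is not the original post's: the Az.Network and Windows PowerShell commands to repoint the VNet DNS at the on-premises domain controllers, confirm from a session host that a DC can be located over the VPN, and move the host from the Azure AD DS domain into the on-premises OU in one operation. All names, IP addresses and OU paths are placeholders.

```powershell
# Added example (not from the original post). Section A runs from an admin
# workstation with the Az module; section B runs inside a session host as a local
# administrator. Every name, IP and OU path below is a placeholder.

# ===== A: point the WVD VNet at the on-premises domain controllers =====
Connect-AzAccount
$vnet = Get-AzVirtualNetwork -ResourceGroupName 'rg-wvd' -Name 'vnet-wvd'
$vnet.DhcpOptions.DnsServers = @('10.20.0.10', '10.20.0.11')   # on-prem DCs over the S2S VPN
$vnet | Set-AzVirtualNetwork
# Running VMs only pick up the new VNet DNS servers after a restart or a DHCP renew.

# ===== B: inside a session host =====
ipconfig /renew | Out-Null

# Can this host find a DC for the on-prem domain through the tunnel? Both checks must
# succeed before a domain join has any chance of working; if the SRV lookup fails the
# DNS change has not applied, if nltest fails the VPN or a firewall is in the way.
$domain = 'ad.example.org'
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV
nltest /dsgetdc:$domain

# Use a delegated join account that may only create/join computer objects in the WVD
# OU, not a Domain Admin; these credentials are typed on a host that users will log on to.
$onPremCred = Get-Credential -Message "Delegated join account for $domain"
$aaddsCred  = Get-Credential -Message 'Azure AD DS account used for the original join'

# Leave the Azure AD DS domain and join the on-prem domain straight into the OU whose
# GPOs the session hosts need, in a single step, then reboot.
Add-Computer -DomainName $domain `
    -OUPath 'OU=WVD Session Hosts,OU=Servers,DC=ad,DC=example,DC=org' `
    -Credential $onPremCred `
    -UnjoinDomainCredential $aaddsCred `
    -Restart

# After the reboot, confirm the expected computer GPOs applied:
#   gpresult /r /scope computer
```

Do the DNS change and the first join on one test host before touching the pool: a session host that can no longer reach a DC for the domain it was joined to will also stop accepting user logons, so this is not something to roll out to all hosts at once.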
Where are they now?
I wanted to finish this post with a little on where they are now, almost five months on from when the project was completed: how the trust has adapted to this new way of working and some of the benefits Windows Virtual Desktop has brought them.
- Five months on, they have over 200 staff working from home and have already added another two hosts to the pool. This shows that the Windows Virtual Desktop deployment solved the problem of getting users working remotely as quickly as possible without issuing new laptops to so many staff.
- Unfortunately MFA is still causing the same issues no matter how granular we make the documentation. It has obviously been a massive learning curve for the users, but it's not something we can work around; it's necessary, and we continue to educate the users as best we can.
To put it simply, Windows Virtual Desktop is saving lives! By allowing this NHS trust to send users home and carry on doing their jobs efficiently, it has helped lower the risk of people being infected, and those people in turn have been able to play a vital role in the fight against COVID-19.
Hope you find this helpful; if you would like any more information feel free to tweet me @shabazdarr or ask a question in the comments section below! Until next time, 'IamITGeek' over and out!