Super impressive Dean! I've been following the custom image builder since that original video. This is a great new feature for automating the updates. Even as an MSP this is definitely the more efficient way of doing things. Typically MSPs are also charging based on agent count. It feels wrong to charge people for an agent on AVD when it's just throw-away infrastructure.
Agreed! and thanks for watching since Custom Image Builder...that's a while!
So what else would you like to see in a video?
@@AzureAcademy I think, for me, the two areas I'm intrigued by are how Microsoft is working towards all Entra ID. I still have a hard time with cloud only when most clients have NTFS file shares and AVD in general. The concept of an Entra ID Domain Services setup just to facilitate AVD users seems overkill. Also, I'd love to see more Bicep for AVD deployment.
Bicep is cool, I’ll work on that, cloud only deployments work with FSLogix today, watch this -> ua-cam.com/video/yJqTJh2Tgxo/v-deo.html
As an MSP tech, we use RMM to push updates to all our AVDs. I bet this is still a hard sell for MSPs as the patch management is usually done by other agents.
This feature is native to AVD so your MSP folks can run it directly in the AVD environments without agents or other tools...also ZERO Cost!
Dean, man, this is the feature I have been waiting for the last 2 years. I know the AVD team was working hard on HPU (host pool image update), the disk swap, and they were hitting some roadblocks, but finally it has come to life and this is an awesome feature. Especially now, when there are capacity constraints in some of the US regions (not all), this disk swapping (HPU) helps keep the allocation of the VM and swaps the disks behind the scenes without deallocating the session hosts, and achieves the updates that most enterprises want.
Hey @ketanshah9082 yeah I have been invested in this feature for years and am so excited it is now available to the public!
It appears that AAD-joined VMs are not supported. When I try to select the directory to join, Microsoft Entra ID is grayed out.
Cloud Join is coming soon, stay tuned
Hopefully soon. Because I can't use it until that option is available.
I will let the team know this is a blocker for you. Can you tell me more about the types of workloads, number of use cases and number of AVD users?
I just tried this and to my dismay, I couldn’t assign Azure Virtual Desktop as a member as it is missing. I’ll have to mess about with it in the morning. Need to prep for the 140.
If Azure Virtual Desktop isn’t there, try Windows Virtual Desktop. Or just type in the app ID 9cdead84-a844-4324-93f2-b2e6bb768d07
@ You are the freaking guy!!! Thank you, thank you, thank you!
You're welcome, now pay it forward! Help promote my videos on your social media so I can help more people ☺️
Been waiting for this! Sorry if I missed it, but how does this mesh with scaling? Does the host update process pause scaling while it works through its routine?
ah...patience grasshopper! Details coming soon!
We have 3 different host pools and roughly 50 AVD users, and all session hosts are Entra joined.
Can't really use this feature until the option is available and not greyed out.
Stay tuned, Entra Cloud Auth is coming soon
Does anyone know if you can do ephemeral disks with AVD without needing a third party? Would love it if we could with this new Host-config.
Yes you can do Ephemeral disks, watch this -> ua-cam.com/video/GyXx5Er9jYo/v-deo.htmlsi=k9BA-5-2TteSBaPS
Another excellent video! Thanks Dean
Glad you enjoyed it
Thank you for your video, it's an amazing feature :)
Do you know when this feature will no longer be in preview and stable enough to be used in a production environment?
Another question: If the new version of the image is problematic, can we push an older version of the image?
It is stable NOW. I have had several customers using it in production for months.
In Azure, features are not released if they aren't stable. The reason for public preview is to give the product team a chance to test the product with a very large audience before they put their full support and SLA behind a new feature.
Yes, you can go back to an older image version if you need to!
Are there any limitations on Entra ID deployments? Greyed out for me in the portal, all roles are in place. Awesome feature and vid though =)
During this phase of the preview Entra Cloud join is not yet supported, it is coming soon…STAY TUNED 👍☺️👍
@@AzureAcademy appreciate you guys
🎊🎉☺️👍
Sounds really nice, but I guess since you are doing the image and host updating process with a custom image template, there is still that limitation with the trustedLaunch image definition. Is there any solution for this?
which limitation are you talking about?
That I cannot use custom images with trustedLaunch…
It’s supported, here’s the doc to read how
learn.microsoft.com/en-us/azure/virtual-machines/image-builder-overview?tabs=azure-powershell#confidential-vm-and-trusted-launch-support
@@AzureAcademy thanks for that, I will go through this... keep up your good work. your videos are great and very helpful ❤
Thanks for your feedback! 👍
Great, great video!
Is Azure Virtual Desktop session host configuration and update now available in public preview, or still in the private one?
It is now in public preview
@@AzureAcademy It doesn't show up on my tenant?
In the description I put a link to this form -> forms.office.com/r/ZziQRGR1Lz fill it out to access the preview
I was not able to find the correct API to configure a new host pool with these new features using a Bicep template. Is that correct and will this probably come soon?
I have done ARM templates for this not Bicep, but they are supposed to be equal. It will definitely work soon if it doesn’t yet
@@AzureAcademy Mind sharing the template? I was not able to find the specific setting where you define the "Create Session Host Configuration" to yes.
I haven't uploaded one to GitHub yet. You can find it when you do a build, then click download template at the end.
I'll have to rewatch at a slower speed, but in hybrid scenarios and with LAPS in play changing the built-in admin password, does that pose an issue with the need to stash the local admin password as a secret? Or is the secret just an initial host deployment/build item?
The local admin password is required to build a new VM, once it is joined to your domain your LAPS policy will kick in
So is this effectively AVD's new solution of handling non-persistent hosts while continuing to manage them with Intune?
Yes this is a new way to manage non-persistent hosts. But they can be managed by AD GPOs, configmgr, or Intune.
How do I enable this? When creating a new pool it doesn't give me the config options.
I linked this form in the description -> forms.office.com/r/ZziQRGR1Lz
When might this be a provision for all in the Cloud Entra ID Trusted Launch AVD VMs with FSLogix and no ADDS?
That video is coming soon…stay tuned! 👍☺️👍
@@AzureAcademy oh i cant wait for this
👍☺️👍
Most exciting vid of the day
Awesome! 👍😁👍
I guess this is redundant if using Nerdio right?
I'd say Nerdio is redundant...since this is a native feature and you pay for Nerdio...but up to you 😉
@@AzureAcademy Agreed!
👍😁👍
Yes and no. This seems to let you keep non-persistent hosts Intune managed, BUT Nerdio looks like it still handles the templates much better. Nerdio lets you easily build the automation for the full lifecycle to "grab latest marketplace image, run scripts and seal up" the day after Patch Tuesday (or whatever you set it to), then refresh validation pools, then promote to prod. This looks a bit more manual, though it might have some benefits if you are running Windows Update and it somehow updates items that are not updated in each month's latest marketplace image.
AVD does all that natively: Custom Image Templates & Session Host Updates
Does anyone know how we can provide feedback on this preview? I found a bug with the KV link.
You can start with me! I work with the product teams on all these videos. Just give me the details and I will give them directly to the Team.
@@AzureAcademy That's great. I'm not sure if creating the pool using the portal gives the same problem. However, when I use Bicep to deploy the pool I need to set the access of my Key Vault to public. Even if I enable my KV for template deployment, allow Microsoft services and whitelist my AVD subnet on the Key Vault, I cannot deploy the host pool since 108.142.8.17 (a public Microsoft IP) does not have access to the Key Vault.
If I allow access from external networks in my KV, everything works fine.
Interesting…Have you tried to use private link on your KeyVault? Also do you have network security groups or a firewall?
@@AzureAcademy No NSG or firewall. I did not create a private link, but I don't know if that will work since it is failing during the deployment of the host pool, not the host. A totally unrelated note: I do not seem to get the AD join to function. It's not a rights issue since I can join the VM manually with the same account; it's also not an issue with accessing the KV (when I make it publicly available) since my local admin account is working.
When looking at a VM deployment in a normal host pool, after the DSC step is completed we are getting a joindomain step. It looks like this step is not being run in the new preview host pool type for whatever reason.
Isn't this essentially swapping the hard disk?
It is creating a new disk from your image, with the same name as your original VMs, then doing an OS disk swap on your existing VMs, joining the VMs to your existing AD computer objects so you don't have to clean up anything.
Pretty cool seeing this feature, it's essentially how Citrix MCS works for pooled and it's been missing from AVD. This will save a lot of extra overheads and make transitioning to AVD easier. It was one of the main benefits of using something like Nerdio, so it's great to see it now part of native AVD for customers who don't need all the bells and whistles of Nerdio.
yeah, interesting point about nerdio...I think the only other feature they have that AVD doesn't is scripted actions...what do you think?
@ Yes, and a few more granular autoscaling options and also backup SKUs for host pools. Scripted actions are useful for creating new images with apps, sort of like Azure Image Builder but with all the scripts hidden behind a simple UI. They are also useful for applying updates or config changes quickly to machines in a pool. However, it depends how you build images: if you use Terraform or Packer already, the scripted actions are less valuable, but still useful to have for those items you might just want to quickly test.
good point...but this big change in host configuration management will give AVD new features...more to come so stay tuned!
People seriously patch each session host monthly?? We patch the master image using Ansible, manually capture the image since you can't automate capture for trusted launch, then use Terraform to redeploy and kick in Ansible for AD joining with automation. This seems like it will provide a cloud-native solution that does the same thing, which is nice for not having to maintain custom code.
Almost all of my customers patch monthly at least to get the security benefits. This process even works if you need to patch for a ZERO DAY 👍☺️👍
@@AzureAcademy Sure, we patch monthly (or on zero-days) but we do not touch session hosts; they are immutable infrastructure. We patch the master image, capture it, then run Terraform to deploy to the host pool and drain / remove the old ones. How is this an advantage to use the Azure config versus Terraform deployment for the same thing? We still must patch & capture the image to the gallery, and add in an extra step of changing all of the configs to select the new image, vs. Terraform is set up to run and just grab the image marked "latest".
I understand what you are saying...I had a PowerShell script I used for years to deploy new hard drives from an updated image and do OS disk swap on my hosts. This process is 100% native...so no custom coding, also recycling the computer objects, the scheduling and notification system would be the biggest ones. Also...there are more features and changes coming soon, thanks to the new host configuration model...LOTS MORE!
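Added example, not the video author's script and not the native AVD session host update feature: the manual "build a new OS disk from the updated image, then OS disk swap" sequence the two comments above describe, written with Az.Compute and Az.DesktopVirtualization cmdlets. Every name, resource group and image version ID below is a placeholder assumption, not a value from the thread.

```powershell
# Added example (not the author's script, not the native AVD feature): rebuild one
# pooled session host by creating a fresh OS disk from a newer Compute Gallery image
# version and swapping it into the existing VM. The VM object, its NIC and its AD
# computer object are untouched, which is the thread's "no cleanup" point.
# All names and IDs here are placeholders (assumptions).
param(
    [string]$ResourceGroup   = 'rg-avd-placeholder',
    [string]$HostPoolName    = 'hp-pooled-placeholder',
    [string]$VmName          = 'avd-host-01',
    # AVD session host names are normally the VM's FQDN
    [string]$SessionHostName = 'avd-host-01.contoso.local',
    # Resource ID of the gallery image version to roll out (placeholder)
    [string]$ImageVersionId  = '/subscriptions/<sub-id>/resourceGroups/rg-images/providers/Microsoft.Compute/galleries/gal_avd/images/win11-avd/versions/<version>'
)

$ErrorActionPreference = 'Stop'

# 1. Drain: block new sessions on this host while it is rebuilt. Existing users
#    should be notified and logged off before the VM is stopped in step 4.
Update-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPoolName `
    -Name $SessionHostName -AllowNewSession:$false

# 2. Look up the VM and remember its current OS disk so it can be removed later.
$vm      = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$oldDisk = $vm.StorageProfile.OsDisk

# 3. Build the replacement OS disk from the new image version. The name keeps the
#    VM's name plus a timestamp so old and new disks can coexist until verified.
$newDiskName = '{0}-osdisk-{1}' -f $VmName, (Get-Date -Format 'yyyyMMddHHmm')
$diskConfig  = New-AzDiskConfig -Location $vm.Location -CreateOption FromImage `
    -GalleryImageReference @{ Id = $ImageVersionId } `
    -OsType Windows -HyperVGeneration V2 -SkuName Premium_LRS
$newDisk = New-AzDisk -ResourceGroupName $ResourceGroup -DiskName $newDiskName -Disk $diskConfig

# 4. Swap: an OS disk change requires the VM to be stopped. Set-AzVMOSDisk only
#    edits the local VM object; Update-AzVM applies it to Azure.
Stop-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Force
Set-AzVMOSDisk -VM $vm -ManagedDiskId $newDisk.Id -Name $newDisk.Name
Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm
Start-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# 5. Put the host back into rotation. Delete the superseded disk only after a test
#    logon on the new disk succeeds, so a rollback is still a one-line swap back.
Update-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPoolName `
    -Name $SessionHostName -AllowNewSession:$true
Write-Host "Verify $VmName on $($newDisk.Name), then remove the old disk with:"
Write-Host "Remove-AzDisk -ResourceGroupName $ResourceGroup -DiskName $($oldDisk.Name) -Force"
```

Two caveats a practitioner would want. A disk built from a generalized image comes up un-joined, so with the manual approach a domain-join step (and any Intune or GPO re-enrolment) still has to follow the swap; the native feature's "joining the VMs to your existing AD computer objects" is exactly the part this script does not do. And if the image definition is Trusted Launch, the replacement disk has to be created with a matching security type, so check the New-AzDiskConfig parameters against your image definition before running step 3.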
That's what WVDAdmin is for. So you don't have to muck about with that horrible interface when you update your image and roll out new hosts.
WVDAdmin is a great tool...but I'd suggest you get into this "horrible interface" more...because the host configuration approach changes everything on managing AVD...more features are coming soon and you don't want to get left behind 👍😉💯
LOL. They just copied Citrix non-persistent VMs. MCS, PVS.
Funny, because I think Citrix copied my PowerShell script I have been using for years ☺️ all depends on where you started I guess
This seems great. How to use Microsoft Entra ID join instead of (Hybrid) Active Directory? In your video that seems to be an option, but it's greyed out in the Azure portal and the docs say only Active Directory or hybrid join is supported.
Remember the feature is brand new in private preview. Entra Cloud Join support is coming very soon…stay tuned!
@@AzureAcademy any idea when this feature will be available?
Not that I can share at this time…Stay Tuned!