Managing Windows Virtual Desktop with Microsoft Endpoint Manager - Part 1 - Setup Hybrid Azure Domain Join
Last week Microsoft announced support for Windows Virtual Desktop machines in Microsoft Endpoint Manager. You can now enroll Windows Virtual Desktop VMs that are hybrid Azure AD joined into Microsoft Intune and manage them in the Microsoft Endpoint Manager admin center the same way as physical devices.
At this moment I think we are all managing our virtual desktop environments with Group Policies and Golden Images. At least that’s what I do and what I see my customers doing.
In this series of posts I would like to explore, together with you, the possibilities for managing a Windows Virtual Desktop (WVD) environment with Microsoft Endpoint Manager. Over the next few weeks I will write several posts on how to set up and configure your Windows Virtual Desktop environment so that it is managed by Microsoft Endpoint Manager.
I’m curious to find out whether we can replace the traditional GPOs with Configuration Profiles, use Windows Update for Business to update our persistent Personal Desktops, and use the Company Portal to install and update applications.
The next step will be to see whether configuration profiles can replace GPOs in a multi-session, non-persistent environment based on a Golden Image. There we don’t need to install software via Intune, since we have MSIX App Attach and non-persistent session hosts.
In this series I will cover the following subjects (for now), and find out what is useful and what isn’t.
- Part 1 – Setup Hybrid Azure AD join
- Part 2 – Enrolling your WVD session host into Intune
- Part 3 – Compliance policies for WVD (Coming soon)
- Part 4 – Setup Windows Update for Business (Coming soon)
- Part 5 – Application deployment (Coming soon)
In every post I will describe the current situation in my test environment and show you what we are trying to accomplish in the new situation. I will be using my Microsoft 365 E5 Developer tenant in combination with the Azure credits from my Visual Studio subscription.
Current situation
At this moment my complete test environment is running in Azure; the on-premises AD I refer to is also running in Azure. Since there is currently no support for Windows 10 Multi-Session, for this guide I am using the Windows 10 Enterprise 2004 image from the Image Gallery.
- Active Directory
  - Server 2019 configured as Domain Controller
  - Correct UPN suffix for my users with a custom domain in Azure (Brainpulse.it)
  - AADConnect installed and synced with Azure AD
- Azure Active Directory
  - Microsoft 365 E5 Developer subscription
- WVD Environment
  - The WVD Session Hosts are deployed from a Golden Image
  - The WVD Session Hosts are domain joined
  - The hostpool is configured with type “Personal”
- Group Policies are being used for managing my WVD hosts
New situation
- Active Directory
  - Server 2019 configured as Domain Controller
  - Correct UPN suffix for my users with a custom domain in Azure (Brainpulse.it)
  - AADConnect installed and synced with Azure AD
- Azure Active Directory
  - Microsoft 365 E5 Developer subscription
- WVD Environment
  - The WVD Session Hosts are deployed from a Golden Image
  - The WVD Session Hosts are domain joined
  - The WVD Session Hosts will automatically be Hybrid Joined to Azure AD
  - The hostpool is configured with type “Personal”
- Group Policies are being used for managing my WVD hosts
Hybrid Azure AD join
One of the requirements for managing your WVD environment with Endpoint Manager is Hybrid Azure AD join. When you configure your devices to hybrid join Azure AD, these devices become visible and manageable both in your on-premises AD and in Azure AD.
With this configuration you can use features like Single Sign-On and Conditional Access while still using, for example, the GPOs from your on-premises domain.
Requirements
You will need the credentials of a Global Administrator for your Azure AD tenant and an Enterprise Administrator account for your on-premises forest.
- Domain Controllers should be at least Windows Server 2008 R2 for Windows 10 devices
- A single forest should sync identities to only one Azure AD tenant
- Your golden image should NOT already be Azure AD joined
Hybrid Azure AD join requires devices to have access to the following Microsoft resources from inside your organization’s network:
- https://enterpriseregistration.windows.net
- https://login.microsoftonline.com
- https://device.login.microsoftonline.com
- https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)
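Before touching AAD Connect it is worth confirming from inside the network that these endpoints are actually reachable, since a blocked proxy or firewall rule is the usual reason a hybrid join silently never completes. The script below is an added example, not part of the original post; it uses the built-in Test-NetConnection cmdlet to resolve each name and attempt a TCP handshake on port 443. The endpoint list is the one given above; the function and variable names are my own.

```powershell
# Added example: verify that a host on the corporate network can reach the
# endpoints Hybrid Azure AD join depends on (TCP 443). Run on a session host
# or any machine that sits behind the same proxy/firewall.
$Endpoints = @(
    'enterpriseregistration.windows.net',
    'login.microsoftonline.com',
    'device.login.microsoftonline.com',
    'autologon.microsoftazuread-sso.com'   # only required with seamless SSO
)

function Test-HybridJoinEndpoints {
    param([string[]]$HostNames = $Endpoints)

    foreach ($HostName in $HostNames) {
        # Test-NetConnection resolves the name and opens a TCP connection to the port;
        # -WarningAction hides the noisy "TCP connect failed" warning on failure.
        $result = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Endpoint     = $HostName
            Resolved     = [bool]$result.RemoteAddress
            TcpConnected = $result.TcpTestSucceeded
        }
    }
}

# Run the checks and call out anything that did not connect
$results = Test-HybridJoinEndpoints
$results | Format-Table -AutoSize

$failed = $results | Where-Object { -not $_.TcpConnected }
if ($failed) {
    Write-Warning ("Unreachable: " + ($failed.Endpoint -join ', ') + " - fix network access before continuing")
} else {
    "All Hybrid Azure AD join endpoints are reachable on TCP 443."
}
```

A successful TCP handshake only proves the path is open; it says nothing about a TLS-inspecting proxy interfering with the registration itself. For that, the dsregcmd /status output and the User Device Registration event log described later in this post are the place to look once a host attempts the join.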
Configure Hybrid Azure AD join via AAD Connect
Since Azure AD Connect, which synchronizes your on-premises identities to Azure AD, is one of the requirements for setting up Windows Virtual Desktop, I assume you already have the basic configuration in place.
If you want a more controlled validation of Hybrid Azure AD join in your WVD environment, you can follow the Microsoft article below and skip the AADConnect part: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control
First start the Azure AD Connect tool and click on **Configure**.
You will see an overview of all the available tasks. Click on **Configure Device Options** and click **Next**.
Click on **Next** on the Overview page.
On the next screen, enter your Azure AD Global Administrator account to connect to Azure AD and click **Next**.
On the Device options screen you will see multiple options. Select **Configure Hybrid Azure AD join** and click **Next**.
On the Device Systems page, select the device operating systems you are going to support in your Active Directory environment. In this case we select **Windows 10 or later domain-joined devices** and click **Next**.
The service connection point (SCP) is used by your devices to discover your Azure AD tenant information. It must be configured for each forest. Click on the **Edit** button, enter your Enterprise Administrator credentials and click on **Next**.
If you don’t have Enterprise Administrator credentials for the forest, you can instead use the provided ConfigureSCP.ps1 script and have an Enterprise Administrator in your organisation run it manually.
At this final step we are ready to configure the Hybrid Azure AD join. Click on **Configure** to proceed.
The configuration only takes a few seconds. When it has completed you should see the Configuration Complete message, and you can click on **Exit**.
## Synchronizing your WVD Session Hosts
Most of the time customers filter which objects are synchronized to Azure AD. Before the registration can complete, the computer accounts must be synchronized from your local Active Directory to Azure AD.
Make sure the Organizational Unit that contains your WVD session hosts is included in the synchronization scope when you have applied OU filtering.
You should now see the computer objects being synced to Azure AD. You can check this via the Synchronization Service Manager.
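Two things need to be true on the server side before a host can register: the SCP written by the wizard (or ConfigureSCP.ps1) must point at the right tenant, and each session host's computer object must already exist as a device in Azure AD. The script below is an added example, not part of the original post or of AAD Connect; it reads the SCP keywords from the forest's configuration partition and compares the computers in a given OU with the device objects Azure AD reports. It assumes the ActiveDirectory and AzureAD PowerShell modules are installed, and the OU path is a placeholder to replace with your own.

```powershell
# Added example: server-side validation of the SCP and of computer-object sync.
# Run from a domain-joined admin workstation with the ActiveDirectory and
# AzureAD modules available; Connect-AzureAD prompts for the tenant sign-in.
Import-Module ActiveDirectory
Import-Module AzureAD

# Assumed OU that holds the WVD session hosts - adjust to your forest
$WvdOu = 'OU=WVD,OU=Servers,DC=brainpulse,DC=it'

function Get-HybridJoinScp {
    # The device registration SCP sits under a well-known GUID in the
    # configuration naming context; its keywords hold the tenant name and ID
    # that domain-joined clients use to discover the tenant.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4088-9036-ff40d5ba2ada,CN=Device Registration Configuration,CN=Services,$configNc"
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    [pscustomobject]@{
        TenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
        TenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
    }
}

function Get-WvdHostSyncState {
    param([string]$SearchBase = $WvdOu)

    # Every computer in the OU should have a matching Azure AD device object once
    # AAD Connect has exported it. A missing device almost always means the OU
    # is excluded by the sync filter, and the client will log Event ID 304.
    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $aadDevice = Get-AzureADDevice -Filter "displayName eq '$($_.Name)'"
        [pscustomobject]@{
            Computer    = $_.Name
            SyncedToAAD = [bool]$aadDevice
            # 'ServerAd' is the trust type Azure AD reports for hybrid joined devices
            TrustType   = if ($aadDevice) { $aadDevice.DeviceTrustType } else { '-' }
        }
    }
}

$scp = Get-HybridJoinScp
"SCP points at tenant $($scp.TenantName) ($($scp.TenantId))"

Connect-AzureAD | Out-Null
$hosts = Get-WvdHostSyncState
$hosts | Format-Table -AutoSize

$missing = $hosts | Where-Object { -not $_.SyncedToAAD }
if ($missing) {
    Write-Warning ("Not yet in Azure AD: " + ($missing.Computer -join ', ') + " - check the OU filter and run a sync cycle")
}
```

If the SCP lookup fails, the wizard step above did not complete for this forest (or the ConfigureSCP.ps1 script was never run), and no client will be able to discover the tenant regardless of how well the sync is working. Hosts listed as not synced will show up after the next delta sync once the OU is in scope.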
## Confirming Hybrid Azure AD Join status
After you have validated that your WVD Session Hosts are being synchronized to Azure AD, it’s time to check whether the hosts are registered in Azure AD.
Client-Side
If your WVD Session Host tries to perform the registration before you have synchronized the object, you will get an error with Event ID 304. All the relevant events are written to the User Device Registration event log.
The easiest way to check the registration from the client is to run the following command on the client:
```
dsregcmd /status
```
If you see `AzureAdJoined : YES` under Device State, everything worked as expected!
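Reading the full dsregcmd output on every host gets old quickly, and the interesting failure (Event ID 304 because the object was not synced yet) lives in the event log rather than in that output. The script below is an added example, not part of the original post; it parses dsregcmd /status into a hashtable, reports the join state, and, when the hybrid join is not complete, pulls the latest entries from the User Device Registration log. The function names are my own; run it in an elevated PowerShell session on the session host.

```powershell
# Added example: client-side check of the Hybrid Azure AD join state on a
# WVD session host. dsregcmd /status is the source of truth; the event log
# explains why a join has not happened yet.
function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines; collect them into a hashtable
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    $status
}

function Test-HybridJoinState {
    $s = Get-DsregStatus
    $domainJoined  = $s['DomainJoined']  -eq 'YES'
    $azureAdJoined = $s['AzureAdJoined'] -eq 'YES'
    [pscustomobject]@{
        DomainJoined  = $domainJoined
        AzureAdJoined = $azureAdJoined
        # Hybrid joined means both the on-prem and the Azure AD join are present
        HybridJoined  = $domainJoined -and $azureAdJoined
        TenantName    = $s['TenantName']
        DeviceId      = $s['DeviceId']
    }
}

function Get-RecentRegistrationEvents {
    param([int]$Count = 20)
    # Event ID 304 appears here when the host tried to register before its
    # computer object reached Azure AD; later entries show the retry succeeding.
    Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }   # first line only
}

$state = Test-HybridJoinState
$state | Format-List

if (-not $state.HybridJoined) {
    "Hybrid join not complete yet; most recent registration events:"
    Get-RecentRegistrationEvents | Format-Table -AutoSize
}
```

A host that shows DomainJoined YES but AzureAdJoined NO together with a recent Event ID 304 is the exact situation described above: the computer object has not been synchronized yet, so there is nothing to fix on the client itself.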
Sometimes it can take 15 – 30 minutes before the registration occurs, but the best part is that the Hybrid join happens completely automatically!
Azure-Side
If you log in to the Azure portal and click on Devices, you can also see the status of the registration. The device Join Type should show Hybrid Azure AD joined.
That’s it, your WVD session host is now Hybrid Azure AD joined! In the next post I will walk you through the setup and configuration of enrolling those WVD hosts into Microsoft Intune!
Stay tuned!
Resources
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan
https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-announces-support-for-windows-virtual/ba-p/1681048