Home | Design | Get Started | Troubleshooting | Parameters | Scope | Zero Trust Framework
This optional feature enables backups to protect user profile data. When selected, if the host pool is "pooled" and the storage solution is Azure Files, the solution will protect the file share. If the host pool is "personal", the solution will protect the virtual machines.
Reference: Azure Backup - Microsoft Docs
Deployed Resources:
- Recovery Services Vault
- Backup Policy
- Protection Container (File Share Only)
- Protected Item
When this optional feature is deployed, the sessions hosts will be put in drain mode to ensure the end users cannot access them until they have been validated.
Reference: Drain Mode - Microsoft Docs
Deployed Resources:
- Virtual Machine
- Run Command
If selected, this solution will deploy the required resources and configurations so that FSLogix is fully configured and ready for immediate use post deployment.
Azure Files and Azure NetApp Files are the only two SMB storage services available in this solution. A management VM is deployed to facilitate the domain join of Azure Files (AD DS only) and configures the NTFS permissions on the share(s). With this solution, FSLogix containers can be configured in multiple ways:
- Cloud Cache Profile Container
- Cloud Cache Profile & Office Container
- Profile Container (Recommended)
- Profile & Office Container
Reference: FSLogix - Microsoft Docs
When deploying Azure Files and using either of the domain service identity options, you have the option to deploy more than one Azure Files storage account to shard your storage by deploying a storage account for each group defined in the fslogixUserGroups parameter.
In addition to the optional deployment of resources, you can choose to configure the registry of session host VMs with the proper registry settings to support each of these container types whether or not the resources are deployed. In addition, if you choose one of the Cloud Cache options, you can provide storage accounts in remote regions to support an active/active Business Continuity and disaster recovery configuration as documented at https://learn.microsoft.com/en-us/fslogix/concepts-container-recovery-business-continuity#option-3-cloud-cache-active--active.
Deployed Resources:
- Azure Storage Account (Optional)
- File Services
- Share(s)
- Azure NetApp Account (Optional)
- Capacity Pool
- Volume(s)
- Virtual Machine
- Network Interface
- Disk
- Private Endpoint (Optional)
- Private DNS Zone (Optional)
When an appropriate VM size (Nv, Nvv3, Nvv4, or NCasT4_v3 series) is selected, this solution will automatically deploy the appropriate virtual machine extension to install the graphics driver and configure the recommended registry settings.
Reference: Configure GPU Acceleration - Microsoft Docs
Deployed Resources:
- Virtual Machines Extensions
- AmdGpuDriverWindows
- NvidiaGpuDriverWindows
- CustomScriptExtension
This optional feature will deploy the selected availability option and only provides high availability for "pooled" host pools since it is a load balanced solution. Virtual machines can be deployed in either Availability Zones or Availability Sets, to provide a higher SLA for your solution. SLA: 99.99% for Availability Zones, 99.95% for Availability Sets.
Reference: Availability options for Azure Virtual Machines - Microsoft Docs
Deployed Resources:
- Availability Set(s) (Optional)
This feature deploys the required resources to enable the AVD Insights workbook in the Azure Virtual Desktop blade in the Azure Portal.
Reference: Azure Monitor for AVD - Microsoft Docs
In addition to Insights Monitoring, the solution also allows you to send security relevant logs to another log analytics workspace. This can be accomplished by configuring the securityLogAnalyticsWorkspaceResourceId parameter for the legacy Log Analytics Agent or the securityDataCollectionRulesResourceId parameter for the Azure Monitor Agent.
Deployed Resources:
- Log Analytics Workspace
- Data Collection Endpoint
- Data Collection Rules
- AVD Insights
- VM Insights
- Azure Monitor Agent extension
- System Assigned Identity on all deployed Virtual Machines
- Diagnostic Settings
- Host Pool
- Workspace
Autoscale lets you scale your session host virtual machines (VMs) in a host pool up or down according to schedule to optimize deployment costs.
Reference: AutoScale Scaling Plan - Microsoft Docs
This optional feature deploys the required resources & configuration to enable virtual machine managed disk encryption on the session hosts using a customer managed key. The configuration also enables double encryption which uses a platform managed key in combination with the customer managed key. The FSLogix storage account can also be encrypted using Customer Managed Keys.
Reference: Azure Server-Side Encryption - Microsoft Docs
Deployed Resources:
- Key Vault (1 per host pool for VM disks, 1 for each fslogix storage account)
- Key Encryption Key
- Disk Encryption Set
This feature is automatically enabled when Azure Files Premium is selected for FSLogix storage. This feature is only supported with Azure Files Premium and it allows multiple connections to an SMB share from an SMB client.
Reference: SMB Multichannel Performance - Microsoft Docs
This optional feature allows your end users to turn on a session host when all the session hosts have been stopped / deallocated. This is done automatically when the end user opens the AVD client and attempts to access a resource. Start VM On Connect compliments scaling solutions by ensuring the session hosts can be turned off to reduce cost but made available when needed.
Reference: Start VM On Connect - Microsoft Docs
Deployed Resources:
- Role Assignment
- Host Pool
This feature is enabled automatically with the safe boot and vTPM settings when the following conditions are met:
- a generation 2, "g2", image SKU is selected
- the VM size supports the feature
It is a security best practice to enable this feature to protect your virtual machines from:
- boot kits
- rootkits
- kernel-level malware
Reference: Trusted Launch - Microsoft Docs
Deployed Resources:
- Virtual Machines
- Guest Attestation extension
Azure confidential VMs offer strong security and confidentiality for tenants. They create a hardware-enforced boundary between your application and the virtualization stack. You can use them for cloud migrations without modifying your code, and the platform ensures your VM’s state remains protected.
Reference: Confidential Virtual Machines - Microsoft Docs
Deployed Resources:
- Azure Key Vault Premium
- Key Encryption Key protected by HSM
- Disk Encryption Set
Azure Government supports applications that use Impact Level 5 (IL5) data in all available regions. IL5 requirements are defined in the US Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG). IL5 workloads have a higher degree of impact to the DoD and must be secured to a higher standard. When you deploy this solution to the IL4 Azure Government regions (Arizona, Texas, Virginia), you can meet the IL5 isolation requirements by configuring the parameters to deploy the Virtual Machines to dedicated hosts and using Customer Managed Keys that are maintained in Azure Key Vault and stored in FIPS 140 Level 3 validated Hardware Security Modules (HSMs).
Prerequisites
You must have already deployed at least one dedicated host into a dedicated host group in one of the Azure US Government regions. For more information about dedicated hosts, see (https://learn.microsoft.com/en-us/azure/virtual-machines/dedicated-hosts).
Reference:
Azure Government isolation guidelines for Impact Level 5 - Azure Government | Microsoft Learn
Deployed Resources
- Azure Key Vault Premium (Virtual Machine Managed Disks - 1 per host pool)
- Customer Managed Key protected by HSM (Auto Rotate enabled)
- Disk Encryption Set
- Azure Key Vault Premium (FSLogix Storage Accounts - 1 per storage account)
- Customer Managed Key protected by HSM (Auto Rotate enabled)
For an example of the required parameter values, see: IL5 Isolation Requirements on IL4