In this chapter, we will look at user experience. We will start by looking at the powerful capabilities of Universal Print before looking at Microsoft Endpoint Manager. Then, we will look at Start Virtual Machine (VM) on Connect, which is very useful for those who want to reduce costs and control when VMs are started. After that, we will cover screen capture protection for protecting corporate data, FSLogix profile troubleshooting, and provide some useful information on Remote Desktop client connection issues.
The following topics will be covered in this chapter:
Important Note
For more information on configuring persistent and non-persistent desktops and configuring Remote Desktop properties for a host pool, please refer back to Chapter 7, Configure Azure Virtual Desktop Host Pools.
We will kick off this chapter by looking at Universal Print and the fundamentals of how the product works.
What is Universal Print? This is a cloud-managed print service that's provided by Microsoft through Microsoft Azure. Universal Print runs solely on Microsoft Azure. So, when it's deployed with Universal Print-compatible printers, you do not require any on-premises infrastructure to use the service.
The service is essentially a Microsoft 365 subscription-based service that you can use to centralize print management through the Universal Print portal. It's important to note that this service is fully integrated into Azure Active Directory and supports single sign-on scenarios.
This section will look at Universal Print and how you can use this Azure service with Azure Virtual Desktop.
Let's take a quick look at its architecture:
The Universal Print service leverages the following components:
The preceding table was taken from the following Microsoft site: https://docs.microsoft.com/universal-print/fundamentals/universal-print-whatis#architecture.
Now, let's look at the required licensing and Universal Print's prerequisites.
Before we look at Universal Print, we must look at the required licensing for using the service. The following subscriptions include Universal Print:
If you have issues accessing the Universal Print service with any of the correct licenses, you need to ensure that you have checked the Universal Print Service Plan. To check this, follow these steps:
Next, let's look at the requirements we need to have in place for configuring Universal Print.
Important Note
Where is print data stored? Universal Print stores all print queues in its Office data storage. This is the same storage that's used to store Office 365 mailboxes and OneDrive files. A job can be queued for a few days. If the job is not claimed by a printer within 3 days, the job gets marked as aborted. You may see jobs stay within Universal Print for up to 10 days. Please note that when print jobs are sent using Universal Print, they are encrypted in the cloud.
In this section, we will look at the prerequisites for Universal Print:
Ensure that the following firewall rules have been applied to the device that's been chosen to host the connector. If you are using a Windows client device, remember that you will need to disable the hibernation/sleep controls and that you also need to ensure that the following firewall rules are set at the perimeter and on the client device:
Important Note
Make sure that both TCP 443 and 445 are open on the firewall to ensure you don't experience any issues when using Universal Print.
There are two designated limited Azure administrator roles that you can use to manage Universal Print. The following table details these two roles:
The preceding table was taken from the following Microsoft resource: https://docs.microsoft.com/universal-print/fundamentals/universal-print-administrator-roles.
Now, let's learn how to set up Universal Print.
When it comes to setting up Universal Print, first, we need to deploy a Universal Print connector that enables printers to communicate with the Universal Print service.
Important Note
Some in-market printers do not support the required Universal Print protocols. It is most likely that printer manufacturers will offer printer firmware upgrades that add Universal Print support directly to the printer; however, you need to use the Universal Print connector for those that do not.
The connector's purpose, as per its name, is to make sure that a wide range of printers can connect to and communicate with the Universal Print service. All those printers with the Universal Print protocol within their firmware don't require the Universal Print connector.
The key functions of the connector are as follows:
Important Note
The print connector passes jobs to the print spooler without locally storing the files the user intends to print. However, depending on their size, the connector may need to store a file temporarily to ensure it is submitted successfully to the spooler. In some cases, the deletion of these temporary files may not be successful, and IT admin intervention will be required to clear these no-longer-needed files.
Ensure that the required firewall rules are applied to the device chosen to host the connector. If you are using a Windows client device, remember that you will need to disable hibernation/sleep controls and that you also need to ensure the required firewall rules are set, as detailed in the Prerequisites for Universal Print section.
The recommended operating system is Windows 10 64-bit Pro or Enterprise on build 1809 onwards. If you are using a server, you will need a minimum of Windows Server 2016 64-bit. Both Windows Server 2019 and 2022 are supported.
Important Note
When you create a print connector, a device object is created in Azure AD with an object ID.
Follow these steps to install the connector:
Important Note
For those using proxy services, you can use bitsadmin to set the proxy. You can find more information on this here: https://docs.microsoft.com/windows-server/administration/windows-commands/bitsadmin-util-and-setieproxy.
Once the Universal Print connector has been launched, you will see the option to sign in. Go ahead and sign in using the administrator account that's been assigned to the Universal Print license:
Important Note
Make sure that the user account that's used to configure the Universal Print connector's configuration has either the role of Printer Administrator or Global Administrator.
Within the Universal Print portal, you will see the connector under Universal Print | Connectors:
In this subsection, we looked at the Universal Print connector's prerequisites and installed the connector on a device. Now that we have installed the Universal Print connector, we can register the printer.
In this section, we'll learn how to register printers with Universal Print using the Universal Print connector we installed in the previous section.
Important Note
Ensure that you have configured the correct external URLs through the perimeter security and localhost firewall.
There are essentially three steps to registering a printer with Universal Print:
The registration process can take between 10 to 30 seconds on a typical internet connection. It may take longer, so please be patient.
Important Note
The option to set Enable Hybrid AD Configuration to Enable is used for those organizations that use both Active Directory and Azure AD. In this type of setup, the user account exists in both directory services.
You can read more about Hybrid AD Configuration here: https://docs.microsoft.com/en-us/universal-print/fundamentals/universal-print-hybrid-ad-aad-environment-setup#what-is-a-hybrid-adconfiguration.
Now that we have registered the printer, you should see the newly registered printer within Azure portal | Universal Print | Printers:
If the printer registration process fails, you will note that it will remain in the operations list and show a failure in the status section. You can retry the failed registration process and clear it using the buttons at the bottom left of the form, as shown in the preceding screenshot.
Now that we have registered a printer with Universal Print, we can assign permissions to the registered printers and share them.
Now that we have installed the print connector and registered the printers, the next stage is to share the printer. This means making the printer accessible to users. Before a user can print to a printer, the printer must be shared, thus granting access.
The quickest way to share a printer is to navigate to Printer Shares and click the Add button (https://portal.azure.com/#blade/Universal_Print/MainMenuBlade/PrinterShares):
Once you have clicked the Add button, the Create printer share blade will appear. Enter the share name, the printer/printers, and the selected Azure users/Azure groups or allow access to everyone in your organization. Once you have entered the correct information for the share, click Share Printer:
Once created, you will see the printer share appear on the Printer Shares page within Universal Print, as per the following screenshot:
When you click on Printer Shares, you will see options for managing access control, which is where you can add more users to the printer share, have the opportunity to delete the printer share, and swap the printer, as shown in the following screenshot:
Tip
When a printer needs to be replaced, you can use the Swap Printer button to choose another printer that has been registered with Universal Print.
In this section, we learned how to assign printers to a printer share and how to assign user (member) permissions to use the Universal Print service. Now that we have configured printer sharing, we must add the Universal Print printer to a Windows device.
In this final section on configuring Universal Print, we will assign a printer to a Windows device. The following are the prerequisites we must have before we can add the printer to the user's device:
There are typically three steps to adding a Universal Print printer to a device:
Important Note
It is advised that you don't change the driver for Universal Print printers as this could cause the printer to stop printing.
There you have it – with that, we have deployed Universal Print for Azure Virtual Desktop. The key takeaway from this section is that, unless you have a printer that supports the Universal Print protocols out of the box, you need to install a connector on a device on-premises to register the printers within the Azure Universal Print portal page. Then, you need to share the printer and assign the necessary permissions. Once the printers have been shared, you can add them to user devices that have the required license to use Universal Print.
In the next section, we will look at user settings in Group Policy and Microsoft Endpoint Manager.
This section will briefly look at ways you can configure and manage user settings on Azure Virtual Desktop. You can manage user settings using local policies and registry entries, group policy settings, and Microsoft Endpoint Manager.
Endpoint Manager is a cloud-based platform that focuses on both mobile and device management. This type of service offering is referred to as Mobile Device Management (MDM) or Mobile Application Management (MAM).
Microsoft Endpoint Manager enables you to control and manage your organization's devices and how they are used. This is the same for Azure Virtual Desktop and Microsoft's latest offering, which is known as Windows 365 or, as some call it, Cloud PC.
In the Devices | Windows section, there are several Windows policies you can configure. This includes compliance, configuration, the use of PowerShell scripts, and Windows updates/feature updates.
Let's take a brief look at creating a Configuration Profile for Azure Virtual Desktop users:
Important Note
Intune/Endpoint Manager supports both Windows 10 Enterprise machines and Windows 10 Enterprise Multi-Session for Azure Virtual Desktop.
Enter a name and description for the configuration policy:
As you can see, there are several different policies you can enable to lock down a desktop. These are the same ones that you would find in a group policy or the local policy on the session host itself.
As shown in the following screenshot, I have selected three user configuration items in this policy that will be rolled out to the Azure Virtual Desktop session hosts.
Once created, you will see the new policy within the Configuration policies page:
There you have it – we have created our first configuration policy for Azure Virtual Desktop using Microsoft Endpoint Manager! You can learn more about Microsoft Endpoint Manager by reading Mastering Microsoft Endpoint Manager, by Christiaan Brinkhoff, Per Larsen, Packt Publishing.
This section looked at how we can assign configuration policies to Azure Virtual Desktop session hosts using Microsoft Endpoint Manager. In the next section, we will look at configuring Start Virtual Machine on Connect.
In this section, we will look at the Start VM on Connect feature. This offers a cost-saving mechanism for organizations, as Start Virtual Machine on Connect essentially allows VMs to be turned on only when required; when they are not needed, they can be turned off. Start Virtual Machine on Connect is a great way for you to boot VMs on demand. This can be useful for personal desktops or for resources that are shut down every evening on a schedule set by the IT department.
The following screenshot shows Start Virtual Machine on Connect in action:
Important Note
Start Virtual Machine on Connect is available for personal and pooled host pools and can be configured using the Azure portal or PowerShell.
Now, let's look at how to configure Start Virtual Machine on Connect within the Azure portal:
The JSON template should look something like this:
{
  "properties": {
    "roleName": "Start VM on connect (Custom)",
    "description": "Start VM on connect with AVD (Custom)",
    "assignableScopes": [
      "/subscriptions/<EnterSubscriptionHere>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
The following screenshot shows where you would import the JSON configuration file for the custom role:
Once you have completed this step, you will be ready to enable Start Virtual Machine on Connect within the required host pool.
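The same three steps (custom role, role assignment to the Windows Virtual Desktop service principal, host pool setting) done with Az PowerShell rather than the portal. This is an added example and not code from the book; it assumes the Az.Resources and Az.DesktopVirtualization modules are installed, Connect-AzAccount has been run, and the $resourceGroupName and $hostPoolName placeholders are replaced with your own values. Note that New-AzRoleDefinition -InputFile uses the Az PowerShell role schema, which differs from the portal's "properties"/"roleName" JSON shown above.

```powershell
# Placeholders (not from the book): set these to your own host pool
$resourceGroupName = '<EnterResourceGroupHere>'
$hostPoolName      = '<EnterHostPoolHere>'
$subscriptionId    = (Get-AzContext).Subscription.Id
$scope             = "/subscriptions/$subscriptionId"
$roleName          = 'Start VM on connect (Custom)'

# Step 1: least-privilege custom role; only read and start, nothing else
$roleJson = @"
{
  "Name": "$roleName",
  "IsCustom": true,
  "Description": "Start VM on connect with AVD (Custom)",
  "Actions": [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "$scope" ]
}
"@
$roleFile = Join-Path $env:TEMP 'start-vm-on-connect-role.json'
Set-Content -Path $roleFile -Value $roleJson -Encoding utf8

# Create the role only if it does not already exist, so re-runs are safe
$role = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-AzRoleDefinition -InputFile $roleFile
}

# Step 2: assign the role to the AVD first-party service principal, which
# still carries the display name "Windows Virtual Desktop" in the tenant
$avdSp = Get-AzADServicePrincipal -DisplayName 'Windows Virtual Desktop'
if (-not $avdSp) {
    throw 'The Windows Virtual Desktop service principal was not found in this tenant.'
}
$assignment = Get-AzRoleAssignment -ObjectId $avdSp.Id -RoleDefinitionName $roleName `
    -Scope $scope -ErrorAction SilentlyContinue
if (-not $assignment) {
    New-AzRoleAssignment -ObjectId $avdSp.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# Step 3: enable the feature on the host pool
Update-AzWvdHostPool -ResourceGroupName $resourceGroupName -Name $hostPoolName -StartVMOnConnect
```

The assignable scope is the whole subscription, as in the book's JSON; if your session host VMs live in a single resource group, you can narrow $scope to that resource group's resource ID to keep the grant tighter.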
This section looked at setting up Start Virtual Machine on Connect by creating a custom role and assigning the Windows Virtual Desktop (soon to be renamed Azure Virtual Desktop) service to the role.
In the next section, we will look at screen capture protection for Azure Virtual Desktop.
The screen capture protection feature can be used as a data leak prevention tool to prevent sensitive information from being captured on endpoint clients. When this feature is enabled, remote content will be automatically blocked or hidden in screenshots and screen shares.
Important Note
The Remote Desktop Client hides content from any malicious software that may be capturing the screen.
Screen capture protection is an Azure Virtual Desktop feature that is configured at the session host level and is enforced on the client. On Windows Desktop clients, you can only use screen capture protection for full desktops. However, macOS clients using version 10.7.0 or later support screen capture protection for both RemoteApp and full desktops.
In this subsection, we will configure screen capture protection:
Tip
This example shows you how to configure the Session Host itself. However, you can use the Group Policy Central store within Active Directory to do this.
Important Note
There is no guarantee that the feature will fully restrict protected content, and it is recommended that you test it before rolling it out to a production environment. It is also recommended that you consider restricting access to items such as the clipboard, drive, and printer redirection as well as using screen capture protection. It is also important to understand that users cannot use local collaboration software such as Microsoft Teams when the screen capture protection feature is enabled.
In this section, we looked at how to configure and enable screen capture protection for Azure Virtual Desktop. Now, let's learn how to troubleshoot FSLogix profile containers.
This section will provide an overview of troubleshooting FSLogix profile containers. We will provide a few pointers to help you when you're diagnosing profile-related issues.
The quickest way to get insight into FSLogix profile issues is to review the logs using the FSLogix profile status utility. This enables you to view both administrative and operational profile-related events. You can find the profile status utility here: C:\Program Files\FSLogix\Apps\frxtray.exe.
Tip
You can review the logs for FSLogix remotely via %ProgramData%\FSLogix\Logs.
Using the FSLogix profile status utility and cross-referencing the status codes will help you quickly diagnose an issue. You can find the list of status codes on the Microsoft Docs site at https://docs.microsoft.com/fslogix/fslogix-error-codes-reference:
You can also review VHD/VHDX disk usage and size using the FSLogix profile status utility tool and view logs that are specific to a particular area, such as the profile or service.
Important Note
You can review the FSLogix logs via the Event Viewer by going to Event Viewer | Applications and Services Logs | Microsoft | FSLogix.
You can read more about FSLogix profile logs by going to the Microsoft Docs site: https://docs.microsoft.com/fslogix/logging-diagnostics-reference.
One of the more typical issues related to FSLogix profile containers is ensuring that you have enabled the service on the session host or via Group Policy central management. Also, ensure that you have specified a valid VHD location (VHDLocations) and that the permissions have been set correctly for the profile to be mounted for the user trying to log on.
Important Note
When you're using the FSLogix cloud cache, VHDLocations is replaced with CCDLocations.
A few final issues to watch out for when troubleshooting FSLogix profile containers are that the user or group in question is not in the FSLogix profile's excluded group, that a local profile doesn't already exist for the user or group of users, and that there is space available on the selected profile storage.
Important Note
For more information on configuring FSLogix profile containers, please refer back to Chapter 12, Implementing and Managing FSLogix.
In this section, we looked at troubleshooting FSLogix profile container issues within Azure Virtual Desktop. We provided a high-level summary and discussed the FSLogix profile status utility, as well as some common problems to watch out for. In the next section, we will look at troubleshooting Azure Virtual Desktop clients.
In this section, we will look at troubleshooting Azure Virtual Desktop client issues and some hints and tips to help you on your way with diagnosing problems.
You need to ensure that your users can communicate with the Azure Virtual Desktop service; on corporate devices, you should add the correct firewall rules to allow this.
The following table details the required URLs that the client should be able to access:
The preceding table was taken from https://docs.microsoft.com/azure/virtual-desktop/safe-url-list#remote-desktop-clients.
In the next section, we will look at testing connectivity to help you troubleshoot any issues.
This subsection will look at how to test that the client can communicate correctly with Azure Virtual Desktop. We will look at two tests – one that uses PsPing and another that uses nslookup.
You can complete client tests using Sysinternals PsPing, which allows you to test connectivity from the client to the Azure Virtual Desktop service.
You can download PsPing from https://docs.microsoft.com/sysinternals/downloads/psping.
The test that was run in the following screenshot essentially pings the RDWeb service on port 443 using the command psping64.exe -t rdweb.wvd.microsoft.com:443.
As you can see, the device can communicate with the service:
You can also use nslookup to ensure that DNS is working as expected:
nslookup rdweb.wvd.microsoft.com
You should see the following output. If DNS is working, it should resolve with IP addresses and other information, such as aliases:
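The two checks above (DNS resolution, then a TCP handshake on port 443) combined into one script that can be run on an affected client. This is an added example, not code from the book; it uses the built-in Resolve-DnsName and Test-NetConnection cmdlets in place of nslookup and PsPing, and the endpoint list is seeded only with rdweb.wvd.microsoft.com from this chapter, with a placeholder for the other URLs from the safe URL list.

```powershell
# Endpoints to verify. rdweb.wvd.microsoft.com is the one tested in this
# chapter; add the remaining client URLs from the safe URL list as needed.
$endpoints = @(
    @{ HostName = 'rdweb.wvd.microsoft.com'; Port = 443 }
    # @{ HostName = '<EnterAdditionalUrlHere>'; Port = 443 }   # placeholder
)

function Test-AvdEndpoint {
    param([string]$HostName, [int]$Port)

    $result = [ordered]@{
        HostName  = $HostName
        Port      = $Port
        DnsOk     = $false
        Addresses = @()
        TcpOk     = $false
        Error     = $null
    }

    # DNS first: a failing name lookup explains a TCP failure, so do not
    # bother with the port test until the name resolves
    try {
        $records = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop
        $result.Addresses = @($records | Where-Object { $_.Type -eq 'A' } |
                              ForEach-Object { $_.IPAddress })
        $result.DnsOk = $result.Addresses.Count -gt 0
    } catch {
        $result.Error = "DNS: $($_.Exception.Message)"
    }

    # TCP 443 reachability, equivalent to psping -t host:443 but a single probe
    if ($result.DnsOk) {
        $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
        $result.TcpOk = $tcp.TcpTestSucceeded
        if (-not $result.TcpOk) { $result.Error = "TCP: port $Port not reachable (firewall or proxy?)" }
    }

    [pscustomobject]$result
}

$endpoints | ForEach-Object { Test-AvdEndpoint -HostName $_.HostName -Port $_.Port } |
    Format-Table HostName, Port, DnsOk, TcpOk, Error -AutoSize
```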
Now that we have looked at how to test client connectivity to the Azure Virtual Desktop service, let's learn how to reset the client.
If you find that a user's Remote Desktop Client stops responding, cannot be opened, or you receive messages such as certificate errors, you may want to try resetting the client as a way to resolve the issue:
"%userprofile%\appdata\local\apps\Remote Desktop\msrdcw.exe" /reset
The result of the preceding query is shown in the following screenshot:
You can also add the /f switch to force the reset without receiving a popup message. This is useful if you want to automate the process of resetting multiple devices using an endpoint manager or another tool.
To reset with the force switch, you can use the following command:
"%userprofile%\appdata\local\apps\Remote Desktop\msrdcw.exe" /reset /f
Now that we have covered resetting the remote desktop client, let's move on to the next section, where we will learn what to do if the remote desktop client is showing no resources.
If your client is showing no resources, this is usually because the user has been taken out of the app group. If there has been a resource move between resource groups, this can impact the configuration of Azure Virtual Desktop. If no resources exist, check the app groups first. It is also advised that the user logs out of the client and re-authenticates to see if the issue persists.
In this section, we looked at troubleshooting Azure Virtual Desktop clients. We looked at troubleshooting and confirming connectivity, including testing connectivity to the Azure Virtual Desktop service using PsPing from Sysinternals and nslookup to ensure that DNS is working correctly.
In this chapter, we started by learning about Universal Print, which offers a modern, flexible print solution for organizations and complements Azure Virtual Desktop, as both services are built inside Microsoft Azure. We then looked at Microsoft Endpoint Manager and the benefits it offers Azure Virtual Desktop, in the sense that you can centrally create and assign configuration policies for users using scope tags. Next, we looked at a relatively new feature in the Azure Virtual Desktop portfolio known as screen capture protection, which offers better protection for sensitive workspaces. We looked at how to add the required policies and configure them. Finally, we looked at troubleshooting FSLogix profile containers and troubleshooting the Remote Desktop client.
The next chapter is very exciting as we look at installing and configuring apps on a session host.
Step-by-Step: Configure and manage Microsoft Universal Print: https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-configure-and-manage-microsoft-universal-print/ba-p/2227224
Answer the following questions to test your knowledge of this chapter: