Session host update Part 1: The prerequisites

Hi All,

Microsoft released a new feature in public preview to update and manage session hosts. Imagine a feature that can build your session hosts on a scheduled basis with a configuration that you have chosen. Well, now you can with Session host update.

In this blog post I’ll walk you through the prerequisites you need to configure to make this new feature work. In the next part I’ll show how it works.

It is very important to remember that this feature is in public preview, so don’t use it for production environments.

To get all the info about this feature, use this link.

Prerequisites

As with all automated services, you need to put some resources and access rights for the AVD service principal in place before it will work.

Key Vault

This feature can domain join the session hosts if you choose this option. For this to work, the AVD service needs to be able to access the secrets in the key vault. This can be done using RBAC or with vault access policies.

In this case I’m using a vault access policy and giving the AVD service principal the Get secret permission. Do not forget that AVD had a name change in the past. Because of this, some tenants will see Windows Virtual Desktop as the name of the service principal.

During the setup of this feature you will be asked to give 4 secrets when you want to domain join the session hosts. Make sure you create these secrets in the key vault.

  • local admin username
  • local admin password
  • domain join username
  • domain join password

For the IT admin who wants to use RBAC for the key vault, the correct role is Key Vault Secrets User.

Correct RBAC permissions

For this feature to work properly, it needs the correct permissions. This is done using RBAC: the service principal for the AVD service needs to be assigned the Desktop Virtualization Virtual Machine Contributor role. In an ideal scenario your AVD environment is on a separate subscription. In that case you can assign the service principal the access on the entire subscription. Otherwise you have to assign it at resource group level, which can cause more administrative overhead.

The last important setting is the Azure Resource Manager for template deployment checkbox, which needs to be selected.
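To confirm the prerequisites above before starting the wizard, here is a read-only check written for this post as an added example (it is not Microsoft's or the original author's code). It assumes the Az PowerShell module with a signed-in session that is allowed to read the secrets; the vault name, scope and secret names are placeholders.

```powershell
# Added example: read-only check of the prerequisites described in this post.
# Every name in this first block is a placeholder (assumption); use your own.
$vaultName   = 'kv-avd-example'                    # hypothetical key vault name
$scope       = '/subscriptions/<subscription-id>'  # or a resource group scope
$secretNames = 'local-admin-username', 'local-admin-password',
               'domain-join-username', 'domain-join-password'  # hypothetical names

# The service principal shows up under its current or its former display name.
$sp = 'Azure Virtual Desktop', 'Windows Virtual Desktop' |
    ForEach-Object { Get-AzADServicePrincipal -DisplayName $_ } |
    Select-Object -First 1
if (-not $sp) { throw 'AVD service principal not found in this tenant.' }

$vault = Get-AzKeyVault -VaultName $vaultName
if (-not $vault) { throw "Key vault '$vaultName' not found." }
$results = [ordered]@{}

# Secret access: RBAC role or vault access policy, depending on the vault's mode.
if ($vault.EnableRbacAuthorization) {
    $kvRole = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vault.ResourceId |
        Where-Object RoleDefinitionName -eq 'Key Vault Secrets User'
    $results['Key Vault Secrets User role on vault'] = [bool]$kvRole
} else {
    $policy = $vault.AccessPolicies | Where-Object ObjectId -eq $sp.Id
    $results['Access policy grants Get on secrets'] =
        $policy.PermissionsToSecrets -contains 'get'
    # Least privilege: the post only calls for Get, so flag anything beyond it.
    $extra = @($policy.PermissionsToSecrets | Where-Object { $_ -ne 'get' }) +
             @($policy.PermissionsToKeys) +
             @($policy.PermissionsToCertificates) | Where-Object { $_ }
    $results['Access policy grants nothing beyond Get'] = -not $extra
}

# Role assignment for the session host VMs, at the chosen scope or inherited from above.
$vmRole = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Where-Object RoleDefinitionName -eq 'Desktop Virtualization Virtual Machine Contributor'
$results['VM Contributor role at scope'] = [bool]$vmRole
$results['Template deployment enabled on vault'] = [bool]$vault.EnabledForTemplateDeployment

# The four secrets the setup asks for (the caller needs Get on secrets to check them).
foreach ($name in $secretNames) {
    $found = Get-AzKeyVaultSecret -VaultName $vaultName -Name $name
    $results["Secret '$name' exists"] = [bool]$found
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-42} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

The script changes nothing in the tenant; a FAIL on the "nothing beyond Get" line means the access policy gives the service principal more than this feature needs.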

Now that we have all this in place, it’s time to start using the feature. In part 2 I’ll walk you through the initial setup wizard and show what has changed in the UI to create a host pool.

See you soon!
