• https://go.microsoft.com/fwlink/?LinkId=828603
• https://aka.ms/dependencyagentwindows

The Monitor agent needs extravtion. To extract use the command: MMASetup-<platform>.exe /c /t:<Full Path>

e.g.: MMASetup-AMD64.exe /c /t:C:\Temp

Add all files to a network share like: \\server\share\

φτιάξε ένα bat or cmd file, π.χ. setupagents.bat με το παρακάτω περιεχόμενο αλλά βάλε τα δικά σου shares, workspace ID & Key:

create a bat or cmd file, e.g. setupagents.bat and add the below content. Change the share link, the Workspace ID and Key:

net use y: \\server\share\

y:\Setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID="<your workspace ID>" OPINSIGHTS_WORKSPACE_KEY="<your workspace key>" AcceptEndUserLicenseAgreement=1

y:\InstallDependencyAgent-Windows.exe /S /RebootMode=manual

net use y: /delete

For example, I created the setupagents.bat, and added the files to the network share  \\dcvm\Temp . The content of my setupagents.bat is:

net use y: \\dcvm\Temp

y:\Setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID="b987ae35-b7e3-44ba-bd27-000000000000" OPINSIGHTS_WORKSPACE_KEY="OZz8YN5A12biINsMbja9PHkZLDdYNNZEw+QDIsAmi0ys/2+000000000000==" AcceptEndUserLicenseAgreement=1

y:\Temp\InstallDependencyAgent-Windows.exe /S /RebootMode=manual

net use y: /delete

After running the setupagents.bat, both agents are installed. You can check at the programs and features:

At the control panel the Microsoft Monitoring Agent will appear and open it to check that it is connected to y our Log Analytics Workspace.

Here is a list of sample Log Search commands for the dependency analysis:

• https://learn.microsoft.com/en-us/previous-versions/azure/azure-monitor/vm/service-map#sample-log-searches
• https://learn.microsoft.com/en-us/azure/migrate/how-to-create-group-machine-dependencies#sample-review-inbound-connections

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Monitor & Dependencies agents at once! appeared first on Apostolidis Cloud Corner.

If you’re curious and want to dive deeper into how all this works, I highly recommend checking out the Azure Virtual Desktop architecture page on the Microsoft Architecture Center. It’s a treasure trove of information! Here you can find the Azure Virtual Desktop for enterprise page including a Visio diagram that you can download and edit.

Table of Contents

1. AVD Lab Setup
2. High level diagram of the Lab Setup
3. LAB Guided Steps
4. Domain Controller
5. User Profile Disks
6. Create the DirSync server
7. Join the Storage Account to the Active Directory Domain Services
8. Create the File Share for the User Profile Disks
9. Configure the FSLogix through Group Policy
10. Create the Image
11. Create the Host Pool
12. Assign user to the host pool application group
13. User access
14. Update Image
15. Auto scale & Start VM on connect
16. Scaling plan
17. Session Limits & Stop the VMs automation
18. Authentication & Security
19. User experience & Security
20. Monitoring

AVD Lab Setup

We will create an Azure Virtual Desktop environment for 50 remote users that will work in a Pooled session host architecture. What that means? Pooled session hosts means that we will deploy a pool of 7 session hosts (Virtual Machines) where users will be load balanced to any session host in the host pool.

The operating system will be Windows 11 multi-session with Office 365 preinstalled. We will select an Azure marketplace image; we will edit it to do any customizations we need and then we will create a custom image and use it for our AVD deployment.

To store the user profiles we need a persistent storage outside the hosts (virtual machines). We will store the images to an Azure File Share of a Storage Account and we will use the FXLogix tool to manage the profile containers.

High level diagram of the Lab Setup

LAB Guided Steps

Create three Resource Groups, one for Identity, one for Networking and one for the AVD, that will include the AVD Resource, the hosts and the private endpoints, and create the corresponding Virtual Networks. The AVD-Resources Virtual Network will have two subnets, one for the Hosts and one for the Private Endpoint. Finaly peer the identity & resources networks with the networking virtual network.

#create resource groups
az group create -n AVD-Identity-RG -l germanywestcentral
az group create -n AVD-Networking-RG -l germanywestcentral
az group create -n AVD-Resources-RG -l germanywestcentral

#create virtual networks
az network vnet create -n AVD-Identity-VNET -g AVD-Identity-RG --address-prefix 10.56.0.0/24 --subnet-name domain --subnet-prefixes 10.56.0.0/24
az network vnet create -n AVD-Networking-VNET -g AVD-Networking-RG --address-prefix 10.56.1.0/24 --subnet-name AzureFirewallSubnet --subnet-prefixes 10.56.1.0/26
az network vnet subnet create -g AVD-Networking-RG --vnet-name AVD-Networking-VNET -n AzureFirewallManagementSubnet --address-prefixes 10.56.1.64/26
az network vnet create -n AVD-Resources-VNET -g AVD-Resources-RG --address-prefix 10.56.2.0/24 --subnet-name hosts --subnet-prefixes 10.56.2.0/26
az network vnet subnet create -g AVD-Resources-RG --vnet-name AVD-Resources-VNET -n privatelink --address-prefixes 10.56.2.64/26

#create vnet peerings
# Get the id for vnet-1.
vNet1Id=$(az network vnet show -g AVD-Networking-RG --name AVD-Networking-VNET --query id --out tsv)
# Get the id for vnet-2.
vNet2Id=$(az network vnet show -g AVD-Identity-RG --name AVD-Identity-VNET --query id --out tsv)
# Get the id for vnet-3.
vNet3Id=$(az network vnet show -g AVD-Resources-RG --name AVD-Resources-VNET --query id --out tsv)
# peer vnet-1 to vnet-2
az network vnet peering create --name networking-to-identity -g AVD-Networking-RG --vnet-name AVD-Networking-VNET --remote-vnet $vNet2Id --allow-vnet-access
# peer vnet-1 to vnet-3
az network vnet peering create --name networking-to-resources -g AVD-Networking-RG --vnet-name AVD-Networking-VNET --remote-vnet $vNet3Id --allow-vnet-access
# peer vnet-2 to vnet-1
az network vnet peering create --name identity-to-networking -g AVD-Identity-RG --vnet-name AVD-Identity-VNET --remote-vnet $vNet1Id --allow-vnet-access --allow-forwarded-traffic
# peer vnet-3 to vnet-1
az network vnet peering create --name resources-to-networking -g AVD-Resources-RG --vnet-name AVD-Resources-VNET --remote-vnet $vNet1Id --allow-vnet-access --allow-forwarded-traffic

# Create an Azure Firewall Basic and add an allow network rule for the LAN
az network public-ip create --name "azfwpip" --resource-group "AVD-Networking-RG" --location "germanywestcentral" --sku "Standard"
az network public-ip create --name "azfwmpip" --resource-group "AVD-Networking-RG" --location "germanywestcentral" --sku "Standard"
az network firewall create -g AVD-Networking-RG -n AVDFirewall --sku AZFW_VNet --tier Basic --vnet-name AVD-Networking-VNET --conf-name avdIpConfig --m-conf-name avdmIpConfig --m-public-ip azfwmpip --public-ip azfwpip
az network firewall network-rule create --collection-name Net-Coll01 --destination-addresses 10.0.0.0/8 --destination-ports '*' --firewall-name AVDFirewall --name Allow-LAN --protocols Any --resource-group AVD-Networking-RG --priority 200 --source-addresses 10.0.0.0/8 --action Allow
az network firewall network-rule create --collection-name Net-Coll01 --destination-addresses '*' --destination-ports '*' --firewall-name AVDFirewall --name Allow-Internet --protocols Tcp --resource-group AVD-Networking-RG --source-addresses 10.0.0.0/8
az network firewall nat-rule create --collection-name Nat-Coll01 --priority 300 --dest-addr '4.185.80.0' --source-addresses '*' --destination-ports '3389' --firewall-name AVDFirewall --name rdptodc --protocols Any --resource-group AVD-Networking-RG --translated-address 10.56.0.4 --translated-port '3389' --action Dnat

# Create a Route Table (for the lab I created one route table to route all traffic to the Azure Firewall.) and associate it to the identity and resources subnets.
az network route-table create --name Firewall-rt-table --resource-group AVD-Networking-RG --location germanywestcentral --disable-bgp-route-propagation true
az network route-table route create --resource-group AVD-Networking-RG --name route-to-firewall --route-table-name Firewall-rt-table --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address 10.56.1.4
RTiD=$(az network route-table show -g AVD-Networking-RG -n Firewall-rt-table --query id --out tsv)
az network vnet subnet update -n hosts -g AVD-Resources-RG --vnet-name AVD-Resources-VNET --route-table $RTiD
az network vnet subnet update -n privatelink -g AVD-Resources-RG --vnet-name AVD-Resources-VNET --route-table $RTiD
az network vnet subnet update -n domain -g AVD-Identity-RG --vnet-name AVD-Identity-VNET --route-table $RTiD

# create NSG (for the lab I will create just and allow lan rule)
az network nsg create -g AVD-Networking-RG -n AVD-NSG
az network nsg rule create -g AVD-Networking-RG --nsg-name AVD-NSG -n AllowLan --priority 100 --source-address-prefixes 10.0.0.0/8 --source-port-ranges '*' --destination-address-prefixes 10.0.0.0/8 --destination-port-ranges '*' --access Allow --protocol '*' --description "allowlan"
az network nsg rule create -g AVD-Networking-RG --nsg-name AVD-NSG -n AllowLanOut --priority 101 --source-address-prefixes 10.0.0.0/8 --source-port-ranges '*' --destination-address-prefixes 10.0.0.0/8 --destination-port-ranges '*' --access Allow --protocol '*' --description "allowlan" --direction Outbound
NSGId=$(az network nsg show -g AVD-Networking-RG --name AVD-NSG --query id --out tsv)
az network vnet subnet update -g AVD-Identity-RG -n domain --vnet-name AVD-Identity-VNET --network-security-group $NSGId
az network vnet subnet update -g AVD-Resources-RG -n hosts --vnet-name AVD-Resources-VNET --network-security-group $NSGId
az network vnet subnet update -g AVD-Resources-RG -n privatelink --vnet-name AVD-Resources-VNET --network-security-group $NSGId

Domain Controller

# Create a network interface with private ip address due to DNS requirements
az network nic create --resource-group AVD-Identity-RG --name "DCNic" --vnet-name "AVD-Identity-VNET" --subnet "domain" --private-ip-address "10.56.0.4"
# Create a virtual machine
az vm create --resource-group AVD-Identity-RG --name "DCVM" --image "win2022datacenter" --size "Standard_D2s_v3" --admin-username "azureuser" --admin-password "your-password" --nics "DCNic"

Login to the VM and promote to Domain Controller & DNS server. In case you have an on-premises Active Directory environment that you want to use, then you will need a hybrid connectivity (ExpressRoute or VPN) and instead of creating a new Domain, you will need to add this server as an additional domain controller. There are plenty of guides to create an Active Directory domain, like this Install Active Directory Domain Services (Level 100) | Microsoft Learn .

After the promotion, and once the DNS role is ready, change the DNS settings of all Virtual Networks to the private IP address of the ADDS/DNS server.

# Set DNS servers on VNets
az network vnet update --resource-group AVD-Identity-RG --name AVD-Identity-VNET --dns-servers "10.56.0.4"
az network vnet update --resource-group AVD-Networking-RG --name AVD-Networking-VNET --dns-servers "10.56.0.4"
az network vnet update --resource-group AVD-Resources-RG --name AVD-Resources-VNET --dns-servers "10.56.0.4"

User Profile Disks

Create one Storage Account with a Private Endpoint and a Private DNS Zone that is needed to access the Storage Account endpoint. In case of an Enterprise Scale deployment, the Private DNS Zones will be located in a centralized location. The Storage Account name needs to be globally unique.

# Create storage account
az storage account create --name avdupd916 -g AVD-Resources-RG -l germanywestcentral --sku 'Standard_LRS' --allow-blob-public-access false --public-network-access Disabled --https-only true

# Get the Storage Account ID
storageAccountId=$(az storage account show -n avdupd916 -g AVD-Resources-RG --query id --output tsv)

# Get the Subnet ID
subnetId=$(az network vnet subnet show -g AVD-Resources-RG -n privatelink --vnet-name AVD-Resources-VNET --query id --out tsv)

# Create the private endpoint
az network private-endpoint create --name avdupd916files --resource-group AVD-Resources-RG --vnet-name AVD-Resources-VNET --subnet $subnetId --private-connection-resource-id $storageAccountId --group-ids file --connection-name avdupd916filesconnection

# Create the private DNS zone
az network private-dns zone create --name 'privatelink.file.core.windows.net' -g AVD-Resources-RG

# Create the private DNS zone group
az network private-endpoint dns-zone-group create --name avddnszonegroup --endpoint-name avdupd916files --private-dns-zone 'privatelink.file.core.windows.net' -g AVD-Resources-RG --zone-name 'privatelink.file.core.windows.net'

#Create a VNET link to the identity VNET
IDVnetId=$(az network vnet show -g AVD-Identity-RG --name AVD-Identity-VNET --query id --out tsv)
az network private-dns link vnet create -g AVD-Resources-RG -n fileslinktoid -z privatelink.file.core.windows.net -v $IDVnetId -e False

Create the DirSync server

# Create a network interface
az network nic create --resource-group AVD-Identity-RG --name "DSNic" --vnet-name "AVD-Identity-VNET" --subnet "domain"
# Create a virtual machine
az vm create --resource-group AVD-Identity-RG --name "DSVM" --image "win2022datacenter" --size "Standard_D2s_v3" --admin-username "azureuser" --admin-password "your-password" --nics "DSNic"

Sync the AD DS users using DirSync

Go to the Microsoft Entra Connect / Connect Sync / and download the Microsoft Entra Connect. Install it to the DirSync server and complete the express installation. After this process the AD DS users will be synced to the Entra ID.

Join the Storage Account to the Active Directory Domain Services

The Storage Account needs to be joined to the Active Directory Domain Servers in order to support domain user permissions and SSO. The process is described in this article: Enable AD DS authentication for Azure file shares | Microsoft Learn

• Login to the DirSync server
• install the latest .Net Framework Download .NET Framework | Free official downloads (microsoft.com)
• download the AzFilesHybrid module.
• Run Join-AzStorageAccount script, changing the required parameters.

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
# Navigate to where AzFilesHybrid is unzipped and stored and run to copy the files into your path
C:\temp>.\CopyToPSPath.ps1 
# Import AzFilesHybrid module
Import-Module -Name AzFilesHybrid
# Install the Az module and Connect to Azure
Install-Module Az
Connect-AzAccount
# Define parameters
$SubscriptionId = "********-****-****-****-********"
$ResourceGroupName = "AVD-Resources-RG"
$StorageAccountName = "avdupd916"
$SamAccountName = "avdupd916"
$DomainAccountType = "ComputerAccount"
$OuDistinguishedName = "OU=UPD,OU=AVDResources,DC=myavdd,DC=com"
# Select the target subscription for the current session
Select-AzSubscription -SubscriptionId $SubscriptionId 
# Register the target storage account with your active directory environment under the target OU 
Join-AzStorageAccount -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName -SamAccountName $SamAccountName -DomainAccountType $DomainAccountType -OrganizationalUnitDistinguishedName $OuDistinguishedName

After this process, a computer object will appear at the specified OU and the Storage Account, at the File Share settings will have the identity-based access as Configured.

Create two Groups. One for the AVD Admins and one for the AVD Users. In my case is AVDAdmins and AVDUsers. Wait until the users and groups are synced to the Microsoft Entra ID.

Create the File Share for the User Profile Disks

Create the File Share and Add the Admins Group to the “Storage File Data SMB Share Elevated Contributor” Role of the Storage Account and the Users Group to the “Storage File Data SMB Share Contributor” Role.

• “avdadmins” the “Storage File Data SMB Share Elevated Contributor” role
• “avdusers: the “Storage File Data SMB Share Contributor” role

# changing to PowerShell cause the Azure Cli caused me some problems. | Create the File Share
New-AzRmStorageShare -ResourceGroupName AVD-Resources-RG -StorageAccountName avdupd916 -Name updhare

# Back to Azure Cli | Provide access to the synced groups to the file share. To add a group you will need the object id of the group.
# avdadmins = ********************-0d5db5b092f8
az role assignment create --role "Storage File Data SMB Share Elevated Contributor" --assignee-object-id ********************-0d5db5b092f8 --assignee-principal-type Group --scope "/subscriptions/********************/resourceGroups/AVD-Resources-RG/providers/Microsoft.Storage/storageAccounts/avdupd916/fileServices/default/fileshares/updshare"
# avdusers = ********************-5e934d6f5c7d
az role assignment create --role "Storage File Data SMB Share Contributor" --assignee-object-id ********************-5e934d6f5c7d --assignee-principal-type Group --scope "/subscriptions/********************/resourceGroups/AVD-Resources-RG/providers/Microsoft.Storage/storageAccounts/avdupd916/fileServices/default/fileshares/updshare"

Assign NTFS permissions to the share

# mount the share to a member server to take a drive letter
net use Z: \\avdupd916.file.core.windows.net\updshare
icacls Z: /remove "Authenticated Users"
icacls Z: /remove "Builtin\Users"    
icacls Z: /remove "Creator Owner"
icacls Z: /grant "avdusers:(M)"
icacls Z: /grant "Creator Owner:(OI)(CI)(IO)(M)"

Configure the FSLogix through Group Policy

Download the FSLogix zip and copy the admx and adml files to the correct location based to your setup. Here for more info. Open the Group Policy Management. Create a new GPO and link it to the AVD Hosts OU. If the admx/adml files are copied correctly you should see the FSLogix settings under Computer Configuration / Policies / Administrative Templates

Settings to configure:

FSLogix / Profile Containers:

1. Enabled = Enabled
2. VHD Locations: \avdupd916.file.core.windows.net\updshare
3. DeleteLocalProfileWhenVHDShouldApply = Enabled
4. LockedRetryCount = 3
5. LockedRetryInterval = 5
6. ProfileType = Normal

FSLogix / Profile Containers / Container and Directory Naming

1. VolumeType = VHDX
2. SIDDirNameMatch = %username%.%userdomain%
3. SIDDirNamePattern = %username%.%userdomain%
4. VHDNameMatch = %username%
5. VHDNamePattern = %username%

Create the Image

Create a VM from the marketplace. I chose a Windows 11 multi-sesison image with MS apps.

# Create a network interface
az network nic create --resource-group AVD-Resources-RG --name "ImageNic" --vnet-name "AVD-Resources-VNET" --subnet "hosts"
#find the image name
az vm image list --location germanywestcentral --publisher microsoftwindowsdesktop --offer office-365 --all --output table
# Create a virtual machine
az vm create --resource-group AVD-Resources-RG --name "ImageVM" --image "MicrosoftWindowsDesktop:office-365:win11-23h2-avd-m365:22631.3447.240409" --size "Standard_D2s_v3" --admin-username "vmadmin" --admin-password "*********" --nics "ImageNic"

This image already has Microsoft 365, Teams, Edge, OneDrive in a multi-session installation and the FSLogix app to control the user profile disks. Install whatever application is needed and do any configuration, like language etc. I will install 7-zip & VLC Player just for the customization.

Take a snapshot of the VM disk before performing sysprep. You will need this snapshot when you need to do any updates and customizations to this image. After the sysprep you will no longer be able to spin an Azure VM. It is recommended to stop/deallocate the VM to take the snapshot. Open the Disk resource and press + Create Snapshot

Generalize the image with sysprep

C:\Windows\System32\Sysprep\sysprep.exe /oobe /generalize /shutdown

Capture the VM to create the Image. This is done by the Azure Portal, at the VM Overview blade, press Capture. Since the sysprep makes the OS unusable, select to delete the VM after creating the image. I like using the Azure compute gallery to store the images and versions, so I will select to add the image to a gallery.

• Share image to Azure compute gallery: Yes
• Automatically delete this virtual machine after creating the image: Yes
• Azure compute gallery: AVDACG
• Operating system state: Generalized
• Target VM image definition: win11-23H2
• Version number: 0.0.1
• Source virtual machine: imagevm

Create the Host Pool

At the Azure Portal, go to the Azure Virtual Desktop and Create a host pool

Basics: Select the subscription, the Resource Group, the Host Pool Name, location for the metadata, I will create an environment for Desktops, in a Pooled host pool type, so there will be no dedicated VMs per users.

Virtual Machines: Select to add Virtual Machines. Give a prefix up to 12 characters, since AVD will add -## numbering. Select the image from the shared image gallery and how many VMs will be spined in total. At he networking select the network that is prepared for the hosts. For domain join add the UPN of the user (not domain\user, you need user@domain.com), enter the domain name and the OU distinguished name. Finaly add details for the local admin user.

Workspace: Register the host pool to a workspace.

Advanced: Enable the diagnostic settings. You will need to have prepared a log analytics workspace.

When the process is complete you will see two computer accounts at you active directory

and at the Azure Portal / Azure virtual Desktop / host pool will see the two hosts ready to connect

Go to Azure Monitor and enable the monitor for the host virtual machines.

Assign users access to the Azure Virtual Desktop hosts

For the users to be able to see the session and connect, they need to be assigned access to the application group of the specific host pool. Go to the Azure Virtual Desktop / Host Pools / YourHostPool / Application Groups / YourApplicationPool Assignments and add the AVD Users group.

User access

AVD Web Access: https://aka.ms/avdweb

AVS Client for Windows, MacOS, iOS, Android, ChromeOS & Thin Clients: https://aka.ms/avdclient

after the first login, the folder that stores the User Profile Disk will appear at the Azure File Share

Disk Management run as administrator, see the attached VHDX User Profile Disk.

Update Image

There are some options here. If we need to change the OS version, either from Windows 10 to 11, or from a version of 11 to another like 22H2 to 23H3, then create a new VM the marketplace with the target version, customize, capture and add it to the gallery as a new version. If you need to make changes to the existing image, create a VM from the image snapshot, customize and add it to the gallery as a new version.

In my lab I will create a VM from the snapshot just to see the process. Find the disk snapshot at the Azure Portal and press +Create Disk.

Open the disk and Create VM

Once the VM is ready do any customizations and run Sysprep, the same way we run it for the initial image, then Capture the VM and select to add it to the gallery as a new version. I selected the same gallery, the same VM image definition, since it is still win11, and I changed the version number.

• Share image to Azure compute gallery: Yes
• Automatically delete this virtual machine after creating the image: Yes
• Azure compute gallery: AVDACG
• Operating system state: Generalized
• Target VM image definition: win11-23H2
• Version number: 0.0.2
• Source virtual machine: imagevm

The process of updating the host pool

• Add new hosts to the host pool, selecting the latest image

Once the new hosts are ready & Available at the host pool, select the old hosts and turn n drain mode, in order to stop accepting new sessions. After that point all new sessions will go to the new hosts. Once the old hosts are empty, remove them from the pool and delete the VMs.

After log off / log on:

Auto scale & Start VM on connect

There are two options to save a lot of money by using auto scale and start VM on connect. With auto scale, you can have one host running 24/7 and the rest stopped. Once the host reach the max session limit, the AVD will start the next host, until it reaches the maximum hosts created for this host pool. Combining the auto scale with the start VM on connect, even the first host can be stopped, and it will start when the first user will try to logon. With a Scaling Plan, you can have the hosts start and stop based to a schedule, like weekdays and working hours.

Some requirements

You must have a configured Max Session Limit parameter for that host pool & enable the Start VM On connect (if you need this feature too). Those options are at the Host Pool Properties.

you must assign the Desktop Virtualization Power On Off Contributor RBAC role to the Azure Virtual Desktop service principal l with your Azure subscription as the assignable scope. Go to the Subscription / Access Control (AIM, Add role assignment, select Role: “Desktop Virtualization Power On Off Contributor”, select member the service principal “Azure Virtual Desktop” and assign.

At this point, you can stop/deallocate the VMs from the Azure portal and then try to access the SessionDesktop with one user. The user will see a message stating that the VM is starting, and it may take up to 5 minutes and at the host pool you will see the first VM starting. For the LAB, I configured the max sessions to 1, so once I try to login with the second user, I will see the same message and it will start the second VM. If you need at least one VM to stay running, you can add a resource lock and make is read-only so the automation will not be able to deallocate it.

Scaling plan

Create a Scaling plan. Go to the Azure Virtual Desktop, under Manage select Scaling plans and Create a scaling plan. At the scaling plan you select a General configuration, like weekdays, select a presentence of the host to ramp-up a specific hour, to spin the VMs to be ready for your users in order to don’t wait 5 minutes for the VM to start on connect, select the peak hours, where most of your users are working, then select the Ramp-down, where a percentage of the hosts will stop. Here you can select if you will force log off the users or it will wait for the last user to log off. You can learn more here.

Once the scaling plan is created, select Next: Host pool assignments and assign the Schedule to one or more host pools.

Session Limits & Stop the VMs automation

One thing that is recommended is to configure the Session limits for the Remote Desktop Session Hosts. You can use the same GPO as the FSLogix settings, as it is computer configuration too. Open the GPO and go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits.

Set time limit for disconnected sessions: End a disconnected session = 30 minutes. Keep in mind that setting this after 30 minutes the disconnected session will be logged off.

If you want to trigger the Hosts to Stop/Deallocate once there are no active sessions, you can leverage Azure Automation account. There are plenty of guides like this: How to automate AVD VM shutdown based on usage and disconnected state? – Microsoft Q&A

The specific guide creates a runbook that runs a PowerShell script that queries the hosts for active sessions. If a host has no active sessions, then it stops the VM. First create a managed identity and assign the “Desktop Virtualization On Off Contributor” Azure role at the Hosts Resource Group. I altered it to check all the Session Hosts in a Host Pool:

#Please enable appropriate RBAC permissions to the system identity of this automation account. Otherwise, the runbook may fail

# Authenticate to Azure with user assigned managed identity
try
{
    "Logging in to Azure..."
    Connect-AzAccount -Identity
}
catch {
    Write-Error -Message $_.Exception
    throw $_.Exception
}

# Set the Azure subscription ID, resource group name, and VM name
$subscriptionId = "*************-360a051fbe3d"
$hostPoolName = "AVDPooledHP"
$resourceGroupName = "avd-resources-rg"
$myADDSDomain = ".myavdd.com"

$sessionhosts = Get-AzWvdSessionHost -ResourceGroupName $resourceGroupName -HostPoolName $hostPoolName
foreach ($sessionhost in $sessionhosts) {
$splitText = $sessionhost.name.Split("/")
$hostName = $splitText[1]
$vmName = $hostName.Replace($myADDSDomain, "")
# Get the connected user count
$connectedUserCount = Get-AzWvdSessionHost -ResourceGroupName $resourceGroupName -HostPoolName $hostPoolName -Name $hostName | Select-Object -ExpandProperty Session
# Check if the conditions are met and deallocate the VM
if ($connectedUserCount -eq 0 ) {Stop-AzVM -ResourceGroupName $resourceGroupName -Name $vmName -Force}
}

Authentication & security

Microsoft Entra ID provides some security features that can help secure the access to the Azure Virtual Desktop. One of those features is the Conditional Access Policies. Conditional Access Policies are essentially if-then statements used to enforce organizational security policies. They bring together various signals (like user or group membership, IP location, device information, etc.) to make access decisions. For example, if a user wants to access a resource, they might be required to complete an action like multifactor authentication.

Add a Policy to require MFA to access Azure Virtual Desktop

1. From the Azure Portal go to Microsoft Entra ID / Security / Conditional Access / Create new policy
2. Users: Select the group that includes the avd users. Mine is “avdusers” group.
3. Target resources: Include / Select apps / Select / Azure Virtual Desktop

• 4. Conditions: Client Apps / select Browser and Mobile apps and desktop clients

5. Access Controls: Grand / Grand access / Require multi factor authentication

6. Session: It is not required but you can select the frequency that the user will be required to re-authenticate. You can select a periodic authentication and select some hours or some days or you can select every time.

Find out more here: Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access – Azure | Microsoft Learn

User experience & Security

Many settings can be set directly from the Host Pool RDP Properties, like Device Redirection, Display Settings and Session behavior. Some other security settings, like Screen capture protection and Watermarking must be set by the GPO or Intune, by using the AVD Administrative Template. Once you install the templates the policy settings will be available under Azure Virtual Desktop administrative template is available, browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop.

• Screen capture protection in Azure Virtual Desktop – Azure | Microsoft Learn
• Watermarking in Azure Virtual Desktop | Microsoft Learn

In addition, the Hosts can be hardened by using GPO or/and Intune.

Monitoring

Azure Virtual Desktop Insights have plenty of information about Connection Reliability, Diagnostics, Performance, Users, Utilization, Clients and alerts out-of-the-box. You can customize the Insights dashboards and you can create a Workbook that fit your needs.

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure Virtual Desktop (AVD) LAB appeared first on Apostolidis Cloud Corner.

There is plenty of information and guides for Azure Firewall at the Microsoft Docs Azure Firewall documentation | Microsoft Docs. In this post, I want to share some PowerShell scripts that we created with my colleague Panagiotis Tsoukias. One script to Export all Firewall Policy rules, of all Policy Groups in a CSV file. Then edit the rules in Excel. And a second script to import the rules to the same or to a different Firewall Policy.

Export the Azure Firewall Policy Rules

The first script is to Export the Firewall Policy Rules of a Rule Collection, in a manageable CSV format. Edit the script, change the first three variables, and the path to export, and run it. Open the exported CSV with Microsoft Excel and you will have this result:

The first three columns are the Rule Collection’s Name, Priority & Action Type. We will need this info to create the Rule Collections and import the rules to the corresponding Rule Collection.

You can copy the script from the below box or download it from my GitHub link: Export Azure Firewall Policy Rules.ps1

#Provide Input. Firewall Policy Name, Firewall Policy Resource Group & Firewall Policy Rule Collection Group Name
$fpname = azfwpolicy
$fprg = azurehub
$fprcgname = DefaultNetworkRuleCollectionGroup

$fp = Get-AzFirewallPolicy -Name $fpname -ResourceGroupName $fprg
$rcg = Get-AzFirewallPolicyRuleCollectionGroup -Name $fprcgname -AzureFirewallPolicy $fp

$returnObj = @()
foreach ($rulecol in $rcg.Properties.RuleCollection) {

foreach ($rule in $rulecol.rules)
{
$properties = [ordered]@{
    RuleCollectionName = $rulecol.Name;
    RulePriority = $rulecol.Priority;
    ActionType = $rulecol.Action.Type;
    RUleConnectionType = $rulecol.RuleCollectionType;
    Name = $rule.Name;
    protocols = $rule.protocols -join ", ";
    SourceAddresses = $rule.SourceAddresses -join ", ";
    DestinationAddresses = $rule.DestinationAddresses -join ", ";
    SourceIPGroups = $rule.SourceIPGroups -join ", ";
    DestinationIPGroups = $rule.DestinationIPGroups -join ", ";
    DestinationPorts = $rule.DestinationPorts -join ", ";
    DestinationFQDNs = $rule.DestinationFQDNs -join ", ";
}
$obj = New-Object psobject -Property $properties
$returnObj += $obj
}

#change c:\temp to the path to export the CSV
$returnObj | Export-Csv c:\temp\rules.csv -NoTypeInformation
}

Import the Azure Firewall Policy Rules

After done editing the rules in Excel, we are ready to import them back to the Azure Policy or to a new Azure Policy. We need to export one CSV per Rule Collection. It will help us that the first column has the Rule Collection Name. Then run the import script. The script creates a Rule Collection, if it does not already exist, and adds the Rules in this specific Rule Collection.

You can copy the script from the below box or download it from my GitHub link: Import Azure Firewall Policy Rules.ps1

#Provide Input. Firewall Policy Name, Firewall Policy Resource Group & Firewall Policy Rule Collection Group Name
$fpname = azfwpolicy
$fprg = azurehub
$fprcgname = DefaultNetworkRuleCollectionGroup

$targetfp = Get-AzFirewallPolicy -Name $fpname -ResourceGroupName $fprg
$targetrcg = New-AzFirewallPolicyRuleCollectionGroup -Name $fprcgname -Priority 200 -FirewallPolicyObject $targetfp

$RulesfromCSV = @()
# Change the folder where the CSV is located
$readObj = import-csv C:\temp\rules.csv
foreach ($entry in $readObj)
{
    $properties = [ordered]@{
        RuleCollectionName = $entry.RuleCollectionName;
        RulePriority = $entry.RulePriority;
        ActionType = $entry.ActionType;
        Name = $entry.Name;
        protocols = $entry.protocols -split ", ";
        SourceAddresses = $entry.SourceAddresses -split ", ";
        DestinationAddresses = $entry.DestinationAddresses -split ", ";
        SourceIPGroups = $entry.SourceIPGroups -split ", ";
        DestinationIPGroups = $entry.DestinationIPGroups -split ", ";
        DestinationPorts = $entry.DestinationPorts -split ", ";
        DestinationFQDNs = $entry.DestinationFQDNs -split ", ";
    }
    $obj = New-Object psobject -Property $properties
    $RulesfromCSV += $obj
}

$RulesfromCSV
Clear-Variable rules
$rules = @()
foreach ($entry in $RulesfromCSV)
{
    $RuleParameter = @{
        Name = $entry.Name;
        Protocol = $entry.protocols
        sourceAddress = $entry.SourceAddresses
        DestinationAddress = $entry.DestinationAddresses
        DestinationPort = $entry.DestinationPorts
    }
    $rule = New-AzFirewallPolicyNetworkRule @RuleParameter
    $NetworkRuleCollection = @{
        Name = $entry.RuleCollectionName
        Priority = $entry.RulePriority
        ActionType = $entry.ActionType
        Rule       = $rules += $rule
    }
}

# Create a network rule collection
$NetworkRuleCategoryCollection = New-AzFirewallPolicyFilterRuleCollection @NetworkRuleCollection
# Deploy to created rule collection group
Set-AzFirewallPolicyRuleCollectionGroup -Name $targetrcg.Name -Priority 200 -RuleCollection $NetworkRuleCategoryCollection -FirewallPolicyObject $targetfp

Feel free to take, edit, use & comment on the scripts, you can find them at my repo:

Dark Mode

automation (this link opens in a new window) by proximagr (this link opens in a new window)

1 Subscriber 0 Watchers 0 Forks Check out this repository on GitHub.com (this link opens in a new window)

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure Firewall Policy Rules to CSV appeared first on Apostolidis Cloud Corner.

Changes:

• • Shows the disk capacity of the VM and asks how many disks to add.
  • Prompts for the size of every disk
  • Checks for empty Luns to add the disks

# 1. You need to login to the Azure Rm Account

Login-AzAccount

# 2. The script will query the Subscriptions that the login account has access and will promt the user to select the target Subscription from the drop down list
 
$subscription = Get-AzSubscription | Out-GridView -Title "Select a Subscription" -PassThru
Select-AzSubscription -SubscriptionId $subscription.Id

# 3. The script will query the available VMs and promt to select the target VM from the VM list
 
$vm = Get-AzVM | Out-GridView -Title "Select the Virtual Machine to add Data Disks to" -PassThru

# 4. I set the storage type based on the OS disk. If you want to spesify somehting else you can cahnge this to: $storageType = StandardLRS or PremiumLRS etc.

$storageType = $VM.StorageProfile.OsDisk.ManagedDisk.StorageAccountType

# 5. Enter how many data disks you need to create

$VMdiskCapacity = ($VM.StorageProfile.DataDisks).Capacity
 
$diskquantity = Read-Host "How many disks you need to create? Max Capacity" $VMdiskCapacity "."

# 6. The script will promt for disk size, in GB

$diskSizeList = @()
for($i = 1; $i -le $diskquantity; $i++)
{
    $disk = (Read-Host "Disk " $i " Size")
    $diskSizeList += $disk
}
$diskSizeList

# 7. check for exisiting disks

$existinglun = @()
for($i = 0; $i -lt $VMdiskCapacity; $i++) {
    $existinglun += ($VM.StorageProfile.DataDisks)[$i].Lun
}

# 8. disks creation

for($i = 0; $i -lt $diskquantity; $i++)
{
$diskName = $vm.Name + "-DataDisk-" + $i.ToString()
$diskConfig = New-AzDiskConfig -AccountType $storageType -Location $vm.Location -CreateOption Empty -DiskSizeGB $diskSizeList[$i]
$DataDisk = New-AzDisk -DiskName $diskName -Disk $diskConfig -ResourceGroupName $vm.ResourceGroupName
for ($j = 0; $j -lt $VMdiskCapacity; $j++) {
    if ( $null -eq $existinglun[$j] ) {
        $nextLunIndex
        for ($k = 0; $k -lt $VMdiskCapacity; $k++ ) {
            $nextLunIndex = $k
            for ( $m = 0; $m -lt $VMdiskCapacity; $m++ ) {
                if ( $k -eq $existinglun[$m] ) {
                    $nextLunIndex = -1 
                    break 
                }
            }
            if ($nextLunIndex -ne -1 ) {
                break
            }
        }
        Add-AzVMDataDisk -VM $vm -Name $DiskName -CreateOption Attach -ManagedDiskId $DataDisk.Id -Lun $nextLunIndex
        $existinglun[$j] = $nextLunIndex
        break
    } 
}
}
Update-AzVM -VM $vm -ResourceGroupName $vm.ResourceGroupName

You can download the script from: https://github.com/proximagr/automation/blob/master/Add-DataDisks-DIffSize_v3.ps1

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure VM | Add Multiple Data Disks v2 appeared first on Apostolidis Cloud Corner.

Did you know that you can use Azure for free for learning purposes? And when I say free, i am not talking about the free account where you need to add your credit card and have 170€ credit. I am talking about a completely free environment to learn the Azure services and resources, but only for Learning purposes.

The Azure Sandbox is offered by the Microsoft Learn platform. Microsoft Learn is a completely free, online training platform that provides interactive learning for Microsoft products and more.

The Microsoft Learn sandbox (sometimes called the Azure sandbox) is a free environment that you can use to explore Azure through Microsoft Learn content.

And the magic here is that you don’t need an Azure account to use a sandbox! All you need is a Microsoft account to sign in with. If you don’t have one, you can create one for free.

Take a look at this. This is the Microsoft Learn home page where you can select whatever learning path or module you want to follow.

When you start a module that needs Microsoft Azure Access, there is an “Activate sandbox” button

When you press is, the only thing that you will be asked is to enter a mobile phone number, just for verification. It will not ask for credit card!

Once you verify your number, it will ask you to Review and accept the permissions to use Microsoft Azure using your Microsoft Account

And the Sandbox environment is ready! You can have 10 Sandboxes per day, for 2 hours each.

You can use Bash, PowerShell and the Azure Poral at will:

Bash:

PowerShell:

Azure Portal:

You can use the Sandbox to complete the specific exercise, but you can also play around with the resources. You can see at the below screenshot, that except the two “webVM”s of the exercise, I have created a “test” VM directly from the portal.

Start your learning path at Microsoft Learn NOW!

And remember: The sandbox may only be used to complete training on Microsoft Learn.

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Learn Azure for Free using Sandbox! appeared first on Apostolidis Cloud Corner.

Today I was trying to troubleshoot an Azure VM. This VM is behind a Network Virtual Appliance (NVA) and at the subnet it has User Defined Routes (UDR) that routes the traffic to the NVA. We was troubleshooting the NVA and it was not possible to connect with RDP to the VM.

Serial Console

This is an excellent scenario to use the Serial Console. From the Azure Portal, portal.azure.com, navigate to the Azure VMs blade, scroll down to the Support + Troubleshooting section and select “Serial Console”

The Serial Console will initialise and after a while it will establish the connection and the prompt will be the SAC>. If you encounter any errors establishing the SAC link, please follow this link: https://aka.ms/serialconsolewindows

At the SAC> prompt press help to list the available commands.

Using the i command we can get the IP Address configuration of the VM

Command Prompt

To create a command prompt session, first enter “cmd”. This will create a session.

To list the cmd sessions press “ch”

to select & login to a cmd session press “ch -si #” where # is the channel number. At the below screen press Enter

At the next screen enter the admin credentials

and we have Command Prompt. At this command prompt we can use all cmd commands.

Some examples:

ping -t

dir

enable telnet client:

dism /online /Enable-Feature /FeatureName:TelnetClient

PowerShell

at the command prompt enter “PowerShell” and press Enter to open a PowerShell Session

PowerShell example, disable windows firewall:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

and yes, its off

of course, for the firewall we could disable it using CMD

netsh advfirewall set allprofiles state off

PowerShell for conenction test: Test-NetConnection -Computername “hostname,IP,URL” -Port “portNumber”

For more example commands follow this link: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/serial-console-cmd-ps-commands

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure VM CMD & PowerShell from the Portal appeared first on Apostolidis Cloud Corner.

Azure VM Antimalware Extension Management has always been a tricky subject. You can easily enable the Microsoft Antimalware Extension from the Azure Portal upon the Azure VM creation or by using the Extensions blade. But after that, the management of the extension is somehow tricky. There is no way to manage the Microsoft Antimalware exclusion list and auto-scan setting from the portal or from inside the VM. Even using PowerShell there is not a single command to manage the Microsoft Antimalware settings.

There is no need to point out that all VMs must have an Endpoint Protection Solution. Azure provides the ability to add an Endpoint Protection Solution to all Azure VMs. Microsoft Antimalware for Azure Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your system and it is absolutely free. For the 3rd party extensions you need to add your key.

For Windows Server VMs up to version 2012 R2, the extension will install the System Center Endpoint Protection client and apply the configuration policies. Windows Server 2016 and above have build-in the Windows Defender, so the extension will only apply the configuration.

Below we will walk through on how to deploy & manage the Microsoft Antimalware Extension Using the Azure Portal (Single VM), Using the Azure Security Center (Multiple VMs)and Using PowerShell for a Single VMand for Multiple VMs filtered by Resource Groups or Tags.

Deploy the Microsoft Antimalware Extension

Using the Azure Portal for single VM deployment

Go to the Azure VM’s blade, navigate to the Extensions section and press Add.

Select the Microsoft Antimalware extension and press Create

Fill the “Install extension” form as desired and press OK. Here we can set the exclusions and the scan  type and schedule.

Using the Azure Security Center for multi VM deployment

Go to the Azure Security Center, navigate to “Compute & Apps” and click “Install endpoint protection solution on virtual machines”

The Azure Security Center will check which VMs does not have Endpoint Protection and will check them all. Press “Install on # VMs” to select the extension

Select “Microsoft Antimalware” and press create

Fill the “Install extension” form as desired and press OK. Here we can set the exclusions and the scan  type and schedule.

Using the PowerShell for single and multi VM deployments

Single VM

Declare the variables

$ResourceGroupName = "devrg"
$VMName = "devrgvm"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"

Get the latest major version

#view all versions for the West Europe location
Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type | fl Version
#view the latest major version
((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#add the latest major version in a variable called "amversion"
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')

Set the Microsoft Antimalware Settings, exclusions and schedules

$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@

Enable the Microsoft Antimalware Extension at one Azure VM

Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversio -ResourceGroupName $ResourceGroupName -VMName $Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversio

The whole scipt

Login-AzAccount
#variables
$ResourceGroupName = "devrg"
$VMName = "devrgvm"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, exclusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings
Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversion

Multi VM – All VMs in a Resource Group

To deploy the extension to multiple VMs use the “For Each-Object” loop, like this:

#enable the Microsoft Antimalware Extension with the above settings to all VMs in the Resource Group
Get-AzVM -ResourceGroupName $ResourceGroupName | ForEach-Object {
    Set-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $_.Location -TypeHandlerVersion $amversion
    }

The whole script

#Login-AzAccount
#variables
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, exclusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings to all VMs in the Resource Group
Get-AzVM -ResourceGroupName $ResourceGroupName | ForEach-Object {
    Set-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $_.Location -TypeHandlerVersion $amversion
    }

Using Tags instead of Resource Group to filter the VMs

Login-AzAccount
#variables (filter by tags)
$tagName = "Service"
$tagValue = "dev"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, excusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings to all VMs of a spesific Tag
$tagResList = Get-AzResource -TagName $tagName -TagValue $tagValue
foreach($tagRes in $tagResList) { 
    Set-AzVMExtension -ResourceGroupName $tagRes.ResourceGroupName -VMName $tagRes.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $tagRes.Location -TypeHandlerVersion $amversion
    }

After a successful deployment, at the VMs extensions, you will see an IaaS Antimalware extension with status “Provisioning succeeded”

Change the settings in an existing deployment

After the first deployment / installation, to change any settings of the WIndows Defender  / Forefront Endpoint Protection, we need to run the same PowerShell after changing the required settings at the “#Antimalware extension settings, exclusions and schedules” section

Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/iaas-antimalware-windows

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure VM Antimalware Extension Management appeared first on Apostolidis Cloud Corner.

Check for expired public certificates serverless, using an Azure Function App. Magically run the required PowerShell script directly at the Portal without deploying VMs or App Services. At this post I combine Azure Function Apps, with a PowerShell script to check the certificate expirations and the Send-MailMessage PowerShell function for sending emails directly from the PowerShell script.

Setup the Azure Function App

At the Azure Portal, create a new Function App. Select Consumption Plan and .NET Runtime Stack

Once the Function App is created, we need to enable PowerShell language support. To do so, open it, select the Function App and at the Platform features tab, open the Application Settings

Change the FUNCTIONS_EXTENSION_VERSION to ~1 and delete the FUNCTIONS_WORKER_RUNTIME line

Before:

After:

Create the Function

Once you click Save, go back to the Function App, select the “Functions” and press “New function”

If we change the application settings correctly, the “Experimental Language Support” option will appear. Enable it and the templates will be able to support PowerShell (And more languages). To get started click the “Time trigger” template.

At the window, select “PowerShell” for language and set the schedule. “Enter a cron expression of the format ‘{second} {minute} {hour} {day} {month} {day of week}’ to specify the schedule.”

Entering 0 0 0 1 * * the function will run once per day

Add the PowerShell script

Once the Function is created, you will be directed to the “Function Name” run.ps1 file. There we can run PowerShell scripts.

Below is the script, change the required variables to fit your needs and paste it to the Function run.ps1 file. The variables that you need to change is:

$WebsiteURLs | This is the list, comma separated, of the URLs you want to check for certificate expiration
$From | The email address of the Sender
$To | The email address of the Recipient
$Cc | The email address of the CC Recipient
$Subject | The subject of the email
$SMTPServer | The email server you will use to send the emails. You can Use the SendGrid service from Azure that currenlty provides 25000 email per month for free. More details here: https://sendgrid.com/docs/API_Reference/SMTP_API/getting_started_smtp.html 
$SMTPPort | The port that the SMTP service requires
$username | The username to authenticate to the SMTP Service
$password = ConvertTo-SecureString “here you need to add the password in plain text” -AsPlainText -Force

$WebsiteURLs= @("e-apostolidis.gr","azureheads.gr")
$WebsitePort=443
$Threshold=120
$Severe=30
$ID=0

$body +=  "<html><body><br>"
$body +=  "<font color =""darkblue"">"
$body += "#	Website_URL:	Current Certificate:	Expiration Date:	Days Remaining:	Errors:"
foreach ($WebsiteURL in $WebsiteURLs){
$CommonName=$WebsiteURL
$ID+=1
Try{
$Conn = New-Object System.Net.Sockets.TcpClient($WebsiteURL,$WebsitePort) 
Try {
$Stream = New-Object System.Net.Security.SslStream($Conn.GetStream(),$false, {
param($sender, $certificate, $chain, $sslPolicyErrors) 
return $true
})
$Stream.AuthenticateAsClient($CommonName) 

$Cert = $Stream.Get_RemoteCertificate()
$CN=(($cert.Subject -split "=")[1] -split ",")[0]
$ValidTo = [datetime]::Parse($Cert.GetExpirationDatestring())

$ValidDays = $($ValidTo - [datetime]::Now).Days
if ($ValidDays -lt $Threshold) {
$fontcolor +=  "<font color =darkgreen>"
} 
if ($ValidDays -lt $Severe) {
$fontcolor +=  "<font color =darkred>"
}
$body += "<br />"
$body += $fontcolor
$body += "$ID	$WebsiteURL	$CN	$ValidTo	$ValidDays"
}
Catch { Throw $_ }
Finally { $Conn.close() }
}
Catch {
$body += "<br />"
$body +="<font color=red> gest </font>"
$body += " $ID	$WebsiteURL"
$body +=  "</body></html>"
}

}

$From = "alias@domain.gr"
$To = "alias@domain.gr"
$Cc = "alias@domain.gr"
$Subject = "check the certificates"

$SMTPServer = "mail.mailserver.gr"
$SMTPPort = "587"


$username = "username"
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$mycred = New-Object System.Management.Automation.PSCredential($username, $password)
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { return $true }
Send-MailMessage -From $From -to $To -Cc $Cc -Subject $Subject -SmtpServer $SMTPServer -UseSSL -port $SMTPPort -Credential ($mycred) -Body $body -BodyAsHtml

Press SAve & Run and you are ready. Now on, once per day the script will run and it will sent an email with the certificates. Something like this:

Feel free to play with the colors on the script. I have added Dark Green for the valid certificates and Red for those that is about to expire.

Credits

Use this line to ignore the certificate check on the email server when sending the email

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { return $true }

https://social.technet.microsoft.com/Forums/windows/en-US/d9e9af2b-3bb9-4cb4-8046-dd0a092bc456/send-email-by-powershell?forum=winserverpowershell

The basic script for checking for certificate revocation:

https://isc.sans.edu/forums/diary/Assessing+Remote+Certificates+with+Powershell/20645/

At his blog is the idea for sending emails with powershell with html:

http://www.techtrek.io/send-automated-email-with-powershell/

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Serverless Computing | Check your expired public certificates appeared first on Apostolidis Cloud Corner.

In this post series we will go through some basic steps on how to start with Microsoft Azure. At this post we will see how we can create Point-to-Site VPN connection with Azure.

If you don’t have an Azure Subscription, you can easily create a free trial by just going to https://azure.microsoft.com/en-us/free/

Create typical a VIrtual Network

In order to create Point-to-Site VPN connection it needs a Virtual Network Gateway. Go to the Virtual Network, Subnets and add a Gateway Subnet.

FInally we can add the Virtual Network Gateway. From the portal, create a Virtual Network Gateway resource and add it to the previously created Virtual Network.

The Virtual Network Gateway can take up to 45 minutes to be created.

Once the Virtual Network Gateway is created we need one more step. To configure Point-to-site. Open the Virtual Network Gateway and press configure.

We will need a root and a client self-signed certificate to complete the setup. Using a WIndows 10 or Windows Server 2016 machine we can make use of the New-SelfSignedCertificate cmdlet that makes the process easy. The whole process is described here: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

For the root certificate run the below PowerShell using ISE:

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=prodevrootcert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

For the client certificate run the below PowerShell using ISE:

New-SelfSignedCertificate -Type Custom -DnsName ProDevChildCert -KeySpec Signature `
-Subject "CN=ProDevChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Export the root certificate in cer format using MMC, open the Certificates snap-in and select “current user”. Find the root certificate under Personal –> Certificates and right click –> All Tasks export

Select to “not export the private key” and use Base64 encoded.

Now you have the prodevrootcert.cer

After that, export the client certificate by selecting “export the private key” , select the “include all certificates in the certification path” and the “enable certificate privacy”. Add a password and export it to pfx file.

Now you have the prodevchildcert.pfx. This pfx file must be installed to all the client computers that will use this Point-to-Site connection.

Now lets go back to the Point-to-Site configuration page. Add an address pool that the VPN clients will use. This subnet must be different from the Virtual Network address space.

Then open the root certificate, the cer file, using notepad, copy the text between the Begin and End marks.

Paste the certificate text to the “Root certificated” –> Public certificate data” field and add a name to the “Name” field.

Press Save and the “Download VPN Client” button will be enabled and we can download the VPN client.

In order to establish the VPN connection we need to install the VPN Client and the Client “pfx” certificate to the workstation.

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure Start Point | Point-to-Site VPN appeared first on Apostolidis Cloud Corner.

A complete guide on how to create a pfSense VM on a local Hyper-V server, prepare it for Microsoft Azure, upload the disk to Azure and create a multi-NIC VM.

Download the latest image from https://www.pfsense.org/download/

Open Hyper-V Manager create a Generation 1 VM. I added 4096 ram, 2 cores, use VHD, add an extra NIC (for second interface)  and select the downloaded ISO. (create a fixed VHD as Azure supports only fixed VHDs for custom VMs)

Start the VM and at the first screen press enter.

At all screens I accepted the default settings. Finally at the reboot prompt remove the installation ISO.

There is no need to setup VLANs, select the second interface for WAN and the first for LAN.

Once the pfSense is ready press 2 and change the LAN (hn0) interface IP to one at your network. Then select the option 14 to enable SSH.

Now we can login with putty, with username admin password pfsense and press 8 for Shell access.

The first thing is to update the packages running:

pkg upgrade

Python

Then install Python, as it is requirement for the Azure Linux Agent.

Search for Python packages running:

pkg search python

Install the latest Python package, setup tools and bash:

pkg install -y python27-2.7.14

pkg search setuptools

pkg install py27-setuptools-36.2.2

ln -s /usr/local/bin/python /usr/local/bin/python2.7

pkg install -y bash

Azure Linux Agent

ref: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/classic/freebsd-create-upload-vhd

pkg install git

git clone https://github.com/Azure/WALinuxAgent.git

cd WALinuxAgent

git tag

git checkout WALinuxAgent-2.1.1

git checkout WALinuxAgent-2.0.16

python setup.py install

ln -sf /usr/local/sbin/waagent /usr/sbin/waagent

check the agent is running:

waagent -Version

One final step before uploading the VHD to Azure is to set the LAN interface as dhcp.

This can be done by the web interface, go to https://lanaddress, login using admin / pfsense, and go to interfaces / LAN and select DHCPas ipv4 configuration.

Now, shutdown the pfSense and upload it to Azure Storage.

I use the Storage Explorer, https://azure.microsoft.com/en-us/features/storage-explorer/ a free and powerful tool to manage Azure Storage. Login to your Azure Account and press Upload. Select as Blob type: “Page blob”

After the upload is completed we can create a multiple NIC VM. This cannot be accomplished from GUI. We will create this using PowerShell.

$ResourceGroupName = "******"
$pfresourcegroup = "*******"
$StorageAccountName = "******"
$vnetname = "*****"
$location = "West Europe"
$vnet = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
$backendSubnet = Get-AzureRMVirtualNetworkSubnetConfig -Name default -VirtualNetwork $vnet
$vmName="pfsense"
$vmSize="Standard_F1"
$vnet = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
$pubip = New-AzureRmPublicIpAddress -Name "PFPubIP" -ResourceGroupName $pfresourcegroup -Location $location -AllocationMethod Dynamic
$nic1 = New-AzureRmNetworkInterface -Name "EXPFN1NIC1" -ResourceGroupName $pfresourcegroup -Location $location -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pubip.Id
$nic2 = New-AzureRmNetworkInterface -Name "EXPFN1NIC2" -ResourceGroupName $pfresourcegroup -Location $location -SubnetId $vnet.Subnets[0].Id
$VM = New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize
$VM | Set-AzureRmVMOSDisk `
            -VhdUri https://********.blob.core.windows.net/vhds/pfsensefix.vhd `
            -Name pfsenseos -CreateOption attach -Linux -Caching ReadWrite
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic1.Id
$vm = Add-AzureRmVMNetworkInterface -VM $vm -Id $nic2.Id
$vm.NetworkProfile.NetworkInterfaces.Item(0).Primary = $true
New-AzureRMVM -ResourceGroupName $pfresourcegroup -Location $locationName -VM $vm -Verbose

Once the VM is created, go to the VM’s blade and scroll down to “Boot diagnostics”. There you can see a screenshot of the VM’s monitor.

Then go to the Networking section and SSH to the Public IP.

and also we can login to the Web Interface of the pfSense

In my case I have added both NICs at the same Subnet, but at a production environment add the LAN interface to the backend subnet and the WAN interface to the DMZ (public) subnet.

Of course more NICs can be added to the VM, one for each Subnet at our environment.

Route external traffic through the pfSense

We cannot change the gateway at an Azure VM, but we can use routing tables to route the traffic through the pfSense.

From the Azure Portal, select New and search for Route table.

We need to configure two things. One is to associate the Route table to a Subnet and the second is to create a Route.

Open the “Route table” and click the “Routes”. Press “Add route” and in order to route all outbound traffic through the pfSense then add for Address prefix “0.0.0.0”, next hop type Virtual appliance” and Net hop address the ip address of the pfSense’s LAN interface IP.

Then go to the “Subnets” and associate the required subnets.

One final thing to do is to enable IP Forwarding at the LAN interface of the pfSense, in order to be able to receive and forward traffic not originated for it.

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Custom pfSense on Azure Rm | a complete guide appeared first on Apostolidis Cloud Corner.