Create custom session host images by using image templates

This lab guide outlines the process of creating custom session host images for Azure Virtual Desktop using image templates. Here's a breakdown of the key steps involved:

Instructions

1. Register Required Resource Providers

   • Start a PowerShell session in the Azure Cloud Shell.

   • Run the following command to register the necessary resource providers:

PowerShell

    Register-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization
    Register-AzResourceProvider -ProviderNamespace Microsoft.VirtualMachineImages
    Register-AzResourceProvider -ProviderNamespace Microsoft.Storage
    Register-AzResourceProvider -ProviderNamespace Microsoft.Compute
    Register-AzResourceProvider -ProviderNamespace Microsoft.Network
    Register-AzResourceProvider -ProviderNamespace Microsoft.KeyVault
    Register-AzResourceProvider -ProviderNamespace Microsoft.ContainerInstance

Task 2: Create a User-Assigned Managed Identity

1. In the Azure portal, search for and select "Managed Identities" and Click "+ Create."

2. On the "Basics" tab, configure the following and then click on create:

   • Subscription: Your Azure subscription

   • Resource group: Create a new resource group: az140-15a-RG

   • Name: az140-<random>-uami

Task 3: Create a Custom RBAC Role

1. Open PowerShell in Azure Cloud Shell.

2. Run the following command to get your subscription ID:

$subscriptionId = (Get-AzSubscription).Id

3. Run the following command, to define the custom role:

$jsonContent = @"{
  "Name": "Desktop Virtualization Image Creator (<random>)",
  "IsCustom": true,
  "Description": "Create custom image templates for Azure Virtual Desktop images.",
  "Actions": [
    "Microsoft.Compute/galleries/read",
    "Microsoft.Compute/galleries/images/read",
    "Microsoft.Compute/galleries/images/versions/read",
    "Microsoft.Compute/galleries/images/versions/write",
    "Microsoft.Compute/images/write",
    "Microsoft.Compute/images/read",
    "Microsoft.Compute/images/delete"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/$subscriptionId",
    "/subscriptions/$subscriptionId/resourceGroups/az140-15b-RG"
  ]
}"@

4. Save the role definition to a file:

$jsonContent | Out-File -FilePath 'CustomRole.json'

5. Create the custom role:

New-AzRoleDefinition -InputFile ./CustomRole.json

6. Close the Cloud Shell.

Task 4: Set Permissions on Host Image Provisioning Resources

1. Create a new resource group: az140-15b-RG and select "Access control (IAM)." on the created resource group.

2. Click "+ Add" and then "Add role assignment."

3. On the "Role" tab, search for and select your custom role: "Desktop Virtualization Image Creator “

4. On the "Members" tab, select "Managed identity," click "+ Select members," choose "User-assigned managed identity," select az140-<random>-uami, and click "Select."

5. Click "Review + assign" and then "Review + assign."

Task 5: Create Azure Compute Gallery and Image Definition

1. Search for and select "Azure compute galleries." and Click "+ Create."

2. On the "Basics" tab:

   • Resource group: az140-15b-RG

   • Name: az14015computegallery

3. On the "Sharing" tab, leave the default "Role based access control (RBAC)" selected.

4. Click "Review + create" and then "Create."

5. Navigate to the az14015computegallery instance.

6. Click "+ Add" and then "+ VM image definition."

7. On the "Basics" tab:

   • Region: Your preferred region

   • VM image definition name: az14015imagedefinition

   • OS type: Windows

   • Security type: Trusted launch supported

   • OS state: Generalized

   • Publisher: MicrosoftWindowsDesktop

   • Offer: Windows-11

   • SKU: win11-23h2-avd-m365

8. Click "Create."

Task 6: Create a Custom Image Template

1. Search for and select "Azure Virtual Desktop."

2. In the "Manage" section, select "Custom image templates."

3. Click "+ Add custom image template."

4. On the "Basics" tab:

   • Template name: az140-15b-imagetemplate

   • Import from existing template: No

   • Resource group: az140-15b-RG

   • Managed identity: az140-<random>-uami

5. On the "Source image" tab:

   • Source type: Platform image (marketplace)

   • Select image: Windows 11 Enterprise multi-session, Version 23H2 + Microsoft 365 Apps

6. On the "Distribution targets" tab:

   • Azure Compute Gallery: Enabled

   • Gallery name: az14015computegallery

   • Gallery image definition: az14015imagedefinition

   • Gallery image version: 1.0.0

   • Run output name: az140-15-image-1.0.0

   • Replication regions: Your preferred region

   • Exclude from latest: No

   • Storage account type: Standard_LRS

7. Task 7 :Create a custom image template

   1. Navigate to the "Create custom image template" page in the Azure portal.

   2. On the "Build properties" tab, configure the following settings:

      • Build timeout: 120

      • Build VM size: Standard_DC2s_v3

      • OS disk size (GB): 127

      • Staging group: az140-15c-RG (This resource group will store build resources and logs. If not specified, it will be auto-generated.)

      • VNet: Leave unset (A temporary VNet and public IP will be created for the build VM.)

Important: Ensure you have sufficient vCPU quota for the chosen Build VM size. If not, select a different size or request a quota increase.

3. Click "Next."

4. On the "Customization" tab, click "+ Add built-in script."

5. In the "Select built-in scripts" pane, choose the following scripts:

   • Time zone redirection

   • Disable Storage Sense

   • Enable screen capture protection (with "Block Screen capture on client and server" selected)

6. Click "Save." (You can add custom scripts later, referencing the built-in scripts for examples.)

7. Click "Next."

8. On the "Tags" tab, click "Next."

9. On the "Review + create" tab, click "Create." (Template creation may take a few minutes. Monitor the status on the "Azure Virtual Desktop | Custom image templates" page.)

Task 8: Build a custom image (Optional - time intensive)

1. On the "Azure Virtual Desktop | Custom image templates" page, select az140-15b-imagetemplate.

2. Click "Start build." (The build process can take up to 45 minutes. Monitor the "Build run state" on the template page, refreshing periodically.)

   • The state will progress from "Running - Building" to "Running - Distributing" and finally "Succeeded."

3. (Optional) While waiting, explore the az140-15c-RG resource group. This group contains the auto-provisioned build resources: build VM, VNet, network security group, key vault, snapshot, container instance, and storage account. You can view these by searching for "Resource groups" and selecting az140-15c-RG.

4. Monitor the build progress on the az140-15b-imagetemplate page or use the Activity Log (search for "Execute a VM image template to produce its output" and check its status).

5. Once the build completes, navigate to "Azure compute galleries" and select az14015computegallery.

6. On the "Definitions" tab, select az14015imagedefinition.

7. On the "Versions" tab, review the 1.0.0 (latest version) image information.

Task 9: Deploy session hosts using the custom image (Optional)

1. Search for and select "Virtual networks," then click "Create +."

2. On the "Basics" tab, configure:

   • Subscription: Your Azure subscription

   • Resource group: Create a new resource group named az140-15d-RG

   • Virtual network name: az140-vnet15d

   • Region: eastus2

3. Click "Next" through the "Security" tab.

4. On the "IP addresses" tab:

   • IP address space: 10.30.0.0/16

   • Edit the "default" subnet:

     • Name: hp1-Subnet

     • Starting address: 10.30.1.0

     • Enable private subnet (no default outbound access): Disabled

5. Click "Save," then "Review + create," and finally "Create."

6. Search for and select "Azure Virtual Desktop." Navigate to "Host pools" and click "+ Create."

7. On the "Basics" tab, configure:

   • Subscription: Your Azure subscription

   • Resource group: az140-15d-RG

   • Host pool name: az140-15-hp1

   • Location: eastus2

   • Validation environment: No

   • Preferred app group type: Desktop

   • Host pool type: Pooled

   • Create Session Host Configuration: No

   • Load balancing algorithm: Breadth-first

8. On the "Session hosts" tab:

   • Add virtual machines: Yes

   • Resource group: (Defaulted to the host pool's resource group)

   • Name prefix: (Important) Find the string between "User1-" and "@" in your lab session window's Resources tab and use it here. Example: sh048577130

   • Virtual machine type: Azure virtual machine

   • Virtual machine location: eastus2

   • Availability options: No infrastructure redundancy required

   • Security type: Trusted launch virtual machines

9. On the "Virtual machines" tab:

   • Image: Click "See all images," select "Shared images," and choose az14015imagedefinition.

   • Virtual machine size: Standard_DC2s_v3

   • Number of VMs: 1

   • OS disk type: Standard SSD

   • OS disk size: Default size (128 GiB)

   • Boot Diagnostics: Enable with managed storage account (recommended)

   • Virtual network: az140-vnet15d

   • Subnet: hp1-Subnet

   • Network security group: Basic

   • Public inbound ports: No

   • Select which directory you would like to join: Microsoft Entra ID

   • Enroll VM with Intune: No

   • User name: Student

   • Password: A strong password (at least 12 characters, mixed case, numbers, and special characters).

   • Confirm password: (Re-enter the password)

10. On the "Workspace" tab, confirm "Register desktop app group" is set to "No" and click "Review + create."

11. On the "Review + create" tab, click "Create." (Deployment may take 10-15 minutes.)

Remember, this is a concise summary of the lab instructions. For detailed steps and specific settings, please refer to the complete lab manual here.