Merge pull request #506 from Azure/avd-agent-install-update

AVD agents, NTFS setup, storage permissions, password espace characters
Azure · Oct 15, 2023 · 863c19a · 863c19a
2 parents f9deb69 + 73617b1
commit 863c19a
Show file tree

Hide file tree

Showing 26 changed files with 672 additions and 1,004 deletions.
diff --git a/readme.md b/readme.md
@@ -37,7 +37,7 @@ If you are having deployment challenges, refer to the [LZA baseline troubleshoot
 
 ## Azure Virtual Desktop - LZA Optional Deployments
 
-### Brownfield scenarios 
+### Brownfield scenarios
 
 The brownfield section contains templates to deploy additional features for Azure Virtual Desktop when existing infrastructure already exists. These templates can be used individually as required. Here is the list of deployment options available:
 

diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep
@@ -55,19 +55,14 @@ param avdIdentityServiceProvider string = 'ADDS'
 @sys.description('Required, Eronll session hosts on Intune. (Default: false)')
 param createIntuneEnrollment bool = false
 
-@sys.description('Optional, Identity ID array to grant RBAC role to access AVD application group. (Default: "")')
-param avdApplicationGroupIdentitiesIds array = []
+@sys.description('Optional, Identity ID to grant RBAC role to access AVD application group and NTFS permissions. (Default: "")')
+param securityPrincipalId string = ''
 
-@allowed([
-    'Group'
-    'ServicePrincipal'
-    'User'
-])
-@sys.description('Optional, Identity type to grant RBAC role to access AVD application group. (Default: Group)')
-param avdApplicationGroupIdentityType string = 'Group'
+@sys.description('Optional, Identity name to grant RBAC role to access AVD application group and NTFS permissions. (Default: "")')
+param securityPrincipalName string = ''
 
-@sys.description('AD domain name.')
-param avdIdentityDomainName string
+@sys.description('FQDN of on-premises AD domain, used for FSLogix storage configuration and NTFS setup. (Default: "")')
+param identityDomainName string = ''
 
 @sys.description('AD domain GUID. (Default: "")')
 param identityDomainGuid string = ''
@@ -282,9 +277,6 @@ param avdImageTemplateDefinitionId string = ''
 @sys.description('OU name for Azure Storage Account. It is recommended to create a new AD Organizational Unit (OU) in AD and disable password expiration policy on computer accounts or service logon accounts accordingly.  (Default: "")')
 param storageOuPath string = ''
 
-@sys.description('If OU for Azure Storage needs to be created - set to true and ensure the domain join credentials have priviledge to create OU and create computer objects or join to domain. (Default: false)')
-param createOuForStorage bool = false
-
 // Custom Naming
 // Input must followe resource naming rules on https://docs.microsoft.com/azure/azure-resource-manager/management/resource-name-rules
 @sys.description('AVD resources custom naming. (Default: false)')
@@ -536,17 +528,18 @@ var varStorageManagedIdentityName = 'id-storage-${varComputeStorageResourcesNami
 var varFslogixFileShareName = avdUseCustomNaming ? fslogixFileShareCustomName : 'fslogix-pc-${varDeploymentPrefixLowercase}-${varDeploymentEnvironmentLowercase}-${varSessionHostLocationAcronym}-001'
 var varMsixFileShareName = avdUseCustomNaming ? msixFileShareCustomName : 'msix-pc-${varDeploymentPrefixLowercase}-${varDeploymentEnvironmentLowercase}-${varSessionHostLocationAcronym}-001'
 var varFslogixStorageName = avdUseCustomNaming ? '${storageAccountPrefixCustomName}fsl${varDeploymentPrefixLowercase}${varDeploymentEnvironmentComputeStorage}${varNamingUniqueStringThreeChar}' : 'stfsl${varDeploymentPrefixLowercase}${varDeploymentEnvironmentComputeStorage}${varNamingUniqueStringThreeChar}'
+var varFslogixStorageFqdn = '${varFslogixStorageName}.file.${environment().suffixes.storage}'
+var varMsixStorageFqdn = '${varMsixStorageName}.file.${environment().suffixes.storage}'
 var varMsixStorageName = avdUseCustomNaming ? '${storageAccountPrefixCustomName}msx${varDeploymentPrefixLowercase}${varDeploymentEnvironmentComputeStorage}${varNamingUniqueStringThreeChar}' : 'stmsx${varDeploymentPrefixLowercase}${varDeploymentEnvironmentComputeStorage}${varNamingUniqueStringThreeChar}'
 var varManagementVmName = 'vmmgmt${varDeploymentPrefixLowercase}${varDeploymentEnvironmentComputeStorage}${varSessionHostLocationAcronym}'
 var varAlaWorkspaceName = avdUseCustomNaming ? avdAlaWorkspaceCustomName : 'log-avd-${varDeploymentEnvironmentLowercase}-${varManagementPlaneLocationAcronym}' //'log-avd-${varAvdComputeStorageResourcesNamingStandard}-${varAvdNamingUniqueStringSixChar}'
 var varZtKvName = avdUseCustomNaming ? '${ztKvPrefixCustomName}-${varComputeStorageResourcesNamingStandard}-${varNamingUniqueStringTwoChar}' : 'kv-key-${varComputeStorageResourcesNamingStandard}-${varNamingUniqueStringTwoChar}' // max length limit 24 characters
 var varZtKvPrivateEndpointName = 'pe-${varZtKvName}-vault'
 //
-var varFsLogixScriptArguments = (avdIdentityServiceProvider == 'AAD') ? '-volumeshare ${varFslogixSharePath} -storageAccountName ${varFslogixStorageName} -identityDomainName ${avdIdentityDomainName}' : '-volumeshare ${varFslogixSharePath}'
 var varFslogixSharePath = '\\\\${varFslogixStorageName}.file.${environment().suffixes.storage}\\${varFslogixFileShareName}'
 var varBaseScriptUri = 'https://raw.githubusercontent.com/Azure/avdaccelerator/main/workload/'
-var varFslogixScriptUri = (avdIdentityServiceProvider == 'AAD') ? '${varBaseScriptUri}scripts/Set-FSLogixRegKeysAAD.ps1' : '${varBaseScriptUri}scripts/Set-FSLogixRegKeys.ps1'
-var varFsLogixScript = (avdIdentityServiceProvider == 'AAD') ? './Set-FSLogixRegKeysAad.ps1' : './Set-FSLogixRegKeys.ps1'
+var varSessionHostConfigurationScriptUri = '${varBaseScriptUri}scripts/Set-SessionHostConfiguration.ps1'
+var varSessionHostConfigurationScript = './Set-SessionHostConfiguration.ps1'
 var varDiskEncryptionKeyExpirationInEpoch = dateTimeToEpoch(dateTimeAdd(time, 'P${string(diskEncryptionKeyExpirationInDays)}D'))
 var varAvdAgentPackageLocation = 'https://wvdportalstorageblob.blob.${environment().suffixes.storage}/galleryartifacts/Configuration_09-08-2022.zip'
 var varCreateStorageDeployment = (createAvdFslogixDeployment || createMsixDeployment == true) ? true : false
@@ -766,7 +759,6 @@ var varStorageToDomainScript = './Manual-DSC-Storage-Scripts.ps1'
 var varOuStgPath = !empty(storageOuPath) ? '"${storageOuPath}"' : '"${varDefaultStorageOuPath}"'
 var varDefaultStorageOuPath = (avdIdentityServiceProvider == 'AADDS') ? 'AADDC Computers' : 'Computers'
 var varStorageCustomOuPath = !empty(storageOuPath) ? 'true' : 'false'
-var varCreateOuForStorageString = string(createOuForStorage)
 var varAllDnsServers = '${customDnsIps},168.63.129.16'
 var varDnsServers = empty(customDnsIps) ? [] : (split(varAllDnsServers, ','))
 var varCreateVnetPeering = !empty(existingHubVnetResourceId) ? true : false
@@ -785,7 +777,7 @@ var varCustomResourceTags = createResourceTags ? {
     CostCenter: costCenterTag
 } : {}
 var varAllComputeStorageTags = {
-    DomainName: avdIdentityDomainName
+    DomainName: identityDomainName
     IdentityServiceProvider: avdIdentityServiceProvider
 }
 var varAvdDefaultTags = {
@@ -968,8 +960,7 @@ module managementPLane './modules/avdManagementPlane/deploy.bicep' = {
         startVmOnConnect: (avdHostPoolType == 'Pooled') ? avdDeployScalingPlan : avdStartVmOnConnect
         workloadSubsId: avdWorkloadSubsId
         identityServiceProvider: avdIdentityServiceProvider
-        applicationGroupIdentitiesIds: avdApplicationGroupIdentitiesIds
-        applicationGroupIdentityType: avdApplicationGroupIdentityType
+        securityPrincipalIds: array(securityPrincipalId)
         tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags
         alaWorkspaceResourceId: avdDeployMonitoring ? (deployAlaWorkspace ? monitoringDiagnosticSettings.outputs.avdAlaWorkspaceResourceId : alaExistingWorkspaceResourceId) : ''
         hostPoolAgentUpdateSchedule: varHostPoolAgentUpdateSchedule
@@ -996,7 +987,7 @@ module identity './modules/identity/deploy.bicep' = {
         enableStartVmOnConnect: avdStartVmOnConnect
         identityServiceProvider: avdIdentityServiceProvider
         createStorageDeployment: varCreateStorageDeployment
-        appGroupIdentitiesIds: avdApplicationGroupIdentitiesIds
+        securityPrincipalIds: array(securityPrincipalId)
         tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags
     }
     dependsOn: [
@@ -1132,7 +1123,7 @@ module managementVm './modules/storageAzureFiles/.bicep/managementVm.bicep' = if
         domainJoinUserName: avdDomainJoinUserName
         wrklKvName: varWrklKvName
         serviceObjectsRgName: varServiceObjectsRgName
-        identityDomainName: avdIdentityDomainName
+        identityDomainName: identityDomainName
         ouPath: varMgmtVmSpecs.ouPath
         osDiskType: varMgmtVmSpecs.osDiskType
         location: avdSessionHostLocation
@@ -1165,6 +1156,7 @@ module fslogixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if
         fileShareMultichannel: (fslogixStoragePerformance == 'Premium') ? true : false
         storageSku: varFslogixStorageSku
         fileShareQuotaSize: fslogixFileShareQuotaSize
+        storageAccountFqdn: varFslogixStorageFqdn
         storageAccountName: varFslogixStorageName
         storageToDomainScript: varStorageToDomainScript
         storageToDomainScriptUri: varStorageToDomainScriptUri
@@ -1174,12 +1166,12 @@ module fslogixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if
         managementVmName: varManagementVmName
         deployPrivateEndpoint: deployPrivateEndpointKeyvaultStorage
         ouStgPath: varOuStgPath
-        createOuForStorageString: varCreateOuForStorageString
         managedIdentityClientId: varCreateStorageDeployment ? identity.outputs.managedIdentityStorageClientId : ''
+        securityPrincipalName: securityPrincipalName
         domainJoinUserName: avdDomainJoinUserName
         wrklKvName: varWrklKvName
         serviceObjectsRgName: varServiceObjectsRgName
-        identityDomainName: avdIdentityDomainName
+        identityDomainName: identityDomainName
         identityDomainGuid: identityDomainGuid
         sessionHostLocation: avdSessionHostLocation
         storageObjectsRgName: varStorageObjectsRgName
@@ -1207,6 +1199,7 @@ module msixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if (cr
         fileShareMultichannel: (msixStoragePerformance == 'Premium') ? true : false
         storageSku: varMsixStorageSku
         fileShareQuotaSize: msixFileShareQuotaSize
+        storageAccountFqdn: varMsixStorageFqdn
         storageAccountName: varMsixStorageName
         storageToDomainScript: varStorageToDomainScript
         storageToDomainScriptUri: varStorageToDomainScriptUri
@@ -1216,12 +1209,12 @@ module msixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if (cr
         managementVmName: varManagementVmName
         deployPrivateEndpoint: deployPrivateEndpointKeyvaultStorage
         ouStgPath: varOuStgPath
-        createOuForStorageString: varCreateOuForStorageString
         managedIdentityClientId: varCreateStorageDeployment ? identity.outputs.managedIdentityStorageClientId : ''
+        securityPrincipalName: securityPrincipalName
         domainJoinUserName: avdDomainJoinUserName
         wrklKvName: varWrklKvName
         serviceObjectsRgName: varServiceObjectsRgName
-        identityDomainName: avdIdentityDomainName
+        identityDomainName: identityDomainName
         identityDomainGuid: identityDomainGuid
         sessionHostLocation: avdSessionHostLocation
         storageObjectsRgName: varStorageObjectsRgName
@@ -1280,13 +1273,13 @@ module sessionHosts './modules/avdSessionHosts/deploy.bicep' = [for i in range(1
         wrklKvName: varWrklKvName
         serviceObjectsRgName: varServiceObjectsRgName
         hostPoolName: varHostPoolName
-        identityDomainName: avdIdentityDomainName
+        identityDomainName: identityDomainName
         avdImageTemplateDefinitionId: avdImageTemplateDefinitionId
         sessionHostOuPath: avdOuPath
         diskType: avdSessionHostDiskType
         location: avdSessionHostLocation
         namePrefix: varSessionHostNamePrefix
-        size: avdSessionHostsSize
+        vmSize: avdSessionHostsSize
         enableAcceleratedNetworking: enableAcceleratedNetworking
         securityType: securityType == 'Standard' ? '' : securityType
         secureBootEnabled: secureBootEnabled
@@ -1298,10 +1291,10 @@ module sessionHosts './modules/avdSessionHosts/deploy.bicep' = [for i in range(1
         encryptionAtHost: diskZeroTrust
         createAvdFslogixDeployment: createAvdFslogixDeployment
         storageManagedIdentityResourceId: (varCreateStorageDeployment) ? identity.outputs.managedIdentityStorageResourceId : ''
-        fslogixScript: varFsLogixScript
-        fslogixScriptUri: varFslogixScriptUri
-        fslogixSharePath: '\\\\${varFslogixStorageName}.file.${environment().suffixes.storage}\\${varFslogixFileShareName}'
-        fslogixScriptArguments: varFsLogixScriptArguments
+        fslogixSharePath: varFslogixSharePath
+        fslogixStorageFqdn: varFslogixStorageFqdn
+        sessionHostConfigurationScriptUri: varSessionHostConfigurationScriptUri
+        sessionHostConfigurationScript: varSessionHostConfigurationScript
         marketPlaceGalleryWindows: varMarketPlaceGalleryWindows[avdOsImage]
         useSharedImage: useSharedImage
         tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags

diff --git a/workload/bicep/modules/avdManagementPlane/deploy.bicep b/workload/bicep/modules/avdManagementPlane/deploy.bicep
@@ -16,10 +16,7 @@ param computeTimeZone string
 param identityServiceProvider string
 
 @sys.description('Identity ID to grant RBAC role to access AVD application group.')
-param applicationGroupIdentitiesIds array
-
-@sys.description('Identity type to grant RBAC role to access AVD application group.')
-param applicationGroupIdentityType string
+param securityPrincipalIds array
 
 @sys.description('AVD OS image source.')
 param osImage string
@@ -236,11 +233,11 @@ module applicationGroups '../../../../carml/1.3.0/Microsoft.DesktopVirtualizatio
     hostpoolName: hostPoolName
     tags: tags
     applications: (applicationGroup.applicationGroupType == 'RemoteApp')  ? varRAppApplicationGroupsApps : []
-    roleAssignments: !empty(applicationGroupIdentitiesIds) ? [
+    roleAssignments: !empty(securityPrincipalIds) ? [
       {
       roleDefinitionIdOrName: 'Desktop Virtualization User'
-      principalIds: applicationGroupIdentitiesIds
-      principalType: applicationGroupIdentityType
+      principalIds: securityPrincipalIds
+      principalType: 'Group'
       }
     ]: []   
     diagnosticWorkspaceId: alaWorkspaceResourceId

diff --git a/workload/bicep/modules/avdSessionHosts/.bicep/configureFslogixOnSessionHosts.bicep b/workload/bicep/modules/avdSessionHosts/.bicep/configureFslogixOnSessionHosts.bicep
diff --git a/workload/bicep/modules/avdSessionHosts/.bicep/configureSessionHost.bicep b/workload/bicep/modules/avdSessionHosts/.bicep/configureSessionHost.bicep
@@ -0,0 +1,88 @@
+// ========== //
+// Parameters //
+// ========== //
+
+@sys.description('Extension deployment name.')
+param name string
+
+@sys.description('The service providing domain services for Azure Virtual Desktop.')
+param identityServiceProvider string
+
+@sys.description('Identity domain name.')
+param identityDomainName string
+
+@sys.description('Location where to deploy compute services.')
+param location string
+
+@sys.description('URI for AVD session host configuration URI path.')
+param baseScriptUri string
+
+@sys.description('URI for AVD session host configuration script.')
+param scriptName string
+
+@sys.description('Deploy FSlogix configuration.')
+param fslogix bool
+
+@sys.description('File share path for FSlogix storage.')
+param fslogixFileShare string
+
+@sys.description('FSLogix storage account FDQN.')
+param fslogixStorageFqdn string
+
+@sys.description('Session host VM size.')
+param vmSize string
+
+@sys.description('AVD Host Pool registration token')
+@secure()
+param hostPoolToken string
+
+// =========== //
+// Variable declaration //
+// =========== //
+// var ScreenCaptureProtection = true
+var varScriptArguments = '-IdentityDomainName ${identityDomainName} -AmdVmSize ${varAmdVmSize} -IdentityServiceProvider ${identityServiceProvider} -Fslogix ${fslogix} -FslogixFileShare ${fslogixFileShare} -FslogixStorageFqdn ${fslogixStorageFqdn} -HostPoolRegistrationToken ${hostPoolToken} -NvidiaVmSize ${varNvidiaVmSize} -verbose' // -ScreenCaptureProtection ${ScreenCaptureProtection} -verbose'
+var varAmdVmSizes = [
+  'Standard_NV4as_v4'
+  'Standard_NV8as_v4'
+  'Standard_NV16as_v4'
+  'Standard_NV32as_v4'
+]
+var varAmdVmSize = contains(varAmdVmSizes, vmSize)
+var varNvidiaVmSizes = [
+  'Standard_NV6'
+  'Standard_NV12'
+  'Standard_NV24'
+  'Standard_NV12s_v3'
+  'Standard_NV24s_v3'
+  'Standard_NV48s_v3'
+  'Standard_NC4as_T4_v3'
+  'Standard_NC8as_T4_v3'
+  'Standard_NC16as_T4_v3'
+  'Standard_NC64as_T4_v3'
+  'Standard_NV6ads_A10_v5'
+  'Standard_NV12ads_A10_v5'
+  'Standard_NV18ads_A10_v5'
+  'Standard_NV36ads_A10_v5'
+  'Standard_NV36adms_A10_v5'
+  'Standard_NV72ads_A10_v5'
+]
+var varNvidiaVmSize = contains(varNvidiaVmSizes, vmSize)
+// =========== //
+// Deployments //
+// =========== //
+resource sessionHostConfig 'Microsoft.Compute/virtualMachines/extensions@2022-08-01' = {
+  name: '${name}/SessionHostConfig'
+  location: location
+  properties: {
+    publisher: 'Microsoft.Compute'
+    type: 'CustomScriptExtension'
+    typeHandlerVersion: '1.10'
+    autoUpgradeMinorVersion: true
+    settings: {
+      fileUris: array(baseScriptUri)
+    }
+    protectedSettings: {
+      commandToExecute: 'powershell -ExecutionPolicy Unrestricted -File ${scriptName} ${varScriptArguments}'
+    }
+  }
+}