Windows 10 Experience at Multi-session Cost

WVD: Windows 10 Experience at Multi-session Cost

The first economic benefit for infrastructure is that you get the Windows 10 experience at multi-session cost. This matters because with today’s VDI solutions you have to choose between Windows Server RDS, which compromises on user experience, and Windows 10 single-session, which compromises on cost; with WVD you get both.

Let’s take a look at a customer migration scenario here.

If you are using Windows 10 single-session on-prem today for better user experience (rather than a Windows Server RDS deployment), WVD is the best solution for you going forward: not only does it provide a local-like Windows 10 experience for your end users, it also saves you big bucks via multi-session deployment.

Let’s see why.

For a single-session deployment (left-hand side), you need one small VM per user, which usually ends up with low utilization. In comparison, for a multi-session deployment (middle pane), you can have a larger shared VM that supports multiple users, so utilization is higher. In addition, since you have fewer VMs, you can also expect lower operational costs. As a result, you can expect your multi-session cost to be around 1/6 of your single-session cost, as seen on the right-hand side. This is the key differentiation of WVD: you will find no other solution in the marketplace that supports Windows 10 multi-session.

WVD: Enhanced Security with Simplified Configuration

WVD customers benefit from all the investment Microsoft has put into Azure security. Customers can configure the familiar Azure security services as they build out their deployment, or they can use our managed security services!

There are 3 security advantages that belong to the WVD service alone:

 – The attack surface is reduced because WVD uses reverse connect technology: no inbound ports are opened to the VMs, so there are fewer places for bad actors to attack.

 – Role-based access control lets the customer split up administration tasks and protect their most sensitive user groups and workloads.

 – Finally, all user sessions are isolated, even in a multi-session environment!

WVD: Best Virtualized End-user Experience

The WVD end-user experience is the best user experience out there.

Let’s see why:

  • WVD allows users to connect from any device. The WVD experience on Mac and other OSes is indistinguishable from native:
    – Local and remote UI is optimized for the various form factors across all supported platforms: Windows, macOS, iOS, HTML5, and Android
    – Performance of clients built on the Linux SDK is at parity with other non-Windows clients
    – The macOS client provides an integrated RemoteApp experience
    – The iOS, Android, and HTML5 clients provide an immersive RemoteApp experience

  • Extremely fast logon times, because Microsoft uses containerized user profiles.
  • It should be no surprise that Windows devices are advantaged, because Microsoft can do more with Windows devices. Customers with Windows devices will have a “like-local” Windows experience, and the best support we can offer.
  • You’ll notice two of the core services called out on this page: O365 and Teams. Microsoft Engineering is working hard to make sure that customers get the best experience possible when they use O365 and Teams in a virtual deployment. The best experience for O365, for example, means that email, calendar and Outlook performance is on par with using O365 on your Windows client.

The difference between traditional VDI/RDS and DaaS

You can see that a PaaS service really enables you to create a repeatable Desktop as a Service Offering.  This aspect allows you to scale your DaaS (or WVD offering) without requiring the in-depth technical knowledge that previous RDS/VDI offerings required.  You can focus on managing your customer’s experience and not have to worry about the IT backend as much.

Windows Virtual Desktop Customer Benefits

Windows Virtual Desktop FAQ

What is Windows Virtual Desktop?
Windows Virtual Desktop is a comprehensive desktop and app virtualization service running on the cloud. It is the only service that delivers simplified management, multi-session Windows 10, optimization for Office 365 ProPlus, and support for Remote Desktop Services Environments. With Windows Virtual Desktop you can deploy and scale your Windows desktops and apps on Azure in minutes, with built-in security and compliance.
What are the key benefits of Windows Virtual Desktop?
• Multi-session Windows 10 that delivers the cost advantages of server-based virtualization
• The best service to virtualize Office 365 ProPlus running in multi-user virtual scenarios
• The only service to provide Windows 7 virtual desktop with free Extended Security Updates, giving you more options to support legacy applications while you transition to Windows 10
• Bring your existing Remote Desktop Services (RDS) and Windows Server desktops and apps
• Manage Windows 10, Windows Server, and Windows 7 desktops and apps all with a unified management experience on Azure
• Seamlessly virtualize both desktops and apps
What is the new Windows 10 multi-session?
Windows Virtual Desktop enables a capability of Windows 10 Enterprise multi-session available only in Azure. This allows full-fidelity access to a Windows 10 experience – including the user experience, Office ProPlus support, Microsoft Edge, Cortana, per-user search index and access to the Microsoft Store – while taking advantage of the cost efficiency of shared compute resources previously only available with server-based virtualization.
What operating systems are supported by WVD?
Windows 10 multi-session, Windows 10 single-session, Windows 7 single-session, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019

How does the WVD solution reduce costs?
WVD reduces customer costs by reducing infrastructure, licensing, and labor costs. Multi-session Windows 10 allows significant savings in compute resources, and the WVD service replaces the complex management requirements of RDS/VDI solutions. WVD is free to use with many existing licenses, and you no longer have to pay for RDS CAL licenses. Finally, labor savings are realized by the shift from IaaS to PaaS, which removes the need to manage core services like the broker, gateway and web access, reducing management overhead.
Will WVD support Microsoft Office?
Yes. The best experience of Office is with Office 365 ProPlus, which is supported by Windows 10 multi-session. Perpetual versions of Office will not be supported by Windows 10 multi-session but will be supported on Windows Server operating systems with Windows Virtual Desktop.
What is required to run WVD?
You need an Azure Tenant and a Subscription with enough resource creation permissions.
That’s all!

Can we try WVD out now as a POC?
Yes! WVD has been generally available since September 2019.

Contact us today for all your Windows Virtual Desktop requirements!

Microsoft 365 Business: Comprehensive security against advanced cyberthreats

Microsoft 365 Business can help you consolidate some of the point solutions across productivity and security that create risk and complexity for any small business.

Here is a comparison between various third party tools/services and Microsoft 365 Business suite of products:

Third party security tools cost
  • Cloud identity management — Jumpcloud
  • Azure Information Protection for Information Rights Management
  • Barracuda Essentials for email antivirus and DLP
  • AirWatch Express as the endpoint management system for SMB
Microsoft 365 Business cost

As a trusted Microsoft partner, we can help you subscribe and set up all the advanced security features of Microsoft 365 Business: contact us today!

Business continuity strategy

To enable a proper business continuity strategy, you need to have all the various parts that form a well designed game plan for when things go wrong.

In the cloud-enabled model of application and data availability and resiliency, costs—across the board—are lower for a holistic backup, disaster recovery, and archive plan.

  • High availability: When your applications have a catastrophic failure, run a second instance. Ensuring high availability (99.999% uptime), while the most expensive resiliency plan, is significantly more affordable in the cloud. With a hyper-scale cloud like Microsoft Azure, a spike in demand or traffic isn’t something to worry about: the scale you need is a few clicks away. With Azure, you’re able to scale up or down based on demand in just a few minutes. Cloud also removes the need for multiple or offsite datacenters; workloads running in Azure are powered by always-on Azure global datacenters. Azure is also pay-as-you-go, so you’ll only be charged for what you need. With cloud, high availability is available to everyone. Make sure that you’re always up and avoid the negative impact on your productivity, brand, and profits.
  • Disaster recovery: When your applications have a catastrophic failure, run them in Azure or a secondary datacenter. Like high availability efforts, traditional disaster recovery (DR) is very expensive; a cloud-based model for DR is significantly less expensive and more efficient than the traditional approach. No one can predict the future, and even an hour of downtime can spell disaster for a business. Azure democratizes DR efforts and makes them a reality for every business. With Azure, businesses can rid themselves of the cost and overhead of the redundant and offsite datacenters that come with traditional DR plans: no more servers to maintain, and no more assigning mundane service tasks to your IT talent. Azure’s global datacenters make it easy to house apps and data where it makes the most business sense to you, keeping mission-critical workloads stored remotely and securely. With Azure, you’re always prepared for when disaster strikes, able to get back to business in minutes, not hours or days.
  • Backup: When your data is corrupted, deleted or lost, you can restore it. Backups are best thought of as a snapshot: a moment in your business’s life captured for the sake of continuity. In the event that all of your company’s data is lost, you can simply revert to a backup of the previous day, week, month, etc., depending on how often you back up information. With Azure Backup, you can further lower the costs associated with already inexpensive backup. Azure Backup is extremely affordable, so even small businesses with fixed IT budgets can afford it. It grants users anytime, anywhere access to their data from nearly any device, and backup data is housed safely offsite in the event of a natural or human disaster.

Our Managed Azure Services can help with all of them!

Google Cloud Platform CIS security controls

This security configuration benchmark covers foundational elements of Google Cloud Platform. The security controls detailed here are important security considerations when designing your infrastructure on Google Cloud Platform. Most of the security controls provided with this release of the benchmark (1.0.0) cover security considerations only at the individual project level, not at the organization level.

1 Identity and Access Management
1.1 Ensure that corporate login credentials are used instead of Gmail accounts  
1.2 Ensure that multi-factor authentication is enabled for all non-service accounts  
1.3 Ensure that there are only GCP-managed service account keys for each service account  
1.4 Ensure that ServiceAccount has no Admin privileges
1.5 Ensure that IAM users are not assigned Service Account User role at project level  
1.6 Ensure user-managed/external keys for service accounts are rotated every 90 days or less  
1.7 Ensure that Separation of duties is enforced while assigning service account related roles to users  
1.8 Ensure Encryption keys are rotated within a period of 365 days  
1.9 Ensure that Separation of duties is enforced while assigning KMS related roles to users  
1.10 Ensure API keys are not created for a project 
1.11 Ensure API keys are restricted to use by only specified Hosts and Apps 
1.12 Ensure API keys are restricted to only APIs that application needs access 
1.13 Ensure API keys are rotated every 90 days  
2 Logging and Monitoring 
2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project  
2.2 Ensure that sinks are configured for all Log entries 
2.3 Ensure that object versioning is enabled on log-buckets  
2.4 Ensure log metric filter and alerts exists for Project Ownership assignments/changes  
2.5 Ensure log metric filter and alerts exists for Audit Configuration Changes  
2.6 Ensure log metric filter and alerts exists for Custom Role changes  
2.7 Ensure log metric filter and alerts exists for VPC Network Firewall rule changes  
2.8 Ensure log metric filter and alerts exists for VPC network route changes 
2.9 Ensure log metric filter and alerts exists for VPC network changes  
2.10 Ensure log metric filter and alerts exists for Cloud Storage IAM permission changes  
2.11 Ensure log metric filter and alerts exists for SQL instance configuration changes  
3 Networking 
3.1 Ensure the default network does not exist in a project  
3.2 Ensure legacy networks do not exist for a project
3.3 Ensure that DNSSEC is enabled for Cloud DNS  
3.4 Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC  
3.5 Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC 
3.6 Ensure that SSH access is restricted from the internet 
3.7 Ensure that RDP access is restricted from the internet 
3.8 Ensure Private Google Access is enabled for all subnetwork in VPC Network 
3.9 Ensure VPC Flow logs is enabled for every subnet in VPC Network  
4 Virtual Machines 
4.1 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs 
4.2 Ensure “Block Project-wide SSH keys” enabled for VM instances 
4.3 Ensure oslogin is enabled for a Project  
4.4 Ensure ‘Enable connecting to serial ports’ is not enabled for VM Instance 
4.5 Ensure that IP forwarding is not enabled on Instances  
4.6 Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)  
5 Storage
5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible 
5.2 Ensure that there are no publicly accessible objects in storage buckets  
5.3 Ensure that logging is enabled for Cloud storage buckets  
6 Cloud SQL Database Services 
6.1 Ensure that Cloud SQL database instance requires all incoming connections to use SSL 
6.2 Ensure that Cloud SQL database Instances are not open to the world  
6.3 Ensure that MySQL database instance does not allow anyone to connect with administrative privileges
6.4 Ensure that MySQL Database Instance does not allow root login from any Host
7 Kubernetes Engine 
7.1 Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters 
7.2 Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters 
7.3 Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters  
7.4 Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters  
7.5 Ensure Kubernetes Clusters are configured with Labels 
7.6 Ensure Kubernetes web UI / Dashboard is disabled 
7.7 Ensure `Automatic node repair` is enabled for Kubernetes Clusters  
7.8 Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes 
7.9 Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image 
7.10 Ensure Basic Authentication is disabled on Kubernetes Engine Clusters 
7.11 Ensure Network policy is enabled on Kubernetes Engine Clusters  
7.12 Ensure Kubernetes Cluster is created with Client Certificate enabled  
7.13 Ensure Kubernetes Cluster is created with Alias IP ranges enabled 
7.14 Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters 
7.15 Ensure Kubernetes Cluster is created with Private cluster enabled 
7.16 Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets 
7.17 Ensure default Service account is not used for Project access in Kubernetes Clusters  
7.18 Ensure Kubernetes Clusters created with limited service account Access scopes for Project access 

Our managed Google Cloud Platform security services can enable your environment to be fully compliant with this security standard.
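
As an added illustration of how controls 3.6 and 3.7 above can be audited (this is example code, not part of the CIS benchmark or any Google tooling), the check below walks firewall rules in the shape returned by `gcloud compute firewall-rules list --format=json` and reports ingress rules that admit TCP 22 or 3389 from 0.0.0.0/0. The sample rules are constructed; it handles port ranges, protocol "all" entries without a port list, and skips disabled and egress rules.

```python
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (Compute Engine API field names; rule names, ranges and values are made up).
SAMPLE_RULES = json.loads("""[
 {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-rdp-range", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
 {"name": "allow-all-internal", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
 {"name": "allow-ssh-bastion", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "old-open-ssh", "direction": "INGRESS", "disabled": true,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "egress-any", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]""")

# CIS GCP 1.0.0 control id -> the TCP port that control is about (3.6 SSH, 3.7 RDP).
CHECKS = {"3.6": 22, "3.7": 3389}

def _covers_port(entry, port):
    """True if one 'allowed' entry admits the TCP port: bare port, range, or whole protocol."""
    proto = entry["IPProtocol"].lower()
    if proto not in ("tcp", "all"):
        return False
    if "ports" not in entry:            # no port list means every port of that protocol
        return True
    for spec in entry["ports"]:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def find_internet_exposed(rules):
    """Return {control_id: [rule names]} for enabled ingress rules open to 0.0.0.0/0 on that port."""
    findings = {cid: [] for cid in CHECKS}
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if "0.0.0.0/0" not in rule.get("sourceRanges", []):
            continue
        for cid, port in CHECKS.items():
            if any(_covers_port(e, port) for e in rule.get("allowed", [])):
                findings[cid].append(rule["name"])
    return findings

if __name__ == "__main__":
    for cid, names in find_internet_exposed(SAMPLE_RULES).items():
        print(f"CIS {cid}: {'PASS' if not names else 'FAIL ' + ', '.join(names)}")
```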

NSG and forced tunneling

Azure Network Security: Network Security Groups (NSG) and Forced Tunneling

Network Security Groups (NSG):

  • Enable network segmentation and DMZ scenarios
  • Access control lists and network traffic rules grouped as a security group
  • Security groups are associated with virtual machines, network interfaces, or virtual machine subnets (not the gateway subnet)
  • Rules match on a 5-tuple (source address, source port, destination address, destination port, protocol)
  • Rules are separated into inbound and outbound rules
  • Rules are applied in order of priority
  • Network traffic rules are updated independently of the virtual machines
  • Controlled access to and from the Internet

Network Security Group models: at the subnet level and at the VM level.

  • Subnet-level NSGs: an NSG rule applied to a subnet is logically more like a firewall rule applied at the switch, which affects inbound and outbound traffic on every port of the switch. Any VM connected to a switch port is affected by the NSG rule applied to the subnet.
  • VM/NIC-level NSGs: NSGs applied at the VM or at the NIC of a virtual machine. This allows greater flexibility in how traffic is filtered.
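
To make the priority ordering and the subnet-versus-NIC layering concrete, here is an added evaluator (example code, not an Azure tool) that applies rules by ascending priority over the 5-tuple and then combines a subnet-level and a NIC-level NSG the way Azure does for inbound traffic: subnet NSG first, then NIC NSG, and both must allow. The VNet range, the custom rules and the flows are constructed; the 65000-65500 default rules and the 168.63.129.16 load-balancer address are Azure's real defaults.

```python
import ipaddress
from dataclasses import dataclass

# Constructed VNet address space; service tags resolve to prefix lists.
VNET_PREFIXES = ["10.0.0.0/16"]
TAGS = {"VirtualNetwork": VNET_PREFIXES,
        "AzureLoadBalancer": ["168.63.129.16/32"],   # Azure's real health-probe source
        "*": ["0.0.0.0/0"]}

@dataclass
class Rule:
    priority: int
    src: str        # CIDR, service tag, or "*"
    src_port: str   # "443", "1000-2000", or "*"
    dst: str
    dst_port: str
    proto: str      # "Tcp", "Udp", or "*"
    action: str     # "Allow" or "Deny"

def _addr_ok(spec, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in TAGS.get(spec, [spec]))

def _port_ok(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, flow):
    """Azure semantics: the lowest priority number is checked first and the first match decides."""
    src, sport, dst, dport, proto = flow
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.proto in ("*", proto) and _addr_ok(r.src, src) and _addr_ok(r.dst, dst)
                and _port_ok(r.src_port, sport) and _port_ok(r.dst_port, dport)):
            return r.action
    return "Deny"   # unreachable while the default DenyAllInBound rule is present

# Azure's real default inbound rules, present in every NSG.
DEFAULT_INBOUND = [Rule(65000, "VirtualNetwork", "*", "VirtualNetwork", "*", "*", "Allow"),
                   Rule(65001, "AzureLoadBalancer", "*", "*", "*", "*", "Allow"),
                   Rule(65500, "*", "*", "*", "*", "*", "Deny")]

# Constructed subnet-level NSG: HTTPS open from anywhere, everything else falls to the defaults.
SUBNET_NSG = [Rule(100, "*", "*", "*", "443", "Tcp", "Allow")] + DEFAULT_INBOUND
# Constructed NIC-level NSG on one VM: RDP only from the jump host 10.0.1.4, denied otherwise.
NIC_NSG = [Rule(100, "10.0.1.4/32", "*", "*", "3389", "Tcp", "Allow"),
           Rule(200, "*", "*", "*", "3389", "Tcp", "Deny")] + DEFAULT_INBOUND

def inbound_allowed(flow):
    """Inbound traffic is filtered by the subnet NSG first, then the NIC NSG; both must allow."""
    return evaluate(SUBNET_NSG, flow) == "Allow" and evaluate(NIC_NSG, flow) == "Allow"
```

Note that HTTPS from the Internet passes the subnet NSG but is still dropped, because the NIC-level NSG has no 443 rule and its DenyAllInBound default wins; a NIC-level NSG must carry its own allow rules for everything the subnet admits.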

Forced Tunneling

  • “Force” or redirect customer Internet-bound traffic to an on-premises site via a default route
  • VPN: configured per subnet
  • ExpressRoute: at the BGP level
  • Can be overridden with more specific routes via UDR (user-defined routes)
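
The following added example (not Azure code) models how the default route and a more specific UDR interact for the per-subnet VPN case: Azure picks the longest matching prefix, and on equal prefix length a user-defined route wins over a BGP route, which wins over a system route. The route table is constructed; the ExpressRoute case would appear as a 0.0.0.0/0 route of origin "BGP" and is not shown.

```python
import ipaddress

# Tie-break order on equal prefix length, as Azure documents it: User > BGP > System.
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}

# Constructed routes: (prefix, next-hop type, origin).
SYSTEM_ROUTES = [
    ("0.0.0.0/0",    "Internet",              "System"),  # system default route to the Internet
    ("10.0.0.0/16",  "VirtualNetwork",        "System"),  # the VNet's own address space
]
FORCED_TUNNEL_UDR = [
    ("0.0.0.0/0",    "VirtualNetworkGateway", "User"),    # forced tunnel: send all else on-prem
    ("10.10.0.0/16", "VirtualNetworkGateway", "User"),    # on-premises range over the VPN
    ("192.0.2.0/24", "Internet",              "User"),    # more specific override: direct breakout
]

def next_hop(dst, routes):
    """Return the next-hop type Azure would select for dst, or None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop, origin in routes:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        key = (net.prefixlen, -ORIGIN_RANK[origin])  # longest prefix, then preferred origin
        if best is None or key > best[0]:
            best = (key, hop)
    return best[1] if best else None

def effective_hops(dsts, forced=True):
    """Next hop per destination with the forced-tunnel UDR attached to the subnet or not."""
    routes = SYSTEM_ROUTES + (FORCED_TUNNEL_UDR if forced else [])
    return {d: next_hop(d, routes) for d in dsts}
```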