Host pool VM deployment

Warning: Nerdio Manager does not install the BgInfo Azure extension during any automation or management process. However, the BgInfo extension may be installed either through a scripted action directly, or unintentionally, as stated in the Azure PowerShell module issues report.

Nerdio Manager enables you to customize the way session host VMs are deployed in a host pool. This is a feature-rich facility that is detailed below.

To configure host pool VM deployment:

  1. Locate the host pool you wish to work with.

  2. From the action menu, select Settings > Virtual Machines.

  3. Enter the following information:

  4. Enter the following Operating System options:

    • Set time zone: Enable this option, and from the drop-down list select the time zone, to set the time zone on the VM when it is provisioned.

    • Time zone redirection: Enable this option to allow users to see their local device's time zone inside of their session.

    • Always prompt for password: Select this option to always prompt the user for a password.

      Note: This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users signing in to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

      By default, Remote Desktop Services allows users to automatically sign in by entering a password in the Remote Desktop Connection client.

      • If you select this option, users cannot automatically sign in to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to sign in.

      • If you do not select this option, users can always sign in to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.

    • Automatically deallocate powered-off VMs: Select this option to have a periodic task check if any session host VMs are in a powered off, but not deallocated, state and automatically deallocate them to save on Azure compute costs.

    • Boot diagnostics: Enable this option to apply the Boot Diagnostics feature to desktops in this pool.

      Note: This setting only applies to newly created desktops.

      • Storage accounts for boot data: Optionally, from the drop-down list, select an available storage account to be used to store boot data.

        Note: By default, Azure uses an automatic managed storage account for screenshots and other data. To use the default setting, leave this empty.

    • Patch orchestration options: From the drop-down list, select the patch orchestration option, which allows you to control how patches are applied to your virtual machine.

      Note: Nerdio Manager honors the Azure default setting, which is Automatic by OS (Windows Automatic Updates).

    • Accelerated networking (if supported): Enable this option to enable Accelerated Networking, if available.

      Note: The Azure VM accelerated networking feature is available in some of the larger Azure VMs. This feature is useful for enterprise organizations and IT professionals who need to deploy, manage, and optimize large amounts of Azure Virtual Desktops. It speeds up networking performance of individual VMs.

      If this feature is not supported on your Azure VM, it is not enabled. See this Microsoft document for more information.

    • NVMe (if supported): Enable this option to enable NVMe, if available.

      Note: NVMe is a storage protocol that offers higher IOPS and throughput, providing your workload with overall greater performance. See this Microsoft document for more information.

    • GPU drivers (if supported): Enable this option to install either NVidia or AMD drivers.

      Note: GPU drivers can be installed on N-series VMs.

    • H.265 encoding (if supported): Enable this option to enable H.265 High Efficiency Video Coding hardware acceleration.

      Note: H.265 hardware acceleration is available only on N-series VM sizes using NVidia GPUs.

    • Deploy VMs to Capacity reservation groups: Enable this option to place the VMs in a capacity reservation group.

      Note: See Manage Capacity Reservations Groups for full details.

      • Capacity Reservation Groups: From the drop-down list, select the capacity reservation group(s).

    • Deploy VMs across availability zones: Enable this option to automatically distribute newly created or re-imaged session host VMs across Availability Zones in the selected Azure region.

      Notes:

      • To ensure that Nerdio Manager considers all possible availability zones when reinstantiating VMs, ensure that Availability Zone Awareness is turned on in Host Pool Azure Capacity Extender Configuration.

      • See this Microsoft article for more details about Azure Regions and Availability Zones.

      • Availability zone: From the drop-down list, select the availability zone(s).

    • Deploy VMs on dedicated hosts: Enable this option to deploy the VMs to physical servers.

      Note: See this Microsoft article for more details about Azure dedicated hosts.

      • Dedicated Host Group: From the drop-down list, select the dedicated host group.

      • Dedicated Host: From the drop-down list, select the dedicated host for the VMs.

        Note: If Automatic assignment is selected, the VMs are automatically assigned to the appropriate hosts when powered on.

    • Deploy VMs in a proximity placement group: Enable this option to deploy VMs in a proximity placement group.

      Note: VMs placed in a proximity group are located physically close to each other in an Azure data center, ensuring the lowest possible network latency between the VMs. See Learn Microsoft: Proximity placement groups for details.

      • Proximity placement group: From the drop-down list, select the proximity placement group.

      • Note: The selected group is automatically assigned to the VM at creation. If no suitable resource is found, VM creation fails.

    • Restart VM after deployment: Select this option to restart the VM after it is created.

      Note: If certain extensions are installed during deployment (FSLogix, Sepago, Virtual Desktop Optimizations, or User Sessions Time Limits), the VM is automatically rebooted even if this option is not selected.

    • Install App Attach certificates: Select this option to install all stored certificates if the App Attach packages are added to this host pool.

    • App-V client service: Enable this option to enable the App-V client service, which is required if the VM uses App Attach packages containing an App-V package.

    • Install Applications: Enable this option to install applications configured by recurrent UAM policies before moving the host out of drain mode.

    • Entra ID group(s): From the drop-down list, select the default Entra ID group(s) to add the session hosts to.
    • Entra Connect replication timeout (minutes): For hybrid enrollments, type a maximum delay for machine account replication from Active Directory via Entra Connect.

      Note: By default, this is 30 minutes. A value up to 120 minutes can be specified.

    • Enforce Intune compliance: From the drop-down list, select this option to make hosts unavailable to users until the Intune compliance requirements are met.

      Notes:

      • Optionally, select Compliance policies only or All policies. The All policies option also requires that Intune managed apps are installed successfully before the host is released from drain mode.

      • Intune integration must be enabled to make use of this feature, with the following options:

        • The Compliance policies only setting requires Intune managed devices read permissions.

        • The All policies setting additionally requires Device Policies & App policies read permissions.

      • Enabling either option may result in a significant increase in provisioning time, depending on the configured Intune compliance requirements.

    • Allow non-admin users to shadow sessions: Enable this option to allow selected non-admin users or groups to shadow sessions.

      Note: Session shadowing is only available with multi-session versions of Windows OS. This feature does not work with Windows 10 Enterprise (single session).

      • User or Group Name: From the drop-down list, select the users or groups to allow to shadow sessions.

    • Security Type: From the drop-down list, select the security type.

      Note: Security type refers to the different security features available for a virtual machine. Security features like Trusted Launch and Confidential virtual machines improve the security of Gen2 VMs. However, additional security features have some limitations, which include not supporting backup, managed disks, and ephemeral OS disks.

    • Encryption at host: Select this option so that data stored on the session host VMs is encrypted at rest and flows encrypted to the Storage service.

      Notes:

      • This setting only applies to newly created desktops.

      • Encryption sets are per subscription/region. You can create hosts in different subscriptions/regions, and based on the host's subscription/region we select the appropriate encryption set.

      • See this Microsoft article to learn more about the encryption at host feature.

    • Disk encryption sets: From the drop-down list, select the disk encryption sets to be used to provide customer-managed key functionality.

      Note: By default, Nerdio Manager uses platform-managed keys. To use the default setting, leave the disk encryption sets blank. If disk encryption sets are required, create these from the Azure portal, in the same region as the desktop pool. Available disk encryption sets can be selected from the drop-down list. To learn more about key options, see Server-side encryption of Azure Disk Storage.

    • Application security group: From the drop-down list, select the Application Security Groups (ASGs) that enable you to configure network security as a natural extension of an application's structure.

      Note: This allows you to group virtual machines and define network security policies based on those groups. This feature allows you to reuse your security policy at scale without manual maintenance of explicit IP addresses. VMs with network interfaces in different regions than the ASG are created without ASG support. The maximum number of supported ASGs is 10.

      See Application Security Groups for more information.

    • Watermarking: Enable this option to enable watermarking.

      Note: Watermarking helps prevent sensitive information from being captured on client endpoints. When you enable watermarking, QR code watermarks appear as part of the remote desktops. The QR code contains the connection ID of a remote session that admins can use to trace the session.

      • Scale: Select the scale, which is the size in pixels of each QR code dot. This value determines the number of squares per dot in the QR code.

      • Opacity: Select the opacity, which is how transparent the watermark is, in percent, where 0 is fully transparent.

      • Width factor: Select the width factor which determines the distance between the QR codes in percent. When combined with the height factor, a value of 0 would make the QR codes appear side-by-side and fill the entire screen.

      • Height factor: Select the height factor, which determines the distance between the QR codes in percent. When combined with the width factor, a value of 0 would make the QR codes appear side-by-side and fill the entire screen.

    • Scripts signing: Enable this option to enable script signing.

      Note: Nerdio Manager can automatically sign all PowerShell extensions and scripted actions running on session host VMs using a specified signing certificate. Please note that the selected certificate must be installed on the VMs for the scripts to work.

  5. Once you have entered all the desired information, select Save or Save & close.
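
Several of the options above (Security Type, Encryption at host, Disk encryption sets, Boot diagnostics) apply only when a VM is created, so it is worth confirming what the deployed session hosts actually received. The following PowerShell is an added example, not part of Nerdio Manager or of this article's original text. It assumes the Az.Compute module, an already authenticated session (Connect-AzAccount), and a resource group name that you supply.

```powershell
# Added example: audit session host VMs against the security-relevant
# settings described on this page. Read-only; it changes nothing.
# Assumption: all session hosts of the pool live in one resource group.
param(
    [Parameter(Mandatory)]
    [string] $ResourceGroupName   # placeholder: resource group of the host pool VMs
)

$report = foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroupName) {
    # The instance view carries the power state; the VM model carries the
    # security, storage and diagnostics profiles.
    $view  = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Status
    $power = ($view.Statuses | Where-Object Code -like 'PowerState/*').Code

    # A null SecurityType means the VM was created as Standard.
    $securityType = $vm.SecurityProfile.SecurityType
    if (-not $securityType) { $securityType = 'Standard' }

    [pscustomobject]@{
        Name                  = $vm.Name
        PowerState            = $power
        # 'PowerState/stopped' = powered off but not deallocated, the state
        # the "Automatically deallocate powered-off VMs" task looks for.
        StoppedNotDeallocated = ($power -eq 'PowerState/stopped')
        SecurityType          = $securityType
        EncryptionAtHost      = [bool]$vm.SecurityProfile.EncryptionAtHost
        # Empty when platform-managed keys are in use (the default).
        DiskEncryptionSetId   = $vm.StorageProfile.OsDisk.ManagedDisk.DiskEncryptionSet.Id
        BootDiagnostics       = [bool]$vm.DiagnosticsProfile.BootDiagnostics.Enabled
    }
}

# Full inventory first, then only the hosts that deviate from a baseline of
# Trusted Launch or Confidential VM with encryption at host enabled.
$report | Format-Table -AutoSize

$report |
    Where-Object { $_.SecurityType -eq 'Standard' -or -not $_.EncryptionAtHost } |
    Select-Object Name, SecurityType, EncryptionAtHost, DiskEncryptionSetId
```

Hosts listed by the second query were created before the setting was enabled or in a subscription/region without a matching configuration.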
