Unified Application Management: Service Accounts
The Unified Application Management feature in Nerdio Manager uses the Winget Microsoft package manager tool to install, remove, and manage applications within your Azure Virtual Desktop instance. All actions are performed in the administrative user context, therefore a service account must be available to perform these actions. This is required for Winget deployments to both AVD and Intune devices. By default, Nerdio Manager uses a local user account, which is created automatically by the Nerdio application deployment task. Alternatively, customers using Active Directory and Group Policy may provision a dedicated service account, if required. Guidance for this is provided in the section Active Directory Service Account.
Default Credential Management Process - Local Account (Nerdio Manager v6.5 and onwards)
By default, Nerdio Manager creates and makes use of a local user account to facilitate the deployment of Winget applications via the UAM feature. When created, the credential is assigned with a randomly generated 30-character password, including 10 special characters. The password is unique per desktop, ensuring that the credential cannot be used to access other desktops in the environment.
When an application deployment task occurs, Nerdio Manager:
Enables the service account
Rotates its password
Adds it to the local Administrators group so that it can perform the installation task
Once the task is complete, Nerdio Manager:
Disables the service account
Removes it from the local Administrators group
Rotates its password again
The credentials for the service account are not stored in any location and are refreshed before each use.
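The following PowerShell is an added illustration of the just-in-time lifecycle described above (enable, rotate, elevate, run the task, then demote, disable and rotate again); it is not Nerdio Manager's own code. It runs elevated on a session host; the account name nmw-appdeploy, the password alphabet and the body of the deployment task are assumptions.

```powershell
# Added example, not Nerdio Manager's code: ephemeral local administrator lifecycle.
# Assumed names: 'nmw-appdeploy' (account), $DeploymentTask (caller-supplied work).

function Get-RandomIndex {
    # Uniform index in [0, $Max) from a CSPRNG; rejection sampling avoids modulo bias.
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Max)
    $buf   = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $Rng.GetBytes($buf)
        $value = [System.BitConverter]::ToUInt32($buf, 0)
    } while ($value -ge $limit)
    return [int]($value % $Max)
}

function New-RandomPassword {
    # 30 characters, 10 of them special, matching the policy stated on the page.
    param([int]$Length = 30, [int]$SpecialCount = 10)
    $special = '!@#$%^&*()-_=+[]{}:;,.?'.ToCharArray()
    $alnum   = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789'.ToCharArray()
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars   = New-Object System.Collections.Generic.List[char]
    for ($i = 0; $i -lt $SpecialCount; $i++)             { $chars.Add($special[(Get-RandomIndex $rng $special.Length)]) }
    for ($i = 0; $i -lt ($Length - $SpecialCount); $i++) { $chars.Add($alnum[(Get-RandomIndex $rng $alnum.Length)]) }
    # Fisher-Yates shuffle so the special characters are not clustered at the front.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex $rng ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()
    return -join $chars
}

function Invoke-WithEphemeralLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][scriptblock]$DeploymentTask
    )
    # Rotate (or create with) a fresh password before every use.
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    if (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue) {
        Set-LocalUser -Name $AccountName -Password $secure
    } else {
        New-LocalUser -Name $AccountName -Password $secure -PasswordNeverExpires `
            -UserMayNotChangePassword -Description 'Assumed: UAM deployment account' | Out-Null
    }
    Enable-LocalUser -Name $AccountName
    Add-LocalGroupMember -Group 'Administrators' -Member $AccountName -ErrorAction SilentlyContinue
    try {
        $cred = [pscredential]::new("$env:COMPUTERNAME\$AccountName", $secure)
        & $DeploymentTask $cred
    }
    finally {
        # Demote, disable and rotate again even if the task failed, so no usable
        # credential remains on the host after the run.
        Remove-LocalGroupMember -Group 'Administrators' -Member $AccountName -ErrorAction SilentlyContinue
        Disable-LocalUser -Name $AccountName
        Set-LocalUser -Name $AccountName -Password (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
    }
}

# Usage: the task receives the short-lived credential. The body stands in for the
# page's install / update / remove actions.
Invoke-WithEphemeralLocalAdmin -AccountName 'nmw-appdeploy' -DeploymentTask {
    param([pscredential]$Credential)
    Write-Host "Running deployment task as $($Credential.UserName)"
    # The winget install / upgrade / uninstall would be executed here under $Credential.
}
```

The try/finally is the important design choice: the account is only a local administrator for the duration of the task, and the password is rotated on both sides of it, so a failed or interrupted deployment still leaves no standing credential on the desktop.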
Credential Manager Service Account (Prior to Nerdio Manager v6.5)
In versions prior to v6.5, Nerdio Manager manages the creation and use of a local administrative account on the target VM using the Credential Manager tool, which stores credential details securely on the target desktop. These credentials may only be read by a member of the local Administrators group.
When created, the credential is assigned a randomly generated 30-character password, including 10 special characters. The password is unique per desktop, ensuring that the credential cannot be used to access other desktops in the environment.
These credentials are called directly on the desktop from Credential Manager when an action has been assigned (install, update, remove). The credentials remain on the target desktop and are not included in any scripts used to manage the application.
Active Directory Service Account
A customer-created Active Directory service account is not required in the majority of circumstances. To discuss this matter further, please contact Nerdio support.
In rare circumstances, to function optimally, Unified Application Management requires a domain service account to perform Winget install and uninstall actions. This service account must have local administrative rights on the desktops where it is managing applications. Additionally, this service account must have multi-factor authentication disabled.
This document provides guidance for the creation and assignment of permissions to the service account in Active Directory (AD), Entra Domain Services, and Hybrid join scenarios. It is also recommended that an Azure Conditional Access policy restricting this account to a set of predefined networks is assigned.
Note: Active Directory Domain Administrator permissions are required to perform these tasks.
Configure your Organizational Units (OUs)
Within your Active Directory Users and Computers (ADUC) console, ensure that your Azure Virtual Desktop (AVD) session hosts are contained within a dedicated AVD Organizational Unit (OU). If your AVD desktops are currently mixed with the wider estate, a nested OU should be created and the AVD desktops moved into this location. This allows existing group policies to continue to apply, while also allowing a new policy to be targeted at the AVD desktops only. If your AVD desktops are spread across multiple dedicated OUs, target all policies described in this document at all AVD OUs.
Within your ADUC console, ensure that a dedicated OU for service accounts exists. This allows a new policy to be targeted at the service account to deny it interactive logon.
Note: This restriction can also be applied to a group of service accounts. If such a group already exists in your environment, add the new service account to the group, and apply the existing policy to your AVD desktops OU.
Create the Service Account for Application Management
Within the dedicated OU for service accounts, create a new user account, following your internal naming conventions. Specify a highly complex password and enable ‘password never expires’ as the only creation option. Record the account and password pair in your corporate key management system.
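The same account creation step as PowerShell, added here as an example (it is not from the page and not Nerdio's code). It runs on a domain-joined administrative workstation with the RSAT ActiveDirectory module; the OU path, UPN suffix and account name are assumptions to replace with your own naming conventions.

```powershell
# Added example, not from the page: create the service account with the attributes
# described above and confirm them. Assumed values: $ServiceAccountOU, $AccountName,
# $UpnSuffix.
Import-Module ActiveDirectory

$ServiceAccountOU = 'OU=Service Accounts,DC=corp,DC=example'   # assumed
$AccountName      = 'svc-avd-appmgmt'                          # assumed
$UpnSuffix        = 'corp.example'                             # assumed

# Prompted rather than generated here, so the value can be recorded in your key
# management system at the moment it is set.
$Password = Read-Host -Prompt "Password for $AccountName" -AsSecureString

# 'Password never expires' is the only creation option set, as the step above states.
New-ADUser -Name $AccountName `
           -SamAccountName $AccountName `
           -UserPrincipalName "$AccountName@$UpnSuffix" `
           -Path $ServiceAccountOU `
           -AccountPassword $Password `
           -PasswordNeverExpires $true `
           -Enabled $true `
           -Description 'Nerdio Manager UAM Winget deployment service account'

# Verify the account landed in the right OU with the expected flags.
$user = Get-ADUser -Identity $AccountName -Properties PasswordNeverExpires
$checks = [ordered]@{
    'In service account OU'  = $user.DistinguishedName -like "*,$ServiceAccountOU"
    'Enabled'                = $user.Enabled
    'Password never expires' = $user.PasswordNeverExpires
}
$checks.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
```

The check at the end matters because the deny-logon policy described later is scoped by OU: an account created outside the service accounts OU would silently miss that restriction.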
Create the Local Administrator Policy
The first policy to create assigns local administrative permissions to the service account on AVD desktops.
To create the Local Administrator policy:
Open the domain Group Policy management console.
Right click Group Policy Objects and select New.
Provide a suitable name in line with your corporate naming conventions. We use COMP_ManageAVDLocalAdministrator.
Once created, right click and select Edit.
Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.
Within the central section, right click and select New > Local Group.
Within the pop up, enter the following information:
Action: Set to Update.
Group name: Select "..." and then select Administrators (built-in).
Once you have entered all the necessary information, select Add to add the service account as a member of the group, and then select OK.
The first policy is created.
Return to the main page of the Group Policy management console.
Navigate to the AVD OU container where AVD desktop objects are located.
Right click this OU and select Link an Existing GPO….
Select the policy created above and click OK.
The first policy is now linked.
Create the Deny Local Logon Policy
This policy prevents the service account from being used to log on directly to a desktop. It is an optional but recommended step.
To create the policy, the steps are similar to the previous process.
Open the domain Group Policy management console.
Right click Group Policy Objects and select New.
Provide a suitable name in line with your corporate naming conventions. We use COMP_DenyAppServiceAccountInteractiveLogon.
Once created, right click and select Edit.
Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
Edit the settings for Deny log on through Remote Desktop Services and Deny log on locally. Specify your newly created service account in both instances.
Close the open policy window and return to the main Group policy management console.
Navigate to the AVD OU container where AVD desktop objects are located.
Right click this OU and select Link an Existing GPO….
Select the policy created above and click OK.
The second policy has now been linked.
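Once both policies have applied to a session host (after a gpupdate), the following added PowerShell confirms their effect for the service account; it is not from the page and not Nerdio's code. It runs elevated on an AVD session host and reads the effective user rights assignments with secedit, so it checks the result of both the Local Administrator policy and the Deny Local Logon policy in one pass. The account name is an assumption and must be given in DOMAIN\sAMAccountName form, which is how Get-LocalGroupMember reports domain principals.

```powershell
# Added example, not from the page: verify both GPOs took effect on a session host.
# Assumed value: $Account (NetBIOS domain\sAMAccountName of the service account).
$Account = 'CORP\svc-avd-appmgmt'   # assumed

function Get-PrivilegeRights {
    # Export the effective local security policy and parse [Privilege Rights] into
    # a hashtable: privilege name -> list of principals (account names or *SIDs).
    $inf = Join-Path $env:TEMP ('ura-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $rights    = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            $name  = $Matches[1]
            $value = $Matches[2]
            $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    return $rights
}

function Test-PrivilegeGranted {
    # True if the principal is listed for the privilege, by name or by *SID
    # (secedit writes SIDs for principals it does not resolve to a name).
    param([hashtable]$Rights, [string]$Privilege, [string]$Name, [string]$Sid)
    $entries = @($Rights[$Privilege])
    return ($entries -contains $Name) -or ($entries -contains "*$Sid")
}

$sid    = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value
$rights = Get-PrivilegeRights
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })

$results = [ordered]@{
    'Member of local Administrators'     = $admins -contains $Account
    'Deny log on locally'                = Test-PrivilegeGranted $rights 'SeDenyInteractiveLogonRight'       $Account $sid
    'Deny log on through Remote Desktop' = Test-PrivilegeGranted $rights 'SeDenyRemoteInteractiveLogonRight' $Account $sid
}
$results.GetEnumerator() | ForEach-Object { '{0,-35} {1}' -f $_.Key, $_.Value }
```

All three rows should read True. A False on the first row means the Local Administrator policy has not reached this host (check the OU the computer object sits in and the GPO link); a False on either deny row means the service account is still able to log on interactively, which is the exposure the second policy exists to close.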
This completes the tasks required to configure a service account for the Nerdio Manager Application Management feature. See Configure Nerdio Manager for Unified Application Management for details about how to link Nerdio Manager to this service account.