Unified Application Management: Service Accounts

Service Accounts are not required in the majority of circumstances. To discuss this matter further, please contact Nerdio support.

The Unified Application Management feature in Nerdio Manager uses the Winget Microsoft package manager tool to install, remove, and manage applications within your Azure Virtual Desktop instance. In rare circumstances, to function optimally, this tool requires a service account to perform install and uninstall actions. This service account must have local administrative rights on the desktops where it is managing applications. Additionally, this service account must have multi-factor authentication disabled.

This document provides guidance for creating the service account and assigning its permissions in Active Directory (AD), Entra Domain Services, and Hybrid join scenarios. It is also recommended that you assign an Azure conditional access policy that restricts access to a set of predefined networks.

Note: Active Directory Domain Administrator permissions are required to perform these tasks.

Configure your Organizational Units (OUs)

  1. Within your Active Directory Users and Computers (ADUC) console, ensure that your Azure Virtual Desktop (AVD) session hosts are contained within a dedicated AVD Organizational Unit (OU). If your AVD desktops are currently mixed with the wider estate, a nested OU should be created and the AVD desktops moved into this location. This allows existing group policies to be applied, but also allows us to target a new policy to our AVD desktops. If your AVD desktops are spread across multiple dedicated OUs, target all policies described in this document to all AVD OUs.

  2. Within your ADUC console, ensure that a dedicated OU for service accounts exists. This allows us to target a new policy to deny interactive logon to our service account.

    Note: This restriction can also be applied to a group of service accounts. If this already exists in your environment, please add the new service account to the group, and apply the existing policy to your AVD desktops OU.

Create the Service Account for Application Management

  • Within the dedicated OU for service accounts, create a new user account, following your internal naming conventions. Specify a highly complex password and enable ‘password never expires’ as the only creation option. Record the account and password pair in your corporate key management system.

Create the Local Administrator Policy

The first policy to create assigns local administrative permissions to the service account on AVD desktops.

To create the Local Administrator policy:

  1. Open the domain Group Policy management console.

  2. Right click Group Policy Objects and select New.

  3. Provide a suitable name in line with your corporate naming conventions. We use COMP_ManageAVDLocalAdministrator.

  4. Once created, right click and select Edit.

  5. Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.

  6. Within the central section, right click and select New > Local Group.

  7. Within the pop up, enter the following information:

    • Action: Set to Update.

    • Group name: Select "..." and then select Administrators (built-in).

  8. Once you have entered all the necessary information, select Add and then select OK.

    The first policy is created.

  9. Return to the Group Policy main page.

  10. Navigate to the AVD OU container where AVD desktop objects are located.

  11. Right click this OU and select Link an Existing GPO….

  12. Select the policy created above and click OK.

    The first policy is now linked.

Create the Deny Local Logon Policy

This policy prevents the service account from being used to log on directly to a desktop. It is an optional but recommended step.

To create the policy, the steps are similar to the previous process.

  1. Open the domain Group Policy management console.

  2. Right click Group Policy Objects and select New.

  3. Provide a suitable name in line with your corporate naming conventions. We use COMP_DenyAppServiceAccountInteractiveLogon.

  4. Once created, right click and select Edit.

  5. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  6. Edit the settings for Deny log on through Remote Desktop Services and Deny log on locally. Specify your newly created service account in both instances.

  7. Close the open policy window and return to the main Group policy management console.

  8. Return to the Group Policy main page.

  9. Navigate to the AVD OU container where AVD desktop objects are located.

  10. Right click this OU and select Link an Existing GPO….

  11. Select the policy created above and click OK.

    The second policy has now been linked.

This completes the tasks required to configure a service account for the Nerdio Manager Application Management feature. See Configure Nerdio Manager for Unified Application Management for details about how to link Nerdio Manager to this service account.
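
To confirm that both policies have actually taken effect on a session host, the following check can be run there. It is an added example, not part of the original article or Nerdio's tooling. It assumes an elevated PowerShell session on an AVD desktop after Group Policy has refreshed, and the account name `CONTOSO\svc-appmgmt` is a hypothetical placeholder.

```powershell
# Added verification example. Run elevated on an AVD session host after 'gpupdate /force'.
# Assumption: 'CONTOSO\svc-appmgmt' is a placeholder; substitute your own service account.
$ServiceAccount = 'CONTOSO\svc-appmgmt'

function Test-ServiceAccountPolicy {
    param([Parameter(Mandatory)][string]$Account)

    # Resolve the account to its SID; secedit lists domain principals as '*S-1-5-21-...'.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # Local Administrator policy: the account should be a direct member of the
    # built-in Administrators group (well-known SID S-1-5-32-544).
    $isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.SID.Value -eq $sid })

    # Deny logon policy: export the effective user rights and read the two deny rights.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -Force

    $result = [ordered]@{ Account = $Account; LocalAdministrator = $isAdmin }
    foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $line = $lines | Where-Object { $_ -match "^$right\s*=" }
        $entries = if ($line) { ($line -split '=', 2)[1].Split(',').Trim() } else { @() }
        # Matches a direct assignment only. If the right is granted to a group of
        # service accounts instead, compare against that group's SID.
        $result[$right] = ($entries -contains "*$sid") -or ($entries -contains $Account)
    }
    [pscustomobject]$result
}

$report = Test-ServiceAccountPolicy -Account $ServiceAccount
$report | Format-List

# Flag any control that is missing so the host can be investigated.
$missing = $report.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    ForEach-Object { $_.Name }
if ($missing) { Write-Warning "Not applied on ${env:COMPUTERNAME}: $($missing -join ', ')" }
```

`SeDenyInteractiveLogonRight` corresponds to Deny log on locally and `SeDenyRemoteInteractiveLogonRight` to Deny log on through Remote Desktop Services.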
