Nerdio Manager for Enterprise Reference Architecture

The core infrastructure of Nerdio Manager for Enterprise consists of a self-contained Azure application (Web App) and the associated components to support the activities and automation of this application. For details about these components, see the Components section.

Nerdio Manager is designed to manage the following functions and components within your Azure Virtual Desktop environment:

  • VM creation and deletion

  • Customized auto-scale activity for desktops, disks, and storage

  • Custom scripted actions for desktop management

  • Custom runbooks for Azure resource management

  • The creation, versioning, and backup of desktop images

  • Azure Files for script, profile, and application storage and management

  • The deployment and management of applications

  • The deployment and management of FSLogix for profile and application management

  • Azure NetApp Files for larger and more demanding AVD environments

The diagram below provides a high-level overview of the recommended Nerdio Manager deployment topology. Nerdio Manager's core components should be deployed into a dedicated Nerdio Manager resource group. Furthermore, it is recommended that the separate components of the AVD architecture are deployed into their own dedicated resource groups. This includes:

  • Host pools

  • Storage accounts

  • Other management resources such as Entra Domain Services components, if applicable

Nerdio Manager must be granted specific permissions within your Entra ID (as an Enterprise Application) and against the Azure subscriptions and resource groups to be managed. For details, see the Permissions section.

Typical Deployment Scenarios

The Nerdio Manager application can be deployed in single subscription, multi-subscription, and multi-tenant scenarios.

  • Multi-tenant deployments: These are considered "advanced" deployments. If you are considering a multi-tenant deployment, we recommend that you discuss your deployment process with the Nerdio Manager for Enterprise support team. In addition, refer to Advanced Installation Methods for details.

  • Single or multi-subscription scenarios: When deploying Nerdio Manager in a single or multi-subscription scenario in combination with Entra Domain Services, line-of-sight connectivity between the AVD desktops and the domain is required. This connectivity facilitates domain join operations, DNS resolution, and other domain services. This requirement also applies to native AVD deployments.

The diagram below provides an overview of a typical multi-subscription deployment. Nerdio Manager orchestrates activities via API integration with the tenant and subscriptions. Direct connectivity is required to the domain and storage services (file shares). As a best practice, VNet peering between networks should be used to enable this connectivity for both single-subscription and multi-subscription deployments. For details about VNet peering configuration, see Create a virtual network peering - Resource Manager, different subscriptions and Microsoft Entra tenants.

Connectivity to an on-premises domain infrastructure is also supported across VPN and Express Route circuits, either directly (for single-subscription scenarios) or via the use of Express Route Authorizations (for a multi-subscription scenario). As a best practice, we recommend that domain services are configured in Azure to support the AVD infrastructure and minimize network traffic, latency, and complexity.

Components

A Nerdio Manager environment comprises the following core components:

  • The Nerdio Manager Azure App Service plan and Web app

  • An Enterprise app registration in Entra ID with associated API permissions

  • An Azure SQL database

  • An Azure Key vault

  • One or more Storage Accounts performing the following functions:

    • Transient storage of scripts

    • Temporary VHD storage

    • Boot diagnostics for created VMs

    • Storage of encryption keys required for the database (Nerdio Manager for Enterprise v5.5 and later)

  • An Azure Automation account to facilitate the following automated activities:

    • Nerdio Manager updates triggered manually from within Nerdio Manager

    • Azure runbooks scripted actions

  • One or more Log Analytics workspaces

  • Application Insights for logging exceptions and API utilization statistics

Permissions

Nerdio Manager runs within the customer's Entra ID and Azure subscription and needs a minimum set of permissions to perform its day-to-day tasks. The required permissions apply to Entra ID and to the Azure subscription that Azure Virtual Desktop will be deployed into.

When Nerdio Manager is deployed, an Entra ID Enterprise App is created, which requires Graph API permissions to be configured. If the person performing the installation has Entra ID Global Admin permissions, these are configured automatically. Alternatively, they can be pre-configured. For a full list of the API permissions, see Azure Permissions and Nerdio Manager.

The Enterprise App also requires Contributor permissions against the resource groups that Nerdio Manager is managing. Nerdio Manager applies the following permissions against the subscription for the service principal:

  • Backup Reader

  • Reader

Any resource groups that contain resources which are managed by Nerdio Manager require Contributor permissions assigned to the service principal.
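The following PowerShell is an added example, not Nerdio's own tooling, that audits a service principal's Azure RBAC assignments against the minimum described above (Reader and Backup Reader at subscription scope, Contributor only on the managed resource groups) and flags anything missing or broader than that. It assumes the Az.Accounts and Az.Resources modules with an existing Connect-AzAccount session; the display name and resource group names are placeholders to replace with your own.

```powershell
# Added example: audit the Nerdio Manager service principal's RBAC assignments
# against the documented minimum. Requires Az.Accounts + Az.Resources and an
# active Connect-AzAccount session. Values below are placeholders.
param(
    [string]$SpDisplayName = 'NerdioManager-Placeholder',          # placeholder: Enterprise App display name
    [string[]]$ManagedResourceGroups = @('rg-nerdio-placeholder',  # placeholder: Nerdio Manager resource group
                                         'rg-hostpool-placeholder') # placeholder: one dedicated RG per host pool
)

$subId    = (Get-AzContext).Subscription.Id
$subScope = "/subscriptions/$subId"
$sp = Get-AzADServicePrincipal -DisplayName $SpDisplayName
if (-not $sp) { throw "Service principal '$SpDisplayName' not found in the current tenant" }

# All role assignments held by the service principal in the current subscription
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id
$findings    = @()

# 1. Subscription scope: the documented set is exactly Reader + Backup Reader
$expectedSubRoles = @('Reader', 'Backup Reader')
$subRoles = $assignments |
    Where-Object { $_.Scope -eq $subScope } |
    Select-Object -ExpandProperty RoleDefinitionName
foreach ($role in $expectedSubRoles) {
    if ($subRoles -notcontains $role) { $findings += "MISSING: '$role' at subscription scope" }
}
foreach ($role in $subRoles) {
    if ($expectedSubRoles -notcontains $role) { $findings += "EXCESS : '$role' at subscription scope" }
}

# 2. Each managed resource group needs Contributor for the service principal
foreach ($rg in $ManagedResourceGroups) {
    $rgScope = "$subScope/resourceGroups/$rg"
    $hasContributor = $assignments |
        Where-Object { $_.Scope -eq $rgScope -and $_.RoleDefinitionName -eq 'Contributor' }
    if (-not $hasContributor) { $findings += "MISSING: 'Contributor' on resource group '$rg'" }
}

# 3. Anything broader than the documented scopes: Owner anywhere, or Contributor
#    above resource-group level (subscription or management group scope)
$assignments | Where-Object {
    $_.RoleDefinitionName -eq 'Owner' -or
    ($_.RoleDefinitionName -eq 'Contributor' -and $_.Scope -notlike "$subScope/resourceGroups/*")
} | ForEach-Object { $findings += "EXCESS : '$($_.RoleDefinitionName)' at scope $($_.Scope)" }

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Role assignments for '$SpDisplayName' match the documented minimum."
}
```

Run it once per subscription that Nerdio Manager manages; a Contributor assignment that is inherited from a broader scope shows up under finding 3 rather than as the per-resource-group assignment the page describes.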

Firewall Requirements

When VNet integration is applied to the Nerdio Manager app, the network connectivity flow changes. In most cases, the subnet has outbound access restricted. To overcome that, the addresses listed in VNet Integration Firewall Requirements must be allowed outbound access for Nerdio Manager to function as required.

Data Flow

The diagram below provides the data flow information for a simple single-subscription deployment scenario.

For detailed information, see:

  1. Service Overview and Network Port Requirements for Windows

  2. Hybrid Identity Required Ports and Protocols

  3. Firewall Requirements

  4. Port 445 is Blocked

  5. Connection Policy

  6. Application Insights and Log Analytics APIs

Deployment

Nerdio Manager is deployed directly from the Azure Marketplace.

The installation is split into the following components:

  • Azure Marketplace Deployment, which deploys the resources required to use Nerdio Manager. The resources that are deployed into the Azure subscription are:

    • Automation account

    • SQL Server + SQL Database

    • Key Vault

    • App Service + App Service Plan

    • Application Insights

    • DPS storage account for encryption keys (Nerdio Manager for Enterprise v5.5 and later)

  • The second part of the deployment requires a PowerShell script that is dynamically created within CloudShell. This requires the person running the script to have Entra ID Global Admin and Azure Subscription Owner rights because it creates the Entra ID Enterprise Application and App Registrations.

If this is not possible, you can pre-create the Entra ID Enterprise App. For details, see Advanced Installation Methods.

Using the split installation method, the person performing the Entra ID configuration requires Entra ID Global Admin rights. In addition, the person performing the Azure subscription configuration needs Owner permissions against the subscription.

Note: See the Nerdio Manager Implementation Guide for full details.

For deployments that require high availability (HA) for users and session hosts, follow recommendations in Business Continuity and Disaster Recovery (BCDR) Guidance for AVD Environments with Nerdio Manager.

Nerdio Manager now supports multiple Disaster Recovery (DR) options for the management (WebApp) layer. For more details, see:

Deployment Customization

Important! Prior to deployment, please contact the Nerdio Manager for Enterprise support team to discuss customization options.

Nerdio Manager for Enterprise provides a number of advanced installation methods for situations where a deployment must be customized, or where security policies dictate that elements must be created manually or by different users. For supported scenarios, see Advanced Installation Methods.

Nerdio Manager must use a newly created dedicated PaaS SQL instance.

The following is not supported:

  • Creating a new database for Nerdio Manager within an existing PaaS SQL instance.

  • Hosting additional non-Nerdio Manager databases within the dedicated PaaS SQL instance.

By default, Nerdio Manager creates an S1 SQL PaaS database instance with the properties described in Standard service tier.

The collation for the PaaS SQL database must be configured as: Latin1_General_CP1_CI_AS.

Servicing

Nerdio Manager is managed via the Application web console, which includes the end-user update mechanism. When a new version is released, the update is displayed as available under the Updates menu item. For details, see Update the Nerdio Manager Application.

Nerdio Manager updates are released monthly, with a public preview version released approximately 1-2 weeks prior to General Availability (GA). Hotfixes may be supplied if issues requiring immediate resolution are identified in a release. In this case, the customer should contact the Nerdio Manager for Enterprise support team to discuss their requirement. Hotfixes are applied by selecting the Redeploy option for the current release from the Updates menu.

Best Practices

Nerdio Manager is an API-driven application. Therefore, as the environment scales, the API requests must be kept within the documented limits.

Consider the following notes:

  • The number of API requests per Nerdio Manager deployment can vary depending on how many host pools and session hosts are being managed. It is recommended that host pools should be created in a dedicated resource group per pool.

  • Microsoft recommends that no more than 2500 VMs per Azure subscription are deployed when Auto-scaling is enabled.

  • For details about how to optimize the API requests, see Azure API Limits and Throttling Overview.

  • For larger environments, we also recommend scaling up the App Service plan and the SQL database tier.

  • We recommend scaling up to a SQL database with 100 DTUs and the App Service plan to at least an S3 or P2V2 when you are managing 200+ AVD session hosts.

  • Nerdio Manager must use a newly created dedicated PaaS SQL instance.

    The following is not supported:

    • Creating a new database for Nerdio Manager within an existing PaaS SQL instance.

    • Hosting additional non-Nerdio Manager databases within the dedicated PaaS SQL instance.

  • For details about scaling up Nerdio Manager in large deployments, see Scale Up Nerdio Manager for Large Deployments.

Image Management

Nerdio Manager for Enterprise automates the Microsoft best practices for Azure Virtual Desktop image management.

Consider the following notes:

  • Nerdio Manager can import the customers' existing images from VHD format, or create new images.

  • Nerdio Manager automates the entire process, including taking snapshots of images, performing a sysprep of the images, and publishing to Azure Compute Galleries.

  • Image updates with Windows security patches and applications can also be fully automated using Nerdio Manager with a combination of scripted actions and scheduled image update capability.

  • Nerdio Manager can fully manage the creation and publishing of images to the Azure Compute Gallery, including versioning control and publishing to multiple regions.

  • Nerdio Manager can automate the deployment of images to existing AVD session hosts, including the options to customize the scheduling to satisfy the customers' requirements.

  • Nerdio Manager allows you to perform "image staging". When automating your image management and deployment, fully test your image using the staging host pools, and push the image to production only after validation has occurred.

Tip: It is recommended not to have the Azure Virtual Desktop agent or FSLogix agent installed on your source image, because Nerdio Manager installs the latest version for you when hosts are deployed and re-imaged.

Profile Management

Nerdio Manager simplifies management of the FSLogix profile management solution, which is offered by Microsoft.

Consider the following notes:

  • Nerdio Manager can automate the process of creating the FSLogix profile shares by creating the storage accounts, shares, share permissions, NTFS permissions, and performing the domain join.

  • Nerdio Manager allows you to create FSLogix profiles, which can be assigned to host pools in Nerdio Manager. This lets you create multiple FSLogix profile shares without having to apply any group policies to the session hosts.

  • Nerdio Manager can leverage the use of Cloud Cache automatically for DR scenarios.

  • Nerdio Manager can perform maintenance on VHD File Locks, allowing you to unlock file handles without having to reboot hosts.

For more details about configuring FSLogix user profiles in Nerdio Manager, see FSLogix Settings and Configuration.

Applications

Nerdio Manager manages applications using several different methods, including native methods or third-party integration.

Consider the following notes:

  • Applications can be deployed into the image using typical servicing methods. That is, either direct installation on to the source VM or via the scripted installation tools built into Nerdio Manager.

  • Nerdio Manager has a Scripted Actions capability, which uses automation to deploy applications onto the session hosts or images. These can use package repositories like WinGet for complete automation of application management and deployment.

  • The Nerdio Manager Unified Application Management feature allows you to leverage functionality similar to scripted actions, but with the ability to manage application deployments via application policies, and review the status of these applications in the UAM console. For more details, see Unified Application Management: Manage Applications.

  • Nerdio Manager extends the capability of MSIX App Attach and App Attach by automating the VHD conversion process and installing the certificates onto the images and session hosts.

  • Nerdio Manager publishes the applications onto the session hosts, and manages the creation of App Groups for assigning MSIX applications to specific groups of users.

  • Nerdio Manager fully integrates with third-party vendors including Rimo3, Liquidware, FlexApp One, and AppCURE, for advanced capabilities and flexibility.

For guidance about configuring various types of applications, see Unified Application Management.

Cost Optimization

Nerdio Manager offers significant benefits to organizations looking to optimize their costs associated with Azure Virtual Desktop. These include:

Host Pool Auto-scaling

Nerdio Manager offers a range of auto-scaling options including RAM, CPU, and Available Session-based automation. Additionally, these auto-scaling rules may be combined to allow multiple triggers for scale-in or -out operations. To enable auto-scaling, a pool must be created as, or converted to, a dynamic pool within Nerdio Manager.

As part of the auto-scaling function, Nerdio Manager can be instructed to convert the desktop’s OS disk to a cheaper alternative when the desktop is not running. This feature is part of the auto-scale function detailed in the articles above. The configuration of this feature differs between schedule-based and user-driven auto scaling modes. If using user-driven mode, disks must be pre-staged.

Nerdio Manager also offers advanced auto-scaling history reporting to assist you in making decisions around the sizing of host pools.

Storage Auto-scaling

Nerdio Manager allows for the dynamic auto-scaling of Azure Files Premium shares and Azure NetApp File shares (ANF) based on usage and performance to ensure that maximum cost savings are achieved, while simultaneously maintaining the performance required to support your users.

Log Analytics Optimization

Nerdio Manager can quickly configure the Log Analytics retention and performance counter sample rate. These changes can greatly reduce the costs associated with storing and monitoring host pool performance data. To maximize cost savings, data should be retained for 30 days, and counters should be set to low. If this data is required for historical reporting or audit purposes, please configure these settings as required by your organization.

For details about configuring your Log Analytics data, see Log Analytics Management.

Intune Integration

Nerdio Manager allows you to integrate Intune management. This provides a range of benefits for the review and management of Intune-enrolled devices, including:

  • A list of all managed devices with their policy compliance status.

  • The ability to review and edit all details on a per-device basis.

  • Comprehensive RBAC controls to ensure that access to Intune device details can be fully restricted.

  • Functional enhancements including:

    • Automatic policy backup and versioning.

    • Side-by-side policy comparison tool.

    • Policy conflict dashboard with graphical diagrams.

To enable this feature, see Unified Endpoint Management: Enable and Configure Intune.

For all documents related to this feature, see Unified Endpoint Management.

Reports and Alerts

Nerdio Manager provides detailed reporting for all activities performed. Relevant information is presented on all category pages, including workspaces, host pools, hosts, images, applications, and scripted actions. You can find additional information and historical activities under the Logs menu, available from Nerdio Manager's sidebar.

You can create custom notification conditions (rules) on the Notifications > Conditions page. A set of pre-configured notification conditions is available for use. The Notifications > Actions page allows you to create alerts based on these conditions. For example, an email can be generated for all failed host creation tasks and delivered to a specified recipient.

Source mailboxes for sending alerts should be configured from the Settings > Nerdio environment > Email notifications page. Nerdio Manager supports the addition of multiple source mailboxes, which can be used for the delivery of different alert types.

Tip: To provide visibility of potential service degradation for users, Nerdio Manager recommends that all host creation and start errors should be flagged via the use of conditions and actions. Alerts should be forwarded to a monitored, shared IT mailbox so that the appropriate remediation actions may be performed.

Windows 365 Integration

Integrated with Windows 365, Nerdio Manager enables dual management of both Azure Virtual Desktop and Windows 365 through a single pane of glass.

You can perform the following actions in Nerdio Manager:

  • Create and manage Windows 365 provisioning policies

  • Manage user settings

  • Use advanced RBAC control for Windows 365 and Intune

  • Access advanced image management capabilities

  • Deliver applications easily using Nerdio Manager's Unified Application Management

  • Manage Intune effectively using Nerdio Manager’s Unified Endpoint Management

  • Manage Windows 365 Frontline

AI Integration

Nerdio Manager integrates with various Azure AI services to enhance the capabilities of the product. Currently, these capabilities include:

  • Nerdio Copilot

  • Personally Identifiable Information Detector

  • AI-powered description generation

  • AI-powered auto-scale insights with intelligent recommendations

Nerdio Manager can integrate with any existing OpenAI deployments within your subscription, or it can automatically deploy them for you. For more details, see AI and Nerdio Manager.

Considerations and Limitations

The following details should be considered when implementing AVD with automation. Nerdio Manager adheres to Microsoft’s Azure guidance for automation-enabled AVD deployments. For details, see Azure Virtual Desktop limitations.

Consider the following notes:

  • Nerdio Manager supports a maximum of 2,500 VMs per subscription per region, in line with Microsoft guidance.

  • For best performance, you should create host pools in a dedicated resource group per pool.

  • Nerdio Manager must use a newly created dedicated PaaS SQL instance.

    The following is not supported:

    • Creating a new database for Nerdio Manager within an existing PaaS SQL instance.

    • Hosting additional non-Nerdio Manager databases within the dedicated PaaS SQL instance.

  • To avoid API throttling errors, you should batch large operations (such as start, stop, create, refresh, and delete) using the in-built Nerdio Manager group processing function.

  • For large environments, increasing the size and performance of the database and app service plan results in improved performance. Additionally, some changes to the operation of API requests may provide improved performance. For details about scaling up Nerdio Manager in large deployments, see Scale Up Nerdio Manager for Large Deployments.
