Nerdio Manager for Enterprise Reference Architecture



Nerdio Manager's core infrastructure is comprised of a self-contained Azure application (Web App) and the associated components to support the activities and automation of this application. Please see the Components section for full details.

Nerdio Manager is designed to manage the following functions and components within your Azure Virtual Desktop environment:

  • VM creation and deletion.

  • Customized auto-scale activity for desktops, disks, and storage.

  • Custom scripted actions for desktop management.

  • Custom Azure Runbooks for Azure resource management.

  • The creation, versioning, and backup of desktop images.

  • Azure Files for script, profile, and application storage and management.

  • The deployment and management of applications.

  • The deployment and management of FSLogix for profile and application management.

  • Azure NetApp Files for larger and more demanding AVD environments.

The diagram shown below provides a high-level overview of the recommended Nerdio Manager deployment topology. Nerdio Manager's core components should be deployed into a dedicated Nerdio Manager resource group. Furthermore, it is recommended that separate components of the AVD architecture should be deployed into their own dedicated resource groups. This includes:

  • Host Pools

  • Storage Accounts

  • Other Management Resources (for example, Entra Domain Services components, if applicable)

Nerdio Manager must be granted specific permissions within your Entra ID (as an Enterprise Application) and against the Azure Subscriptions and Resource Groups to be managed. See the Permissions section for full details.

Typical Deployment Scenarios

The Nerdio Manager application can be deployed in single subscription, multi-subscription, and multi-tenant scenarios.

Multi-tenant deployments are considered "advanced" deployments. Please refer to the documentation below for details. If you are considering a multi-tenant deployment, we recommend that you discuss your deployment process with the Nerdio support team. In addition, please refer to this article about advanced installation methods.

When deploying Nerdio Manager in a single or multi-subscription scenario in combination with Entra Domain Services, it is a requirement that line-of-sight connectivity between the AVD desktops and the domain is possible. This connectivity facilitates domain join operations, DNS resolution, and other domain services. This requirement is also true for native AVD deployment.

The diagram below provides an overview of a typical multi-subscription deployment. Nerdio Manager orchestrates activities via API integration with the tenant and subscriptions. Direct connectivity is required to the domain and storage services (file shares). As a best practice, VNet peering between networks should be used to enable this connectivity for both single-subscription and multi-subscription deployments. Please refer to this Microsoft article about VNet peering configuration.

Connectivity to an on-premises domain infrastructure is also supported across VPN and Express Route circuits, either directly (for single-subscription scenarios) or via the use of Express Route Authorizations (for a multi-subscription scenario). As a best practice, we recommend that the domain services are configured in Azure to support the AVD infrastructure and minimize network traffic, latency, and complexity.


A Nerdio Manager environment is comprised of the following core components:

  • The Nerdio Manager Azure App Service plan and Web app.

  • An Enterprise app registration in Entra ID with associated API permissions.

  • An Azure SQL database.

  • An Azure Key vault.

  • One or more Storage Accounts performing the following functions:

    • Transient storage of scripts.

    • Temporary VHD storage.

    • Boot diagnostics for created VMs.

  • An Azure Automation account to facilitate the following automated activities:

    • Manually triggered Nerdio Manager updates from the Nerdio Manager console.

    • Azure Runbooks scripted actions.

  • One or more Log Analytics Workspaces.

  • Application Insights for logging of exceptions and API utilization statistics.


Nerdio Manager runs within the customer's Entra ID and Azure subscription and needs a minimum set of permissions to perform its day-to-day tasks. The required permissions apply to Entra ID and to the Azure subscription into which Azure Virtual Desktop will be deployed.

When Nerdio Manager is deployed, an Entra ID Enterprise App is created which requires Graph API Permissions to be configured. If the person performing the install has Entra ID Global Admin permissions, these are configured automatically. Alternatively, they can be pre-configured. Please refer to this article for a full list of the API permissions.

The Enterprise App also requires Contributor permissions against the resource groups that Nerdio Manager is managing. Nerdio Manager applies the following permissions against the subscription for the service principal:

  • Backup Reader

  • Reader

Any resource groups that contain resources which are managed by Nerdio Manager require Contributor permissions assigned to the service principal.
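The role model described above can be checked against what is actually assigned to the service principal. The following is an added example, not Nerdio's own tooling: it assumes the role assignments were exported as JSON with the `roleDefinitionName` and `scope` fields that `az role assignment list --assignee <id> --all -o json` produces, and the subscription ID and resource group names are constructed placeholders. It does not cover the Graph API permissions of the Enterprise App.

```python
import re

# Permission model stated on this page: Reader and Backup Reader at the
# subscription, Contributor on each resource group Nerdio Manager manages.
SUBSCRIPTION_ROLES = {"Reader", "Backup Reader"}
RESOURCE_GROUP_ROLE = "Contributor"
SCOPE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)(?:/resourceGroups/(?P<rg>[^/]+))?(?P<rest>/.+)?$",
    re.IGNORECASE)

def audit_assignments(assignments, subscription_id, managed_rgs):
    """Compare role assignments with the documented model.

    assignments: dicts with 'roleDefinitionName' and 'scope' (assumed export shape).
    Returns {'excess': [(role, scope, reason)], 'missing': [(role, target)]}.
    """
    managed = {rg.lower() for rg in managed_rgs}  # RG names are case-insensitive
    excess, seen_sub, seen_rg = [], set(), set()
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        m = SCOPE.match(scope)
        if not m or m["sub"].lower() != subscription_id.lower():
            excess.append((role, scope, "scope outside the audited subscription"))
        elif m["rest"]:
            excess.append((role, scope, "resource-level scope not in the documented model"))
        elif m["rg"] is None:
            if role in SUBSCRIPTION_ROLES:
                seen_sub.add(role)
            else:
                excess.append((role, scope, "subscription role beyond Reader/Backup Reader"))
        elif role == RESOURCE_GROUP_ROLE and m["rg"].lower() in managed:
            seen_rg.add(m["rg"].lower())
        else:
            excess.append((role, scope, "not Contributor on a managed resource group"))
    missing = [(r, "subscription") for r in sorted(SUBSCRIPTION_ROLES - seen_sub)]
    missing += [(RESOURCE_GROUP_ROLE, rg) for rg in sorted(managed - seen_rg)]
    return {"excess": excess, "missing": missing}

# Constructed sample data (placeholder subscription ID and resource group names).
SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Backup Reader", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}/resourceGroups/rg-nerdio"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}/resourceGroups/RG-HostPool-01"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}/resourceGroups/rg-finance"},
]

if __name__ == "__main__":
    report = audit_assignments(SAMPLE, SUB, ["rg-nerdio", "rg-hostpool-01", "rg-storage"])
    for item in report["excess"] + report["missing"]:
        print(item)
```

Entries under `excess` are assignments wider than the documented model and worth reviewing; entries under `missing` are assignments the page says are required.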

Firewall Requirements

When VNet integration is applied to the Nerdio Manager app, the network connectivity flow changes. In most cases, the subnet has outbound access restricted. To overcome that, the following addresses need to have access allowed in order for Nerdio Manager to work as required.

See VNet Integration Firewall Requirements for more information.

Data Flow

The diagram below shows the data flow information for a simple single-subscription deployment scenario.


  • Refer to the links beneath the diagram for detailed information.

  • Select this link to download an interactive PDF version of this diagram.

Footnotes: Select the desired links for detailed information.

1. Service Overview and Network Port Requirements for Windows

2. Hybrid Identity Required Ports and Protocols

3. Firewall Requirements

4. Port 445 is Blocked

5. Connection Policy

6. Connection Policy

7. Application Insights and Log Analytics APIs


Nerdio Manager is deployed directly from the Azure Marketplace.

Note: Please see the Nerdio Manager Implementation Guide for full details.

The installation is split into the following components:

  • Azure Marketplace Deployment, which deploys the resources required to use Nerdio Manager. The resources that are deployed into the Azure Subscription are:

    • Automation Account

    • SQL Server + SQL Database

    • Key Vault

    • App Service + App Service Plan

    • Application Insights

  • The second part of the deployment requires a PowerShell script that is dynamically created within CloudShell. This requires the person running the script to have Entra ID Global Admin and Azure Subscription Owner rights because it creates the Entra ID Enterprise Application and App Registrations.

If this is not possible, then please refer to this article about how to pre-create the Entra ID Enterprise App.

Using the split install method, the person performing the Entra ID Configuration requires Entra ID Global Admin. In addition, the person performing the Azure Subscription configuration needs Owner permissions against the Subscription.

Please refer to this article for recommendations for deployments that require high availability.

Deployment Customization

Nerdio Manager offers a number of advanced installation methods for situations where a deployment must be customized or where security policies dictate that elements must be created manually, or by different users. Please refer to this article for details about supported scenarios.

Note: Please contact Nerdio support to discuss these options prior to deployment.


Nerdio Manager is managed via the Application web console, which includes the end-user update mechanism. When a new version is released, the update is shown as available under the Updates menu item. Please refer to this article for details about updating Nerdio Manager.

Nerdio Manager updates are released monthly, with a public preview version released approximately 1-2 weeks prior to General Availability (GA). Hotfixes may be supplied if issues with a release that require immediate resolution are identified. In this instance, the customer should contact the Nerdio support team to discuss their requirement. Hotfixes are applied by choosing the Redeploy option for the current release from the update menu.

Best Practices

Nerdio Manager is an API-driven application. Therefore, as we scale, we need to ensure that the API requests are kept within the documented limits.

  • The number of API requests per Nerdio Manager deployment can vary depending on how many host pools and session hosts are being managed. It is recommended that host pools should be created in a dedicated resource group per pool.

  • Microsoft recommends no more than 2500 VMs per Azure subscription are deployed when auto-scaling is enabled.

  • Please refer to this article for details about how to optimize the API requests.

  • For larger environments, we also recommend scaling up the App Service Plan and the SQL Database Tier.

  • We recommend scaling up to a SQL database with 100 DTUs and the App Service plan to at least a S3 or P2V2 when you are managing 200+ AVD session hosts. Please refer to this article for details about scaling up Nerdio Manager in large deployments.

Image Management

Nerdio Manager automates the Microsoft best practices for Azure Virtual Desktop image management.

  • Nerdio Manager can import the customer's existing images from VHD format, or create new images.

  • Nerdio Manager automates the entire process, including taking snapshots of images, performing a sysprep of the images, and publishing to Azure Compute Galleries.

  • The updating of images with Windows security patches and applications can also be fully automated using Nerdio Manager with a combination of scripted actions and scheduled image update capability.

  • Nerdio Manager can fully manage the creation and publishing of images to the Azure Compute Gallery, including versioning control and publishing to multiple regions.

  • Nerdio Manager can automate the deployment of images to existing AVD session hosts, including the options to customize the scheduling to satisfy the customer's requirements.

  • Nerdio Manager allows you to perform “image staging.” When automating image management and deployment, we recommend fully testing each image using staging host pools and pushing it to production only after validation has occurred.

Tip: It is recommended to not have the Azure Virtual Desktop Agent or FSLogix Agent installed on your master image, because Nerdio Manager installs the latest version for you when hosts are deployed and re-imaged.

Profile Management

Nerdio Manager allows for easy management of the FSLogix profile management solution, which is offered by Microsoft. Please refer to this article for full details about configuring FSLogix user profiles in Nerdio Manager.

  • Nerdio Manager can automate the process of creating the FSLogix profile shares by creating the storage accounts, shares, share permissions, NTFS permissions, and performing the domain join.

  • Nerdio Manager enables you to create FSLogix profiles, which can be assigned to host pools from within the Nerdio Manager console. This enables us to create multiple FSLogix profile shares without having to apply any group policies to the session hosts.

  • Nerdio Manager is able to leverage the use of Cloud Cache automatically for DR scenarios.

  • Nerdio Manager can perform maintenance on VHD File Locks, enabling you to unlock file handles without having to reboot hosts.


Nerdio Manager manages applications using several different methods, including native methods or third-party integration.

  • Applications can be deployed into the image using normal servicing methods. That is, either direct installation on to the master VM or via the scripted installation tools built into the Nerdio Manager console.

  • Nerdio Manager has a Scripted Actions capability, which uses automation to deploy applications onto the session hosts or images. These can use package repositories like winget for complete automation of application management and deployment.

  • Nerdio Manager extends the capability of MSIX App Attach by automating the VHD conversion process and installing the certificates onto the images and session hosts.

  • Nerdio Manager publishes the applications on to the session hosts, and manages the creation of App Groups for assigning MSIX Applications to specific groups of users.

  • Nerdio Manager fully integrates with third-party vendors including Rimo3, Liquidware, FlexApp One, and AppCURE, for advanced capabilities and flexibility.

Please refer to the following articles for guidance about configuring various types of applications.

Cost Optimization

Nerdio Manager offers significant benefits to organizations looking to optimize their costs associated with Azure Virtual Desktop. These include:

Host Pool Auto-scaling

Nerdio Manager offers a range of auto-scaling options including RAM, CPU, and Available Session based automation. Additionally, these auto-scaling rules may be combined to allow multiple triggers for scale-in or -out operations. In order to enable auto-scaling, a pool must be created as, or converted to, a dynamic pool within the Nerdio Manager console.

  • Please refer to this article for details about personal host pool auto-scaling.

  • Please refer to this article for details about pooled desktops auto-scaling.

As part of the auto-scaling function, Nerdio Manager can be instructed to convert the desktop’s OS disk to a cheaper alternative when the desktop is not running. This feature is part of the auto scale function detailed in the articles above. The configuration of this feature differs between schedule-based and user-driven auto scaling modes. If using user-driven mode, disks must be pre-staged.

Nerdio Manager also offers advanced auto-scaling history reporting to assist you in making decisions around the sizing of host pools.

Storage Auto-scaling

Nerdio Manager allows for the dynamic auto-scaling of Azure premium file shares and Azure NetApp File shares (ANF) based on usage and performance to ensure that maximum cost savings are achieved, while simultaneously maintaining the performance required to support your users.

  • Please refer to this article for details about Azure Files Storage Premium auto-scaling.

  • Please refer to this article for details about Azure NetApp Files auto-scaling.

Log Analytics Optimization

Nerdio Manager can quickly and easily configure the Log Analytics retention and performance counter sample rate. These changes can greatly reduce the costs associated with storing and monitoring host pool performance data. To maximize cost savings, data should be retained for 30 days, and counters should be set to low. If this data is required for historical reporting or audit purposes, please configure these settings as required by your organization. Please refer to this article for details about configuring your Log Analytics data.

Reports and Alerts

The Nerdio Manager console offers detailed reporting for all activities performed. Relevant information is presented on all category pages, including workspaces, host pools, hosts, images, applications, and scripted actions. Additional information and historical activities can be found under the Logs menu, which is available in the sidebar of the Nerdio Manager console.

Custom notification conditions (rules) can be created on the Notifications > Conditions page. A number of preconfigured notification conditions are provided for use. The Notifications > Actions page allows administrators to create alerts based on these conditions. For example, an email can be generated for all failed host creation tasks and delivered to a specified recipient.

Source mailboxes for sending alerts should be configured from the Settings > Nerdio environment > Email notifications page. Nerdio Manager supports the addition of multiple source mailboxes, which can be used for the delivery of different alert types.

Tip: To provide visibility of potential service degradation for users, Nerdio Manager recommends that all host creation and start errors should be flagged via the use of conditions and actions. Alerts should be forwarded to a monitored, shared IT mailbox so that the appropriate remediation actions may be performed.

Considerations and Limitations

The following details should be considered when implementing AVD with automation. Nerdio Manager adheres to Microsoft’s Azure guidance for automation enabled AVD deployments. Please refer to this Microsoft article for details.

  • Nerdio Manager supports a maximum of 2,500 VMs per subscription per region, in line with Microsoft guidance.

  • For best performance, host pools should be created in a dedicated resource group per pool.

  • Large operations (start, stop, create, refresh, delete) should be batched using the in-built Nerdio Manager group processing function, in order to avoid API throttling errors.

  • For large environments, increasing the size and performance of the database and app service plan will result in improved performance. Additionally, some changes to the operation of API requests may provide improved performance. Please refer to this article for details about scaling up Nerdio Manager in large deployments.
