Creating a gold image from scratch (Windows 11)

This article will go through the steps for creating and optimizing a new gold image to be used in Azure Virtual Desktop (AVD).

 Creating the Virtual Machine

  1. Open and log into Microsoft Azure Portal

  2. In the top search box, search for “Virtual Machines”. Under Services, click on Virtual Machines.

  3. In the Virtual machines section, click on Create > Azure virtual machine from the tool bar.

  4. In the Create a virtual machine wizard go through the steps using the suggested options below:

    1. Basics Tab

      1. Subscription: Arts Subscription

      2. Resource Group: Arts-ACO-WVD (or create a new resource group if needed)

      3. Virtual machine name: <insert vm name here> (use the format vm-arts-avd-<unique name or description>)

      4. Region: East US

      5. Availability Options: Leave as default option (No infrastructure redundancy required)

      6. Security Type: Standard

      7. Image: Click on See all images

        1. Search for Windows 11

        2. Click on Select under Windows 11 and choose Windows 11 Enterprise multi-session with the most current version (e.g. 22H2)

      8. VM Architecture: x64

      9. Run with Azure Spot discount: Leave unchecked

      10. Size: Standard_D2as_v4 – 2 vcpus, 8 GiB memory (should be the default option, but depends on the specs needed and the intended use)

      11. Administrator Account:

        1. Username: acoadmin [it is possible the userid is artsadmin as well]

        2. Password: <default ACOAdmin PW>

        3. Confirm Password: <default ACOAdmin PW>

      12. Public inbound ports: None.

      13. I confirm I have an eligible Windows 10/11 license with multi-tenant hosting rights: Check the box.

      14. Click Next.

    2. Disks Tab

      1. OS disk type: Premium SSD (Locally-redundant storage)

      2. Delete with VM: Check

      3. Leave the rest of the settings as default and click on Next.

    3. Networking Tab

      1. Virtual network: Arts-ACO-WVD-Network/Arts-ACO-WVD-vnet

      2. Subnet: Arts-ACO-WVD-subnet (10.16.6.128/26)

      3. Public IP: None

      4. NIC network security group: Basic

      5. Public inbound ports: none

      6. Delete NIC when VM is deleted: Check

      7. Enable accelerated networking: Check

      8. Place the machine behind an existing load balancing solution? Leave unchecked

      9. Click Next.

    4. Management Tab

      1. Leave all settings as they are.

    5. Monitoring Tab

      1. Leave all settings as they are.

    6. Advanced Tab

      1. Leave all settings as they are.

    7. Tags Tab

      1. Set the following tags:

        1. Created On: Set the current date

        2. Created By: Put who created the VM

        3. Owner: ACO

        4. Click Next.

    8. Review + Create Tab

      1. Check over the settings and ensure everything is set correctly. Correct any errors if there are any.

      2. Click Create.

    9. Wait for the deployment to complete.

 Connecting to the Virtual Machine

  1. Open and log into Microsoft Azure Portal.

  2. In the top search box, search for “Virtual Machines”. Under Services, click on Virtual Machines.

  3. Click on the newly created virtual machine. On the Overview tab locate the Network section under properties. Note the Private IP address.

  4. On your PC, open Microsoft Remote Desktop and connect to the server called arts-mgmt.

  5. Once the arts-mgmt desktop has loaded, open Microsoft Remote Desktop again on that machine and connect to the IP address noted in step 3.

  6. Log in with the admin account that was set up when the VM was created.

 Prepping the Virtual Machine

Once connected to and logged into the Azure virtual machine, various settings will need to be set to optimize the VM for use on Azure Virtual Desktop.

Map a drive to \\fileapps.uwaterloo.ca\winapps$\wvd\arts

  1. Open Explorer.

  2. Right click on “This PC” and click on Map network drive.

  3. Set the drive to N:.

  4. Set the folder to \\fileapps.uwaterloo.ca\winapps$\wvd\arts

  5. Check both Reconnect at sign-in and Connect using different credentials

  6. Log in using your Nexus credentials that have appropriate permissions for this share (Bang account).

Run the PowerShell code below, or go to the N: drive and run the PrepAzureVM.ps1 script found at \\fileapps.uwaterloo.ca\winapps$\wvd\arts\.

Configure Windows Defender exclusions

  # Virtual Hard Disk file
  Add-MpPreference -ExclusionExtension .vhd
  # Virtual Hard Disk v2 file
  Add-MpPreference -ExclusionExtension .vhdx
  # Virtual Hard Disk snapshot file
  Add-MpPreference -ExclusionExtension .avhd
  # Virtual Hard Disk v2 snapshot file
  Add-MpPreference -ExclusionExtension .avhdx
  # VHD set file
  Add-MpPreference -ExclusionExtension .vhds
  # FSLogix directory
  Add-MpPreference -ExclusionPath "C:\Program Files\FSLogix"

Configure FSLogix

  # Create the registry key and values that configure FSLogix profile containers
  # (-Force on New-Item makes this safe to re-run if the key already exists)
  New-Item -Path "HKLM:\Software\FSLogix\Profiles" -Force
  New-ItemProperty -Path "HKLM:\Software\FSLogix\Profiles" -Name "VHDLocations" -Value "\\uwwvdprofilesa.file.core.windows.net\profiles" -PropertyType STRING -Force
  New-ItemProperty -Path "HKLM:\Software\FSLogix\Profiles" -Name "Enabled" -Value 1 -PropertyType DWORD -Force
  New-ItemProperty -Path "HKLM:\Software\FSLogix\Profiles" -Name "PreventLoginWithFailure" -Value 1 -PropertyType DWORD -Force
  New-ItemProperty -Path "HKLM:\Software\FSLogix\Profiles" -Name "DeleteLocalProfileWhenVHDShouldApply" -Value 1 -PropertyType DWORD -Force

  # Add the local admin accounts to the FSLogix exclude lists so their profiles
  # are never redirected to a container
  Add-LocalGroupMember -Group "FSLogix ODFC Exclude List" -Member "Artsadmin"
  Add-LocalGroupMember -Group "FSLogix ODFC Exclude List" -Member "ACOAdmin"
  Add-LocalGroupMember -Group "FSLogix ODFC Exclude List" -Member "Administrators"
  Add-LocalGroupMember -Group "FSLogix Profile Exclude List" -Member "Artsadmin"
  Add-LocalGroupMember -Group "FSLogix Profile Exclude List" -Member "Administrators"
  Add-LocalGroupMember -Group "FSLogix Profile Exclude List" -Member "ACOAdmin"

Disable Automatic Updates

  # Disable Windows automatic updates (the policy key does not exist by default,
  # so create it first)
  New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Force
  New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate" -Value 1 -PropertyType DWORD -Force
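The commands above write settings but never read them back. The following check script is an added example written for this article; it is not part of PrepAzureVM.ps1. It compares the live Defender exclusions, the FSLogix registry values, the exclude-list group membership and the NoAutoUpdate policy against the values given on this page and returns a list of anything that is missing or different, which is worth running before the image is generalized.

```powershell
# Added example (not part of PrepAzureVM.ps1): verify that the Defender exclusions,
# FSLogix settings and update policy from this page actually landed on the image.
# Expected values below are copied from the commands in this article.

$ExpectedExtensions = @('.vhd', '.vhdx', '.avhd', '.avhdx', '.vhds')
$ExpectedPaths      = @('C:\Program Files\FSLogix')
$ProfilesKey        = 'HKLM:\Software\FSLogix\Profiles'
$ExpectedProfileValues = @{
    VHDLocations                         = '\\uwwvdprofilesa.file.core.windows.net\profiles'
    Enabled                              = 1
    PreventLoginWithFailure              = 1
    DeleteLocalProfileWhenVHDShouldApply = 1
}
$ExpectedExcludeMembers = @('Artsadmin', 'ACOAdmin', 'Administrators')

function Test-GoldImagePrep {
    # Returns a list of findings; an empty list means every setting checked out.
    $findings = [System.Collections.Generic.List[string]]::new()

    # Defender exclusions: Get-MpPreference exposes the configured lists
    $mp = Get-MpPreference
    foreach ($ext in $ExpectedExtensions) {
        if ($mp.ExclusionExtension -notcontains $ext) {
            $findings.Add("Defender: missing extension exclusion $ext")
        }
    }
    foreach ($p in $ExpectedPaths) {
        if ($mp.ExclusionPath -notcontains $p) {
            $findings.Add("Defender: missing path exclusion $p")
        }
    }

    # FSLogix registry values
    if (-not (Test-Path $ProfilesKey)) {
        $findings.Add("FSLogix: key $ProfilesKey does not exist")
    } else {
        $actual = Get-ItemProperty -Path $ProfilesKey
        foreach ($name in $ExpectedProfileValues.Keys) {
            $want = $ExpectedProfileValues[$name]
            $have = $actual.$name
            if ($null -eq $have) {
                $findings.Add("FSLogix: value $name is not set")
            } elseif ("$have" -ne "$want") {
                $findings.Add("FSLogix: $name is '$have', expected '$want'")
            }
        }
    }

    # Exclude-list membership; local members are reported as COMPUTERNAME\Name
    foreach ($group in 'FSLogix Profile Exclude List', 'FSLogix ODFC Exclude List') {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
                   ForEach-Object { ($_.Name -split '\\')[-1] }
        foreach ($m in $ExpectedExcludeMembers) {
            if ($members -notcontains $m) {
                $findings.Add("FSLogix: '$m' is not a member of '$group'")
            }
        }
    }

    # Automatic Updates policy
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    if ($au.NoAutoUpdate -ne 1) {
        $findings.Add('WindowsUpdate: NoAutoUpdate is not set to 1')
    }

    return $findings
}

$result = Test-GoldImagePrep
if ($result.Count -eq 0) {
    Write-Host 'All gold image prep settings verified.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated PowerShell session on the VM after PrepAzureVM.ps1 has completed; a warning for each finding tells you exactly which command to re-run.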

Configure Timezone Redirection

Disables Storage Sense

For feedback hub collection of telemetry data on Windows 11 Enterprise multi-session

Fix 5k resolution support

Set TLS Settings

Set UTC Time Settings

Set Environment Variables

Check Windows Services

Set RDP Settings

Set Firewall Settings

Sets Dump Log settings

Sets the power configuration

Sets Diskpart SAN policy

Remove WinHTTP proxy

System File Checker

Check disk

Boot Configuration Data settings

Windows Management Instrumentation repository settings

Netstat check for port 3389

Set the pagefile to go to D: drive

Disables Store auto updates

Disables Content Delivery Manager auto-download of apps that Microsoft wants to promote to users

Local GPO Settings to apply

Note: Applying these settings with PowerShell will not show them as applied within the Local Group Policy Editor. This is by design.

  1. Click on Start and start typing Edit group policy.

  2. Open the Local Group Policy Editor.

  3. Navigate to the paths noted below and set as required:

Remote Desktop Settings

 Set RDP Access settings
  • Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services

    • Check to make sure that the Administrators group is added

  • Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network

    • Check to make sure that no accounts or groups are listed for this right

  • Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Remote Desktop Services

    • Check to make sure that no accounts or groups are listed for this right

  • Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network

    • Check to make sure that the following groups are listed

      • Administrators

      • Backup Operators

      • Everyone

      • Users
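Clicking through the four User Rights Assignment entries is easy to get wrong on a rebuilt image, so here is an added example (not part of this article's script) that audits them from PowerShell. It exports the local security policy with secedit, parses the [Privilege Rights] section, and checks the same four rights against the well-known SIDs for Administrators, Backup Operators, Users and Everyone. It only reads; it changes nothing.

```powershell
# Added example (not part of PrepAzureVM.ps1): audit the four User Rights Assignment
# entries from this section by exporting the local security policy with secedit.
# Requires an elevated session. Well-known SIDs are used so the check does not
# depend on group name localisation.

$WellKnown = @{
    Administrators  = 'S-1-5-32-544'
    BackupOperators = 'S-1-5-32-551'
    Users           = 'S-1-5-32-545'
    Everyone        = 'S-1-1-0'
}

function Get-LocalUserRights {
    # Returns a hashtable: privilege name -> array of SIDs/names (leading '*' stripped)
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    $inSection = $false
    # secedit writes the .inf as UTF-16, hence -Encoding Unicode
    foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $sids = $Matches[2] -split ',' |
                    ForEach-Object { $_.Trim().TrimStart('*') } |
                    Where-Object { $_ }
            $rights[$Matches[1]] = @($sids)
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-RdpAccessRights {
    # Returns a list of findings; empty means the four rights match this section.
    $rights   = Get-LocalUserRights
    $findings = [System.Collections.Generic.List[string]]::new()

    # Allow log on through Remote Desktop Services: Administrators must be present
    if ($rights['SeRemoteInteractiveLogonRight'] -notcontains $WellKnown.Administrators) {
        $findings.Add('Allow log on through Remote Desktop Services: Administrators missing')
    }

    # Both Deny rights must be empty; an entry here locks users or admins out
    foreach ($deny in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        if ($rights[$deny] -and $rights[$deny].Count -gt 0) {
            $findings.Add("$deny should be empty but contains: $($rights[$deny] -join ', ')")
        }
    }

    # Access this computer from the network: all four groups listed above
    foreach ($name in 'Administrators', 'BackupOperators', 'Users', 'Everyone') {
        if ($rights['SeNetworkLogonRight'] -notcontains $WellKnown[$name]) {
            $findings.Add("Access this computer from the network: $name missing")
        }
    }
    return $findings
}

$result = Test-RdpAccessRights
if ($result.Count -eq 0) {
    Write-Host 'RDP access rights match the gold image baseline.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

A right that is absent from the export is treated the same as an empty one, which is the correct reading for the two Deny entries and a failure for the two Allow entries.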

Set RDP Session Timeouts

Sets the timeout settings for RDP: 15 minutes before an idle session is disconnected, 2 hours before a disconnected session is ended.

  • Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits

    • Set time limit for active but idle Remote Desktop Services sessions

      • Enable and set to 15 minutes

    • End session when time limits are reached

      • Enable

    • Set time limit for disconnected sessions

      • Enable and set to 2 hours

or through PowerShell

Windows Explorer Settings

Hide all drives in Windows Explorer except for the personal folders (e.g. Documents, Downloads, Desktop, etc.)

  • User Configuration\Administrative Templates\Windows Components\File Explorer\

    • Hide these specific drives in My Computer

      • Select Restrict all drives

Or through PowerShell

Group Policy Settings

Enable group policy loop back in replace mode

  • Computer Configuration\Administrative Templates\System\Group Policy

    • Configure User Group Policy loopback processing mode

      • Select Enabled and Select Replace

Or through PowerShell

Windows Store Settings

Removes access to the Windows Store

  • Computer Configuration\Administrative Templates\Windows Components\Store

    • Turn off store applications

      • Select Enable

Or through PowerShell

Sets Start Menu settings

Prevent users from shutting down, restarting, or putting the VMs to sleep

  • Computer Configuration\Administrative Templates\Start Menu and Task Bar\

    • Remove and prevent access to the shutdown, restart, and sleep commands

      • Select and set to Enabled

Or through PowerShell
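Each of the five Local GPO sections above (session time limits, hidden drives, loopback processing, Store removal, and the shutdown/restart/sleep commands) ends with "Or through PowerShell" but the corresponding script text is not reproduced on this page. The function below is an added example written for this article, not the project's own script: it writes the policy registry values that those Group Policy settings map to, creating each policy key if needed so it can be re-run safely. One assumption is labelled in the code: the "Hide these specific drives" setting is a User Configuration policy whose native location is HKCU, and the example writes NoDrives under HKLM\...\Policies\Explorer instead so that it applies to every user of the image rather than only the account building it.

```powershell
# Added example (not part of PrepAzureVM.ps1): registry equivalents of the five
# Local Group Policy settings described in this article. As the note above says,
# values set this way do not show up in the Local Group Policy Editor.

function Set-PolicyValue {
    # Create the policy key if missing, then write a DWORD value (idempotent)
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Set-AvdLocalPolicy {
    # Session time limits (Terminal Services policy values are in milliseconds)
    $ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    Set-PolicyValue -Path $ts -Name 'MaxIdleTime'          -Value (15 * 60 * 1000)       # idle: 15 minutes
    Set-PolicyValue -Path $ts -Name 'MaxDisconnectionTime' -Value (2 * 60 * 60 * 1000)   # disconnected: 2 hours
    Set-PolicyValue -Path $ts -Name 'fResetBroken'         -Value 1                      # end session when limit reached

    # Hide these specific drives: "Restrict all drives" is a 26-bit mask (A: to Z:).
    # Assumption for this example: written under HKLM so it applies to all users;
    # the GPO's native location is the same path under HKCU.
    Set-PolicyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'NoDrives' -Value 0x03FFFFFF

    # Configure user Group Policy loopback processing mode (1 = Merge, 2 = Replace)
    Set-PolicyValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name 'UserPolicyMode' -Value 2

    # Turn off the Store application
    Set-PolicyValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' -Name 'RemoveWindowsStore' -Value 1

    # Remove and prevent access to the shutdown, restart and sleep commands
    Set-PolicyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'NoClose' -Value 1
}

function Get-AvdLocalPolicy {
    # Read the same values back so the result can be eyeballed or compared
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';           Name = 'MaxIdleTime' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';           Name = 'MaxDisconnectionTime' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';           Name = 'fResetBroken' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';        Name = 'NoDrives' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                         Name = 'UserPolicyMode' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore';                           Name = 'RemoveWindowsStore' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';        Name = 'NoClose' }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Name = $c.Name; Value = $item.($c.Name) }
    }
}

Set-AvdLocalPolicy
Get-AvdLocalPolicy | Format-Table -AutoSize
```

Run it elevated; the table printed at the end should show 900000, 7200000, 1, 67108863, 2, 1 and 1 in that order. Settings written to HKLM policy keys survive Sysprep, which is what makes them suitable for a gold image.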

Run the Virtual Machine Optimization script

This will run and set various settings to optimize the VM.

Download the Virtual Desktop Optimization Tool from GitHub (The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool). The script and configuration files in this repository provide an easy method to customize and apply performance-related settings to virtual desktop environments.

  1. Extract and copy to \\fileapps.uwaterloo.ca\winapps$\wvd\arts. If the folder exists, overwrite.

  2. Copy the folder Virtual-Desktop-Optimization-Tool-main to the VM and place it in C:\Temp.

  3. Open PowerShell and navigate to C:\Temp\Virtual-Desktop-Optimization-Tool-main\

  4. Run .\Windows_VDOT.ps1 -WindowsVersion 2009 -Optimizations All -Verbose -AcceptEula


When done, proceed to Installing Software.