
Windows Virtual Desktop Onboarding Guide


This article provides a reference guide for Trusts to onboard to the WVD Service, which uses the NHSMail identity with Windows Virtual Desktop (WVD) infrastructure deployed within a Trust’s Azure subscription.

The intended audience for this document is Local Admins, who are assumed to be fluent with the concepts of Windows Virtual Desktop and Azure infrastructure workloads.

This document will cover the following steps:

  1. Request to Onboard
  2. Provision of WVD Components
  3. Network setup
  4. Host Pool Creation

This document will not cover the following as it will be the responsibility of the Trusts to develop as part of the WVD service build out for their individual Trust:

  • Windows OS Image
  • Application packaging or consumption
  • User access

Request to Onboard

To begin the onboarding process a Request will need to be logged via the NHSMail Self-service portal: https://support.nhs.net/knowledge-base/access-hss/

Once on the NHSMail Support site, click on Raise a Request, then select show more.

Click on Virtual Desktop (WVD)

Please provide the following information: (all fields must be populated)

  • Azure Subscription ID

You can find your subscription ID by simply going to portal.azure.com and searching for “Subscriptions” within the search bar on the home page – from there a list of subscriptions will be shown with a column displaying the Subscription ID.

  • NHS.net AAD group that contains administrators to delegate permissions to, within AAD DS

This can be any group that is currently synchronised to AAD or a newly created group for the purpose of delegating management – these can be created through the portal.

  • Trust ODS Code

This code is unique to the Trust and will be used as the unique identifier for your Trust.

  • Subnet choice

A list of private subnets will be made available to choose from. This will be the range of IP addresses that your Trust will assign to WVD within their Azure subscriptions – this is chosen as part of the request process to ensure that Trusts that are onboarded do not have overlapping address ranges.

  • Gateway Address

This is the public IP of the VPN device in the Trust which the tunnel will use to set up the connection between Azure and the Trust’s subscription.

Once completed, submit the form. The Request will be routed to the WVD Support team to process.

Provision of WVD Components

The information you provided in the Request will be used to provision the following components:

  • WVD Tenant
  • Service Principal with Tenant Owner Rights within WVD
  • OU within AAD DS with delegated rights to Trust Administrators
  • VNet for Trust authentication traffic allowed through to AAD DS Vnet
  • S2S VPN Tunnel

Once provisioned the following information will be provided back to your Trust to allow the setup of host pools within your Trust’s own Azure subscription:

  1. WVD Tenant Name – This will be in the form NHS-WVD-TRUSTODSCODE and will be used later when creating resources
  2. Service Principal App ID
  3. Service Principal Credential
  4. NHS.net AAD Tenant ID
  5. DN for OU within AAD DS
  6. Pre-Shared Key for VPN Gateway
  7. Network information (VPN Gateway IP, VNet for Trust, AAD DS DNS IPs)

This information will enable your Trust to provision WVD application pools as well as manage the deployed resources.

Network Setup

In order to deploy the WVD workloads they need network access to join the auth.nhs.net domain.

The standard setup will see your Trust set up a new Vnet for the address range chosen as part of their initial request. This will then be connected by a Site to Site connection (S2S) to the AAD DS managed domain, auth.nhs.net, within the NHS.net environment.

The process below shows the steps to set up the network within your Trust’s subscription. For ease, the VNet and subnets are created as part of the creation of the VPN Gateway.

  1. Open the Azure Portal and search for Virtual Network Gateway and click Add

2. This will bring up the wizard for creating the Virtual Network Gateway.

a) Give the new gateway a name

b) Select a SKU from the drop-down list (we recommend VPNGw2 for most implementations)

c) Ensure the gateway type is VPN and the VPN type is route-based

d) Under Virtual Network select Create Virtual Network from the drop-down list

The below blade window will open:

e) Enter the Name of the new VNet and the Resource group you wish to deploy it to

f) In the Address space box enter the Address range (chosen in the request process)

g) Under subnets create a subnet for the WVD workloads (the gateway subnet will be created automatically)

h) Click OK.

3. You will be returned to the Create virtual network gateway window. Check that the Virtual network and gateway subnet are now populated.

a) Assign a new public IP address to the Gateway and give this a name

b) Click Review + Create to validate the settings and then click Create

c) Once created, search for the Virtual Network Gateway

d) Note the public IP address and share with the WVD support team in order to complete the VPN connection quoting your original Request ID.

4. Next we need to create a “local network gateway” which uses the information you shared in the previous step (3.d)

a) Name the Gateway

b) Enter the public IP returned by the WVD support team

c) Enter the address space returned by the WVD support team

d) Add to the same resource group and location as the other resources created as part of this process.

e) Click Create

5. From the Local network gateway just created select the Connections page

a) Click Add and you will be presented with the blade below

b) Name the Connection

c) Select the Virtual Network Gateway created earlier

d) Enter the PSK shared by the WVD support team

e) Click OK to create the connection

The status of the connection can be seen on the Local Gateway connections page as below:

This will update to connected once the public IP of your Virtual Network Gateway has been updated by WVD support team.

If you are not using your own DNS infrastructure to forward requests to auth.nhs.net you can set the DNS servers on the Vnet created as part of this section to point to the AAD DS DNS servers.

The image below shows the DNS settings for IPs on a VNet within Azure:
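A pre-flight check of the Network Setup values before they are entered in the portal, as an added example that is not part of the original guide. All addresses are constructed placeholders, and the function name `preflight` is hypothetical; it assumes the AAD DS DNS IPs must fall inside the address space entered on the local network gateway, since only those prefixes are routed through the tunnel.

```python
import ipaddress


def preflight(trust_space, wvd_subnet, gateway_subnet, remote_space, dns_ips):
    """Return a list of problems with the planned values (empty list = OK)."""
    problems = []
    space = ipaddress.ip_network(trust_space)    # range chosen in the Request
    wvd = ipaddress.ip_network(wvd_subnet)       # subnet for WVD workloads
    gw = ipaddress.ip_network(gateway_subnet)    # GatewaySubnet on the same VNet
    remote = ipaddress.ip_network(remote_space)  # address space from WVD support

    # The Request offers private subnets only.
    if not space.is_private:
        problems.append(f"{space} is not a private range")

    # Both subnets must sit inside the address space chosen in the Request.
    for name, net in (("WVD subnet", wvd), ("GatewaySubnet", gw)):
        if not net.subnet_of(space):
            problems.append(f"{name} {net} is outside address space {space}")
    if wvd.overlaps(gw):
        problems.append(f"WVD subnet {wvd} overlaps GatewaySubnet {gw}")

    # Overlap with the remote side would make routing over the S2S ambiguous.
    if space.overlaps(remote):
        problems.append(f"Trust range {space} overlaps remote range {remote}")

    # Assumption: DNS servers set on the VNet are reached through the tunnel,
    # so each one must be covered by the local network gateway address space.
    for ip in dns_ips:
        if ipaddress.ip_address(ip) not in remote:
            problems.append(f"DNS server {ip} is not inside {remote}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real NHS.net addressing.
    issues = preflight(
        trust_space="10.50.0.0/22",
        wvd_subnet="10.50.0.0/23",
        gateway_subnet="10.50.3.0/27",
        remote_space="10.200.0.0/24",
        dns_ips=["10.200.0.4", "10.200.0.5"],
    )
    print("OK" if not issues else "\n".join(issues))
```
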

Host Pool Creation

As your Trust will rely on the NHS.net directory for authentication the host pools you create will have to utilise the Fall 2019 release of WVD so they can provide the tenant information.

  1. From the Azure portal homepage click Create A Resource
  2. Then search for Windows Virtual Desktop – Provision a host pool

Important Note

Searching in the search bar at the top of the Azure portal can return the Spring 2020 public preview of WVD which does not allow you to specify Tenant details within the wizard.

3. The landing page for the wizard is shown below. Click Create.

4. On the first page Basics, complete information around the host pool

a) The Subscription and Resource group should be the same as the ones the network resources were deployed to in the previous section

b) The Region is where your virtual machines will reside within the Azure infrastructure.

c) The Hostpool name should be set to a unique value but only needs to be unique within the Trust.

d) The Default desktop users here specifies a comma separated list of users to be allowed to access this pool.

5. Navigate to the next page Configure virtual machines

a) This page allows you to specify the usage required for the host pool. Select Usage Profile and Total users as appropriate.

b) The Virtual machine name prefix can be anything but will need to be unique across host pools within your Trust, otherwise domain joins will fail due to name conflicts.

6. The next page details the Virtual Machine settings. Select your Image source (for a custom image select either Blob storage or Managed image, for a default gallery image select gallery).

Important Note

Image creation will not be covered in this guide.

a) Enter the AD domain join UPN and Admin Password which were provided as part of the initial request

b) Select Yes on the Specify domain or OU

c) On the Domain to join enter “auth.nhs.net”

d) In the (Optional) OU Path enter the OU provided as part of the initial request (see Provision of WVD Components section)

e) In Configure Virtual Networks select the Vnet and subnet created in the Network Setup section.

7. The next page is Windows Virtual Desktop Information which allows you to specify the WVD tenant.

a)  Leave the Windows Virtual Desktop tenant group name as “Default Tenant Group”

b) Under Windows Virtual Desktop tenant name enter the tenant name provided as part of the initial request in the Provision of WVD Components section.

c) Select Service principal in the “Windows Virtual Desktop tenant RDS Owner” toggle

d) Enter the Application ID and Password for the service principal provided

e) Enter the Azure AD tenant ID as provided (this is the nhs.net ID and not related to the Trust subscription)

8. The next page then lets you review your configuration and confirm before deploying. Review and then click Review and create.

Updated on 15/02/2021
