Coming up we are going to take a first look at updates to Remote Desktop Services now with deeper cloud integration from endpoints and authentication through to back-end infrastructure. We’re going to show you new service architecture options that will help improve security and authentication. We’re going to show you simplified setup and management that’s going to leverage app services and a very transformative app delivery and user experiences. And I’m joined by Scott Manchester from the RDS team.

– Scott, welcome to Microsoft Mechanics Live.

– Thanks for having me back, Simon, thanks to all you for showing up we got standing-room-only out here.

– It’s nice to get around. Last time you’re on the show you showed us some pretty awesome graphics improvements. What are you and the team been working on since then and since doing all that scale work for you did as well?

– Yeah, Simon, we have not been sitting back on our heels here, we’ve been very busy since the last time we’re out here. We’ve continued our focus on cloud optimizations, we’ve expanded our app and desktop delivery options and we’ve hardened our security posture.

– How cool security is one of the main reasons that people who using Remote Desktop Services?

– Yeah, that’s right and now it gets even better with our latest generation of Remote Desktop Services. We can now take advantage of modern authentication with Azure Active Directory Integration and this gives you advantages like conditional access policies, multi-factor authentication and integration with other SaaS apps like Office or Workday.

– And obviously if anybody is using Office 365 they already have Azure Active Directory setup?

– Yeah, that’s right if you’ve already got an Active Directory setup you can leverage that with this new RDS modern infrastructure. And also we can take inputs from the intelligent security graph. So, if, let’s say, you’re connecting up to a deployment you have a non-enrolled device, we can dynamically assign conditional access policies.

So now let me tell you about how the modern infrastructure changes things. If we take a look at a traditional RDS infrastructure rules, each role, each server role would be joined to the domain and these components would need to be on the same network as your application and desktop host your session hosts and VDI instances. And here because your RD web and RD gateway role are both domain joined and public facing they’re vulnerable to attack. Now with the modern infrastructure roles we can isolate the infrastructure components from the application and desktop hosts in the internet facing roles like RD web and RD gateway are no longer joined to the domain. And because of this we can now support multi-tenant deployments. And notice also in my infrastructure there’s no more RDVH role. We brought the VDI management capabilities directly into our connection broker. But we’ve also added a new role, you’ll notice there’s a diagnostic role. We can now leverage this new diagnostic role to troubleshoot end-to-end connectivity problems. And finally the application and desktop host no longer require inbound ports, so we now establish an outbound port on port 443 to maintain that connectivity between the clients and the endpoints.

– And if I’m hearing all of that right that actually means that those architectural changes are gonna give you a ton more capabilities for running this infrastructure outside of your own on-premises network.

– Yeah, that’s right absolutely… Our hosters are really going to love this because now I can support these multi tenant deployments and they’re really gonna love it when I can deploy this up into Azure. Let’s talk about the clients.

– Yeah, let’s talk about the clients.

– First then I’ll tell you, guys, about all the Azure value problem. So I mentioned in the intro that we’re continuing to vest in a remote desktop clients, so we’re adding new capabilities and functionality to all of our clients: iOS, Android, Mac and Windows. We’re also introducing our new HTML5 client. Now this HTML5 client will work with your traditional RDS 2016 roles, but it will also work with our new RDMI or Remote Desktop Modern Infrastructure roles, it’s actually built-in. We also support the new Windows 10’s edition. Now while we’re talking about the clients also want to mention that we’re going to be bringing in this Azure Active Directory Integration to all of these clients as well and we’ll show you a demo of that in a minute.

– Okay, that’s got a little bit out… So obviously we’ve got all these kind of amazing things that we’ve been working on with clouds go. Can you show us a little bit around what it is that you’ve actually been building here? Sounds great…

– Yeah, absolutely, let’s uh… let’s take a look at that. So first off let me show you a security demo. So what I have set up here is I have a remote desktop client that’s been enlightened with our Azure Active Directory support. So I’m right at the point in time where this would be a one-time process a user would go through to add the subscription to this client. So I’ve got applications and desktops that my IT admin have set up and I’m about ready to add this user to that deployment. So I’ve put in the URL, I’m gonna hit subscribe here. Now just like in a normal deployment. I can provide my username and password so I’ll just provide that. Right… I keep forgetting that I’m so glad that I have people in the audience that know. I’m going to hear… All right. So user name and password or provided here but because my IT admin was savvy, they’d not only set up single factor authentication but they also set up multi factor on things. (Should I click the button here…). So I had a choice of what multi-factor authentication and you’ll see now that it’ll populate the list of applications that I have here. So very cool there it is multi-factor authentication to get access to my Remote Desktop deployment. Think of the possibilities now how you can further secure your remote desktop environments by using these capabilities, so lots of new innovation there…

– That’s pretty cool, but what was actually happening behind the scenes there? What was going on as all of that authentication was doing? Because maybe these folks don’t really know…

– Let’s walk through that process a little bit, so you, guys, understand how this actually works. So in our deployment here in this example it’s in steady state I’ve deployed the infrastructure up into Azure and my application and desktop hosts can live in a separate network. And you can see that we also have set up our AAD, so we can support that secure authentication. And in steady state all of my application desktop hosts maintain an active connection into the deployment, so we can ascertain the resource availability. So let’s go through a typical connection sequence.

So let’s say a user on our client wants to get access to a line of business application that my IT admin has set up for me. So before the user gets access to that list of apps you saw that process that I must provide my credentials. Once I’ve established my authentication I can provide that token to my RD web client I get the list of applications. From there the user can then select a specific application that they want to launch. Once they get that… once they’ve selected the application they want to launch, so here you can see in the diagram that they go through the ADOL Auth, they get that list of apps, they click the one they wanna to execute. Well, then take that a tall token that we get and we’ll present it into the infrastructure, will validate that it’s active and then we’ll convert that token to a certificate. And this is the critical component because this allows me to have single sign-on experience all the way into my application and desktop hosts. And once I’ve provided that connectivity that inbound connection then we’ll be routed through the Gateway to my endpoint and now the user can launch the application. So through simple setup on your part you can now support a single sign-on experience plus all the value-add of AAD and the capabilities you have to enable multi-factor authentication there or other conditional access policies.

– So in this configuration of the application and desktop host domain joyed.

– Yeah, so nothing really changes and the way you set up your session host servers and your VDI instances. They’re still domain joint as they were before, but now you don’t have to have that open inbound port 3389 and I’m sure your CTO’s will be glad that you don’t have to, you know, go beg to open that firewall port anymore. We use that outbound 443 connection now to enable that communication to flow.

– So that’s the security side of things that we said we’re going to cover covered. What about the implement infrastructure that you’ve built on Azure?

– Yeah, so back to that. So we mentioned that hosters are really going to love this because you have the ability now to deploy all of these infrastructure roles into Azure as PA’s roles. So I actually had that on my desktop here if we can bring that up.

So this is actually my personal subscription into Azure and what I have pin to the dashboard here is a resource group which is our new remote desktop modern infrastructure. So let me drill into this a little bit. And what I’m gonna do is I’m gonna sort by type because I want you to notice something here. I want you to notice what’s here but also what’s not here. So this is a full remote desktop modern infrastructure deployment into Azure and there’s not a single VM in it. Everything here is running as Azure pass, so if I go down the list, let’s take a look at what we have, so here’s our new Diagnostics roll, here’s the broker, the gateway, the RD web, all of them running as an Azure app service. I’ve got the policies around those app services, I’ve got a key vault and this is where I store all the certificates from my deployment. And then I’ve got a sequel database that’s running as an Azure PaaS service and as you know the database maintains the state of my deployment which users are assigned to which applications and also what the current state like who’s assigned on which VM.

Now the cool thing is that all of these infrastructure rules are now stateless and this gives me the ability now to have that scalability we talked about right. So I want to drill in and show you example of how scalability works now that these things are running is PaaS roles. So I’m gonna drill into our gateway.

– So I’m guessing that this is gonna let you automatically expand and contract, maybe the size of you deployment?

– You’re stealing my thunder, Simon. That’s exactly right. So let’s drill into this here and I’m gonna scroll down here into this list, I’m gonna find the scale out policies here. So now that this is deployed as a path service in Azure. I can set some very simple policies that allow this thing to scale in and scale out to conserve my cost, because I don’t want to stand up you know the size of the infrastructure I need for the maximum time I want this thing to dynamically adjust as my workloads go up and down.

Some of you, guys, have probably written some really complex PowerShell scripts and have done some complex things to try to support this. I’m gonna make this so easy for you, guys, so you, guys, are gonna have to go find something else to do in that time that you were spending doing that in the past.

So I said two policies here. So the first policy here is basically stating when my gateway role exceeds 70% CPU utilization, add another instance and then after that stabilized and the workloads expand across that if I also… if that ever goes beyond 70%, install another one. And I’ve said a min and max parameters on this, so it minimizes one instance in max is 5, but I could change those things as well. So very simply, I’ve just set these simple parameters and when my Gateway gets, you know, burdened with butt munch users logging in, it just simply adds another instance.

Now what I’ve done also is I’ve set the scale in policy, so that was my scale out my scale in policy says: however many instances I have of that app service running, when the average workload across all of them gets below 30%, remove one and then it stabilizes and if it’s still below 30, you can remove another. So what happens now, you know, 2:00 am in the morning everybody’s done working the system will stabilize down to a single instance of these roles. Monday morning 9 o’clock everybody is logging in as that log in storm happens, we simply just install more instances of the Gateway and the broker, and web role and then as that stabilizes it just shrinks back down. And this gives you the most optimal cost model now for your deployment and this becomes so simple for you now to manage and maintain. You set these parameters once and you’re done. The system will simply take care of itself and because they’re all running is as your path services you’re not patching these VMs anymore either, just simply just runs on its own from this point forward.

– It’s pretty incredible you’ve taken all of the cool stuff that we can do in the cloud about removing the patching, making things much easier and simpler to run and scale all by moving from I as instances over to pass instances. That’s the kind of thing that’s really going to change the way that people are able to use Remote Desktop Services.

– That’s right, that really leverages the power of the cloud and the power of the web as well. So with that maybe there’s to be a good time to show one of the new innovations we’ve done as well?

So I mentioned that we’ve been making investments in the road desktop clients. What I’d like to show you now is our new HTML5 experience. So what I have here is any… it could be any HTML5 browser running on any device and I’m accessing remote desktop 2016 deployment that I have in my Azure service. So I’ve installed this client now. Know, if you’ve already got a 2016 deployment there was a patch that was released a number of months ago to your gateway that enables this capability and will provide these bits that allow you now to host an HTML5 client experience in your deployment. We’ll make those available to you early next year. So I’ve got this set up now, I’ve got a handful of apps that I’ve made available through this feed and I could have also enabled if this was an RDMI deployment our next generation I could have enabled multi-factor authentication through this HTML5 client as well. So here’s all the apps that I’ve made available even a full desktop. But I want to show you a little bit of what the experience is I just navigate around. So I even got things like be able to pin the apps to the sides. It works pretty well. Now you can see we’re running in a pretty low resolution here and I’m taking up a lot of the Chrome or a lot of the work space with the Chrome of the desktop and such, so let me do this, let me go into full-screen mode and I can even hide this little app bar here by just hitting this little up arrow. And now I get the full, you know, desktop experience running inside of a browser and if you just walked up to this machine, you’d probably be hard-pressed even though this is actually just running in a browser. Now imagine the scenario where this could be useful for you.

Imagine if you had a kiosk type situation and you had a lot of workers rotating through accessing that kiosk, they can simply login to the browser here provide their credentials and then had this great remoting experience.

Another scenario, Simon, I were talking about, if I… Simon, I went on a vacation somewhere and I forgot my laptop, I could just grab his machine, open up his browser and get access to a line of business app. So if there was some work I needed to get done, log into the browser, get that work done real quick and in my session. So very cool and in terms of deployment obviously there’s no work on your side now. If you have seasonal workers people that, you know, you spend a lot of time getting them all set up only to have them leave a couple months later, really great solution there for seasonal workers since there’s really no setup, no touch points for you, guys. Thank you. Definitely some people in the real native they work through that before…

– Oh yeah, that’s a big thing for anybody this morning audience is a… it is a very impactful thing. You have made some amazing changes that phenomenal HTML5 client just really works well. I think we’re about done and we need to start thinking about wrapping up and you, and I need to go and plan that vacation.

– That’s right.

– Is there anything that these folks need to know so that they can maybe get involved and learn a little bit more?

– Yeah, absolutely. I’m sure, you, guys, are excited to get your hands on this. I can tell by the audience here there’s a lot of interest in this space, so we want to make this available to you, guys, as soon as possible, we want you, guys, to start building out your own dev environments, start experimenting with this and playing with this, and giving us feedback. So we’re gonna make all of these both the remote desktop modern infrastructure roles and the HTML5 client available through the Windows Insider program for Business, so if you, guys, haven’t already signed up for the WIB or Windows Insider for Business program, please, do that. We’ll make these things available, sometime early next year we’ll make all of this accessible to you, guys.

– Cool, ok, that is about all we have time for on Microsoft Mechanics Life. Thank you all very much for being in here in person and thank you very much for watching. We will see you next time.