
5 Things You Need to Know from Microsoft Ignite

Brian Garoutte

1. Better Security
In today’s world, we are faced with constant security threats, and Microsoft continues to make enhancements to increase the security of their customers' infrastructure. Overall, their enhancements with RDMI will allow administrators to enforce new policies that strengthen their security posture while providing new innovations.

A few notable security announcements are:

Integration with Azure Active Directory Domain Services enables multi-factor authentication and conditional access
Azure Active Directory currently does not have multi-factor authentication or conditional access native to the platform, meaning they must be set up separately. Microsoft is integrating both capabilities into the platform. This means that both solutions can be easily enabled without having to go through another setup and integration process. Multi-factor authentication will move the logon process from just the username / password combination to a username / password combination followed by a second factor of confirmation, like a text message to your cell phone with a code, or even a phone call, before the user is authenticated.
 
Conditional access to Azure Active Directory will allow you to enforce policies with access to content based on user rights and even the user’s location or device.  This means that from my desktop machine, I can access all content, but if I connect from an unusual location or uncommon device, conditional access can restrict access to certain more sensitive information that I would usually be able to access from an approved device.

No inbound connections to Session Hosts
Currently, a company can have a strong security posture, but sometimes public IP addresses and open ports have to exist on your session hosts. With the new RDMI infrastructure, there is no longer a need to open inbound ports on the session hosts: the session hosts communicate with the connection broker via an agent that is installed on the session host. This prevents someone on the Internet from accessing session hosts without going through the defined login process, including multi-factor authentication where it is enforced. By eliminating the need for inbound ports, this will improve the security posture of your RDS implementation.

Session Host Agent will communicate via Port 443 directly to PaaS Services
Similar to the previous announcement, instead of listening on an inbound port, the session host agent communicates with the PaaS Services over Port 443. Microsoft is grouping RD Web, RD Gateway, RD Broker, RD Diagnostics, and Azure SQL Database into Web Services (PaaS). This means that Microsoft will now host these services, as opposed to you hosting them within Virtual Machines. By Microsoft hosting these services, they will be able to provide a more elastic infrastructure that scales up and down as needed while reducing the overall cost of your deployment.
The image below is from a recent Microsoft Ignite presentation that discussed these updates. You can see the whole presentation here: https://myignite.microsoft.com/videos/53834.

2. Improved End User Experience
Microsoft announced the HTML5 web browser experience, which is already in private preview. This means that users will not have to install the RDP client on the end user devices; the full RDS experience will be available from any HTML5-compliant web browser. Once this feature is released, users will be able to log in from any device via a secure connection over HTML5.

So what does this mean? It opens up new opportunities for kiosks and users because they can access desktops and apps from any device without downloading RDP files, which reduces the amount of IT overhead when giving users access to their RDS environments from any device. They no longer have to worry about the settings or configuration of the RDP client. You simply give the user a URL and have them use their credentials to log in.

3. Multi-Tenancy
Multi-tenancy will allow customers to build multiple deployments in a single tenant without compromising security. Microsoft does not support true multi-tenancy today, but with this update, they will be able to, plus enhance security. With RDMI, multi-tenancy was one of the design goals; therefore, when you need to add more users, even from a different company, you can add additional web services and session hosts to support the new users.

4. VDI in Azure
Microsoft announced that Windows 10 (VDI) with nested virtualization is available now. Instead of Windows Server based session hosts, you can have a Windows 10 client OS running in the cloud. This would allow you to run Windows 10 with dedicated sessions for each user. For apps that require the Windows client OS, you can now run Windows 10 in the cloud. In most instances, session based (Server based) environments will work and be more cost effective, but Microsoft has now made both options available to the end user. Once RDMI ships, it will be easier and less expensive to deploy Windows 10 instances in Azure.

5. Lower Cost
Lastly, lower costs are always a goal. By creating the Web Services (PaaS), you would no longer pay for VM run time costs for all the RDS roles. Microsoft will now host these services as shared services with the goal of reducing the overall cost per user.