Optimizing VMware vMotion

 ESXi, vMotion, VMware, vSphere  1 Response »
Jun 192022
 
VMware vSphere 7 Logo

We all know that vMotion is awesome, but what is even more awesome? Optimizing VMware vMotion to make it redundant and faster!

vMotion allows us to migrate live Virtual Machines from one ESXi host to another without any downtime. This allows us to perform physical maintenance on the ESXi hosts, update and restart the hosts, and also load balance VMs across the hosts. We can even take this a step further use DRS (Distributed Resource Scheduler) automation to intelligently load the hosts on VM boot and to dynamically load balance the VMs as they run.

Picture of VMware vMotion diagram
VMware vMotion

In this post, I’m hoping to provide information on how to fully optimize and use vMotion to it’s full potential.

VMware vMotion

Most of you are probably running vMotion in your environment, whether it’s a homelab, dev environment, or production environment.

I typically see vMotion deployed on the existing data network in smaller environments, I see it deployed on it’s own network in larger environments, and in very highly configured environments I see it being used with the vMotion TCP stack.

While you can preform a vMotion with 1Gb networking, you certainly almost always want at least 10Gb networking for the vMotion network, to avoid any long running VMs. Typically most IT admins are happy with live migration vMotion’s in the seconds, and not the minutes.

VMware vMotion Optimization

So you might ask, if vMotion is working and you’re satisfied, what is there to optimize? There’s actually a few things, but first let’s talk about what we can improve on.

We’re aiming for improvements with:

  • Throughput/Speed
    • Faster vMotion
      • Faster Speed
      • Less Time
    • Migrate more VMs
      • Evacuate hosts faster
      • Enable more aggressive DRS
      • Migrate many VMs at once very quickly
  • Redundancy
    • Redundant vMotion Interfaces (NICs and Uplinks)
  • More Complex vMotion Configurations
    • vMotion over different subnets and VLANs
      • vMotion routed over Layer 3 networks

To achieve the above, we can focus on the following optimizations:

  1. Enable Jumbo Frames
  2. Saturation of NIC/Uplink for vMotion
  3. Multi-NIC/Uplink vMotion
  4. Use of the vMotion TCP Stack

Let’s get to it!

Enable Jumbo Frames

I can’t stress enough how important it is to use Jumbo Frames for specialized network traffic on high speed network links. I highly recommend you enable Jumbo Frames on your vMotion network.

Note, that you’ll need to have a physical switch and NICs that supports Jumbo frames.

In my own high throughput testing on a 10Gb link, without using Jumbo frames I was only able to achieve transfer speeds of ~6.7Gbps, whereas enabling Jumbo Frames allowed me to achieve speeds of ~9.8Gbps.

When enabling this inside of vSphere and/or ESXi, you’ll need to make sure you change and update the applicable vmk adapter, vSwitch/vDS switches, and port groups. Additionally as mentioned above you’ll need to enable it on your physical switches.

You may assume that once you configure a vMotion enabled NIC, that when performing migrations you will be able to fully saturate it. This is not necessarily the case!

When performing a vMotion, the vmk adapter is bound to a single thread (or CPU core). Depending on the power of your processor and the speed of the NIC, you may not actually be able to fully saturate a single 10Gb uplink.

In my own testing in my homelab, I needed to have a total of 2 VMK adapters to saturate a single 10Gb link.

If you’re running 40Gb or even 100Gb, you definitely want to look at adding multiple VMK adapters to your vMotion network to be able to fully saturate a single NIC or Uplink.

You can do this by simply configuring multiple VMK adapters per host with different IP addresses on the same subnet.

One important thing to mention is that if you have multiple physical NICs and Uplinks connected to your vMotion switch, this change will not help you utilize multiple physical interfaces (NICs/Uplinks). See “Multi-NIC/Uplink vMotion”.

Please note: As of VMware vSphere 7 Update 2, the above is not required as vMotion has been optimized to use multiple streams to fully saturate the interface. See VMware’s blog post “Faster vMotion Makes Balancing Workloads Invisible” for more information.

Multi-NIC/Uplink vMotion

Another situation is where we may want to utilize multiple NICs and Uplinks for vMotion. When implemented correctly, this can provide load balancing (additional throughput) as well as redundancy on the vMotion network.

If you were to simply add additional NIC interfaces as Uplinks to your vMotion network, this would add redundancy in the event of a failover but it wouldn’t actually result in increased speed or throughput as special configuration is required.

To take advantage of the additional bandwidth made available by additional Uplinks, we need to specially configure multiple portgroups on the switch (vSwitch or vDS Distributed Switch), and configure each portgroup to only use one of the Uplinks as the “Active Uplink” with the rest of the uplinks under “Standby Uplink”.

Example Configuration

  • vSwitch or vDS Switch
    • Portgroup 1
      • Active Uplink: Uplink 1
      • Standby Uplinks: Uplink 2, Uplink 3, Uplink 4
    • Portgroup 2
      • Active Uplink: Uplink 2
      • Standby Uplinks: Uplink 1, Uplink 3, Uplink 4
    • Portgroup 3
      • Active Uplink: Uplink 3
      • Standby Uplinks: Uplink 1, Uplink 2, Uplink 4
    • Portgroup 4
      • Active Uplink: Uplink 4
      • Standby Uplinks: Uplink 1, Uplink 2, Uplink 3

You would then place a single or multiple vmk adapters on each of the portgroups per host, which would result in essentially mapping the vmk(s) to the specific uplink. This will allow you to utilize multiple NICs for vMotion.

And remember, you may not be able to fully saturate a NIC interface (as stated above) with a single vmk adapter, so I highly recommend creating multiple vmk adapters on each of the Port groups above to make sure that you’re not only using multiple NICs, but that you can also fully saturate each of the NICs.

For more information, see VMware’s KB “Multiple-NIC vMotion in vSphere (2007467)“.

Use of the vMotion TCP Stack

VMware released the vMotion TCP Stack to provided added security to vMotion capabilities, as well as introduce vMotion over multiple subnets (routed vMotion over layer 3).

Using the vMotion TCP Stack, you can isolate and have the vMotion network using it’s own gateway separate from the other vmk adapters using the traditional TCP stack on the ESXi host.

This stack is optimized for vMotion.

Please note, that troubleshooting processes may be different when Troubleshooting vMotion using the vMotion TCP/IP Stack (click the link for my blog post on troubleshooting).

For more information, see VMware’s Documentation on “vMotion TCP/IP Stack“.

Additional resources:

VMware – How to Tune vMotion for Lower Migration Times?

NVIDIA vGPU VM Freezes during VMware vMotion: vGPU STUN Time

 ESXi, GRID, NVIDIA, vGPU, vMotion, VMware, VMware Horizon View  No Responses »
Jun 182022
 
Nvidia GRID Logo

When performing a VMware vMotion on a Virtual Machine with an NVIDIA vGPU attached to it, the VM may freeze during migration. Additionally, when performing a vMotion on a VM without a vGPU, the VM does not freeze during migration.

So why is it that adding a vGPU to a VM causes it to become frozen during vMotion? This is referred to as the VM Stun Time.

I’m going to explain why this happens, and what you can do to reduce these STUN times.

VMware vMotion

First, let’s start with traditional vMotion without a vGPU attached.

VMware vMotion with vSphere and ESXi
VMware vMotion with vSphere

vMotion allows us to live migrate a Virtual Machine instance from one ESXi host, to another, with (visibly) no downtime. You’ll notice that I put “visibly” in brackets…

When performing a vMotion, vSphere will migrate the VM’s memory from the source to destination host and create checkpoints. It will then continue to copy memory deltas including changes blocks after the initial copy.

Essentially vMotion copies the memory of the instance, then initiates more copies to copy over the changes after the original transfer was completed, until the point where it’s all copied and the instance is now running on the destination host.

VMware vMotion with vGPU

For some time, we have had the ability to perform a vMotion with a VM that as a GPU attached to it.

VMware vSphere with NVIDIA vGPU
VMware VMs with vGPU

However, in this situation things work slightly different. When performing a vMotion, it’s not only the system RAM memory that needs to be transferred, but the GPU’s memory (VRAM) as well.

Unfortunately the checkpoint/delta transfer technology that’s used with then system RAM isn’t available to transfer the GPU, which means that the VM has to be stunned (frozen) to stop it so that the video RAM can be transferred and then the instance can be initialized on the destination host.

STUN Time

The STUN time is essentially the time it takes to transfer the video RAM (framebuffer) from one host to another.

When researching this, you may find examples of the time it takes to transfer various sizes of VRAM. An example would be from VMware’s documentation “Using vMotion to Migrate vGPU Virtual Machines“:

NVIDIA vGPU Estimated STUN Times
Expected STUN Times for vMotion with vGPU on 10Gig vMotion NIC

However, it will always vary depending on a number of factors. These factors include:

  • vMotion Network Speed
  • vMotion Network Optimization
    • Multi-NIC vMotion to utilize multiple NICs
    • Multi-vmk vMotion to optimize and saturate single NICs
  • Server Load
  • Network Throughput
  • The number of VM’s that are currently being migrated with vMotion

As you can see, there’s a number of things that play in to this. If you have a single 10Gig link for vMotion and you’re migrating many VMs with a vGPU, it’s obviously going to take longer than if you were just migrating a single VM with a vGPU.

Optimizing and Minimizing vGPU STUN Time

There’s a number of things we can look at to minimize the vGPU STUN times. This includes:

  • Upgrading networking throughput with faster NICs
  • Optimizing vMotion (Configure multiple vMotion VMK adapters to saturate a NIC)
  • Configure Multi-NIC vMotion (Utilize multiple physical NICs to increase vMotion throughput)
  • Reduce DRS aggressiveness
  • Migrate fewer VMs at the same time

All of the above can be implemented together, which I would actually recommend.

In short, the faster we migrate the VM, the less the STUN Time will be. Check out my blog post on Optimizing VMware vMotion which includes how to perform the above recommendations.

Hope this helps!

Understanding Microsoft Azure AD SSO with VDI

 Azure, Azure AD, VDI, Virtualization, VMware Horizon View  1 Response »
Mar 062022
 
Azure AD SSO with Horizon

Whether deploying VDI for the first time or troubleshooting existing Azure AD SSO issues for an existing environment, special consideration must be made for Microsoft Azure AD SSO and VDI.

When you implement and use Microsoft 365 and Office 365 in a VDI environment, you should have your environment configured to handle Azure AD SSO for a seamless user experience, and to avoid numerous login prompts when accessing these services.

Microsoft Azure Active Directory has two different methods for handling SSO (Single Sign On), these include SSO via a Primary Refresh Token (PRT) and Azure Seamless SSO. In this post, I’ll explain the differences, and when to use which one.

Microsoft Azure AD SSO and VDI

What does Azure AD SSO do?

Azure AD SSO allows your domain joined Windows workstations (and Windows Servers) to have a Single Sign On experience so that users can have an single sign-on integrated experience when accessing Microsoft 365 and/or Office 365.

When Azure AD SSO is enabled and functioning, your users will not be prompted nor have to log on to Microsoft 365 or Office 365 applications or services (including web services) as all this will be handled transparently in the background with Azure AD SSO.

For VDI environments, especially non-persistent VDI (VMware Instant Clones), this is an important function so that users are not prompted to login every time they launch an Office 365 application.

Persistent VDI is not complex and doesn’t have any special considerations for Azure AD SSO, as it will function the same way as traditional workstations, however non-persistent VDI requires special planning.

Please Note: Organizations often associate the Office 365 login prompts to activation issues when in fact activation is functioning fine, however Azure AD SSO is either not enabled, incorrect configured, or not functioning which is why the users are being prompted for login credentials every time they establish a new session with non-persistent VDI. After reading this guide, it should allow you to resolve the issue of Office 365 login prompts on VDI non-persistent and Instant Clone VMs.

Azure AD SSO methods

There are two different ways to perform Azure AD SSO in an environment that is not using ADFS. These are:

  • Azure AD SSO via Primary Refresh Token
  • Azure AD Seamless SSO

Both accomplish the same task, but were created at different times, have different purposes, and are used for different scenarios. We’ll explore this below so that you can understand how each works.

Screenshot of a Hybrid Azure AD Joined login
Hybrid Azure AD Joined Login

Fun fact: You can have both Azure AD SSO via PRT and Azure AD Seamless SSO configured at the same time to service your Active Directory domain, devices, and users.

Azure SSO via Primary Refresh Token

When using Azure SSO via Primary Refresh Token, SSO requests are performed by Windows Workstations (or Windows Servers), that are Hybrid Azure AD Joined. When a device is Hybrid Azure AD Joined, it is joined both to your on-premise Active Directory domain, as well registered to your Azure Active Directory.

Azure SSO via Primary Refresh token requires the Windows instance to be running Windows 10 (or later), and/or Windows Server 2016 (or later), as well the Windows instance has to be Azure Hybrid AD joined. If you meet these requirements, SSO with PRT will be performed transparently in the background.

If you require your non-persistent VDI VMs to be Hybrid Azure AD joined and require Azure AD SSO with PRT, special considerations and steps are required:

This includes:

  • Scripts to automatically unjoin non-persistent (Instant Clone) VDI VMs from Azure AD on logoff.
  • Scripts to cleanup old entries on Azure AD

If you properly deploy this, it should function. If you don’t require your non-persistent VDI VMs to be Hybrid Azure AD joined, then Azure AD Seamless SSO may be better for your environment.

Azure AD Seamless SSO

Microsoft Azure AD Seamless SSO after configured and implemented, handles Azure AD SSO requests without the requirement of the device being Hybrid Azure AD joined.

Seamless SSO works on Windows instances instances running Windows 7 (or later, including Windows 10 and Windows 11), and does NOT require the the device to be Hybrid joined.

Seamless SSO allows your Windows instances to access Azure related services (such as Microsoft 365 and Office 365) and provides a single sign-on experience.

This may be the easier method to use when deploying non-persistent VDI (VMware Instant Clones), if you want to implement SSO with Azure, but do not have the requirement of Hybrid AD joining your devices.

Additionally, by using Seamless SSO, you do not need to implement the require log-off and maintenance scripts mentioned in the above section (for Azure AD SSO via PRT).

To use Azure AD Seamless SSO with non-persistent VDI, you must configure and implement Seamless SSO, as well as perform one of the following to make sure your devices do not attempt to Hybrid AD join:

  • Exclude the non-persistent VDI computer OU containers from Azure AD Connect synchronization to Azure AD
  • Implement a registry key on your non-persistent (Instant Clone) golden image, to disable Hybrid Azure AD joining.

To disable Hybrid Azure AD join on Windows, create the registry key on your Windows image below:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: "BlockAADWorkplaceJoin"=dword:00000001

Conclusion

Different methods can be used to implement SSO with Active Directory and Azure AD as stated above. Use the method that will be the easiest to maintain and provide support for the applications and services you need to access. And remember, you can also implement and use both methods in your environment!

After configuring Azure AD SSO, you’ll still be required to implement the relevant GPOs to configure Microsoft 365 and Office 365 behavior in your environment.

Additional Resources

Please see below for additional information and resources:

The Tech Journal – Vlog Episode 04

 VDI, Video Posts, Vlog, VMware, VMware Horizon View, VMware Unified Access Gateway, YouTube  No Responses »
Jan 162022
 

Welcome to Episode 04 of The Tech Journal Vlog at www.StephenWagner.com

The Tech Journal Vlog Episode 04

In this episode

Updates

  • VMware Horizon
    • Apache Log4j Mitigation with VMware Products
  • Homelab Update
    • HPE MSA 2040 vs Synology DS1621+
    • Migrating from MSA 2040 to a Synology DS1621+
    • Synology Benchmarking NVME Cache
  • DST Root CA X3 Expiration
    • End of Life Operating Systems

New Blog/Video Posts

Life Update/Fun Stuff

  • Work
  • Travel
  • Move

Current Projects

  • Synology DS1621+

Don’t forget to like and subscribe!
Leave a comment, feedback, or suggestions!

DUO MFA Radius Issues with VMware Horizon 8 Version 2111 UAG (Unified Access Gateway)

 Duo MFA, VMware Horizon View  8 Responses »
Dec 022021
 

In a VMware Horizon environment with DUO MFA configured via RADIUS on the VMware Horizon Connection Server, you may notice authentication issues when logging in through a UAG (Unified Access Gateway) after upgrading to VMware Horizon 8 Version 2111.

During this condition, you can still login and use the connection server directly with MFA working, however all UAG connections will get stuck on authenticating.

Horzion 8 Version 2111 UAG Stuck on Authenticating using DUO MFA (RADIUS)

Disabling MFA and/or RADIUS on the connection server will allow the UAG to function, however MFA will be disabled. This occurs on upgrades to version 2111 of the UAG both when configuring fresh, and importing the JSON configuration backup.

Temporary Fix

Update January 26 2022: VMware has now released version 2111.2 of the Unified Access Gateway which resolves this issue. You can download it here, or view the release notes here.

Update January 12 2022: It appears VMware now has a KB on this issue at: https://kb.vmware.com/s/article/87253.

Temporary workaround/fix: To fix this issue, log on to the UAG and under “Horizon Edge Settings”, configure “Client Encryption Mode” to “Disabled”.

“Client Encryption Mode” is a new setting on UAG 2111 (and UAG 2111.1) that enables new functionality. Disabling this reverts the UAG to the previous behavior of older Unified Access Gateway versions.

More information on “Client Encryption Mode” can be found at https://docs.vmware.com/en/Unified-Access-Gateway/2111/uag-deploy-config/GUID-1B8665A2-485E-4471-954E-56DB9BA540E9.html.

Another workaround is to deploy an older version of the UAG, version 2106. After downgrading, the UAG functions with DUO and RADIUS even though the Connection Server is at version 2111.

If you use an older version of the UAG, please make sure that you mitigate against the Apache log4j vulnerabilities on the UAG using information from the following post: https://kb.vmware.com/s/article/87092.

vCSA Update – Backup and Restore Tips and Tricks

 Backup, vCenter vCSA, Video Posts, VMware  1 Response »
Oct 102021
 
VMware vSphere 7 Logo

In this post, I wanted to go over some Backup and Restore tips and tricks when it comes to VMware vCSA Updates and Upgrades.

We’ve almost all been there, performing an update or upgrade of the VMware vCenter Server Appliance when it fails, and we must restore from a backup. There’s also times where the update or upgrade has been successful, however numerous issues occur afterwards prompting for the requirement of a restore from backup.

In this post, I wanted to briefly go over the methods of backups (and restores) for the vCSA, as well as some Tips and Tricks which might help you out for avoiding failed updates or upgrades in the future!

We all want to avoid a failed update or upgrade! 🙂

vCSA Update Installation
vCSA Update Installation

VMware vCSA Update Tips and Tricks for Backup and Restore

Please enjoy this video version of the blog post:

vCSA Update and Upgrade – Tips and Tricks for Backup and Restore

vCSA Backup methods

There are essentially two backup methods for backing up the vCenter Server Appliance:

  1. vCSA Management Interface Backup
  2. vSphere/ESXi Virtual Machine Snapshot

vCSA Management Interface Backup

If you log in to the vCSA Management Interface, you can configure a scheduled backup that will perform a full backup of your vCSA (and vCenter Server) instance.

This backup can be automatically ran and saved to an HTTP, HTTPS, FTP, FTPS, SFTP, NFS, or SMB destination. It’s a no-brainer if you have a Windows File Server or an NFS datastore.

vCSA Backup Screenshot
vCSA Backup

In the event of a failed update/upgrade or a disaster, this backup can be restored to a new vCSA instance to recover from the failure.

For more information on backups from the vCSA Management Interface, please see https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.install.doc/GUID-8C9D5260-291C-44EB-A79C-BFFF506F2216.html.

For information on restoring a vCSA file based backup, please see https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.install.doc/GUID-F02AF073-7CFD-45B2-ACC8-DE3B6ED28022.html.

vSphere/ESXi Virtual Machine Snapshot

In addition to the scheduled automatic backups configured above, you should snapshot your vCSA appliance VM prior to initiating an update or upgrade. In the event of a failure, you can easily restore the vCSA VM snapshot to get back to a running state.

vCSA Snapshot Screenshot
vCSA Snapshot

Only after you test and confirm the upgrade or update was successful should you delete the snapshot.

You should also have your Backup application or suite performing regularly snapshot based backups of your vCSA.

Additional Tips and Tricks

I have a few very important tips and tricks to share which may help you either avoid a failed update or upgrade, or increase the chances of a successful restore from backup.

  1. Gracefully Shutdown and Restart the vCSA Appliance before Upgrading
  2. Application Consistent Snapshot – Snapshot after graceful shutdown

Let’s dive in to these below.

Gracefully Shutdown and Restart the vCSA Appliance before Upgrading

I noticed that I significantly reduced the amount of failed upgrades by simply gracefully shutting down and restarting the vCenter Server Appliance prior to an upgrade.

This allows you to clear out the memory, virtual memory, and restart all vCenter services prior to starting the upgrade.

Please Note: Make sure that you give the vCSA appliance enough time to boot, start services, and let some of the maintenance tasks run before initiating an upgrade.

Application Consistent Snapshot – Snapshot after graceful shutdown

Most VMware System Administrators I have talked to, usually snapshot the running vCSA appliance and do not snapshot the memory. This creates a crash consistent snapshot.

If you follow my advice above and gracefully shutdown and restart the vCSA appliance, you can use this time to perform a VM snapshot after a graceful shutdown. This will provide you with an application consistent snapshot instead of a crash consistent snapshot.

If you perform an application consistent snapshot by gracefully shutting down the VM prior to creating the snapshot, the virtual machine and database inside of it will be in a cleaner state.

Conclusion

Some of the Tips and Tricks in this post definitely aren’t necessary, however they can help you increase the chance of a successful upgrade, and a successful restore in the event of a failed upgrade.

For more information on upgrading the vCenter Server Appliance, please visit https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.upgrade.doc/GUID-30485437-B107-42EC-A0A8-A03334CFC825.html.

The Tech Journal – Vlog Episode 03.1 – VMware Horizon 8 Version 2106 (Live Stream)

 VDI, Video Posts, Vlog, VMware, VMware Horizon View, YouTube  No Responses »
Sep 202021
 

Welcome to Episode 03.1 of The Tech Journal Vlog (Special Episode on VMware Horizon 8 Version 2106)

In this episode – VMware Horizon 8 Version 2106

This is a special episode dedicated to the release of VMware Horizon View 8, version 2106.

What’s new

In the video, I cover what’s new in the 2106 release.

My Favorite Changes & Enhancements:

  • Audio recording support for 48Khz Audio via RTAV, defaults to 16Khz
    • Persistence on Audio quality recording settings across sessions
    • Sample Rate can be configured via GPO
  • VMware Horizon Linux Client supports Microsoft Teams Optimization
    • Linux Based Zero Clients should add functionality shortly (10ZiG already has!)
  • Raspberry Pi 4 Support!!!!
    • Also supports RTAV

Other interesting changes and enhancements:

  • UI Change on VMware Horizon Client
  • Instant Clones now support SysPrep: Instant Clones with Parent
    • No duplicate SIDs when using SysPrep
  • Ability to use 6 x 4K Displays
  • No Longer have to re-install VMware Horizon Agent after VMware Tools Upgrade
  • Forgot to mention: Support added for USB Redirection with Xbox Gaming Controllers

Additional Items:

  • VMware OSOT Optimization tool Versioning now matches Horizon
    • Removal of Custom Templates
  • VMware VDI Base Image Creation Guide has been updated
    • New guide on automating the VMware VDI Base Image Creation added

Links Mentioned in this post:

Don’t forget to like and subscribe!

Leave a comment, feedback, or suggestions!

The Tech Journal – Vlog Episode 03 (Live Stream)

 10ZiG, Homelab, Storage, VDI, Video Posts, Vlog, VMware, VMware Horizon View, YouTube  No Responses »
Sep 182021
 

Welcome to Episode 03 of The Tech Journal Vlog at StephenWagner.com

In this episode

Fun Stuff

  • Homelab Video Demo (https://youtu.be/oaZv2hpQKac)
  • Telus Fiber 1G Internet (for Business)
    • Sophos UTM Dual WAN Balancing
  • Synology
    • Synology Diskstation DS1621+
    • DSM 7.0
    • Synology C2 Cloud Backup

Work Update

  • VDI Consulting
    • VDI Golden Images for Non-Persistent VDI
  • DUO MFA/2FA
    • Implementations of DUO with Horizon
  • Exchange Projects
  • IT Director as a Service 🙂

Life Update

  • Back at the Gym
  • Travel is Back (Regina, Vancouver)

New Blog Posts

Current Projects

  • Synology DS1621+
  • AMD S7150 x2 MxGPU
  • NVME Storage Server Project
  • 10ZiG Thin Clients

Don’t forget to like and subscribe!
Leave a comment, feedback, or suggestions!

Deploy, Install, and Configure Microsoft Office 365 in a VDI Environment

 Microsoft 365, Office 365, VDI, VMware Horizon View  43 Responses »
Aug 062021
 
Office 365 Logo

When you deploy and install Microsoft Office 365 to a VDI environment, especially with non-persistent VDI (such as VMware Horizon Instant clones), special considerations must be followed.

In this guide I will teach you how to deploy Office 365 in a VDI environment, both with persistent and non-persistent (Instant Clones) VDI Virtual Machines. This guide was built using VMware Horizon, however applies to all VDI deployments including Citrix XenServer and WVD (Windows Virtual Desktops).

By the time you’re done reading this guide, you’ll be able to fully deploy Office 365 to your VDI environment.

I highly recommend reading Microsoft’s Overview of shared computer activation for Microsoft 365 apps.

Guide Index

What’s required

To deploy Office 365 in a VDI Environment, you’ll need:

  • VMware Horizon deployment (or equivalent other product)
  • Microsoft Office 365 ProPlus licensing (See below for specifics on licensing)
  • Microsoft Azure SSO (via PRT or Seamless SSO) for Microsoft 365 and Office 365 Single sign-on
  • Microsoft Office Deployment Tool (Available here)
  • Microsoft Office Customization Tool (Available here)
  • Microsoft Office 365 GPO ADMX Templates (Available here)
  • Roaming Profiles or Profile Management software (like FSLogix)

Licensing

In order to properly use Shared Computer Activation with Office 365 in your VDI environment you’ll need one of the following products:

  • Microsoft 365 Apps for Enterprise (formerly known as Office 365 ProPlus)
  • Office 365 E3
  • Office 365 E5
  • Microsoft 365 Business Premium

All 4 of these products include and support “Shared Computer Activation“.

Microsoft 365 Standard, Office 365 Business, Office 365 Business Premium, and Office 365 Business Essentials cannot be used as they do not include or support Shared Computer Activation.

An exception is made for Microsoft 365 Business Premium which actually includes Microsoft 365 Apps for Business, but doesn’t support enabling “Shared Computer Activation” via Group Policy Object and SCA must be enabled using the XML configuration file method.

What is Shared Computer Activation (SCA)

Shared computer activation is an optional activation method built inside of Office 365 and Microsoft 365, designed to control and manage activations on shared computers. Originally this technology was used for Office 365 on RDS (Remote Desktop Servers) to handle multiple users since Office 365 is activated and licensed per user.

Later, this technology was modified to handle Office 365 activations in non-persistent VDI environments. When utilizing SCA (Shared Computer Activation), when a user runs and activates Office 365, an activation token is generated and saved. These activation tokens are saved to a network location that the users has access to which allows the user to roam.

Due to the nature of non-persistent VDI, a user will always be logging in to a system they have never logged in to before. When Office 365 is deployed properly, it will call out to and look for the roaming activation token to automatically activate Office 365 without calling out to Microsoft’s servers.

This is also handy with persistent VDI, where you can have a roaming activation token be used on multiple desktop pools as it follows the users.

These activation tokens once generated are valid for 30 days and remove the need to activate Office during that timeframe. As expiration nears, Office will automatically reach out to Microsoft’s servers and attempt to renew the licensing activation token.

You’ll want to make sure that you have implemented Azure AD Connect and SSO (Single Sign-On) properly along with the correct GPOs (covered later in this post) for auto-activation to function without prompting users to sign-in to activate. For more information, check out my post on Understanding Microsoft Azure AD SSO with VDI.

If you have not using SCA, you’ll need to follow additional special steps to have roaming profiles include the licensing directory, however I do not recommend using that method. The licensing information (and activation) without SCA is stored in the following directory:

%localappdata%\Microsoft\Office\16.0\Licensing

You can configure Shared Computer Activation and the location of the roaming activation token using Group Policy, the local registry, or the configuration.xml file for the Office Deployment Tool.

Shared Computer Activation is ONLY required for non-persistent VDI. If you are using persistent VDI where users are assigned a desktop they are frequently using, shared computer activation is not necessary and does not need to be used.

Even though Shared Computer Activation is not required for persistent desktops, I might still recommend using it if you have users using multiple desktop pools, or you’re regularly changing your persistent desktop golden image and refreshing the environment.

Later in the document, we’ll cover configuring Share Computer Activation.

Deploying and Installing Office 365 to the VDI Environment

The steps to deploy and install Office 365 to VDI vary depending if you’re using persistent or non-persistent VDI. In both types of deployments you’ll want to make sure that you use the Office Deployment Tool which uses an XML file for configuration to deploy the application suite.

You can either modify and edit the Office 365 configuration.xml file manually or you can use the “Office Customization Tool” available at: https://config.office.com/

Office Deployment Tool and Office Customization Tool

Using the Office Deployment Tool and the Office Customization Tool, you can customize your Office 365 installation to your specific needs and requirements.

Using the tool, you can create a configuration.xml and control settings like the following:

  • Architecture (32-bit or 64-bit)
  • Products to install (Office Suites, Visio, Project, and additional products)
  • Products to exclude
  • Update Channel
  • Language Settings and Language Packs
  • Installation Options (Installation Source and configurable items)
  • Upgrade Options
  • Licensing and Activation (EULA acceptance, KMS/MAK, User based vs Shared Computer Activation vs Device Activation)
  • Application Preferences

Once you have a configuration.xml file from the Office Customization Tool, you can use the Office Deployment Tool to deploy and install Office 365 using those customizations and configuration.

The configurations you use will vary depending on your VDI deployment type which I will get in to below.

Installing Office 365 with Persistent VDI

To deploy Office 365 with persistent VDI, Shared Computer Activation is not required.

You will however, want to use the Office Deployment Tool to prepare the base image for automated pools, or manually install Office 365 in to the VDI Virtual Machine.

See below for the instructions on Installing Office 365 on Persistent VDI:

  1. First you’ll need to download the Office Deployment Tool from this link: https://go.microsoft.com/fwlink/p/?LinkID=626065. You save this wherever.
  2. Create a directory that you can work in and store the Office 365 installation files.
  3. Open the file you downloaded from the Microsoft Download site, extract the files in to the working directory you created in step 2.
  4. Open a Command Prompt, and change in to that working directory.
  5. You can either use the included XML files as is (for default settings), modify them manually, or use the Office ustomization Tool.
  6. If you want to use SCA (Shared Computer Activation) make sure the following lines are added to the file right above the final line (right above):
    <Display Level="None" AcceptEULA="True" />
    <Property Name="SharedComputerLicensing" Value="1" />
    These variables enable Shared Computer Activation and disable automatic activation. Save the XML file.
  7. We’re now going to run the tool and download the Office installation files using the xml from above by running the following command (if you modified the XML file and/or changed the filename, use the filename you saved it as):
    setup.exe /download configuration.xml
  8. There will be no output and it will take a while so be patient.
  9. We can now install Office 365 using your XML configuration by running the following command (if you modified the XML file and/or changed the filename, use the filename you saved it as):
    setup.exe /configure configuration.xml

Office 365 should now install silently, and then afterwards you should be good to go!

If you did not use SCA, the product will need to be activated manually or automatically via GPO.

If you did use SCA, you’ll want to use the GPOs to configure first-run activation, as well as the location of the roaming activation tokens.

In both scenarios above, after installation is successful you’ll want to configure Office 365 for VDI.

Please note: With persistent VDI, you’ll want to make sure that you leave the Office 365 updating mechanism enabled as these VMs will not be destroyed on logoff. The behavior will match that of a typical workstation as far as software updates are concerned.

Even if you are using persistent VDI, I highly recommend you read the notes below on installing Office 365 on non-persistent VDI as you may want to incorporate that configuration in to your deployment.

Installing Office 365 with Non-Persistent (Instant Clones) VDI

To deploy Office 365 with non-persistent VDI, things are a little different than with persistent. Shared Computer Activation is recommended and required if you’re not using profile capture software like FSLogix. You can however still use SCA with FSLogix.

We’ll use the Office Deployment Tool to prepare the base image. Using the tool, we’ll want to make sure we exclude the following applications from the XML file:

  • Microsoft Teams
  • OneDrive

Using the Office 365 installer for the above products will cause issues as the software gets installed in the user profile instead of the operating system itself.

These applications have their own separate special “All User” installation MSI files that we need to use to install to the base image.

We’ll use the Office Customization Tool (OCT) at https://config.office.com/ to create a configuration XML file for our Non-Persistent Office 365 deployment.

Below is an example of the XML file generated from the Office Customization Tool for Instant Clones (Non-Persistent VDI) Virtual Machines:

<Configuration ID="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX">
  <Add OfficeClientEdition="64" Channel="Current">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Groove" />
      <ExcludeApp ID="Lync" />
      <ExcludeApp ID="OneDrive" />
      <ExcludeApp ID="Publisher" />
      <ExcludeApp ID="Teams" />
      <ExcludeApp ID="Bing" />
    </Product>
  </Add>
  <Property Name="SharedComputerLicensing" Value="1" />
  <Property Name="SCLCacheOverride" Value="0" />
  <Property Name="AUTOACTIVATE" Value="0" />
  <Property Name="FORCEAPPSHUTDOWN" Value="FALSE" />
  <Property Name="DeviceBasedLicensing" Value="0" />
  <Updates Enabled="FALSE" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>

You’ll notice I chose not to include Groove, Lync, Publisher, and Bing Search. This is because these are not used in my environment. I’d recommend excluding applications you don’t require in your base image.

You’ll also notice that I chose to disable Office 365 updates as these get managed and handled inside of the base image and we don’t want the instant clones attempting to update Office as the VMs are deleted on logoff. We also choose to accept the EULA for users so they are not prompted.

After we have our configuration XML file, we’ll proceed to installing Office 365 on the non-persistent base image:

  1. Create a directory that you can work in and store the Office 365 installation files.
  2. Open the file you downloaded from the Office Deployment Tool on the Microsoft Download site, extract the files in to the working directory you created in step 2.
  3. Copy the XML file created above from the Office Customization Tool in to this directory.
  4. Open a Command Prompt, and change in to that working directory.
  5. Confirm that SCA (Shared Computer Activation) is enabled by viewing the XML configuration file. You should see the following text:
    <Display Level="None" AcceptEULA="True" />
    <Property Name="SharedComputerLicensing" Value="1" />
  6. We’re now going to run the tool and download the Office installation files using the xml from above by running the following command:
    setup.exe /download non-persistentVDI.xml
  7. There will be no output and it will take a while so be patient.
  8. We can now install Office 365 using your XML configuration by running the following command:
    setup.exe /configure non-persistentVDI.xml

Office 365 should now install silently.

For the skipped applications (Teams, OneDrive) we’ll install these applications separately. Go ahead and download the MSI installers from below and follow the instructions below:

Installers:

Installing Microsoft Teams on VDI

I have created a guide that covers how to install Microsoft Teams in a VDI environment and how to enable Microsoft Teams Optimization.

To Install Microsoft Teams on non-persistent VDI using the MSI file above, run the following command on the base image:

msiexec /i C:\Location\Teams_windows_x64.msi ALLUSER=1 ALLUSERS=1

Installing OneDrive on VDI

Microsoft has a guide on how to install the OneDrive Sync app per machine (for use with non-persistent VDI).

To install Microsoft OneDrive on non-persistent VDI using the EXE file above, run the following command on the base image:

OneDriveSetup.exe /allusers

Updating Office 365 in a VDI Environment

In persistent VDI environments, the auto-update mechanism will be enabled and activated (unless you chose to disable it), and Office will update as it does with normal windows instances. You can modify and/or control this behavior using the Microsoft Office ADMX Templates and Group Policy.

In non-persistent VDI environments the updating mechanism will be disabled (as per the XML configuration example above). To update the base image you’ll need to run the “setup.exe” again with the “download” and “configure” switch, so make sure you keep your configuration XML file.

Here is an example of the Office 365 Update process on a non-persistent VDI base image. We run the following commands on the base image to update Office 365:

  1. setup.exe /download non-persistentVDI.xml
  2. setup.exe /configure non-persistentVDI.xml

The commands above will download and install the most up to date version of Office 365 using the channel specified in the XML file. You then deploy the updated base image.

Configuring Microsoft Office 365 for the VDI Environment

Once Office 365 is installed in the base image (or VM), we can begin configuring Office 365 for the VDI environment.

To configure and centrally manage your O365 deployment, we’ll want to use GPOs (Group Policy Objects). This will allow us to configure everything including “first run configuration” and roll out a standardized configuration to users using both persistent and non-persistent VDI.

In order to modify GPOs, you’ll need to either launch the Group Policy Management MMC from a domain controller, or Install RSAT (Remote Server Administration Tools) on Windows 10 to use the MMC from your local computer or workstation.

You’ll probably want to create an OU (Organizational Unit) if you haven’t already for your VDI VMs (separate for persistent and non-persistent VDI) inside of Active Directory, and then create a new Group Policy Object and apply it to that OU. In that new GPO, we’ll be configuring the following:

We’ll be configuring the following “Computer Configuration” items:

  1. Microsoft Office – Licensing Configuration
  2. Microsoft Office – Update Configuration
  3. Microsoft OneDrive – Known Folders, Use OneDrive Files On-Demand
  4. Windows – Group Policy Loopback Processing Mode

We’ll also be configuring the following “User Configuration” items:

  1. Microsoft Office – First Run Configuration
  2. Microsoft Office – Block Personal Microsoft Account Sign-in
  3. Microsoft Office – Subscription/Licensing Activation
  4. Microsoft Outlook – Disable E-Mail Account Configuration
  5. Microsoft Outlook – Exchange account profile configuration
  6. Microsoft Outlook – Disable Cached Exchange Mode

Below we’ll cover the configuration

We’ll start with the Computer Configuration Items.

Microsoft Office – Licensing Configuration

If you’re using SCA (Shared Computer Activation) for licensing, we need to specify where to store the users activation tokens. You may have configured a special location for these, or may just store them with your user profiles.

First we need to enable Shared Computer Activation. Navigate to:

Computer Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Licensing Settings

And set “Use shared computer activation” to Enabled.

If you’re using FSLogix and redirecting the profile to a VHD file, you don’t need to perform the steps below. If you’re not using FSLogix and are not using a profile redirection mechanism, we’ll need to set “Specify the location to save the licensing token used by shared computer activation”. We’ll set this to the location where you’d like to store the roaming activation tokens. As an example, to store to the roaming User Profile share, I’d set it to the following:

\\PROFILE-SERVER\UserProfiles$\%USERNAME%

Microsoft Office – Update Configuration

If you’re usBecause this is a VDI environment, we want automatic updating disabled since IT will manage the updates.

We’ll want to disable updated by navigating to:

Computer Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Updates

And set “Enable Automatic Updates” to Disabled.

We’ll also set “Hide option to enable or disable updates” to Enabled to hide it from the users.

Microsoft OneDrive – Known Folders, Use OneDrive Files On-Demand

There’s some basic configuration for OneDrive that we’ll want to configure as we don’t want our users profile folders being copied or redirected to OneDrive. We also want OneDrive to be used with Files On-Demand so that users OneDrive contents aren’t cached/copied to the VDI user profiles.

This configuration is ONLY if you are using OneDrive and/or have it installed.

We’ll navigate over to:

Computer Configuration -> Policies -> Administrative Templates -> OneDrive

And set the following GPO objects:

  • “Prevent users from moving their Windows known folders to OneDrive” to Enabled
  • “Prevent users from redirecting their Windows known folders to their PC” to Enabled
  • “Prompt users to move Windows known folders to OneDrive” to Disabled
  • “Silently move Windows known folders to OneDrive” to “Disabled”
  • “Silently sign in users to the OneDrive sync app with their Windows credentials” to “Enabled”
  • “Use OneDrive Files On-Demand” to Enabled

We’ve new configured OneDrive for VDI Users.

Windows – Group Policy Loopback Processing Mode

Since we’ll be applying the above “Computer Configuration” GPO settings to users when they log on to the non-persistent Instant Clone VDI VMs, we’ll need to activate Loopback Processing of Group Policy (click the link for more information). This will allow use to have the “Computer Configuration” applied during User Logon and have higher precedence over their existing User Settings.

We’ll navigate to the following:

Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy

And set “Configure user Group Policy loopback processing mode” to Enabled, and “Mode” to Merge.

We’ve fully configured the Computer Configuration in the GPO. We will now configure the User Configuration items.

Microsoft Office – First Run Configuration

As most of you know, when running Microsoft Office 365 for the first time, there are numerous windows, movies, and wizards for the first time run. We want to disable all of this so it appears that Office is pre-configured to the user, this will allow them to just log on and start working.

We’ll head over to:

User Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 -> First Run

And set the following items:

  • “Disable First Run Movie” to Enabled
  • “Disable Office First Run on application boot” to Enabled

Microsoft Office – Block Personal Microsoft Account Sign-in

Since we’re paying for and want the user to use their Microsoft 365 account and not their personal M365/O365 accounts, we’ll stop them from being able to add personal Microsoft Accounts to Office 365.

Head over to:

User Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 -> Miscellaneous

And set “Block signing into Office” to Enabled, and then set the additional option to “Organization ID only”

Microsoft Office – Subscription/Licensing Activation

We don’t want the activation window being shown to the user, nor the requirement for it to be configured, so we’ll configure Office 365 to automatically activate using SSO (Single Sign On).

Navigate to:

User Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 -> Subscription Activation

And then set “Automatically activate Office with federated organization credentials” to Enabled.

This will automatically activate Office 365 for the VDI user.

Microsoft Outlook – Disable E-Mail Account Configuration

We’ll be configuring the e-mail profiles for the users so that no initial configuration will be needed. Again, just another step to let them log in and get to work right away.

Inside of:

User Configuration -> Policies -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> E-mail

And we’ll set the following:

  • “Prevent Office 365 E-mail accounts from being configured within a simplified Interface” to Disabled
  • “Prevent Outlook from interacting with the account settings detection service” to Enabled

Microsoft Outlook – Exchange account profile configuration

When using Exchange, we’ll want your users Outlook Profile to be auto-configured for their Exchange account so we’ll need to configure the following setting.

Navigate to:

User Configuration -> Policies -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Exchange

And set “Automatically configure profile based on Active Directory Primary SMTP address” to Enabled.

After setting this, it will automatically add the Exchange Account when they open Outlook and they’ll be ready to go! Note, that there is an additional setting with a similar name appended with “One time Only”. Using the One time Only will not try to apply the configuration on all subsequent Outlook runs.

Microsoft Outlook – Disable Cached Exchange Mode

If you’re using persistent VDI, hosted exchange, or FSLogix, you won’t want to configure this item.

When using on-premise Exchange with VDI, we don’t want users cached Outlook mailboxes (OST files) stored on the roaming profile, or the Instant Clone. We can stop this by disabling Exchange caching.

Navigate to:

User Configuration -> Policies -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Exchange -> Cached Exchange Mode

And we’ll set the two following settings:

  • “Cached Exchange Mode (File | Cached Exchange Mode)” to Disabled
  • “Use Cached Exchange Mode for new and existing Outlook profiles” to Disabled

This will configure Exchange to run in “Online Mode”.

Microsoft Office Common Identity Registry – For Roaming Profiles

If you’re using Roaming profiles and folder redirection with non-persistent VDI and instant clones, the user may be prompted repeatedly on new logins to log in to their Office 365 account (with a login prompt) even though SCA is configured and working.

When troubleshooting this, one may think that the issue is related to SCA, when it is actually not. This prompt is occurring because of authentication issues with Office 365.

To correct this issue, we’ll need to add a registry configuration to the GPO that will delete a key on login.

User Configuration -> Preferences -> Windows Settings -> Registry

We’ll create a new registry GPO item, that will “delete” the key path below inside of “HKEY_CURRENT_USER”:

SOFTWARE\Microsoft\Office\16.0\Common\Identity

This will delete the Identity key on login, and allow Office 365 to function. This may not be needed if using FSLogix or other profile management suites.

Deploying the Base Image

At this point you can push and deploy the base image and have users log in to the VDI environment and Office 365 should be fully functioning.

Please keep in mind there are different methods for deploying and configuring Office 365 depending on what application delivery and profile management software you may be using. This is just a guide to get you started!

Microsoft Teams Optimization for VMware Horizon Linux Client

 VDI, VMware, VMware Horizon View, Zero Clients/Thin Clients  1 Response »
Jul 162021
 

Well, it’s official, according to the release notes for VMware Horizon 2106, VMware now supports Media Optimization for Microsoft Teams on the VMware Horizon Linux Client.

This is great news for zero clients, as most VDI Zero Clients are based of embedded Linux. As soon as major vendors update their firmware to the latest VMware Horizon Client, we should start seeing Microsoft Teams Optimization on VDI Zero Clients.

To support this, you’ll need to have the proper configuration implemented. Make sure you check out my guide on Microsoft Teams VDI Optimization for VMware Horizon.

For the full release notes, click here.

 Older Entries