Virtual Desktops

Provide secure and flexible desktops to your workforce incorporating the apps and services needed to get their jobs done.


Virtual Desktops provide a desktop computing experience from cloud-based infrastructure. These can support multiple sessions (many users using the same compute resource) or be dedicated to a specific user.

An Image management component can be used to create the desktop experience for specific user roles, bringing together standard applications and tools. The Virtual Desktop component is responsible for:

  • Delivery of a desktop experience to users.
  • A reliable and secure process for updating apps and desktops.
  • Persisting user settings and data between sessions.

[Diagram: Architecture for Windows Virtual Desktop in Microsoft Azure]

Key components

The general architecture of an Azure Windows Virtual Desktop solution is outlined in the diagram. The following narrative additions identify a range of decision points.

Bastion hosts (Optional)
Although not strictly part of the WVD solution, a typical hub infrastructure will include jumpboxes loaded with administrative tooling and accessed via the Azure Bastion service.
Windows Virtual Desktop Pools
Virtual Desktops can be dedicated to individuals (personal) or utilise shared virtual infrastructure in a pool. Application groups are used to publish apps to workspaces for users to consume. New pools can be brought online with updated applications.
FSLogix User Profiles
Host user profiles in a Premium Azure Storage account with a File Share accessed via a Private Endpoint, using AADDS (or an equivalent IaaS solution) for authentication. NetApp Files may also be used and may fit some scenarios with requirements for high availability.
Lighthouse Managed Services (Optional)
Safely grant third parties access to your infrastructure to provide management and maintenance services using Azure Lighthouse.
Image Management
Golden images can be built from templates using technologies like Packer in Pipelines, or as part of the Azure Image Builder service, and deployed to Shared Image Galleries.
Directory Services
Directory Services are currently a required component of the WVD stack, and can be provisioned through PaaS-based AADDS or a self-hosted IaaS VM (which may suit regional HA scenarios). Additionally, provisioning ADFS can address a known issue with multiple required logins.

Updates, patches, and release management

The recommended approach to delivering new updates into a Virtual Desktop environment is using blue-green deployment of new desktops as part of a strangler pattern. An example process involves:

  1. Creating a new base image containing OS updates, refreshed middleware, or application patches.
  2. Deploying the new image to a new pool with a limited set of users (perhaps a champions group or test team).
  3. For mature environments, running automated tests to verify app functionality.
  4. Publishing the new Virtual Desktop experience once verification is complete.
  5. Disabling new connections to the current/legacy Virtual Desktop experience.
  6. When all connections are drained, decommissioning the legacy Virtual Desktops or refreshing them with the next set of updates.
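
Steps 5 and 6 above, sketched in PowerShell as an added example that is not part of the original page or of Cloudmarque's own code. It assumes the Az.DesktopVirtualization module and an authenticated Az session; the resource group and host pool names are hypothetical placeholders.

```powershell
#Requires -Modules Az.DesktopVirtualization
# Added example: drain a legacy WVD host pool before decommissioning it.
param(
    [string]$ResourceGroupName = 'rg-wvd-example',     # hypothetical placeholder
    [string]$LegacyHostPool    = 'hp-legacy-example',  # hypothetical placeholder
    [int]$PollSeconds          = 300,
    [int]$TimeoutMinutes       = 480
)
$ErrorActionPreference = 'Stop'
$pool = @{ ResourceGroupName = $ResourceGroupName; HostPoolName = $LegacyHostPool }

# Step 5: put every legacy session host into drain mode (no new connections).
foreach ($h in @(Get-AzWvdSessionHost @pool)) {
    # Name is returned as "<hostpool>/<sessionhost>"; Update- wants the host part only.
    $hostName = $h.Name.Split('/')[-1]
    Update-AzWvdSessionHost @pool -Name $hostName -AllowNewSession:$false | Out-Null
}

# Re-read the pool and fail closed if any host still accepts new sessions,
# otherwise users could keep landing on the unpatched image.
$stillOpen = @(Get-AzWvdSessionHost @pool | Where-Object { $_.AllowNewSession })
if ($stillOpen.Count -gt 0) {
    throw "Drain mode not set on: $($stillOpen.Name -join ', ')"
}

# Step 6: wait until no user sessions remain. Disconnected sessions still count,
# because the user can reconnect to them and may have unsaved work.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $sessions = @(Get-AzWvdUserSession @pool)
    if ($sessions.Count -eq 0) {
        Write-Output "Pool '$LegacyHostPool' is drained; safe to decommission or re-image."
        return
    }
    Write-Output "$($sessions.Count) session(s) remaining; next check in $PollSeconds s."
    Start-Sleep -Seconds $PollSeconds
} while ((Get-Date) -lt $deadline)

throw "Timed out with $($sessions.Count) session(s) still connected; do not decommission yet."
```

The script stops short of deleting anything, so decommissioning or re-imaging remains a separate, deliberate step once it reports the pool as drained.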


Cloudmarque workload components use a service locator pattern to identify the services they provide and specify dependencies. This component provides and relies on the following services:

  • Capabilities

    • Virtual Desktop Services do not provide any capabilities which are leveraged by other cloud resources.
  • Dependencies

    • Logging - A logging service is required as a target for network alerts.
    • Networks - Provides connectivity for each desktop host.

The content on this page is published under Open Source licenses via GitHub. To submit issues or provide feedback please visit the repository.