Technical Implementation

This is the technical implementation guide for setting up a Schoolyear AVD implementation for a single Schoolyear environment. You would typically perform this implementation once in your Schoolyear beta environment and once in your Schoolyear production environment. This guide is part of the Project Plan and should be performed by the Service Team.

1. Working towards your first deployment

The first few steps of this guide build up to a technical test. At that point, you should be able to schedule an exam, enable Schoolyear AVD and log into the exam as a student.

1.1 Check prerequisites

Before diving into the rest of this guide, make sure you meet all prerequisites. Most organizations already working with Azure can easily meet the prerequisites. However, if you are unable to meet these prerequisites, we strongly advise against proceeding with the implementation as you will likely reach a dead end.

1.2 Change management approval

Most organizations have a change management procedure. To aid you in drafting a change request, there is an Infrastructure Changes page.

It is recommended to discuss a grace period with your change approval board in which you can experiment and test the changes you need to make. This period will allow your service team to get a better understanding of all the changes that need to be persisted.

1.3 Access to Azure subscription

Each Schoolyear AVD implementation should be done in a dedicated Azure Subscription. In this implementation, you need to deploy resources to this subscription and create IAM role assignments. To do this, you need permissions in the Azure Subscription.

Additionally, you may need extensive permissions on short notice during incident response, as you may need to delete or adjust resources.

If you are not granted the Owner role,make sure you have a process in which you can receive sufficient permissions on short notice in case of an incident.

1.4 AVD Admin role

The members of the service team require AVD Admin access to the Schoolyear tenant. This access is required both during implementation and general operation.

AVD Admin access can be granted by Schoolyear Support personnel and should already have been granted during the implementation project kick-off. Make sure all the Service Team members have AVD admin access to your Schoolyear tenant.

When your Schoolyear tenant is configured with Single Sign-On, these users must first log into Schoolyear once for their account to be created before the role can be granted.

1.5 Add-on installation

At the core of the Schoolyear AVD integration is the Azure Virtual Desktop add-on. Add-ons in Schoolyear allow you to enable and configure integrations.

In this step you will install the Azure Virtual Desktop add-on and with it, all the base infrastructure in Azure. This step requires elevated permissions in both Entra and the Azure Subscription dedicated to this integration.

Follow the Add-on Installation guide and complete the installation.

1.6 Azure Quota for technical test

Azure limits the amount of resources that can be deployed in each Subscription at any given time using Quotas. The user capacity of your Schoolyear AVD implementation is therefore limited by the quota Azure has granted you.

Luckily, you can request Azure to increase your quota. The process to increase your Azure quota may be automatic and take just a few minutes, or it might require some email exchanges with Azure support before approval, depending on the amount of requested quota.

To begin testing your implementation, you need to ensure you have at least a small amount of quota to work with. As the usage of your Schoolyear AVD implementation grows over time, the service team may need to request a quota increase.

For now, follow these steps to ensure you have at least capacity for 10 VMs:

1. Navigate to the Quotas page in the Azure Portal.

2. Select the Subscription you dedicated to this implementation

3. Select the Region you selected for deployments. You can find which region you selected by to the AVD add-on you installed in a previous step, a checking the region of the Base Resource Group shown in the Infrastructure tab.

4. Search for Standard DSv5 Family vCPUs (or a different CPU type if you are planning on using a different VM type).

5. Ensure you have at least 20 capacity for this item. If you do not have this already, request an adjustment by clicking the pencil icon.

Note

As you may have noticed, you needed to request a capacity of 20 for a user capacity of 10. By default, Schoolyear AVD uses 2 CPU cores per student. Azure counts its quotas per CPU. Therefore, you need capacity for 20 cores to host 10 students.

Side note: You may actually find that with a quota of 20 you are only able to schedule an exam with 3 students. Perhaps even less if you are planning multiple exams. This is because Schoolyear AVD overprovisions 2% VMs (at least 5 per exam) to keep room for failures. Additionally, each exam will have 2+ Trusted Proxies that consume quota as well. In practice, it is recommended to maintain 15% more quota than you would need for just the student’s VMs (students * 2.15).

After you requested your quota from Azure, you need to configure this number in the Schoolyear Secure Apps Console as well.

1. Navigate to the Quota page. (Schoolyear -> Profile -> Secure Apps Console -> Quota)

2. Click Add quota.

3. Subscription ID: Fill in the ID of the Subscription you dedicated to this implementation.

4. Resource ID: Fill in azurevms.

5. Value: Fill in the quota you have available from Azure. This is the number that was shown on the Quotas page in the Azure Portal. Tip: Subtract 10 cores to reserve some capacitity for testing in the Azure Portal and the Azure Image Builder.

6. Click Add.

1.7 Configure default app

For your first image, you should keep it simple and stick to building the default Office 365 image. You can customize and enhance the image according to your needs later, but first you need to verify that your implementation works correctly up to this point.

Images for Schoolyear AVD are built using the avdcli tool. Building images for Schoolyear AVD using other tools is possible but explicitly not supported.

1. Navigate to the AVD add-on you installed earlier (Schoolyear > profile > Secure Apps console -> Add-ons > Select your add-on).

2. Click Add Application. A new app appears, ready for you to configure.

3. Enter a name for the app (e.g. Office 365).

4. Click on Build a new image and follow the steps below to build the standard Office 365 image.

5. Once the build is completed, enter the name of the selected Image Definition in the Session Hosts section. You can leave the version number to latest.

6. Change the prefilled VM size if you are unable to use this VM size. In that case, make sure you requested quota for your custom VM size. In fact, you may need to change the Proxy VM size hidden under Advanced as well.

7. Under Quota, select the Quota you created earlier (azure.microsoft.com/[[subscription-id]]/azurevms), and configure 2*(n + max(5, int(ceil(n*0.02)))) + min(max(2, int(ceil(n / 10))), 10). This is the calculation used to determine how much quota each exam will reserve. This is a formula with parameter n, since the amount of quota each exam needs, depends on the number of students in the exam.

8. Click Save Changes.

Tip

It takes time to deploy the resources in Azure required for a Schoolyear AVD exam. Therefore, Schoolyear AVD automatically starts deploying a while before the start of an exam. This page explains the configurable settings for this in more detail.

Build the standard Office 365 image

The Image Building popup will show you the main steps involved in building images. For more information, there is an entire chapter on building images.

For now, you should build the standard Office 365 image to test your AVD implementation up to this point.

1. Install or update the avdcli tool as instructed in the popup.

2. Download, or ideally fork and clone, the avd-image-community repository from Github.

3. Run avdcli bundle layers -l ./layers/com.schoolyear.win10-office365.

4. In the Azure portal, find the image building storage account in the image building resource group. Use the Access Control (IAM) tab to add a role assignment, to assign yourself the role: Storage Blob Data Contributor.

5. Copy the avdcli bundle autobuild... command from the Image Building popup and execute it. This requires you to have the Azure CLI installed and be logged into it.

6. The autobuild command will prompt you to create an Image Definition in Azure. Click the link to create one. For more information on how to create an Image Definition, follow these steps. After creating the Image Definition, restart the command.

7. Wait for the command to finish and use the link in the last step of the popup to follow the progress of the build.

1.8 Technical test

Now it is time for your first technical test to make sure all you did up until now works as expected. This test cannot be done on a ChromeOS device yet because that hasn’t been set up yet. For this test, you must use a Windows or macOS device instead.

To schedule the exam to test with, follow these steps:

1. Go to New Exam in the top-left of Schoolyear and click + Custom Exam.

2. Give the exam a name and select a start time at least 35 min in the future and an end time 2 hours thereafter. Click next.

3. Add a website to the exam: https://example.com. Click Add, then Next.

4. You can skip the File step and click Next.

5. Select Yes for desktop applications.

6. Toggle the override button. (It allows you to ignore the minimum reservation time of an app. Only Admins and AVD Admins can do this, it should only be used in emergencies or testing situations. It removes the time to respond to incidents and assumes the Azure deployment can finish instantly.)

7. Select the App you created in a previous step. In our example, it was called Office 365. Click Next.

8. Enter 2 for the number of students and click Next, then Create.

9. Wait for the exam to start. You can monitor the progress of the deployment from the Orchestration Jobs page (Schoolyear -> Profile -> Secure Apps Console -> Exam Orchestration Jobs). On that page, you can see the scheduled Deployment and Deletion job for the exam you just created. Once a job starts, you can view the log or trigger a retry from this page.

Once the exam is deployed and has started, you can log into the exam as if you were a student. It is recommended to use a dummy student account for this instead of your own Azure account. This way, you can simulate the access a student would normally have.

To start the exam you just created, follow these steps:

1. Navigate to the exam you created.

2. Follow the Student instructions visible on the screen. When prompted for name and student ID, you can enter dummy values.

3. Follow the onboarding procedure for students and start the Schoolyear Safe Exam Workspace application.

4. When prompted for a Microsoft account, preferably use the dummy student account.

The Safe Exam Workspace should start up and settle on a Windows desktop with the Schoolyear VDI browser running on it. The website you configured earlier should be visible on the screen.

Verify that this first technical test is successful before proceeding with the rest of the implementation. Troubleshooting any issues at this early stage is simpler compared to doing so later when custom configurations are applied.

Now that you know your current implementation is working, make sure to test the changes you make from now on. Troubleshooting an issue after making many changes will prove difficult.

2. Optional configuration

With a working AVD addon and the first technical test completed, there may be some optional configurations that you need to do. Discuss with the key users of the service whether these are applicable.

2.1 MFA

If students are required to log into their Microsoft account with Multi-factor authentication (MFA), it is common to configure an exception for exams. MFA during exams can disrupt students by requiring them to access their phones, which is not ideal for maintaining exam integrity.

If students are not prompted for MFA when using Schoolyear AVD, you can skip this step.

Follow the Entra MFA Exception guide to configure the exception.

2.2 License servers

Some applications require a LAN connection to a license server. If you need such an application during your pilot, you need to set up this connection. You can always revisit this step later once the need for such an application surfaces.

Follow the License Server Peering guide to set up the connection.

2.3 ChromeOS

The prerequisites mention an isolated network for ChromeOS devices. If you are going to use ChromeOS devices, you need to configure the public IP ranges of this network in the AVD add-on. This configuration only applies to new deployment jobs, so it cannot be changed after the deployment job of an exam started.

To configure these public IPs, follow these steps:

1. Navigate to the AVD add-on.

2. Open the Deployment config tab.

3. Find the Chromebook IP ranges field and add the IP ranges of the isolated network(s). If you want to add a single IP address, use the /32 suffix. Only IPv4 addresses are supported.

4. Click Save Changes.

5. Schedule a new exam with Schoolyear AVD enabled and test if it the exam can be started on the Chromebooks.

Note

This step assumes the Schoolyear Safe Exam Workspace kiosk app is already working on the Chromebook.

3. Prepare for use

At this point, you have the core of the implementation running and tested. Now, it is time to prepare the Schoolyear AVD implementation for use with students. This includes scaling up quota, setting up failure monitoring, and adding the images for the environments in which students will take their exam.

3.1 Increase quota

Earlier in this guide, you requested a quota of 20 from Azure. This gave you a user capacity of just under 10.

Now, you need to increase your Azure quota to have enough user capacity for general use. Discuss with your key users what the user capacity requirement is and follow the Azure Quotas guide to make sure you have enough user capacity. If the user capacity requirement ever changes, you can revisit this guide to update your quota.

Tip

The user capacity requirement of the beta implementation is usually much lower than for the production implementation.

3.2 Configure job failure alerts

Schoolyear AVD will run a deployment job before each AVD exam and a deletion job after the AVD exam. These jobs are called Orchestration Jobs. These jobs may fail, and it is the responsibility of the service team to respond to these failures and resolve them.

Since these failures should be rare, it is important to be notified quickly when they do occur. Schoolyear provides a feature to receive an email notification in case of a job failure.

You can configure up to three email addresses that receive these notifications. You can also set it up so that all AVD Admins and/or all regular Admins receive an e-mail.

1. Go to the Alerts page (Secure Apps console -> Alerts)

2. Click on Configure Alerts in the top-right.

3. Configure the email addresses you want to receive these alerts.

4. Click Update to store the configuration.

3.2 Support channels & incident response setup

Set up operations for incident response and key‑user support.

Incident response

• Maintain an on‑call rotation that guarantees at least one service team member is reachable during all exam and deployment windows. Target an initial response within 30 minutes during these time‑sensitive periods.
• Publish a single, reliable contact method for on‑call (e.g., phone number, Microsoft Teams channel, or shared mailbox) and share it with your key users.
• Monitor for alerts from Schoolyear. Ensure the on‑call person receives these alerts.
• Document an escalation path and designate backups when the primary on‑call is unavailable.
• Prepare short runbooks for common incidents, such as failed deployments, failed cleanup, or issues during an exam (e.g., unresponsive session hosts).

Key user support

• Identify 3–5 key users in/near the education department who can contact the service team directly.
• Provide a clear support channel and target a response within 2 business days.
• Maintain a simple rotation (with a backup) so requests are handled reliably.
• Track requests in a ticketing system for traceability and handovers.
• Keep a lightweight knowledge base/FAQ for recurring questions and decisions.

Tip

Keep these processes simple (a shared calendar or Excel sheet is fine to start) and review them annually or after significant incidents. For details and examples, see Service Controls — especially C.2 and C.3 — and the technical guidance on Responding to incidents.

3.3 Implement other images

Discuss with the key users which exam environments they need and which applications/configurations need to be included in those.

The Image Building chapter has all the information on building these images and configuring them as Schoolyear AVD Apps.

Make sure to review the exam environments with the key users to check whether they meet their requirements.

3.4: Implement the remaining service controls

At this point, the Service Team should proactively start managing all the service controls and schedule the periodic maintenance work. They should coordinate with key users to ensure these are scheduled during periods of low usage.

The Service Controls page details which controls should be acted upon; when and how frequently.

To maintain service, it is now important the service team acts on these service controls when they “trigger.” Service controls have three possible triggers:

• Initial: By following this implementation guide, you already acted on all these controls.
• Periodically: These are periodic jobs. Create a schedule or calendar so you don’t forget about them.
• Event: Sometimes you need to act when something happens. For example, in case of an emergency patch.