Skip to content
Schoolyear AVD

Exam-Ready image

To run Azure Virtual Desktop, you need a Virtual Machine image. This guide assumes you are familiar with VM images for AVD, but if you want to learn more, see this Microsoft article.

This guide will help you create an image with Office 365 using an AVD Image Template. This automates the image building process, making it easily reproducible.

Create Image Resource Group

Start by creating a new Resource Group to put all our image building resources in. Name it imagebuilding and put it in the same region as you want to put your Schoolyear AVD resources to be deployed in.

Next, you need to create an Azure Compute Gallery. This gallery will hold all your Schoolyear AVD images. Navigate to Azure Compute Gallery > New and name it schoolyear_avd_gallery.

VM Image definition

Create a new VM Image Definition in the Image Gallery you just created (Add > VM Image Definition).

  1. Basic

    • VM image definition name: office365
    • OS type: Windows
    • Security type: Trusted launch supported
    • OS state: Generalized
    • Publisher: avd-deployments
    • Offer: office365
    • SKU: standard

  2. Version, Publishing options, Tags: leave empty

  3. Click Review & Create to create the VM Image Definition

  4. On the newly created Definition, go to Settings > Properties and copy the Resource ID. You will need this in a later step.

Storage Account

You need to create a Storage Account to store resources, such as MSI packages, for use during image building.

  1. Create a Storage Account in the imagebuilding Resource Group and configure it as such:

    • Name: imageresources
    • Region: same as your imagebuilding Resource Group
    • Performance: Standard
    • Redundancy: LRS
    • Leave all other options & tabs as is

  2. Create a new Container in the newly created Storage Account.

    • Name: resources
    • Leave all other options as is

Grant yourself permissions

As you will be uploading files to this Storage Container in a later step, you need to grant yourself access to this Container.

This is required, even if you have an Owner role and are able to upload files through the Azure Portal.

  1. Navigate to the Storage Account (Storage Accounts > imageresources > Access Control (IAM))

  2. Click Add > Add role assignment

  3. Role: Storage Blob Data Contributor

  4. Members: Select your own account

  5. Create the Role Assignment

Managed Identity

You need to create a new Managed Identity that will perform the automation steps during the image building process.

Custom Role

Create a new custom role with the following configuration. This role will be assigned to the Managed Identity in the next step.

Go to Subscriptions > [subscriptionName] > Access Control (IAM) > Add > Add Custom Role

Do not forget to replace the placeholders in this JSON example.

{
    "properties": {
        "roleName": "schoolyearavd-imagebuilder",
        "description" : "",
        "assignableScopes": [
            "/subscriptions/[subscriptionId]/resourceGroups/imagebuilding"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Compute/galleries/read",
                    "Microsoft.Compute/galleries/images/read",
                    "Microsoft.Compute/galleries/images/versions/write",
                    "Microsoft.Compute/galleries/images/versions/read",
                    "Microsoft.Compute/images/read",
                    "Microsoft.Compute/images/write",
                    "Microsoft.Compute/images/delete"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions: []
            }
        ]
    }
}

Create Managed Identity

Create the new Managed Identity in the imagebuilding resource group and name it imagebuilder. Deploy it in the same region as the Resource Group.

Assign the two roles to the Managed Identity:

  1. Navigate to the newly created Managed Identity (Managed Identities > imagebuilder, Azure role assignments).

  2. Click Add role assignment and configure the following and click Save:

    • Scope: Resource Group
    • Subscription: Select your Schoolyear AVD Subscription
    • Resouce Group: imagebuilding
    • Role: Select the custom role you just created (schoolyearavd-imagebuilder)

  3. Click Add role assignment again and configure the following and click Save:

    • Scope: Storage
    • Subscription: Select your Schoolyear AVD Subscription
    • Resource: Select the Storage Account you created in a previous step
    • Role: Storage Blob Data Reader

Schoolyear AVD CLI

Schoolyear provides a CLI tool for building your Exam-Ready images in AVD. You can download the binary from our public Github repository.

You can either store this binary in your PATH or use it locally. For the rest of this guide, it is assumed you have the avd-cli command available in your terminal.

Azure CLI

The Schoolyear AVD CLI depends on your locally installed Azure CLI for authentication. Make sure you are logged into to that CLI tool by running az login.

AVD-deployments & deploy image

Schoolyear hosts an Open Source Community so customers can share images publicly. In this guide you will use the office365 image from that repository.

  1. Check out the repository to your local machine.

    Terminal window
    git clone https://github.com/schoolyear/avd-deployments
    cd avd-deployments

  2. If you are building an image for use with Schoolyear Beta, edit the vdiBrowserMsiUrl URL in the .env file of the repository. Change the domain to beta.install.exams.schoolyear.app.

  3. Build the image package. The CLI allows you to combine multiple image layers into a single “Image Package”.

    Terminal window
     avd-cli image package                   \
         -l default_layers/common_config     \
         -l default_layers/clean             \ # clean up the Windows image
         -l default_layers/windows_update    \ # Apply Windows Updates during the image build process
         -l default_layers/vdi_browser       \ # Install the Schoolyear VDI browser
         -l default_layers/scripts_setup     \ # Copy session scripts to the image
         -l default_layers/network_lockdown  \ # Block network connectivity during the exam
         -l images/office365                 \ # Configure Office 365
         --overwrite

  4. Deploy the Image Package to Azure and start the image building process.

    Terminal window
     avd-cli package deploy                                              \
         -n office365                                                    \
         -s [[subscriptionid]]                                           \
         -rg imagebuilding                                               \
         -r "https://imageresources.blob.core.windows.net/resources"     \
         --start

    The command will prompt you for a few resource IDs.

    • userAssignedIdentityResourceId: the Resource ID of the Managed Identity you created in a previous step
    • targetGalleryImageId: The Resource ID of the Image Definition you created in a previoius step
    • location: The location in which you deployed the imagebuilding resource group. E.g. westeurope.

  5. It may take up to 2 hours for the image building process to complete. You can track the progress in the Azure Portal (AVD > Manage > Custom image templates).

Deployment Template

The final piece of an image deployment in AVD is the “Deployment Template”. This is the ARM template that gets deployed for each exam using a specific image. This Deployment Template should be stored in the imagebuilding Resource Group as a Deployment Spec resource.

If you look in the out/ folder that was created by avd-cli in the previous step, you will find a deployment_template.json.

Before you can upload this template, you must first fill in the placeholders that are still left in the JSON. Open the file in a text editor of your choice and replace any placeholder that looks like [[[param:*]]].

If you followed this guide, you can fill in the following values:

  • vmCustomImageSourceId: 
    /subscriptions/[subscriptionId]/resourceGroups/imagebuilding/providers/Microsoft.Compute/galleries/schoolyear-avd-gallery/images/office365/versions/latest
  • proxyRSAPublicKey: Your SSH public key (must be RSA) with which you can access the proxy servers for debugging purposes (user is syproxy).
  • keyVaultResourceGroup: schoolyear-base
  • keyVaultName: sykeyvault
  • keyVaultCertificateName: proxycertificate
  • dnsZoneResourceGroup: schoolyear-base
  • dnsZoneName: syproxy.contoso.com

Once you have replaced all placeholders in the JSON document, you can upload it as a Deployment Spec in Azure.

  1. Create a new Template Spec resource through the Azure Portal.

    • Resource Group: imagebuilding
    • Name: office365
    • Version: v1

  2. In the Edit Template step, upload the JSON document.

  3. Click Review + Create to create the Template Spec.

  4. Navigate to the newly created version (Template Spec > office365 > Versions > v1 > Properties).

  5. Note down the Resource ID. It is important you use the Resource ID of a specific version, not of the Template Spec itself. You will need this Resource ID in the next chapter.