Step-by-Step Guide to AVD Custom Image Templates: Prerequisites, Common Build Failures and Solutions

 1. Prerequisites

1. The following resource providers should be registered on your Subscription:
  • Microsoft.DesktopVirtualization
  • Microsoft.VirtualMachineImages
  • Microsoft.Storage
  • Microsoft.Compute
  • Microsoft.Network
  • Microsoft.KeyVault
  • Microsoft.ContainerInstance
1. In the Global search, type Subscription and go to Subscription-->Settings-->Resource Providers.

2. Copy the resource provider names one at a time and search for each in the search bar as shown below. Click on the three vertical dots against each resource provider and click on Register.

3. Once the registration process is completed, the status changes to Registered as shown below:


2. Create a user-assigned Managed Identity:

1. Search for Managed Identity in the global search and click on +Create.

2. Select the appropriate Subscription, Resource Group and the Region.

3. Give a suitable name.

4. Click Next.


5. Give meaningful tags.

6. Click Review +Create.

7. Click on Create.

8. Managed Identity is created successfully.


3. Create a Custom role in Azure role-based access control (RBAC):

NOTE: You need the Owner role on the Subscription to create the Custom Role and assign it to the Managed Identity.

1. Add the following permissions to the Custom Role as Actions:
    "Microsoft.Compute/galleries/read",
    "Microsoft.Compute/galleries/images/read",
    "Microsoft.Compute/galleries/images/versions/read",
    "Microsoft.Compute/galleries/images/versions/write",
    "Microsoft.Compute/images/write",
    "Microsoft.Compute/images/read",
    "Microsoft.Compute/images/delete"

2. Go to the Subscription-->Access Control (IAM)-->Add-->Add custom role

3. Give a suitable name and description for the Custom role.

4. For Baseline permissions, select Start from scratch.

5. Click Next.


6. Click on Add Permissions.

7. Copy each permission from point 1 and search for it, one at a time. Click on it.


8. Select the permission and click on Add.

9. Once all the permissions are added, you will see the screen below.

10. Click Next.

11. Select the scope as Subscription. Click Next.

12. Click Next.

13. Click on Create.

4. Create a new Resource Group:

1. Create a new resource group to store the custom image templates. Ensure that this resource group does not contain any resources and is empty.



5. Assign the Custom Role to the Managed Identity at the Resource Group level.

1. Go to the Resource Group-->Access Control (IAM)-->Add-->Add role assignment

2. Filter the role based on Custom Role, select the role you have created and click Next.

3. For Assign access to, select Managed identity.

4. Click on +Select members.

5. Choose the managed identity that has been created and click on Select.

6. Click Next.


7. Keep the defaults as is. Click Next.


8. Click on Review +Assign.
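
The five prerequisite steps above can also be scripted with the Azure CLI. The following is an added example, not part of the original guide; its `missing_providers` check also covers the unregistered Microsoft.ContainerInstance case from troubleshooting scenario 5. The role name, the function names and the four positional arguments are assumptions, and both resource groups are assumed to exist already.

```bash
# Added example; ROLE_NAME and the argument names are assumptions.
ROLE_NAME="AVD Custom Image Builder"  # hypothetical role name
REQUIRED_PROVIDERS="Microsoft.DesktopVirtualization Microsoft.VirtualMachineImages
Microsoft.Storage Microsoft.Compute Microsoft.Network Microsoft.KeyVault
Microsoft.ContainerInstance"

# Reads "namespace<TAB>registrationState" lines on stdin and prints each
# required provider that is absent or not in the Registered state.
missing_providers() {
  states=$(cat)
  for ns in $REQUIRED_PROVIDERS; do
    printf '%s\n' "$states" |
      awk -F'\t' -v ns="$ns" '$1 == ns && $2 == "Registered" { ok = 1 } END { exit !ok }' ||
      printf '%s\n' "$ns"
  done
}

# Prints the custom role: the seven actions from step 3.1, assignable in subscription $1, named $2.
role_definition_json() {
  cat <<EOF
{
  "Name": "$2",
  "Description": "Image permissions for AVD custom image templates",
  "Actions": [
    "Microsoft.Compute/galleries/read",
    "Microsoft.Compute/galleries/images/read",
    "Microsoft.Compute/galleries/images/versions/read",
    "Microsoft.Compute/galleries/images/versions/write",
    "Microsoft.Compute/images/write",
    "Microsoft.Compute/images/read",
    "Microsoft.Compute/images/delete"
  ],
  "AssignableScopes": ["/subscriptions/$1"]
}
EOF
}

# $1 subscription id, $2/$3 identity resource group and name, $4 empty template resource group.
setup_prereqs() {
  az account set --subscription "$1"
  for ns in $(az provider list --query "[].[namespace, registrationState]" -o tsv | missing_providers); do
    az provider register --namespace "$ns" --wait
  done
  az role definition create --role-definition "$(role_definition_json "$1" "$ROLE_NAME")"
  principal=$(az identity create -g "$2" -n "$3" --query principalId -o tsv)
  az role assignment create --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
    --role "$ROLE_NAME" --scope "/subscriptions/$1/resourceGroups/$4"
}
if [ "$#" -eq 4 ]; then setup_prereqs "$@"; fi
```

Run it with the four arguments from an account that holds the Owner role on the Subscription, as the NOTE in step 3 requires. The role is assigned only at the template resource group, matching step 5.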

 2. Create a Custom Image Template:


1. Search for Azure Virtual Desktop in the global search.

2. Under Manage, click on Custom image templates.

3. Click on +Add custom image template

4. Give a suitable template name.

5. Select No for Import from existing template.

6. Select the Subscription.

7. Select the Resource Group we created.

8. Select the appropriate location.

9. Select the Managed identity we created.

10. Click Next.

11. Under Source Type, you will see options such as Platform image (marketplace), Managed Image and Azure Compute Gallery. If you already have an existing image or an image version in the Azure Compute Gallery, you can select one of these options. Here, we are going with Platform image (marketplace).

12. Select the image as per the Customer requirement. 

13. Click Next.


14. You can either create a managed image or Azure compute gallery out of it. Here, we have selected Managed Image.

NOTE: If you select Azure Compute Gallery, ensure that it is already created before you start the custom image template process. Additionally, the Managed Identity should have the same level of access to the resource group that contains this Azure Compute Gallery.

15. Select the Resource Group we created.

16. Give a suitable image name.

17. Select the appropriate location.

18. Give a run output name.

19. Click Next.


20. Keep the defaults as is. Click Next.

21. Click on +Add built-in script.

22. Select all the required options according to the customer’s request. Once done, click on Save.



23. Click Next.


24. Click on Create.

25. Once the deployment is successful, select the image template and click on 'Start Build'. The process will take approximately 1 hour.

26. The Custom Image deployment is successful.



27. You can go to the 'Images' section in the Azure Portal, where you will find the created image. You can then use this image to deploy session hosts.

3. Troubleshooting AVD Custom Image Build Failures: Common Scenarios and Solutions:

1. Scenario:
    In the customer environment, if you use an existing managed image or an image from the Azure Compute Gallery as the source, the custom image build process may fail with an error related to Windows Update.

Solution:
    The solution is to update the image before performing the Sysprep, as shown below:

2. Scenario: 
    As of now, Trusted Launch is not supported by Custom Image Template Deployment. If you select Trusted Launch as the security type during the image VM build process and use this image as the source, you will encounter the following error:


Solution:
    The solution is to select 'Standard' as the Security Type during the image VM build process, as shown below:

3. Scenario: 
    If the Managed Identity used for the Custom Image template does not have adequate permissions, the template status may show as failed.

Solution:
    If possible, grant the Managed Identity access at the subscription level. If this is not feasible, ensure that the Managed Identity has access to the resource groups containing the Azure Compute Gallery or managed image, as well as the new resource group created for storing the custom image template.

4. Scenario: 
    In the second step of creating a custom image template, you encounter a validation failure.

Solution:
    If this happens, click on the 'Previous' tab and then click on 'Next' again. The validation should then be successful.

5. Scenario: 
    Deployment fails with an authorization error for an Azure Container Groups operation.

Solution:
    Make sure the following resource provider is registered: Microsoft.ContainerInstance.
    
6. Scenario:
    Deployment fails with the below error:

Solution:
    This error may specifically occur for users on a Free Trial account, where there is a limit on the CPU quota. Ensure that there is sufficient CPU quota available in the intended region.