 Good morning, good afternoon, good evening, wherever you are. Welcome to today's session on Manage Azure Stack HCI Virtual Machine Workloads. My name is Jelene Kijui. I'm a senior cloud security advocate at Microsoft. You can also find me on Twitter at Jelene underscore Kijui. And with me, we have Bathe. Bathe, can you introduce yourself? Hi there, my name is Bert Walters. I'm a cloud solution architect. I'm from the Netherlands. The different color, you see there. And I work on all things in Azure and also on premises if it's related to cloud. And I think today we have one of those topics that you can run in your own data center, but also in Azure, perhaps, don't we? Yeah, if you want to find me on Twitter, it's at Bert Walters. I'm not that creative with names, so I just decided to use my own. No, we should do it any different there. And I think we do have an exciting session for you today on how to manage those VM workloads on Azure Stack HCI. So you can also join the chat, yeah? Oh, good point. Because on the chat, we have our moderator. And that is the esteemed Mr. Flo Fox. And he is a senior customer engineer, fast track for Azure. I'm sure he would love to do his own introduction. But now, Jolene, we can say anything about him. So let's see what kind of backstory can we make up about Flo Fox? I think maybe the fast time, I probably thought he was a bot, a Fox bot. That's true. But yes, he happens to be a human. So Flo, I'm glad to have met you in real life. Well, I saw him move, but that could be AI, right? In this cloud, we cannot be sure of anything. But I think if he was a bot, he would be the best smelling bot ever. Really? I think so. And you can check it out if you want to see how he smells or smell how he smells. This is going to be a strange story already. You can go to Twitter and check out at Flo Klaffenbach. And maybe also ask him a question. What about Fox, if you're a Klaffenbach? 
Or maybe Klaffenbach is something super interesting in German, which I don't know. But I think enough about Flo right now. He will kick my ass the next time I will see him. I'm sure. All right. What is this? It's just a simple meme for the day. So one is saying Microsoft is fully utilizing the power of the cloud. But what if it's not sunny? What if it rains? So just some bit of humor there. True. And one does simply match Microsoft's investment in the cloud. And that's one thing we'll also see today because of the amount of investment that Microsoft also put in terms of hybrid cloud. Alongside for Azure Arc, we see all the circumstances that are available in Azure Arc. True. Now Joelynn, if people want to join in or read along with us, do we have some place where they can go? Yes. So you can follow along with us on aka.ms.lanlives 2020 0616a. So the module that we are covering is managed Azure Arc. So this module describes how to manage and maintain Microsoft's Azure Stack HCI VM workloads. Oh, okay. So if they can also scan the code, the QR code. If they follow this URL, they are brought to a web page where in fact all of the information we're sharing today through the technology of PowerPoint. They will find themselves and we'll be able to read through at their own pace. So if they really want to focus on one of these areas, they can. Yeah. Now let's see what we will try and get across today. Would you mind covering our learning objectives Joelynn? Sure. So today we have six learning objectives. The first one being managing Azure Stack HCI VM. So we'll just go through and then we'll go into details in the coming slides as well. So second one being configuring affinity of Azure Stack HCI VM. So I'm sure you're wondering, okay, what is affinity? So we'll cover that as well. We're also covering configuring load balancing of Azure Stack HCI VM. Sure. If you don't know what load balancing is, you'll get to know by the end of the session. 
We'll also cover configuring GPU support for Azure Stack HCI VM and implementing VDI in Azure Stack HCI. And the last one is implementing trusted enterprise virtualization in Azure Stack HCI. So that's more of security and compliance. Nice. Oh, that's more of your regular data, right? Oh, cool. Oh, really looking forward to this one. But if you want to hear more about this trusted enterprise virtualization stuff, you really need to sit this one out. I think we're about 90 minutes to do this session. So I think you can manage. And if not, press pause now and get some coffee. But of course, that can only be done if you're watching the recording and not this live session. So before we start, let's see that we have all of our context right, right? So first of all, we are going to talk today about Microsoft Azure Stack HCI. And if you're really new to the world of abbreviations, HCI is not like a brand or anything, or it is kind of a flavor of Azure Stack, but HCI really means something. HCI stands for Hyper Converged Infrastructure. So in the past, we would have like a server and a storage array, and we would have some networking devices. And now with this Azure Stack HCI, everything comes prepackaged in the same box. So you will have your virtualization platform in a single box or maybe even spread out across boxes for resilience, for instance, maybe for specialized workloads. And Microsoft has their own product for this. So that is Microsoft Azure Stack HCI. And we're just going to go through how we can manage that platform for, for instance, virtual machines. And those virtual machines can be used for virtual desktop infrastructure. Here's another one, a Zinger VDI. And you might have heard of something called AVD. Yes, that's Azure Virtual Desktop. And that's the new way of doing VDI on HCI. Did I lose you already? No? You're still with me? Then we can use another technology to improve the user experience working on those servers. 
And we call that using GPUs, graphical processing units, with which we can even run the most demanding applications on our VDI platform in our own data center. Cool, right? Later on and Jolyne, of course you find this cool because this is going to be covered by you. We have created this company just for you. And this company is not called Microsoft because Microsoft, you might have known, is around for a little bit longer. But we have this company which we use in all of these sessions. If you followed LearnLive earlier, you might have heard about this company called Contoso. And this is the company we use in our example. And just to give you a little bit of a feel for that company, we thought it would be nice if they were like medium sized, a financial service company. And just to make you really envious of the location, we said, well, let's put it in New York. New York, isn't that like from a song? Yeah, I know, but you're in a concert yesterday for Alicia Keys. Fabulous. That girl can sing. Okay, enough about New York and Alicia Keys because we have to go through the slides, right? So as your company might do as well, they've been currently running on-premises. They still have Windows Server 2012 R2 in production running. Who has that? Every company still has those legacy machines. So this is like a real-world example. And they are also taking the plunge, taking the step into Azure. They're talking about software-defined data center technologies, maybe going for network virtualization, SDN, software-defined networking, which you can do with HCI, hyper-converged infrastructure. So they are on a path towards this holistic way of managing their environment. And today, we're going to explore how to do that with HCI. So if we go into this whole Azure Stack HCI and VMs, let's see what kind of operational tasks we do every day in our environment. We could streamline with tools on top of HCI. 
So Jolin, if you think about managing this VM environment, what are some of the tasks you think we could expect? So I definitely want to have some administrative tools. Administrative tools? Okay, I'll use my good pen. All right, you need administrative tool, yes? What, any other thing else? Being a security person at once, visibility of, maybe, security vulnerabilities may be there. Okay, I'll just shorten it to visibility. I want to have insights in my environment. Is that okay? Maybe people on YouTube, Twitch, LinkedIn, where is everybody? Join in, help us. What kind of administrative stuff do you do, which you would like Microsoft to be helpful, right? So do you often join VMs to a domain, maybe? Yeah. Oh, okay, visibility, domain join. Let me see. All right, let's just use this small list, and maybe some other answers will come in throughout the session. And let's just see what stuff we can do. Now, Azure Stack HCI is a platform. And of course, you can manage it through the native tools, but that might be a little bit difficult. And you might need to switch to do one certain thing to this tool. And then for task B, you'll have another tool. And wouldn't it be great if we would just have a single tool? Surprise, surprise. We have a growing tool for that. And this tool is being extended almost monthly by Microsoft. And it's called Windows Admin Center. Windows Admin Center covers a lot of the things in the operation we do on a daily basis. And you know, I'm a big fan of abbreviations. And I'm a big fan of music. And in the 90s, we had this group called Crisscross. And anyone remember those Crisscross? Those small guys doing the rap thing? No? Okay, then that's my deformation. And they had this song called Jump. And I do have a point with this. Bear with me. Somewhere in the song, they said wiggity, wiggity, wiggity, whack. And now Windows Admin Center, if you abbreviate that, that is whack. 
So every time when I talk about Windows Admin Center, I hear like the song in the back of my head, wiggity, wiggity, wiggity, wiggity, whack. On point. Yes, let's get back on point. Yes. So we have this platform, HCI, and that is storage, networking, compute in the box. And we have then this tool next to it called Windows Admin Center. And if you know how to install this, if you want to know how you should set this up, Microsoft has some excellent documentation on this. But for now, just believe me when I say this is the tool to manage. Windows Admin Center. And it can be used for a lot of tasks, as you currently see on the screen already. But I always feel bad when I'm just reading out loud some slides I've been provided by the best organization in the world, of course. So let's just take you into the GUI and show you how it looks when you do create and configure a VM, manage the state, move a VM, et cetera, et cetera. Of course, we also have our good old friend, Windows PowerShell. And yes, I know if you've been managing Windows servers in the past, you might have already built your own automation on PowerShell to do all these kind of things. And normally that shouldn't break, maybe with an upgrade of PowerShell once in a while, but hey, those are the fun things, right? That's why they pay us the money to fix those scripts again. Yes. But again, your own PowerShell scripts next to Windows Admin Center will still work. But Windows Admin Center will make your life easier. And this morning, I'm sorry, Jarlene, I made this change without consulting you. My deepest apologies, but it came from an earlier remark from you. I thought I should put a disclaimer in here. A small disclaimer so people cannot sue me, Bert Wolters, that Windows Admin Center is updated at the speed of cloud. And depending on when you will be viewing this video, your screens you will be shown in the portal in Windows Admin Center may look slightly different. Yes, so now we're all free. 
No one can sue us. Jarlene, I did this for you too. Oh, we're good, right? No, let's take a look at the tasks. If you want to create and configure a VM, you can of course use your own PowerShell magic and make sure that you run all your code and it's created for you. Or if you're like more like me and you like user interfaces, you could just go into Windows Admin Center and use this nice GUI. In this case, we are controlling a cluster, an HCI cluster, so a group of HCI servers. And there if you look into the inventory of that cluster, we can create virtual machines and you get just ask the bare minimum. So what do you want your VM to be called? Quite essential information, I guess. What kind of virtual machine do you want? Which generation? Where do you want to place it? And of course, sizing information. And after that, you can of course go into the settings as well and customize everything to your likings. Then it will be just the provision, just like you filled in all of your information in the user interface. No coding, no hassle, no... Oh, this version doesn't work. Where is the right version? Let's look at my departmental disk. No, this is there. This manages your cluster. So you can run with this. All right. So that's step one, creating a virtual machine. But then you might want to log into that virtual machine. So you'll need to connect to that virtual machine. And of course, you go to hit your start button. You go to MSTSC. For all your nerds out there, that's the RDP application. Or you could just connect to that virtual machine using VMConnect. And then you might say, yeah, of course, I'll wait until the VM is provisioned, until the VM is running. And then I'll log into the VM. But if you're skeptical like me, you say, no, no, no. I want to see the installation process. So I want to connect to the virtual machine before there is an operating system. And I'm sure you cannot do that. But we can. 
So if you go into Windows Admin Center, in your context menu, there's something called VMConnect. So you go into the properties of your virtual machine, you select it, and then you say, connect. Now, if you use VMConnect, you go through the Hyper-V host. So the host where your virtual machine is running on. And through that connection, which doesn't require direct network connectivity to the VM, but it does something smart in combination with your host and the client, you can connect before there's even a running operating system on them. You like? The expression is, you like, you pay. Windows Admin Center can just be downloaded. So there is no pay there. And if you're just like me, you like free stuff. So of course, you want to be able to shut it down, reboot it. And of course, that can be done as well. It saves you a little bit of more coding and creating PowerShell. But you said something about, I want visibility. I want information about that virtual machine. And there's a bunch of information there. We can look at the inventory, performance, and operational status of VMs. And, yes, I know, you also want to know, I don't only want to know the inventory and performance operational status of my VMs. Now, I want to know that about my hosts as well. Well, the answer there is, you're in the wrong course. What? No, we're talking about managing VMs today. And yet, of course, we can review the inventory, performance, and operational status of hosts. But that's another course. Today, we're talking about VMs. So yes, we can get this information for virtual machines. Here, you see all kinds of cool information, like how much memory, how much CPU. And in the future, there might be more information here. And if you want to have more information here, engage with Microsoft. I, from experience, and you see that from my residing hairline, have been interacting already quite some time with Microsoft. And I really see a change from a couple of years back. 
Before, it was more like this closed thing. And every three years, they would come out with a new server OS. But now they're really working with the community, with partners, to create this kind of ecosystem for enhancements. So if you are working with this platform, if you want to have great ideas, just contact Microsoft. Then you're really open. So that is all information about your performance, operational status of VMs. You can get that for sure. I know there are these weekends where you have this maintenance thing going on. You might need to move a virtual machine between a server, or maybe even between clusters. So you have multiple groups of hosts, and you want to transport a virtual machine from one to another host or cluster. And of course, you can do that as well. You no need to switch back to Hyper-V management user interfaces. Do that from admin center as well. The same as exporting, importing, or cloning a virtual machine, creating checkpoints. All can be done with this admin center. And yes, even when you need to join a virtual machine to an ADDS domain. Now, in the past, we would have three-letter acronyms. I think they're all taken now because we're now switching to four-letter acronyms. ADDS Active Directory Domain Services Domains. So this isn't Azure Active Directory because they use a different methodology of authentication. This is either Azure ADDS or Windows Server ADDS. And of course, that Windows Server ADDS can reside in your own data center. And joining a virtual machine to these domain services can be done using Windows Admin Center. So Windows Admin Center is truly that becoming truly that one-stop shop to manage all of your VMs running on Azure Stack HCI. Microsoft was kind enough to also create a video about this. Now, again, I don't believe in sharing content that isn't really mine. 
So if you want to look at that video, and the video is narrated as well for your convenience, you can go to microsoft.com slash video player slash embed R-W-D-H-M-U. Now, I do not hope this is an abbreviation. And if you're really quick with English and you found a very cool meaning for this, be sure to share it in the chat. Read, write, distribute it, host, and new. I don't know. If you have a cool meaning for this abbreviation or this URL, let us know in the chat. And if it's funny enough, we'll be sure to mention it in this session. And with this video, we come to the end of the first session already. I hope your head doesn't hurt too much from all the abbreviations and my rapping out 90s top 40 hits. But let's see how much has stuck to your memory. Let's do a quick knowledge check. And if you want to vote with us, you can either go to aka.ms slash polls, or maybe because we just did a piece on what we call this HTTPS aka WAC polls. I like that one. So the question is, while evaluating the use of Windows Admin Center in Azure Stack HCI at Contoso, you decide the destination of the operating system on a clustered VM in Azure Stack HCI. I should explain this. A clustered VM does not mean the VM is clustered. So the VM is highly available on two VMs. No, a clustered VM means a VM running on top of an HCI cluster. So that's straight, right? You create a virtual machine with a mounted Windows Server 2019 ISO file. And now you can need to connect it to using VMConnect. What should you do first from Windows Admin Center? Hmm. Okay. Should we download the RDP file? RDP goes through networking. So if there's no fiend yet, that will be hard. Okay. Enable heartbeat integration service. Heartbeat. That's based on an agent. The agent is there after OS deployment. Yeah. But what did Bert say? We're traveling through the Hyper-V host through some magic from Microsoft directly to the VM. Then it must be answered. Wait, wait, wait. So maybe we can just let them vote. 
Oh, I didn't show anything. I didn't show anything. Okay. No answer. So you can vote. So what's your answer? So by elimination. I might go for answer A. Maybe. Are you convinced that's the answer? Yes. I'm very much convinced because I saw the slides previous. Yes. Okay. So I see guys are voting at aka.ms slash poll. And yes, most guys have it correct. So it's enabling RDP access on the other side. We have the best audience in the world. 100%. Nice. So this concludes our bit on Windows Admin Center. Now, I think I do feel some affinity towards you, Jolyne. Yes. And since you feel some affinity, so let's just get into configuring affinity of Azure Stack HCI VM. Yeah, definitely. So remember the scenario that you've been working with, the Contoso IT team. So as you're progressing with the evaluation of the Azure Stack HCI, remember you're supposed to make a decision for the Contoso IT leadership. So we're beginning to recognize its significance, the significance of Azure Stack HCI in implementing data center organization and consolidation initiative. So they're already planted in place to migrate some of the business critical work, work loads, the new platform. So however, one of the concerns you need to address is the ability to control their placement within Azure Stack HCI clusters. So it's required to ensure that more resource intensive, for example, more resource intensive SQL Server instances run on separate cluster nodes to prevent resource contention. So to accomplish this task, you decided to explore the affinity and anti-affinity settings available in WAC, available in Windows Server failover clusters. So it is in which serves as one of the foundational technologies of Azure Stack HCI. So that's what you're going to cover. So you might be wondering, so what is affinity and anti-affinity in Azure Stack HCI? So back, you'll go next. So let's just go right into affinity. 
So affinity is a rule that establishes a relationship between two or more cluster roles and resources. So for example, if you have VMs and storage indicators that you prefer to host them on a particular cluster together, so that's when you use affinity rules. And the purpose of the anti-affinity means to indicate preference of the opposite arrangement. So if you don't want them to be in the same cluster node, so with two or more cluster roles and resources distributed across different cluster nodes. So affinity is same cluster nodes, anti-affinity is different cluster nodes. So you also need to note that affinity rules do not enforce placement of VMs, but only indicate your preferences regarding their placement. So in addition, they are considered by the built-in load balancing mechanism, but do not have any impact on administratively initiated VM moves. So in the short, we're also going to see how we can be able to configure our affinity and anti-affinity in WAC. So it's pretty straightforward. So in WAC, to review the existing rules and to create new rules, so you browse to the cluster second pane and then in the cluster section, you select affinity rule menu item and then after that the anti-affinity rule is referred to as apart or different services and the affinity rule type is referred as together, which is same type. So remember affinity is the same, anti-affinity is different. I think that sums it up here. So it's pretty straightforward, you just go to settings, you can go to affinity rules and set it up under the rule name, rule type, and then you set it to apply to the particular VM and yeah, and have it like that. Pretty straightforward in WAC. I think I can use my hands. So Jolyne, did you have like one of these fancy chairs on wheels? Yes. Yes? Okay. Let's make it more graphical. If you can move your chair to the left. Okay. Yes, then I will do the same. So this is affinity. If you move the other way, that would be anti-affinity. Yes. 
So we're in different regions. So you are on the left, you're in the right. Yes. So with that, we'll go into our knowledge check. Coming up. So we have this second question. While evaluating the use of WAC in Contoso's Azure Stack HCI environment, you decided to test affinity and anti-affinity rules. So you deploy two VMs, hosting resource-intensive SQL Server instances, and want to ensure that they run on separate cluster nodes to prevent resource contention. So what should you do? Your solution must minimize the number of rules you need to create. These kind of questions are always so hard because the minimize the number of rules. You know, during exams, which questions I also love using the least amount of administrative overhead. Okay. So let me see. An anti-affinity rule create one affinity rule. And I think one is really a lone number and two anti-affinity rules. So how should people think? I'm wondering. So you can go on over to aka.ms slash polls and post your answer. Let's see what the guy is saying. What does the world think about this problem? I think I should create a Learn Live event for every time I have an issue with one of my customers. I can just present the problem to everyone in the call and then everyone can come up with an answer for me. That would be cool. Yeah, that should be cool. Yeah. So maybe you can give like 30 more seconds for guys to just answer. But remember here we're looking at, so you want to deploy only two VMs, hosting resource intensive SQL Server instances, and you want to ensure that they run on separate cluster nodes to prevent resource contention. So you're just looking at two VMs. Okay. And you want them on separate cluster nodes. Do you remember? I was with the left. That's a good hint. So the answer should be straightforward. So I hope people in online have found the right answer already. Oh, there we go. Someone just tipped the scale. Should we go ahead and show them the right answer? Yes. It is anti-affinity. Yes. 
Because we're on the sides of the desk. Yes. And you're only looking at deploying two VMs. So it doesn't make sense for us to create two anti-affinity rules. True. True. Yeah. Super cool. Yeah, back over to you. Yeah, because you already mentioned this load balancing thing. And I guess we are super spoiled now with Azure, right? Because in Azure, the public cloud thing, I can just click on anything and it will be magically deployed into my subscription. And I can have a virtual machine. I can have an application gateway. And I can have load balancers. And you might think, oh, load balancing in Azure Stack HCI. So I can have load balancers there. Yes. But we're not talking about that today. I know I'm very strict now, but I have to draw a line somewhere. And we're talking about sharing the load together. We are load balancing virtual machines across our Azure Stack HCI cluster. And why would we want to do that? Well, because if we just deploy our resources next, next finish, they might all end up on one cluster node. For instance, CN01, cluster node 01. And the next server will be deployed on CN01 again. Until that thing is all overloaded and it will crumble and then the failover system will ensure that node two will get the full load. Then that will crash and it will fail over to node number three, et cetera, et cetera. So instead of that, Microsoft thought of this load balancing mechanism inside Azure Stack HCI. So if we look on that functionality, it is for us as users of the platform, super simple. If we provision a virtual machine on top of Azure Stack HCI, we do not have the choice where that workload will run. We just deploy to the cluster and every 30 minutes and upon deployment, Microsoft Azure Stack HCI will then balance the load across cluster nodes. Okay, that's fancy. But are you sure this is in the user interface of Admin Center? Yes, it is. If we look at the user interface, we're back in Windows Admin Center in our cluster manager environment. 
We're looking at this cluster and here under virtual machine load balancing, we see we have three settings. Of course, you can set it to never and never meaning never ever. This is basically the setting. No, no, no. I know my stuff better than Microsoft knows. Good. Really? You're really thinking, okay, that's your prerogative. You can think you know better. And of course, then you have the opportunity to break the cluster. I mean set it accordingly. You can also do it on server joins of putting it on always and always meaning the 30 minute schedule, right? And of course, when a new node is added, the system will do a recalculation of the availability of resources underneath the virtual machines and then do an automatic load balancing or maybe you could say redistribution of virtual machines in that space. So this is cool. This is like a measure taken to guide you in not to overload the system because it will always be load balanced across nodes. And I know I could talk for another 30 minutes about this, but Jolyne is very strict with me. We cannot go over time today. So let's just dive right into the knowledge check of this topic, right? Again, mapping it back to our made up company Contoso. So you're evaluating Windows Admin Center in Contoso. You want to test out the virtual machine load balancing behavior and you want the load balancing mechanism to take effect whenever the utilization levels on individual cluster nodes, so all the nodes within your HCI cluster exceed 70%. Oh, wow, there's a threshold there. What should you configure in Windows Admin Center? Okay, we can set something in aggressiveness in virtual machine load balancing. Could it be medium, high or low? So is a higher aggressiveness, meaning it will load balance sooner or later? I think that is the question behind the question here. Yes, and this is really starting out to be a psychological show. 
So when do you think when utilization levels on individual cluster nodes exceed 70%, what type of aggressiveness will match that? Medium, high or low? Hmm, that's a good one. And if you think, well, I didn't see that one because it was covered. But I'll think about this question for a second and I'll show you the user interface that goes with this. So you saw this one, right? Never server joints always on balanced virtual machines. The checkbox underneath states aggressiveness. So how soon do you want your VM to be load balanced? How aggressive do you want this to be? All right, do we already have some answers, Sir Jordan? I have a please wait. Yeah, so let's give them like 30 more seconds. So the specified exceed 70%. So how would I know if it's actually medium, high or low? I would say it's definitely not low. Okay. And again, these are servers, right? So servers get to work for their money. So if a server is working really, really hard and it's working at 80% of capacity all day, I say, no worries, it's a server. Okay, if it's running for 95% of capacity for three hours, you might need to take a look. But if it's working at 80%, all good, everything in the green. But maybe you want to play around with it, you're evaluating this Windows Admin Center thing, and you say, let's lower that threshold. And then indeed, the load balancing setting should be set to medium. Now, I noticed two people have the right answer, and one not so much. They voted for B. But again, these are servers, so they're really meant to work hard. And of course, I cannot blame you if you just voted B because you would really love that letter. Yeah, it's a super good letter if your name starts with it. I can only talk for myself, Jolyne, so. That concludes our whole segment on load balancing virtual machines in Azure, sorry, in Windows Admin Center. Now for the fun stuff. Now we get graphical with you. Yes. 
So, in our scenario for Contoso, so you find that some of the applications that are more powerful, so currently what they have, they rely on third party hardware that is nearing its end of life. So you want to check if the support for GPU in Azure Stack HCI can provide a viable replacement for the legacy hardware. So in this case, you want to use Azure Stack HCI GPU to replace your legacy hardware, which is going to end of life. So maybe let's just see. So what are some of the benefits for GPU in Azure Stack HCI scenarios? So, I'm sure you all know, like GPU is a specialist electronic secondary optimized for specialized workloads that requires, yeah, I'm sure you can read through, but so what are the actual benefits? So we want to do app and desktop remoting, so including VDI and desktop as a service scenario. So these are quite resource intensive, so they require a lot of more processing power. And then you also have another scenario for remote rendering and coding and visualization. So you can imagine even if you're using your own local machine and you're actually doing most of the things, but your visualization rendering, they require a huge, like a lot of power. And then another one is high performance computing, HPC and machine learning, so it is common in financial modeling scenarios. And remember for our Contoso, it's a financial execution. So you can, yeah. So GPU supports visualization, which helps in using GPU for virtualized workloads. So in Azure Stack HCI, you can implement virtualization by using DDA. But do you remember what DDA stands for? Dynamic Duo, no, not with Dynamic Duo. Not even close. Denial of no. No, no, no. So it stands for discrete device assignment. Oh yeah, I was going for that after this. So DDA, which is discrete device assignment, allows you to assign one or more physical GPUs to a VM using Windows or Linux operating system. So this DDA is quite important in this scenario. 
We have to take note that with DDA, a physical GPU provides acceleration to a single VM only. To only one VM. So to maximize DDA benefits in multi-user environment, consider hosting multiple specialized workloads per VM. So by implementing RDP remote desktop services, you can then use multiple session capabilities of Windows Server to host multiple user sessions of the same VM. So one thing that's quite important to note is that for DDA, a physical GPU provides acceleration to only a single VM, only a single VM. So going on further, yes. So going on further on how to configure GPU acceleration for Azure Stack HCI VM. So the process of configuring DDA-based GPU acceleration on Azure Stack consists of four main tasks which are highlighted here. I'll just go through. So the first task is to configure the VM for discrete device assignment. And the second task after you've configured the VM is to dismount the GPU from the cluster nodes. So we'll go through that again. So the third one is to assign the device to the VM. So you remember you've already dismounted the one that was already existing for the GPU. And then now you have to assign the device to the VM. And then after that, the last step is to install the GPU driver in the guest OS. So those are the four steps that you need to remember to configure GPU acceleration for Azure Stack HCI VM. Yeah, because those GPUs are like physical cards, right? In your host. So if the host boots up, the host will recognize it. I've got new hardware and it's a GPU. Now, step two is okay, host, you have some new hardware, like a movie frozen, let it go, right? Then you assign the device directly to the VM and install the GPU drivers in the guest operating system. Now, there are a couple of manufacturers out there and NVIDIA is one of them. And they provide their own set of drivers with those GPUs. And a question came up from Andri Afmat or they need to use the NVIDIA drivers for that. So we'll cover which drivers are supported. 
Yeah. So when you install the GPU drivers and you're using an NVIDIA GPU, I am not an expert on GPUs and I know there are a couple of them out there. I would say to install the NVIDIA drivers in the VM, but of course, do that first in your test environment before go live, especially with these kind of GPU acceleration. I as a company would imagine you would not allow just anyone to log on to those specific virtual machines because these GPUs are quite expensive. So you might want to map out virtual machines of this category to certain financial modelers, people that make CAD drawings, make people that produce a video on a VDI workplace, which I don't think there are many, I hope, because I do my video rendering physically, but okay, you can do that using these kind of technologies. Now, specifically to configure that VM for DDA. Yes. So you have to make a couple of changes on your VM level in order for DDA to actually work. So you have to make these two changes. So setting the automatic stop action to turning off the VM for the target VM. And the second change that you have to do on the VM level is assigning values that enable an optimized communication between the physical GPU and the target VM. I'm with you. So you can perform all these tasks absolutely on work and also using Windows PowerShell. So running on the cluster nodes that host the target VM. So automatic stop action settings are also configurable from Windows Admin Center. So remember for most of these, it's either on PowerShell, Windows PowerShell and Windows Admin Center as well. True. I think we covered this. Yes. We've already covered this as well, but just to emphasize on this. So some of the supported graphic devices in the VM. So for Azure NV series, which we're talking about, like NVv3 series, more NC series as well, VM. So only NVIDIA GRID drivers and not NVIDIA Tesla or CUDA drivers are supported. So support GPU acceleration for most apps and the Windows user interface. 
So you'd rather now use NVIDIA GRID drivers for most of these Azure NV series, NVv3 series VMs. And for Azure NVv4 series, so install AMD drivers provided by Azure. So that's quite important to know. Yeah. If you get to talk about Azure, I can talk about Azure too, right? Yeah, because this is an equal opportunity world. Now let me quickly find what I wanted to discuss in Azure. So we're talking about this Windows Admin Center, right? And we can install that on HCI. But if after today you say, well, I want to have a look at Windows Admin Center, can't I just do like a test run or isn't there something I can try it out? Well, there is a preview in Azure. This is just public old Azure. And if you deploy a virtual machine there, Windows Admin Center is in preview. So you can connect to your own virtual machine with Windows Admin Center hosted by Microsoft. And if you sign in to Windows Admin Center, now I'm using credentials of my virtual machine. I get most of the Windows Admin Center goodness we can also have on-prem. So I can get my visibility. I can see what apps are installed. I can PowerShell into the virtual machine, all kinds of fun things. So if you just want to play around with it, so how does it feel? Well, you can. It's not just part of public Azure. So if you go to your virtual machine and then in the settings portion, you go to Windows Admin Center. There you go. You can play around with it today. No download, no hassle, hosted by your most favorite company in the world, Microsoft. Sure. But then all this knowledge you just shared. Let's see if it's stuck. And again, you know this works, right? Go to aka.ms/polls and there you can find our question, which is? So you want to evaluate the usage of Contoso's financial applications by using a Linux VM running on Azure Stack HCI. So your Azure Stack HCI cluster hardware includes NVIDIA GPUs. So what should you do before you assign the NVIDIA GPU to the Linux VM? So remember we had four steps. 
So your solution must minimize the number of configuration changes. So you're asking, so what should you do before you actually assign the NVIDIA GPU to the Linux VM? Let's see if there is a following. So can we actually do this to a Linux VM? Yes. Remember that we had four steps. Do you remember the steps? Brush my teeth, comb my hair. No? Other steps? Yes. So remember the first step was to configure the VM for DDA, which is discrete device assignment. And then the second step was to dismount the GPU from the cluster node. And then the third step was to assign the device to the VM. And the fourth is to install the GPU drivers in the guest operating system. So they're asking us what should you do before you assign the NVIDIA GPU to the Linux VM? Then I would say it could be fun. Let's see how guys are posting on the poll. So heading over to aka.ms/polls and post your answer. Okay. We're basically following this section. I'm seeing very wrong answers. But what do you think the answer is, maybe by elimination? Yeah. Well, I think A would be fun. And I think A would be super easy with PowerShell for each and Force. But I think that's a little bit overkill. Because there's this one on one relationship I learned this morning between a GPU and a VM. So maybe I just need one GPU that's dismounted for specifically the Linux VM. But yeah. Difficult. So since you're the expert, what is the right answer? So it's definitely not A. As you say, it's an overkill. So C will be the correct answer because the GPU will be used exclusively by the VM. So you have to disable and dismount it from the cluster node. Nice. All right. Well, I was getting in the right direction. Maybe I should watch this recording again. Yes. So that's over to you. Oh yeah. Because we had to do some practical stuff with this GPU thing. Because the whole reason why we want to be able to do this GPU thing is to offer more people this virtual workplace on top of Azure Stack HCI. 
And I'm sure your organization, even my organization went through this in the last two years. And my organization has one employee. We're working from everywhere right now, right? So we are working from home. We're working from this coffee bar and meeting friends. No, we're heavily concentrating in the coffee bar, not doing anything else, right? But our life is much more dynamic. And we're working from the cafeteria while our son is doing soccer practice. We're working from an airport just before we run into our plane. And for that, you could just let everyone run around with data on their laptops. Or you could try and centralize most of that work. And that is by providing a VDI environment in Azure Stack HCI. And you heard me talk about a little bit this morning about another abbreviation, which was AVD, Azure Virtual Desktop, which is coming to HCI, which is still in preview. And again, to be fair for you, just to be able to give you solid information, we're not talking about previews or things that might be happening in the future. We're talking about things you can do today or tomorrow on your Azure Stack HCI. And that is running HCI VDI. And just a couple of reasons, and I already dropped one of them just now, why you'd want Azure Stack HCI VDI is to have all of your resources inside your data center. And your data center can be a physical thing with walls around it and locks on doors and cooling systems and power and someone deciding and thinking about licenses. How are we going to do licenses? Or it could be just VMs running in Azure. Even our server rooms are now dynamic things. So these data centers don't need to be on premises. They can be anywhere. If you do that, if you centerify that solution, you can also mitigate the risk of data exfiltration because you try and keep as much data as you can inside the data center. If people need access to the data, first log into a VDI and then you can have access to the data. 
Of course, you eliminate the use of personal devices for direct contact, but you can use personal devices as a sort of stepping stone into your VDI workplace, which you can provide a consistent user interface because you can really control how that user interface will appear, which colors, which applications are deployed. And if someone can use one of those fancy virtual machines with a graphical processing unit, a GPU. So all kinds of benefits of using VDI in Azure Stack HCI. Well, at Contoso, they thought it was a good idea. So they went ahead and started to evaluate that. And what you can do, if you're not sure on, okay, so I'm not going to just use any old virtual machine. I really want to have good virtual machines specifically in our HCI environment. There is something called the HCI catalog. So if you go there and I just did a really simple Google, sorry Bing, can I say Google now? I use both, I use Bing and Google. To find the catalog, let me see, let me pull it up here. And then it took me here. And I think this is a little bit too long to share with you. Azure Stack HCI solutions.azure.microsoft.com. Okay. And then you get here. You can browse through the catalog. Let's just do that for a second. And then you get this overview of all kinds of certified HCI hardware. So Bert, do I really need certified hardware? Well, there's a truthful answer and there's the politically correct answer. And I'm fine with both. Yes, you can run Azure Stack HCI on everything, including NUC devices, everything. But if you are working with a vendor and you want vendor support, yes, you need a certified device because that vendor can only certify that it will run on certain devices. So if you're fooling around and you want to see what it does, order a couple of NUCs, just don't run production on it. If you want to see, can I really low balance what Bert said? Do it on a NUC. I'm not sure if you can fit a GPU in there. Maybe you want an expansion bracket for that. 
Hey, go wild, but don't use it for production. Now, again, looking into this catalog, you see a whole lot of hardware. But I wanted something specifically for VDI. Now, if you take this route, help me choose, you'll go through like a checklist. You want an integrated system, or do you want to have a single validated node? Now, for me, I want an integrated system. I want everything inside the box. You have certain hardware vendors you like. You already have a relationship with maybe or maybe you want to try something new. That can be as well. So for this time, I don't have any preferences. I'll just go through next. And this is a super handy page. What would you like your service to be optimized for? Are you into BI? Are you doing lots and lots of SQL? Choose this one. See what happens. Are you like a financial institution and you want to run trusted enterprise virtualization more like a generic virtualization platform? Is that what you're looking for? Choose that route. For us, we go the virtual desktop infrastructure way. And here you get to choose your form factor. Now, if you're in a war zone, you might choose rugged. You might want it in a single rack or in a tower. For me, I'm a super professional company, so I'll choose the rack. And finally, I get my selection here. These are all optimized for VDI workloads. Easy as that. And this can help you in your choice in that big wood we call hardware. So trying to make life easier for you with this website where you can go through the catalog, even with some nice scenarios for you to choose from. And if we talk about VDI workloads on Azure Stack HCI, of course, we get something called pools. We get pools of virtual machines providing desktop services. We have pooled desktop collections, managed pooled desktop collections, personal desktop collections, et cetera, et cetera. And it's for you to make a choice in that direction. 
Now, let's quickly skip over the knowledge check for now, because I see we have about 15 more minutes to enjoy the presence of Jolin in this session. So I think you wanted to talk a little bit about security today. Yes, I did. So for those who, it's important just for all of us to note that security is everyone's responsibility. And for our case, since Contoso is a financial institution, it does financial operations. They want to ensure that their data running on Azure Stack HCI is actually protected from cyber threats. So the case remains the same. It varies with a successful exploit. So normally you have a vulnerability, and then that vulnerability is exploited, and then someone gains access to your system or defaces your whole operation. So what if it's a successful exploit of the operating system? So running on the cluster node. So to address this demand, you want to use the trusted enterprise virtualization in Azure Stack HCI. So these capabilities are built in within the Azure Stack HCI hardware and hypervisor. So you want to maximize the use of these completely. So we want to see the benefits of trusted enterprise virtualization in Azure Stack HCI. But next. So basically what you're saying, HCI is built on Hyper-V, which is an enterprise virtualization platform. And because Microsoft has built that so rugged, they secure it that well, you have benefits from running it on that hypervisor. Yes. So if anything was successful, the chances of it like you being compromised are very low because you've enabled trusted enterprise virtualization. So some of the benefits are this. So HCI provides the trusted enterprise virtualization. So through the built-in support for virtualization-based security, which is VBS. So you can use this for hypervisor-enforced code integrity. So it is HVCI. So for VBS, allows you to implement HVCI and Credential Guard as well, which help protect Azure Stack HCI based workload. So HVCI code integrity policy enforcement enhances code integrity. 
So which identifies and remediates unauthorized changes to device drivers and operating system files. Cool, right? And then also HCI runs on code integrity systems. So inside the virtual secure mode. So protecting it from operating system based malware. So the other angle is Credential Guard. So Credential Guard protects cached sign-in credentials by storing them in the virtual secure mode. So both of these features use the trusted platform module inside the Azure Stack HCI hardware. So that would be the most in-depth layer of the operating system. So it is very secure. That is the trusted platform module. They can imagine this is built in. So you can use HVCI and the Credential Guard to make sure that you are fully secure. True. And this also ties back into our discussion on hardware, right? Do you really need certified hardware? If you want to use these kind of technologies, yes you do. Because having that certified hardware means that, yes, you will have a TPM chip in your server hardware where your NUC device or whatever hardware you're using in your test environment might not have this TPM chip. So also again, if you want to do it right, do it right from the bottom up. So get certified hardware, get your hardware with a TPM chip, check your hardware for the scenario and secure it like it are your organization's crown jewels. I still see organizations which do not believe in role separation because if we can combine roles on top of one server, we save out on a license. And what do you think an attacker will say in that case? Oh, joy. Two roles for the price of one or for the heck of one. So role separation isn't just a financial game Microsoft is playing. Oh, I get to sell more server-wise. No, it's also a way to segregate functions, to secure each individual resource, each individual virtual machine to avoid foster penetration by hackers. It's really a thought. It's not just some mindless money game. It's a security thing. Sorry for my rant. 
Yes, so finally, so how do you implement trusted enterprise for Azure Stack HCI workloads? So you first need to identify what is the Azure Stack HCI hardware which is optimized for trusted enterprise virtualization. So whatever we were looking at before. So Azure Stack HCI catalog includes trusted enterprise virtualization as one of the filtering criteria for integrated systems and validated nodes. And then next, you enable HVCI. So remember what we said HVCI stands for? So HVCI is hypervisor-enforced code integrity. So it's not enabled by default. So you have to enable it. It is not automatically enabled. So enable it and use group policy or direct registry changes to make sure that you enable HVCI. So additionally on top of that, you can integrate Azure Stack HCI with Microsoft Defender. So Defender provides cloud-based advanced security management and threat detection benefits. So for on-premises workloads, including workloads running on Azure Stack HCI VM. So you can use, you can leverage the security features that are available on Azure, even for your on-prem resources. So if it's Defender for cloud, you can be able to see the zones that are actually not compliant and the secure score as well. So we can leverage all the benefits of security features in the cloud. Cool. All right. Let's see if we were clear enough with our last knowledge check. So again, if you just clicked away the page because you thought, well, after module four, they won't do any knowledge checks anymore. You got a surprise. You can go to aka.ms/polls and you can play along with this little game. That's called question and answer. Okay. So our question, our last question for today's session is, so you're planning Azure Stack HCI based deployment of Contoso business-critical workloads. So this is a business-critical workload that must be protected from cyber threats, even if there is a successful exploit of the operating system running on the cluster nodes. 
So you already purchased Azure Stack HCI hardware that supports trusted enterprise virtualization. So what should you do next? So pass A, integrate Azure Stack HCI with Azure Defender. B, enable Credential Guard. C, enable HVCI. What? You just threw the abbreviation in there. Enable hypervisor-enforced code. And I'm missing D. Get some coffee. I know, but you said the answer is B because it's B for but. B is always a good answer. I'm not saying the right answer. It's a good answer. Okay. So remember this scenario. So when it is successful exploit on the OS, they want to still be protected. So they've already done both hardware and it means that they had a support trusted enterprise virtualization. So the question is, so what should you do next? Yeah, that's a tough one for me. Let me see if I can get some help from the esteemed audience. Let me refresh my page here. Oh, oh, God. I think we have a unanimous answer right now. So are all of our viewers your fans now that they're only to security or what's this? People at home voted for answers B, Jolin. That is very correct. So remember the first point was to make sure that the hardware is compliant. It supports trusted enterprise virtualization. And then the second one is to make sure that you enable HVCI because it's not enabled by default. And then the third is if I integrate with Microsoft Defender, but also if you want to do some credential that you can also do that on the side of the but the next step should be enabling HVCI. So with that, we go into a recap. Yeah, let's just just quickly go through the stuff we talked about this couple of hours, really. So all the way in the beginning, if you skip back to recording, you hear us talk about manage Azure Stack HCI VM. So that's a very generic story on how you can do that. Of course, we have PowerShell, which we know we love. But we also have this wiggity wiggity wiggity whack Windows Admin Center, which is getting more whack every installation. 
And I don't mean crazy, but I mean, great. It's a super tool. Then we talked about affinity. And we also discussed anti-affinity. So running multiple instances close together or separate. And we already heard that it's not a binding thing. It's more like your advice. So if you really need to clear out a node and there's some anti-affinity between two virtual machines, yes, you can still let them run together on a single node and using load balancing. If the other node returns, it will be spread out again. So it's more of like your advice for affinity. Then we talked about that load balancing stuff, which can be done upon adding a virtualization host, a virtualization node, or every 30 minutes. Or if you know best, you don't do that at all. And you see your nodes falling over after a nice time of time. We talked about GPU support, giving those people who are really demanding that graphical user interface on a VDI environment. That's the next topic. The right to work as well. And we talked a little bit, and I could listen to this talking about a trusted enterprise virtualization for days. I love this stuff. So we might need to do some sequel on this. But okay, that's just for our producer and our bosses, right? So this is the entire session we had for you today. Now, if there are things that are not yet clear, that you want to dive a little bit deeper in on your own, don't forget you can go to the friends at Learn Live, Microsoft Docs, where we have this module for you as well. So you go to aka.ms, whack, learn live, dash, 2022, 0616. Oh, wait, that's today. And we're still on the A version. So that's the primal version. This is all the goodness we're talking about today. You can use this shorted URL, of course, or through means of modern technique, you can also use the phone and take a picture of this. And you'll be referred to with it as well. Now, Jaleen, this was the almost last session of the series. Yes. So we've been running a series on Azure Arc. 
So today, later on today, we have the Managed Azure Kubernetes Service on Azure Stack HCI. So looking forward to that. So that will be the very last episode of the full series on Azure Arc. So don't miss out. Cool. Then I'd like to thank you very much, Jaleen. It was a pleasure. And before I forget, I told you I was going to bring this up in the preparations. You are one of the trendsetters, you know that, right? In fashion, in the world, because people, this is all high definition. Did you see Jaleen's eyebrow? Did you see it? I know people are now making cuts in their eyebrows to look cool. Jaleen has that by nature. So I think they just took that from you. Yeah, definitely. Oh, thank you. Thank you very much. Signing off for Jaleen and for myself and for Flo and Laura and all the people behind the scenes. Thank you for watching this. Of course, use this knowledge that you acquired only for good and not for evil. And maybe we'll see each other in the next episode of Microsoft Learn Live. Have a great day. Bye.