Merge pull request #202119 from dknappettmsft/avd-cert-urls

AVD updating URLs and separating out intents

Author: v-regandowner

articles/virtual-desktop/TOC.yml

@@ -317,9 +317,11 @@
     href: drain-mode.md
   - name: Network connectivity
     items:
+    - name: Check access to required URLs
+      href: required-url-check-tool.md
     - name: Use Azure Firewall to protect Azure Virtual Desktop
       href: ../firewall/protect-azure-virtual-desktop.md?context=%2fazure%2fvirtual-desktop%2fcontext%2fcontext
-  - name: Azure Virtual Desktop for Azure Stack HCI (preview)
+  - name: Azure Virtual Desktop for Azure Stack HCI
     href: azure-stack-hci.md
 - name: Troubleshoot
   items:

articles/virtual-desktop/agent-overview.md

@@ -22,7 +22,7 @@ This article will give you a brief overview of the agent installation and update
 The Azure Virtual Desktop agent is initially installed in one of two ways. If you provision virtual machines (VMs) in the Azure portal and Azure Marketplace, the agent and agent bootloader are automatically installed. If you provision VMs using PowerShell, you must manually download the agent and agent bootloader .msi files when [creating a Azure Virtual Desktop host pool with PowerShell](create-host-pools-powershell.md#register-the-virtual-machines-to-the-azure-virtual-desktop-host-pool). Once the agent is installed, it installs the Azure Virtual Desktop side-by-side stack and Geneva Monitoring agent. The side-by-side stack component is required for users to securely establish reverse server-to-client connections. The Geneva Monitoring agent monitors the health of the agent. All three of these components are essential for end-to-end user connectivity to function properly.
 
 >[!IMPORTANT]
->To successfully install the Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent, you must unblock all the URLs listed in the [Required URL list](safe-url-list.md#virtual-machines). Unblocking these URLs is required to use the Azure Virtual Desktop service.
+>To successfully install the Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent, you must unblock all the URLs listed in the [Required URL list](safe-url-list.md#session-host-virtual-machines). Unblocking these URLs is required to use the Azure Virtual Desktop service.
 
 ## Agent update process
 
@@ -44,6 +44,6 @@ The agent update normally lasts 2-3 minutes on a new VM and shouldn't cause your
 Now that you have a better understanding of the Azure Virtual Desktop agent, here are some resources that might help you:
 
 - If you're experiencing agent or connectivity-related issues, check out the [Azure Virtual Desktop Agent issues troubleshooting guide](troubleshoot-agent.md).
--  To schedule agent updates, see the [Scheduled Agent Updates (preview) document](scheduled-agent-updates.md).
+- To schedule agent updates, see the [Scheduled Agent Updates (preview) document](scheduled-agent-updates.md).
 - To set up diagnostics for this feature, see the [Scheduled Agent Updates Diagnostics guide](agent-updates-diagnostics.md).
 - To find information about the latest and previous agent versions, see the [Agent Updates version notes](whats-new-agent.md).

articles/virtual-desktop/required-url-check-tool.md

@@ -0,0 +1,57 @@
+---
+title: Use the Required URL Check tool for Azure Virtual Desktop
+description: The Required URL Check tool enables you to check your session host virtual machines can access the required URLs to ensure Azure Virtual Desktop works as intended.
+author: dknappettmsft
+ms.topic: how-to
+ms.date: 06/20/2022
+ms.author: daknappe
+manager: femila
+---
+
+# Required URL Check tool
+
+In order to deploy and make Azure Virtual Desktop available to your users, you must allow specific URLs that your session host virtual machines (VMs) can access them anytime. You can find the list of URLs in [Required URL list](safe-url-list.md). The Required URL Check tool will validate these URLs and show whether your session host VMs can access them. If not, then the tool will list the inaccessible URLs so you can unblock them and then retest, if needed.
+
+> [!NOTE]
+> - You can only use the Required URL Check tool for deployments in the Azure public cloud, it does not check access for sovereign clouds.
+> - The Required URL Check tool can't verify URLs that wildcard entries are unblocked, only specific entries within those wildcards, so make sure the wildcard entries are unblocked first.
+
+## Prerequisites
+
+You need the following things to use the Required URL Check tool:
+
+- Your session host VM must have a .NET 4.6.2 framework
+- RDAgent version 1.0.2944.400 or higher
+- The `WVDAgentUrlTool.exe` file must be in the same folder as the `WVDAgentUrlTool.config` file
+
+## Use the Required URL Check tool
+
+To use the Required URL Check tool:
+
+1. Open a command prompt as an administrator on one of your session host VMs.
+
+1. Run the following command to change the directory to the same folder as the current build agent (RDAgent_1.0.2944.1200 in this example):
+
+    ```console
+    cd "C:\Program Files\Microsoft RDInfra\RDAgent_1.0.2944.1200"
+    ```
+
+1. Run the following command:
+
+    ```console
+    WVDAgentUrlTool.exe
+    ```
+ 
+1. Once you run the file, you'll see a list of accessible and inaccessible URLs.
+
+    For example, the following screenshot shows a scenario where you'd need to unblock two required non-wildcard URLs:
+
+    > [!div class="mx-imgBorder"]
+    > ![Screenshot of non-accessible URLs output.](media/noaccess.png)
+    
+    Here's what the output should look like once you've unblocked all required non-wildcard URLs:
+
+    > [!div class="mx-imgBorder"]
+    > ![Screenshot of accessible URLs output.](media/access.png)
+
+1. You can repeat these steps on your other session host VMs, particularly if they are in a different Azure region or use a different virtual network.