
Step by Step Installation and Configuration of Nerdio Manager for Enterprise 7.4 – Part Four

Published January 2026 at blog.youngtech.com

Click Here to Download this Full Guide as a PDF

Back in November I published the Full Guide linked above, which includes 165+ pages of Step by Step instructions for Installation and Configuration of Nerdio Manager for Enterprise 7.4. Part One of this Blog Series can be found here:

A couple weeks later, I published Part Two of this Blog Series, which can be found here:

In December, I published Part Three of this Blog Series, which can be found here:

This post is Part Four (of Four), all sections of which can be found in the Full Guide linked above.

As mentioned previously, this guide is not a replacement for the excellent documentation available at https://nmehelp.getnerdio.com. I highly recommend checking out the official Implementation Guide, which I’ve linked here.

What This Guide Covers

This walkthrough is designed to help you lay the foundation for a successful Proof of Concept (PoC) or initial deployment of Nerdio Manager for Enterprise. In the previous Blog Posts, I shared the first five of the six sections outlined below. In this Part Four of the series, I’ll be sharing the sixth and final section from the 165+ page guide.

If you want to review the entirety of the content that I’ve released over the last two months in multiple parts, you may: Click Here to Download this Full Guide as a PDF

Reminder of Prerequisites for a Smooth Deployment

To ensure a time-efficient engagement, I always confirm the following basics are in place before starting:

  • Nerdio Engineer Account: The engineer (typically the PoC contact) should have Owner privileges on at least one Azure subscription. In this case, my account dane@youngtechavd.com serves as the Nerdio Engineer, with the subscription PAYGO-SPOKE-NER-INFRA designated for deployment.
  • Azure Virtual Network (VNET): Pre-staged with subnets and configured to allow:
    • Internet access for Azure Portal connectivity
    • Access to Active Directory Domain Controllers for AVD domain join
    • Custom DNS pointing to AD DCs for private DNS resolution
    • A Private DNS Zone to restrict App Service access from the public internet
  • Global Admin Access: Required at specific stages for elevated privileges.
  • Entra ID Synchronization: Ensures Workspaces can be provisioned to MFA-enabled AD domain users.

For this blog post (Part Four), let’s jump back in where we left off!

Section 6: Lock Down Nerdio Manager for Enterprise to an Azure Private Endpoint

Now that we have successfully created a Desktop Image and IT Workspace, we can effectively lock down Nerdio Manager for Enterprise to an Azure Private Endpoint. While this can technically be completed during the initial import and configuration of NME from the Marketplace, I’ve found that in most cases it’s more practical to create an Azure Virtual Desktop host pool, then tie the Azure Private Endpoint into the new Workspace or Host Pool.

For example, using the steps outlined above, the first Desktop Image and first Workspace created were specifically for IT Administration and Management. This provides an ideal location from which to lock down access to NME using a Private Endpoint. Here’s a brief description of Private Endpoints, and why this is always a recommended technique for securing any new NME environment.

What is an Azure Private Endpoint for an App Service?

According to Copilot, an Azure Private Endpoint for an App Service allows you to securely access your web app over a private IP address within your Azure Virtual Network (VNet), rather than exposing it to the public internet. This is part of Azure’s Private Link feature, which enhances security and network isolation.

Key Concepts:

  • Private Endpoint: A network interface that connects you privately to a service powered by Azure Private Link.
  • App Service: A fully managed platform for building, deploying, and scaling web apps.

What It Does for App Service:

When you configure a Private Endpoint for an App Service, it:

  • Maps a private IP from your VNet to the App Service.
  • Allows traffic to flow privately from your VNet to the App Service.
  • Blocks public access (if configured), ensuring only traffic from your VNet can reach the app.

Benefits:

  • Enhanced security: No need to expose your app to the public internet.
  • Compliance: Helps meet regulatory requirements for data privacy.
  • Network isolation: Keeps traffic within your Azure environment.

Limitations:

  • Only supported for Premium V2 and Premium V3 App Service plans.
  • Requires DNS configuration to resolve the app’s hostname to the private IP.
  • You can’t use Private Endpoint with App Service Environments (ASE) because ASE already provides VNet integration.

From within the IT Workspace open Edge and click Start without your data:

Click Confirm and continue:

Click Continue without Google data:

Click Confirm and start browsing:

Click Continue:

Click Continue:

Click Finish:

From the Edge Browser running within the IT Workspace, navigate to the Azure Portal, portal.azure.com, as shown:


Authenticate with the same account that has been used so far, representing the Nerdio Engineer (Global Admin not required), for example dane@youngtechavd.com:

Enter the credentials:

Perform the Entra ID Multi-Factor Authentication steps:

Stay signed in:

Now we have an Azure Portal login from within the IT Workspace, which can be used to validate the Private Endpoint once it is configured.

Navigate to App Services by selecting it from the Home page, or searching from the top. Click the Hyperlink for our NME App Service (wu2-nme-appservice):

Expand Settings on the left blade menu:

Navigate to Settings \ Networking as shown below:

By default, you’ll see Public Network Access set to Enabled with 0 private endpoints. Click the 0 Private Endpoints hyperlink:

Click Add to create a Private Endpoint for this NME App Service:

Under the Add menu, select Express as shown:

Enter a meaningful Name for the Private Endpoint, along with a Subscription, Virtual Network and Subnet that will be used to connect to the App Service:

It is important to leave Integrate with private DNS zone toggled to the Yes position (the default); without it, the App Service hostname will not resolve to the Private Endpoint’s private IP. Review the settings and click OK:

The Private Endpoint is being created, as shown in the Notifications area in the top right:

Now the Settings \ Networking section shows 1 Private Endpoint as shown. Next, we’ll disable Public Network Access by clicking the link to the right:

By default Public Network Access is set to Enabled from all networks as shown.

Toggle this to Disabled now that we have a Private Endpoint configured. Click Save to perform the change:

Tick the checkbox to confirm that access will be limited, then click Continue.

The change is being performed as shown in the top right and in the notifications section:

Now, the Settings \ Networking section of the App Service shows the 1 private endpoint as configured with Public network access set to Disabled:


To validate the App Service is locked down from the outside world, attempt to navigate to the appservice.azurewebsites.net page from another system. Notice the Error 403 – Forbidden page is displayed, indicating that the NME Console is now strictly available from the Private Endpoint or from within the Azure network.


Another situation that may display the Error 403 – Forbidden message shown above is when the organization’s Azure Private Link DNS forwarding is not functioning properly. From within the IT Workspace, attempt to nslookup or ping the NME App Service record as shown below.

If the address resolves to a public IP address (not 10.10.32.4 in my example), most likely public DNS is being used to resolve the outside interface address of the App Service. This can be solved using the processes outlined in the next several steps.

If Active Directory Domain Controllers are being used as Custom DNS for the Azure VNET, ensure there is a Conditional Forwarder setup to direct azurewebsites.net to resolve against 168.63.129.16 as shown below. This is a global IPv4 address managed by Microsoft for the purpose of resolving Private Link DNS addresses, as are used by the Private Endpoints in the example above.

For more information see: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration

Once Conditional Forwarders and DNS are functioning properly, from within the IT Workspace, nslookup and ping should resolve to the Inbound address shown on the App Service (10.10.32.4 for example):
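The two checks described above (the nslookup from the IT Workspace, and the Conditional Forwarder on the AD DNS servers) can be scripted. The following PowerShell is an added example and is not part of the original guide or Nerdio’s tooling; it assumes the hostname wu2-nme-appservice.azurewebsites.net and the inbound IP 10.10.32.4 from this guide’s example, which you should replace with the values shown on your own App Service.

```powershell
# Added example (not from the original guide). Replace the two values below with
# the hostname and Private Endpoint inbound IP shown on your NME App Service.
$AppServiceHost    = 'wu2-nme-appservice.azurewebsites.net'   # example hostname from this guide
$ExpectedPrivateIp = '10.10.32.4'                             # example inbound IP from this guide

# Step 1 (run from within the IT Workspace): does the App Service name resolve to the
# Private Endpoint address? If it resolves to a public IP, public DNS is being used and
# the NME console will return Error 403 - Forbidden because public access is disabled.
function Test-PrivateLinkResolution {
    param([string]$HostName, [string]$ExpectedIp)
    $answers = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop
    $ips = $answers | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    if ($ips -contains $ExpectedIp) {
        Write-Host "OK: $HostName resolves to the Private Endpoint address $ExpectedIp"
        return $true
    }
    Write-Warning "$HostName resolved to [$($ips -join ', ')] instead of $ExpectedIp."
    Write-Warning "Private Link DNS is not in use; check the Conditional Forwarder on the AD DNS servers."
    return $false
}

# Step 2 (run on an AD Domain Controller that is Custom DNS for the VNET): verify that a
# Conditional Forwarder for azurewebsites.net points at 168.63.129.16, and create it if
# missing. 168.63.129.16 is Microsoft's Azure-provided DNS and is only reachable from
# inside Azure, so the DNS server must itself have Azure VNET connectivity.
function Ensure-AzureWebsitesForwarder {
    param([string]$ZoneName = 'azurewebsites.net', [string]$ForwarderIp = '168.63.129.16')
    Import-Module DnsServer -ErrorAction Stop
    $zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
    if ($null -eq $zone) {
        # Forest replication makes every AD-integrated DNS server in the forest forward the zone.
        Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $ForwarderIp -ReplicationScope 'Forest'
        Write-Host "Created Conditional Forwarder $ZoneName -> $ForwarderIp"
    }
    elseif ($zone.ZoneType -ne 'Forwarder') {
        Write-Warning "$ZoneName exists as a $($zone.ZoneType) zone, not a Conditional Forwarder; review it manually."
    }
    elseif ($zone.MasterServers -notcontains $ForwarderIp) {
        Write-Warning "$ZoneName forwards to [$($zone.MasterServers -join ', ')], not $ForwarderIp; review it manually."
    }
    else {
        Write-Host "OK: Conditional Forwarder $ZoneName -> $ForwarderIp already exists"
    }
}

# Usage: run Step 1 in the IT Workspace; if it returns $false, run Step 2 on the DNS server.
Test-PrivateLinkResolution -HostName $AppServiceHost -ExpectedIp $ExpectedPrivateIp
```

After the forwarder is created, re-run Test-PrivateLinkResolution from the IT Workspace; DNS client and server caches may need to be cleared (Clear-DnsClientCache on the workspace) before the private address is returned.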

Launch the App Service using the hyperlink on the Overview page, and authenticate from within the IT Workspace as shown:

If the Private Endpoint and DNS Conditional Forwarder are configured properly, the Error 403 – Forbidden error will not be displayed from within the IT Workspace, and authentication will complete successfully.


Navigating to the Dynamic Host Pools section will now show there is at least 1 active User Session (the session we’re using to validate the Private Endpoint):

Section 7: Conclusion and Next Steps

Having followed the steps outlined in this Step by Step guide, new Nerdio Manager for Enterprise deployments will have a solid foundation for deploying additional configurations. As a recap, during this guide, the following has been completed:

  • Initial Deployment of Nerdio Manager for Enterprise from the Azure Marketplace
  • Grant Consent using Global Administrator (Global Admin) account
  • Creating Initial Desktop Image
  • Creating Resource Group and IT Workspace
  • Assign the IT Workspace and Login
  • Lock Down Nerdio Manager for Enterprise to an Azure Private Endpoint

As mentioned initially, this guide is not a replacement for the excellent documentation available at https://nmehelp.getnerdio.com. I highly recommend checking out the official Implementation Guide, which I’ve linked here.

While this was my own spin on a ‘Getting Started’ style blog post, I wanted to share the basics that provide a foundation for any Proof of Concept or Nerdio Manager for Enterprise initial deployment, along with some general prerequisites that make the engagement most time efficient. If you’ve read this far, here is a reminder of the basics I always confirm are in place before starting, to ensure a time-efficient engagement:

  • Nerdio Engineer Account: The engineer (typically the PoC contact) should have Owner privileges on at least one Azure subscription. In this case, my account dane@youngtechavd.com serves as the Nerdio Engineer, with the subscription PAYGO-SPOKE-NER-INFRA designated for deployment.
  • Azure Virtual Network (VNET): Pre-staged with subnets and configured to allow:
    • Internet access for Azure Portal connectivity
    • Access to Active Directory Domain Controllers for AVD domain join
    • Custom DNS pointing to AD DCs for private DNS resolution
    • A Private DNS Zone to restrict App Service access from the public internet
  • Global Admin Access: Required at specific stages for elevated privileges.
  • Entra ID Synchronization: Ensures Workspaces can be provisioned to MFA-enabled AD domain users.

Click Here to Download this Full Guide as a PDF

To complement this Blog Post, I have created a 165+ page PDF with the remaining steps in the following sections:

  • Initial Deployment of Nerdio Manager for Enterprise from the Azure Marketplace
  • Grant Consent using Global Administrator (Global Admin) account
  • Creating Initial Desktop Image
  • Creating Resource Group and IT Workspace
  • Assign the IT Workspace and Login
  • Lock Down Nerdio Manager for Enterprise to an Azure Private Endpoint

This PDF guide is available free of charge to Subscribers of the YOUNGTECH BLOG. To continue reading, please request access to this free resource using the following link: https://lp.constantcontactpages.com/sl/CJIeeLI/nme74


Click Here to Download this Full Guide as a PDF


By completing the form above, you will receive an e-mail to download a PDF of the full guide and continue reading from this section. Once you’ve received the link, you can unsubscribe from the blog at any time, but it’s our way of staying connected to our audience. Please advise if you have any challenges reaching the link provided in the e-mail.

I trust this will be a useful resource to you and that you’ve enjoyed this Step by Step Installation and Configuration of Nerdio Manager for Enterprise 7.4 guide. Best of luck in your NME deployments! If you need any help along the way, don’t hesitate to reach out.

Thank you so much!

Dane Young, MBA
My X | My LinkedIn
