Using virtual desktop services enables you to have secure access to work applications and other organizational resources from remote locations. This is something that vastly increases your capabilities beyond the traditional desktop in the office. Microsoft offers Azure Virtual Desktop (AVD) as a desktop and app virtualization service that runs on the cloud.
And as the work environment consistently evolves, desktop virtualization services are becoming an integral part of the way that organizations operate. It can make it easier to have employees working remotely without worrying about the security of your network.
Unlike in the past when running a virtual desktop environment would have been an extremely complex and expensive undertaking, AVD simplifies the process and also makes it affordable. Additionally, you can expect guaranteed, regular updates and new capabilities that continuously improve the service.
Azure Virtual Desktop main features
Azure Virtual Desktop comes with a lot of capabilities, designed to optimize the use of virtual desktops. By using this service, you can have an environment that perfectly meets the needs of your organization, is scalable when necessary, and is flexible. Below are the key capabilities that you will benefit from:
- You can create a full desktop virtualization environment in your Azure subscription. And you can do so without having to run any gateway servers.
- You can publish host pools as you need so that you can adequately accommodate your various workloads.
- Allows you to have your own image for production workloads or test from the Azure Gallery.
- The availability of pooled, multi-session resources is something that will help you to lower your costs. You can see this even more with the new Windows 10 and Windows 11 Enterprise multi-session capability that will enable you to cut down on the number of virtual machines as well as the operating system overhead costs without having to make compromises about the resources that your users have. (This capability is exclusive to Azure Virtual Desktop and Remote Desktop Session Host (RDSH) role on Windows Server).
- Users can get individual ownership through personal (persistent) desktops.
- You can manage costs further by leveraging autoscale to handle the automatic increasing or decreasing of capacity and this can be based on time of day, specific days of the week, or changes in demand.
For the deployment and management of virtual desktops:
- You can do it through the Azure portal, Azure CLI, PowerShell and REST API for the configuration of host pools, the creation of app groups, the assignment of users, and the publishing of resources.
- From a single host pool, it’s possible to publish full desktop or individual remote apps. You can also create individual app groups for different sets of users, and you could even cut down on the number of images by assigning users to multiple app groups.
- You can gather diagnostics that will help you understand the various configuration or user errors by taking advantage of the built-in delegated access when assigning roles.
- Troubleshooting errors is easier when using the new Diagnostics service.
- The infrastructure will not require any managing, only the image and virtual machines will. Unlike with other Remote Desktop Services, you won’t have to personally manage the Remote Desktop roles. You only need to manage the virtual machines in your Azure subscription.
Assigning and connecting users to your virtual desktops is also something you can do:
- Once assigned, users will be able to launch any Azure Virtual Desktop client to connect to their published Windows desktops and applications. Conveniently, you can use any device to connect and you can do so through the native applications on your device or you could use the Azure Virtual Desktop HTML5 web client.
- Opening any inbound ports is not necessary because you can securely establish users through reverse connections to the service.
New multi-session capabilities
The features I’ve gone over above are key in delivering a virtualization experience that eliminates the complexities of traditional virtual desktop solutions. However, Microsoft is adding to those capabilities to give users an even better Windows experience by introducing Azure Virtual Desktop multi-session with Microsoft Intune.
With this addition, you’ll now be able to use Microsoft Intune to manage Windows 10 or Windows 11 Enterprise multi-session remote desktops in the Microsoft Endpoint Manager admin center the same way as you would for your regular shared Windows 10/11 client device.
Consequently, you can now manage these virtual machines using either device-based configurations meant for devices or user-based configurations meant for users. Windows 10 or Windows 11 Enterprise multi-session is a new Remote Desktop Session Host and it is exclusive to AVD on Azure. It has some very attractive features:
- You can have several concurrent user sessions.
- It offers users a familiar Windows 10 or Windows 11 experience.
- It delivers great convenience by allowing you to use existing per-user Microsoft 365 licensing.
Microsoft has introduced user configuration in Microsoft Intune for Windows 11 multi-session VMs and this will mean that:
- You’ll be able to use the Settings catalog for the configuration of user scope policies and then assign them to groups of users. To simplify this, there is a search bar that you can use to locate all the configurations with scope set to “user”.
- You can configure user certificates and then assign them to users.
- You’ll also be able to configure PowerShell scripts. These are installable in the user context and then assigned to users.
- For Windows 10 multi-session, you need to be running version 1903 or later, or you should be running Windows 11 multi-session.
- Your Azure Virtual Desktop agent needs to be version 1.0.2944.1400 or later.
- You need to have the right Azure Virtual Desktop and Microsoft Intune license if the user is benefitting whether directly or not from the Microsoft Intune service. This includes access to the Intune service through a Microsoft API.
- You’ll need to set up the VMs as remote desktops in pooled host pools. And deployment is through Azure Resource manager.
- The VMs should also be Hybrid Azure AD-joined, as well as enrolled in Microsoft Intune via the methods below:
- Configuration done with Active Directory group policy and then set to use Device credentials. Also, be sure to set credentials to enroll devices that are Hybrid Azure AD-joined automatically.
- Configuration Manager co-management.
- In addition, the VMs should also be Azure AD-joined and enrolled in Microsoft Intune by enabling Enroll the VM with Intune in the Azure portal.
You’ll need to remember that Windows 10 or Windows 11 Enterprise multi-session VMs are essentially different editions of the OS. Therefore, you can expect some Windows 10 or Windows 11 Enterprise configurations that aren’t supported for this edition. However, using Intune won’t interfere with AVD management of that VM nor does it depend on it.
Create the configuration profile
The Settings catalog in the MEM admin center is what you are going to have to use for configuring the configuration policies for Windows 10 or Windows 11 Enterprise multi-session VMs. Additionally, the following device configuration profile templates receive support for the Windows 10 or Windows 11 Enterprise multi-session VMs:
- Trusted certificate – when targeting devices, it’s Device (machine) and when targeting users, it’s User.
- SCEP certificate – when targeting devices, it’s Device (machine) and when targeting users, it’s User.
- PKCS certificate – when targeting devices, it’s Device (machine) and when targeting users, it’s User.
- VPN – Device Tunnel only
Except for the template above, the rest of the existing device configuration profile templates won’t have support. Unsupported templates will not be delivered to multi-session devices. And they will appear as Not applicable in reports.
Also, you’ll need to set the workload slider for Resource Access Policies to Intune or Pilot Intune. This applies if you use co-management for Intune and Configuration Manager. This is a necessary step that will enable Windows 10 and Windows 11 clients to begin the process of requesting the certificate.
- Navigate to the MEM admin center and sign in. Then, proceed to select Devices > Windows > Configuration profiles > Create Profile.
- Next, you’ll want to choose Windows 10 and later for Platform.
- For Profile type, you should select Settings catalog. However, you’ll need to select Templates as well as the name of the supported template if you’ll be deploying settings with a template.
- Select Create.
- Next, you’ll get to the Basics page where you need to give a Name and (optionally) Description > Next.
- And when you get to the Configuration settings page, choose Add settings.
- Next, we get to the Settings picker . Here you need to select Add filter and then pick the options below:
- Key: OS edition
- Operator: ==
- Value: Enterprise multi-session
- Select Apply. With this done, all the configuration profile categories that support Windows 10 or Windows 11 Enterprise multi-session will now appear on the filtered list.
- You can now choose the categories that you want from this filtered list.
- Every category you select will require you to choose the settings. These settings will apply to your new configuration profile.
- In addition, you need to pick the value that you want for this configuration profile for each of your chosen settings.
- After you’ve finished adding all the settings you want, select Next.
- When you get to the Assignments page, you have to select the Azure AD groups that have the devices to which you want this profile assigned > Next.
- Additionally, on the Scope tags, you have the option to add the scope tags you want > Next.
- With all the above configured, you’ll then go to the Review + create page and select Create to create the profile.
Administrative Templates for Windows 10 or Windows 11 are supported for Windows 10 or Windows 11 Enterprise multi-session through the Settings catalog. Addtionally, there are some limitations worth noting.
- There are certain policies not available in the Settings catalog. However, ADMX-backed policies do have support.
- ADMX-ingested policies also have support. And this includes the settings for Office and Microsoft Edge that are available in the administrative template files of both Office and Microsoft Edge. It’s also important to note that not all ADMX-ingested settings are applicable to Windows 10 or Windows 11 Enterprise multi-session. You can view the complete list of ADMX-ingested policy categories in the Win32 and Desktop Bridge app policy configuration.
- At the time of writing, ADMX-ingested policies are supported for user targeting, only on Windows 11.
Compliance and Conditional access with Azure Virtual Desktop
Protecting your Windows 10 or Windows 11 Enterprise multi-session VMs will be of great importance to everyone. And to secure these VMs, you can go to the Microsoft Endpoint Manager admin center. There, you can configure the appropriate compliance as well as Conditional Access policies. Below is the list of compliance policies, supported on Windows 10 or Windows 11 Enterprise multi-session VMs:
- Minimum OS version
- Maximum OS version
- Valid operating system builds
- Simple passwords
- Password type
- Minimum password length
- Password Complexity
- Password expiration (days)
- Number of previous passwords to prevent reuse
- Microsoft Defender Antimalware
- Microsoft Defender Antimalware security intelligence up-to-date
- Real-time protection
- Microsoft Defender Antimalware minimum version
- Defender ATP Risk score
These are the only policies you can use. And those not on this list will not be applicable.
Without a doubt, endpoint security is one of the greatest concerns for most organizations today. Cyberattacks are growing in number and sophistication meaning that endpoints can easily become the weak point in your network. For multi-session VMs, you’ll have the ability to configure profiles under Endpoint security by choosing Platform Windows 10, Windows 11, and Windows Server. Any Platform that you will find unavailable will be for a profile that does not have support on multi-session VMs.
Deployment of applications
Having access to the applications that you need is essential to maintaining productivity and working efficiently. So naturally, I would want to know whether Windows 10 or Windows 11 apps will work for multi-session. Fortunately, all Windows 10 or Windows 11 apps are deployable to Windows 10 or Windows 11 Enterprise multi-session. However, it does come with certain limitations:
- You should install the configuration of the apps within the system/device context. And aim to target specific devices. Additionally, web apps won’t apply to multi-session VMs because of how by default they always apply in the user context.
- The next requirement involves the configuration of all the apps. They must indicate Required or Uninstall app assignment intent. As far as the Available apps deployment intent goes, it’s not going to have support on multi-session VMs.
- For any Win32 apps with configuration to install in the system context, and have dependencies relationships on any apps configured, to install in the user context, their installation is not possible. Instead, you’ll need to create a separate instance of the system context app if you intend to apply to a Windows 10 or Windows 11 Enterprise multi-session VM. Alternatively, you must verify all the app dependencies are configured to install in the system context.
- At present, there is no support in Microsoft Intune for MSIX app attach and Azure Virtual Desktop RemoteApp.
When it comes to script deployment, those configured to run in the system context, with assignment to devices, will have support on Windows 10 or Windows 11 Enterprise multi-session.
To configure this, navigate to Script settings and turn the Run this script using the logged on credentials to No. On the other hand, scripts configured to run in the user context and with assignment to users, will have support on Windows 11 Enterprise multi-session. Similarly, you can configure this by going over to Script settings. But this time, turn the Run this script using the logged on credentials to Yes.
Windows Update for Business
Managing the Windows Update settings for quality (security,) updates for Windows 10, or Windows 11, Enterprise multi-session VMs uses the settings catalog. Finding the supported settings that are necessary is pretty straightforward. You’ll first need to configure a settings filter for Enterprise multi-session. After that, you can expand the Windows Update for Business category. See the settings you can find in the catalog below:
- Active Hours End
- Active Hours Max Range
- Active Hours Start
- Block “Pause Updates” ability
- Configure Deadline Grace Period
- Defer Quality Updates Period (Days)
- Pause Quality Updates Start Time
- Quality Update Deadline Period (Days)
When it comes to Windows 10 or Windows 11 remote actions, there are several that will not be supported. As a result, they will appear grayed out in the UI as well as disabled in Graph for Windows 10 or Windows 11 Enterprise multi-session VMs. These remote actions are as follows:
- Autopilot reset
- BitLocker key rotation
- Fresh Start
- Remote lock
- Reset password
If you decide to delete certain VMs, then you can do so. But the device records will still remain in the Microsoft Endpoint Manager admin center. However, depending on the cleanup rules configured for the tenant, they will still automatically clean up.
Although security baselines are currently not available for Windows 10 or Windows 11 Enterprise multi-session, it’s still a good idea to go over those available. Having done that, you can then go to the Settings catalog and configure the recommended policies and values. This is vitally important as Windows security baselines intend to reinforce security for users and devices.
Using security baselines means that you can leverage the best practices and recommendations for enhanced security. And even though these security baselines come as groups of pre-configured Windows settings, you get the option of customizing each baseline that you deploy to enforce only the settings and values needed.
This is particularly important because the vast majority of the time the default settings in the security baselines are very restrictive. So, it would be good practice to adapt the baselines to meet your needs so that they do not conflict with any of your other pre-existing settings or features.
There are some additional configurations that are not supported on Windows 10 or Windows 11 Enterprise multi-session VMs. Hopefully, this will change sooner rather than later. But currently Out of Box Experience (OOBE) enrollment isn’t available nor does it have support.
The unavailability of this option means that both Commercial OOBE and Windows Autopilot are not supported. And the same also applies to the Enrollment status page. Furthermore, as for the China Sovereign Cloud, Windows 10 or Windows 11 Enterprise multi-session is not as yet supported.
Troubleshooting common issues
|Failure to enroll hybrid Azure AD-joined virtual machine||Normally, auto-enrollment is set up to use user credentials. However, for Windows 10 or Windows 11 Enterprise multi-session virtual machines, the enrollment requires using device credentials. You need to use an Azure Virtual Desktop agent that is version 2944.1400 or later. Another issue is having more than a single MDM provider, which isn’t supported. You’ll also have issues with Windows 10 or Windows 11 Enterprise multi-session VMs configured outside of a host pool. This is because Microsoft Intune only supports VMs that are provisioned as part of a host pool. If your Azure Virtual Desktop host pool hasn’t been created through the Azure Resource Manager template, then that will present a problem.|
|Failure to enroll Azure AD-joined virtual machine||It could be as simple as you using an Azure Virtual Desktop agent that is not updated. You should be using an agent that is version 2944.1400 or later.If your Azure Virtual Desktop host pool hasn’t been created through the Azure Resource Manager template then that will present a problem.|
More about configuration
|Failure of Settings catalog policy||Start by verifying whether the VM is enrolled using device credentials because at present enrollment with user credentials is not supported for Windows 10 or Windows 11 Enterprise multi-session.|
|Configuration policy didn’t apply||With the exception of Certificates, know that templates aren’t supported on Windows 10 or Windows 11 Enterprise multi-session. Therefore, the creation of all policies must be done via the settings catalog.|
|Configuration policy reports as Not applicable||It’s not all policies that are applicable to Azure Virtual Desktop VMs.|
|When applying the filter for Windows 10 or Windows 11 Enterprise multi-session edition, the Microsoft Edge/Microsoft Office ADMX policy is not showing up||The application of these settings is dependent on having those apps installed on the device, not on the Windows version or edition. In addition, the removal of filters applied in the settings picker may be necessary if you want to add these settings to your policy.|
|App configured to install in system context didn’t apply||Start by checking that the app doesn’t have a dependency or supersedence relationship on any of the apps configured to install in the user context. As of yet, Windows 10 or Windows 11 Enterprise multi-session doesn’t support user context apps.|
|Update rings for Windows 10 and later policy didn’t apply||At the time of writing, Windows Update for Business policies aren’t yet supported.|
Availability of FSLogix Profiles
Another exciting new feature recently announced, is the availing of FSLogix Profiles for Azure AD-joined VMs for hybrid users in Azure Virtual Desktop. You can make use of Azure AD Kerberos with Azure Files to access file shares from Azure AD-joined VMs. This means you can then use to store your FSLogix profile containers. This new feature is going to provide you with the following capabilities:
- You can now configure Azure Files with Azure AD Kerberos by using only a single checkbox.
- Azure AD-joined Session Hosts can now achieve configuration with Azure AD Kerberos.
- You can leverage Azure AD Kerberos to store FSLogix profile containers in Azure Files shares.
- Access permissions for hybrid users, managed in Active Directory are also configurable.
- The network line-of-sight from the Session Host to the Domain Controller can now be removed.
Getting started with Azure Virtual Desktop
This new release will be available on Windows 10, Windows 11, and Windows Server 2022 session hosts. Before you proceed, you first need to check the requirements to configure Azure Files with Azure AD Kerberos authentication.
A network line-of-sight from the session host to the domain controller is not necessary for FSLogix profiles in Azure Virtual Desktop. It will still be a requirement for configuring the permissions on the Azure Files share.
Configure your Azure storage account and file share
You will need to follow the steps given below to store your FSLogix profiles on an Azure file share:
- Start by creating an Azure Storage account if you don’t already have one.
- Next, you go to your storage account and create an Azure Files share where you can store your FSLogix profiles.
- To enable access from Azure AD-joined VMs you need to enable Azure AD Kerberos authentication on Azure files.
- For the configuration of the directory and file-level permissions you need to go to Configure the storage permissions for profile containers. And go through the recommended list of permissions for FSLogix profiles.
- It’s possible for users to accidentally delete the user profile or access the personal information of different users. This is common if you do not put in place adequate directory-level permissions. Such mishaps are costly and need to be avoided by ensuring all users have the proper permissions.
Configure the session hosts
Configuring the session hosts is required for you to be able to access Azure file shares from an Azure AD-joined VM for FSLogix profiles. To do this, you can follow the steps below:
- You first need to enable the Azure AD Kerberos functionality and there are a few methods you can use to do this:
- Configure this Intune Policy CSP and apply it to the session host Kerberos/CloudKerberosTicketRetrievalEnabled.
- You can also configure the Group policy and use it for the session host: AdministrativeTemplates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon
- Lastly, you can create the following registry value on the session host: reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /vCloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1
- If you want to use Azure AD with a roaming profile solution such as FSLogix, then the credential keys in Credential Manager should be from the currently loading profile. Having it set up this way means that you’ll be able to load your profile on many different VMs. By simply running the command below, you can create a new registry value. This enables the setting: reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v SLoadCredKeyFromProfile /t REG_DWORD /d 1
Configure FSLogix on the session host
- Configuring a VM with FSLogix is possible by following a set of instructions whenever you configure a session host. You have several options available to make sure that the registry keys are set on all session hosts. These images can be set in an image or you could configure a group policy. See the steps for configuring FSLogix below:
- If necessary, start by updating or installing FSLogix on your session host. In instances where you want to create the session host using the Azure Virtual Desktop service, you’ll need to have FSLogix already pre-installed.
- To create the Enabled and VHDLocations registry values you should follow the instructions in Configure profile container registry settings. The value of VHDLocations should be set to:
Test your deployment
The final step, after completing the necessary steps for the installation and configuration, is to test the deployment. This allows you to verify everything is working properly. You can do this by signing in with a user account with assignment to an application group on the host pool.
Before you sign in, make sure that the account that you are going to use has the necessary permission to use the file share. For any users that have previously signed in, you’ll find available existing local profiles that the service is going to use during the session.
If you don’t want to create a local profile, then you can create a new user account to use for your tests. Alternatively, you can enable the DeleteLocalProfileWhenVHDShouldApply setting by using the configuration methods that you can find in Tutorial: Configure profile container to redirect user profiles.
With these steps complete and the user sign-in successful, you can go ahead and check the profile in Azure Files.
- Navigate to the Azure portal and sign in with an administrative account.
- Next, go to the sidebar and choose Storage accounts.
- You’ll need to then select the storage account that you had configured for your session host pool.
- Once again, go to the sidebar and this time choose File shares.
- Find the file share that you configured to store the profiles and select it.
- What you should now see depending on whether everything has been configured correctly is a directory with a name formatted in the following manner: <user SID>_<username>.
In addition to testing your deployment, you may occasionally encounter issues with FSLogix products. Below is a table demonstrating some actions you can take, should you encounter challenges.
|Issue||Actions you can take|
|Profile Container||Perform a comparative analysis between the data from this documentation and the current values of Status, Reason, and Error. Identify non-zero codes by looking at the log files. Verify you’ve met all requirements. The FSLogix Profiles product can only work properly if this patch is installed for users of Windows 7 or Windows Server 2008 R2. Additionally, check that the Enabled setting is set to 1. Check the ‘VHDLocations’ setting for a valid file system location. Check on the file server to see if the user has the necessary permissions to the VHD(X). Verify that the user is on the local FSLogix Profiles Include group rather than the Exclude groups there a pre-existing local profile for the user?|
|Office Container||Perform a comparative analysis between the data from this documentation and the current values of Status, Reason, and Error. Check for non-zero codes being returned by looking at the log files. Check that you’ve met all requirements. Check that the Enabled setting is set to 1. Check the ‘VHDLocations’ setting for a valid file system location. Verify that the user is on the local FSLogix ODFC Include group rather than the Exclude group. You should expect to NOT see OneDrive icons when using Windows Server 2016 as this is intended. When FSLogix is virtualizing Outlook Search you should also expect to NOT see Outlook in the windows indexing options.|
|Application Masking||Check that the rules have been moved to the Rules folder. Using sc query frxsvc and sc query frxdrv verify that the service and driver are running. Check for non-zero codes being returned by looking at the logs. Verify in the assignment files that the user is included in the assignment: Open the rule in the rule editor. Next, click the manage assignments button. Check that the concerned user is on the list and that the rule applies. In cases where folders or files are hidden from an excluded user then check that the Apply Rules to System button is not clicked.|
|Java Version Control||Verify that rules are loading properly by checking the IE Plugin for errors. From Tools > Manage Add-ons, check that FSLogix Internet Explorer Plugin is installing and enabling. Also, check that the rules move to the Rules folder. Additionally, check that you’re using 32-bit Java. Ensure that the Service and Driver are running.|
Wrap Up About Azure Virtual Desktop
Organizations are witnessing a rapid change in the work environment as well as the preferences of employees. And as the popularity of cloud-based solutions grows organizations are having to invest in technology that supports a hybrid working model. This has plenty of potential benefits for any organization. Also, these include employee satisfaction garnered from some now preferring to work from home when possible.
By leveraging Azure Virtual Desktop, you can get a secure and cost-effective solution that eliminates the complexities of legacy virtualization infrastructure. This means no more fretting over managing licensing, RDS gateways, load balancing, and more.
In addition to the already extensive list of capabilities, Microsoft is now introducing Azure Virtual Desktop multi-session with Microsoft Intune and FSLogix Profiles for Azure AD-joined VMs. These new capabilities are going to further enhance the user experience and potentially increase productivity. Users will get an improved experience that gives them the familiar Windows 10 or Windows 11 experience. Without a doubt, these new features will help your organization to have a more efficient hybrid environment.
Pingback: Virtual Desktops Community Newsletter 2nd February – 9th February 2023 – Virtual Desktops Community
Pingback: Intune Newsletter - 10th February 2023 - Andrew Taylor
Pingback: AVD Community Newsletter – 1st March 2023 – AVD Community