Tag Archives: AVD

AVD – The Flexible Solution for Remote Work and Business Continuity

Posted on by
2

One thing that we cannot deny is that remote work is a huge topic in business circles everywhere. It’s something that plenty are trying to evaluate so they can see whether it would be good for them or not. Although opinions and experiences may vary, there’s no denying the potential advantages that remote work could offer businesses. But, for you to get the most out of it, you need solutions with a proven track record. This includes Azure Virtual Desktop (AVD). It’s a solution that can offer employees greater flexibility in how they do their work. Additionally, it provides you with a solid business continuity strategy. Today, we’ll be discussing AVD and what you need to know about it.

Azure Virtual Desktop

A virtual desktop offers you the full desktop experience while running on a remote server. This means that you can access work applications and other organizational resources while working remotely. Azure Virtual Desktop is an app and virtualization service that runs on the cloud.

With this Azure cloud-based service, businesses can offer their employees an efficient and secure way of working remotely. It also allows for capabilities to deploy and manage desktops without too much difficulty. Some of the things you’ll get when running AVD include the following:

  • The ability to set up a multi-session Windows 11 or Windows 10 deployment that can give you the full Windows experience and scalability.
  • Presenting Microsoft 365 Apps for enterprise and optimizing it to run across multi-user virtual scenarios.
  • Bringing your existing Remote Desktop Services (RDS) and Windows Server desktops along with apps to any computer.
  • The ability to virtualize not only desktops but apps as well.
  •  Provides you with a unified management experience that simplifies the management of desktops and apps from different Windows and Windows Server operating systems.

Importance of remote work

Understandably, plenty of businesses may ask themselves why they would even need to be considering remote work. If what you’re currently doing is working well, then why change it right? Although this assertion may be true, we only have to look back a couple of years to a situation where people couldn’t go to work and were required to stay home.

In these kinds of scenarios, being able to leverage virtual desktop services means employees can remain productive, and your business suffers significantly less.

In addition, the greater flexibility that remote work can offer employees is something that can contribute to increased job satisfaction. Employees who have the option for a better work/life balance are likely to be more efficient in how they do their jobs.

Furthermore, this can also change the way businesses operate for the better. You can have the option of hiring people from anywhere, giving you access to the best talent available.

Features of Azure Virtual Desktop

There’s no question that there are several benefits that businesses can gain from utilizing virtual desktop services. But why pick Azure Virtual Desktop? After all, it’s not even the only option that Microsoft offers.

However, AVD does have several features that can make it the remote work solution of choice for many businesses. It’s going to provide you with the following capabilities:

  • It allows you to create a full desktop virtualization environment in your Azure subscription. And you won’t need to run any gateway servers to do it.
  • You can accommodate your diverse workloads by publishing host pools as and when you need them.
  • Bring along your own images for production workloads or test from the Azure Gallery.
  • The option to have pooled, multi-session resources is going to enable you to cut down on costs. Clients will benefit from Windows 11 and Windows 10 Enterprise multi-session capabilities, exclusive to Azure Virtual Desktop or Windows Server. By giving you this option, AVD allows you to massively reduce the number of virtual machines and operating system overhead. Additionally, it continues to provide the same resources to your user.
  • You’ll also get personal (persistent) desktops, and this will provide you with individual ownership.
  • There is an auto-scale feature that allows you to automatically increase or decrease the capacity based on variable factors. These include changing certain days of the week or a specific time of day. And all of which can help you keep expenditures under control.

DEPLOYMENT AND THE MANAGEMENT OF VIRTUAL DESKTOPS AND APPLICATIONS

  • You can create application groups, assign users, and publish resources by using the Azure portal, Azure CLI, PowerShell, and REST API for configuring the host pools.
  • Reduce the number of images by publishing a full desktop or individual apps from a single host pool, creating individual application groups for different sets of users, or even assigning users to multiple application groups.
  • In addition, Azure Virtual Desktop also recommends the use of built-in delegated access to assign roles and collect diagnostics to understand various configurations or user errors.
  • Another recommendation for environment management requires the use of built-in delegated access. This assigns roles and collects diagnostics to understand various configurations or user errors.
  • Whenever issues arise, and you need to troubleshoot errors, you can use the new diagnostics service.
  • Lastly, only the image and virtual machines should be managed and not the infrastructure. It’s not going to be necessary to personally manage the Remote Desktop roles as you do with Remote Desktop Services. Instead, just manage the virtual machines in your Azure subscription.

CONNECTED USERS

  • As soon as users have been assigned, they can launch any AVD client to connect to their published Windows desktops and applications. This scenario allows you to connect from any device using either a native application on your device or the Azure Virtual Desktop HTML5 web client.
  •  Furthermore, you can eliminate the need for opening inbound ports by securely establishing users through reverse connections to the service.

Why choose Azure Virtual Desktop?

As previously mentioned, AVD is not the only virtual desktop solution available for businesses to choose from. We’ve already discussed what AVD is and what features it can bring to your organization. But some may still be asking why this particular solution. The reality is, there are several reasons why you may want to choose AVD as your flexible remote work solution of choice.

SEVERAL USE CASES

AVD allows you to take advantage of several use cases to get the most out of your subscription. Arguably, the biggest of these benefits is that remote workers will get virtual desktops that they can securely access from anywhere using your existing Active Directory for authentication.

Additionally, if you want to publish legacy applications to certain users, you can install them on an AVD host and publish them to those users. To ensure a truly comprehensive remote working experience, you can deploy an AVD host in various regions across the world, thus enabling you to support your users globally.

DEVICE REFRESH EXPENDITURE

From our experiences of using personal devices, most of us are already aware that every few years, we’ll need to upgrade our devices. At a certain point, our devices will stop getting updates, the hardware will slow down, the battery may need replacing, etc. As one can imagine, the cost of refreshing devices for a business is going to be significant.

This is why taking advantage of solutions like AVD and shifting your computing model to the cloud can help businesses start reducing the money spent on hardware. With this solution, your business can use any number of devices, from tablets, laptops, and other mobile devices, for work-related purposes. Not only that, but even some so-called outdated devices may potentially be used to access virtual desktops.

Additionally, Azure Virtual Desktop is a cost-effective alternative to scaling a traditional virtual desktop environment within your own data center. This reduction in expenses leads to better ROI.

AVD can be an invaluable tool as well for companies because of how it lets organizations control various apps and data while still allowing employees access to those resources on their own unique devices. This means that you can also offer your workers greater flexibility in how they work. And you can still retain overall control and keeping security standards high.

Although you could expect some of these benefits from a traditional VDI environment. The service you get from Microsoft comes at a better price point with better security.

IMPROVED SECURITY

Anyone looking to migrate to the cloud will want to know how secure the platform is going to be. Fortunately, for Azure Virtual Desktop clients, you can rest assured that you’ll get the identity management, backup, and database security benefits that the Microsoft Cloud provides.

We already know that Microsoft spends over a billion dollars a year in developing its industry-leading security measures and has a few thousand security experts working hard to enhance the security of the Microsoft ecosystem. As a result, employees will get to have virtual desktops that they can access in a highly secure manner, regardless of where they’re working.

SIMPLIFIED MANAGEMENT

Another great reason to choose Azure Virtual Desktop is that it will allow IT admins to only manage users, applications, and virtual machines without having to worry about the RDS infrastructure. This is because the latter will be managed by the AVD service.

Therefore, since RDS components like Gateways, Brokers, and Licenses are provided by the AVD service, the task of managing them is undertaken by AVD.

Furthermore, clients will be happy to learn that the AVD infrastructure is set up in such a way as to provide a simplified experience, with everything being centrally stored, managed, and secured.

So, what the virtual desktop environment gives you is an easier management system where there is no need to install, update, and patch applications. In addition to the above, the need for backing up files or scanning for malware on individual client devices is negated.

Multi-session attraction

One of the great features of WVD infrastructure is its multi-session environment. This is something that goes a long way in drastically reducing the resources that are required when using single-user methods. With single-user sessions, there are two main disadvantages that can arise.

Firstly, when the machine is not running at peak, a lot of resources are going to waste, and secondly, when multiple users are working on single-user sessions, this is going to be extremely demanding in terms of resources. 

Getting set up

As we look at setting up Azure Virtual Desktop for your business, there are few requirements that you’ll need to consider before proceeding:

  • You need to have an active Azure account and subscription.
  • You need access to a global administrator Azure AD role within the Azure tenant that you plan on using.
  • Lastly, for your Azure subscription, you need to have a contributor and a user access administrator.

DEPLOYMENT STEPS

  • Log in with your administrator account in the Azure portal. Then, search for Azure Virtual Desktop and select it.
  • Proceed to set up host pools that contain virtual machines, application groups to assign the Remote Apps to users, the workspaces as logical groupings of application groups, scaling plans, and users to scope access to running AVD resources.

PROVISIONING

  • Select ‘Getting started‘ in the top left area and then check that the correct subscription is selected.
  • Then, for the identity provider, you’ll find that using an existing on-premises active directory or an existing Azure AD Domain Services instance is something that will be presented as a different option.
  • Select Azure AD domain services for identity service type.
  • Create a resource group with a unique name.
  • For the location, select a region that is closest to your users.
  • You can use your account for the Azure admin username if it has the necessary permissions to deploy resources and to grant access to them.
  • Enter a password for the account.
  • Use the next account to join virtual machines to the domain.
  • Go to the virtual machines tab and create your first session hosts.
  • The users for each virtual machine will determine whether you want more than one user simultaneously logged into a single VM. The multi-session capability, unique to Azure Virtual Desktop, is going to help you save costs and is compatible with both Windows 11 or Windows 10 client operating systems.
  • You also have the option of a single dedicated virtual machine for one user at a time.
  • Next, from Image, you can select from a number of supported Windows client and server virtual machine images for AVD.
  • In addition, you have the option to create and manage your own virtual machine images. You can also choose them in addition to the standard gallery images.
  • When it comes to virtual machine size, you can choose from hundreds of supported VM sizes in Azure.
  • Once you have configured host pool VMs, create an initial user assignment for this host pool in the assignments tab.
  • Once the core steps have been completed, the user will validate everything. You can then create all the necessary resources for AVD.
  • With this done, several resources and services will deploy including:
  • * 4 new Azure resource groups.
  • * Azure AD domain service that will be used for authentication.
  • * Storage account to store data.
  • * FSLogix profile containers to support multi-session environments.
  • * Host pool and virtual machines.

Accessing your virtual desktop

Once your virtual desktops have been set up, users will want to know how they can access them. For virtual desktop services to provide an attractive option, they need to be easy to access. Azure Virtual Desktop allows users additional access their virtual desktops with any modern device as long they have internet access.

This also means that it won’t matter what operating system you are using. Users can stick with the devices they prefer and don’t need to purchase new devices to access AVD.

For the best experience, however, Microsoft recommends using the Remote Desktop client app. Fortunately, this app is available on multiple platforms, including Windows, macOS, iOS, and Android. Apart from this app, users may also access their virtual desktops using any modern HTML5-compatible browser. 

Using the web client, users can access any session desktop or remote application inside of a browser window or tab. Also, be aware that the app you use to access RDS is a different one from the AVD remote desktop client. All this means is that you need to verify that you download the right version of the app.

Furthermore, users can access full desktop sessions and individual published applications when using the Remote Desktop client. This will be in addition to the automatic addition of remote apps and desktops to the local computer’s Start Menu for easier access.  

Enhance your business operations

Azure Virtual Desktop will not only give you an alternative technology solution. But it can also enhance the way your company operates. Plenty of businesses are looking at ways to increase revenue streams. And virtual desktops can help you achieve that by extending productivity to employees’ PCs, phones, tablets, or browsers. These devices might not be under the direct control of the IT team. Moreover, of the measures that Azure puts in place, users will have highly secure access to organizational resources from their various devices.

Another great thing that AVD will help you with is the level of support that end users will receive. When businesses are migrating workloads to the cloud, users are going to need increased support for a low-latency, optimized experience.

Fortunately, with AVD, you get a business-critical platform, and a cloud adoption plan can directly or indirectly impact cloud adoption for all the concerned workloads.

Run a greener operation

In today’s marketplace, it should not be news to anyone that our environment has suffered significantly. All of us to pitch in to start addressing the issues. Regardless of where you may stand on the matter, eco-friendly operations matter. One thing you can’t deny is that plenty of people are now choosing which businesses they deal with based on how sustainable they are.

We’ve already talked about how using virtual desktops will impact your device refresh cycle. However, needing to purchase fewer devices also means that your business will produce less electronic waste.

Because of the use of Microsoft’s highly efficient data centers, your business can potentially cut down massively on energy consumption. Coupled with the fact that you can have some employees working remotely, the total energy savings will be significant, especially when you also factor in commuting to work.

With virtual desktop users being able to work remotely, your business can improve productivity and efficiency. Users can access their virtual desktops wherever they are, allowing your business to run more sustainably while simultaneously increasing productivity.

Wrap up

When looking at remote work, we need to consider that there are plenty of advantages that both employer and employee can gain from this. Considering how virtual desktop services have grown in popularity over the last few years, businesses should at least be looking at these solutions to see what they can bring to their organizations. If there’s anything we’ve learned in that time, it’s that we need to be prepared for the worst. Otherwise, businesses may be forced to shut down.

The freedom and flexibility that a service like Azure Virtual Desktop can offer employees is something that can massively boost staff morale. Virtual Desktop users can maintain high levels of productivity whether they are in the office or working remotely.

In addition, Azure guarantees you industry-leading security measures, meaning that businesses don’t need to worry about where their employees are working. Ultimately, AVD can be the solution to take your business to the next level.

Azure Virtual Desktop’s Latest Capabilities

Posted on by
3

Using virtual desktop services enables you to have secure access to work applications and other organizational resources from remote locations. This is something that vastly increases your capabilities beyond the traditional desktop in the office. Microsoft offers Azure Virtual Desktop (AVD) as a desktop and app virtualization service that runs on the cloud.

And as the work environment consistently evolves, desktop virtualization services are becoming an integral part of the way that organizations operate. It can make it easier to have employees working remotely without worrying about the security of your network.

Unlike in the past when running a virtual desktop environment would have been an extremely complex and expensive undertaking, AVD simplifies the process and also makes it affordable. Additionally, you can expect guaranteed, regular updates and new capabilities that continuously improve the service.

Azure Virtual Desktop main features

Azure Virtual Desktop comes with a lot of capabilities, designed to optimize the use of virtual desktops. By using this service, you can have an environment that perfectly meets the needs of your organization, is scalable when necessary, and is flexible. Below are the key capabilities that you will benefit from:

  • You can create a full desktop virtualization environment in your Azure subscription. And you can do so without having to run any gateway servers.
  • You can publish host pools as you need so that you can adequately accommodate your various workloads.
  • Allows you to have your own image for production workloads or test from the Azure Gallery.
  • The availability of pooled, multi-session resources is something that will help you to lower your costs. You can see this even more with the new Windows 10 and Windows 11 Enterprise multi-session capability that will enable you to cut down on the number of virtual machines as well as the operating system overhead costs without having to make compromises about the resources that your users have. (This capability is exclusive to Azure Virtual Desktop and Remote Desktop Session Host (RDSH) role on Windows Server).
  • Users can get individual ownership through personal (persistent) desktops.
  • You can manage costs further by leveraging autoscale to handle the automatic increasing or decreasing of capacity and this can be based on time of day, specific days of the week, or changes in demand.

For the deployment and management of virtual desktops:

  • You can do it through the Azure portal, Azure CLI, PowerShell and REST API for the configuration of host pools, the creation of app groups, the assignment of users, and the publishing of resources.
  • From a single host pool, it’s possible to publish full desktop or individual remote apps. You can also create individual app groups for different sets of users, and you could even cut down on the number of images by assigning users to multiple app groups.
  • You can gather diagnostics that will help you understand the various configuration or user errors by taking advantage of the built-in delegated access when assigning roles.
  • Troubleshooting errors is easier when using the new Diagnostics service.
  • The infrastructure will not require any managing, only the image and virtual machines will. Unlike with other Remote Desktop Services, you won’t have to personally manage the Remote Desktop roles. You only need to manage the virtual machines in your Azure subscription.

Assigning and connecting users to your virtual desktops is also something you can do:

  • Once assigned, users will be able to launch any Azure Virtual Desktop client to connect to their published Windows desktops and applications. Conveniently, you can use any device to connect and you can do so through the native applications on your device or you could use the Azure Virtual Desktop HTML5 web client.
  • Opening any inbound ports is not necessary because you can securely establish users through reverse connections to the service.

New multi-session capabilities

The features I’ve gone over above are key in delivering a virtualization experience that eliminates the complexities of traditional virtual desktop solutions. However, Microsoft is adding to those capabilities to give users an even better Windows experience by introducing Azure Virtual Desktop multi-session with Microsoft Intune.

With this addition, you’ll now be able to use Microsoft Intune to manage Windows 10 or Windows 11 Enterprise multi-session remote desktops in the Microsoft Endpoint Manager admin center the same way as you would for your regular shared Windows 10/11 client device.

Consequently, you can now manage these virtual machines using either device-based configurations meant for devices or user-based configurations meant for users. Windows 10 or Windows 11 Enterprise multi-session is a new Remote Desktop Session Host and it is exclusive to AVD on Azure. It has some very attractive features:

  • You can have several concurrent user sessions.
  • It offers users a familiar Windows 10 or Windows 11 experience.
  • It delivers great convenience by allowing you to use existing per-user Microsoft 365 licensing.  

Microsoft has introduced user configuration in Microsoft Intune for Windows 11 multi-session VMs and this will mean that:

  • You’ll be able to use the Settings catalog for the configuration of user scope policies and then assign them to groups of users. To simplify this, there is a search bar that you can use to locate all the configurations with scope set to “user”.
  • You can configure user certificates and then assign them to users.
  • You’ll also be able to configure PowerShell scripts. These are installable in the user context and then assigned to users.

Pre-requisites

  • For Windows 10 multi-session, you need to be running version 1903 or later, or you should be running Windows 11 multi-session.
  • Your Azure Virtual Desktop agent needs to be version 1.0.2944.1400 or later.
  • You need to have the right Azure Virtual Desktop and Microsoft Intune license if the user is benefitting whether directly or not from the Microsoft Intune service. This includes access to the Intune service through a Microsoft API.
  • You’ll need to set up the VMs as remote desktops in pooled host pools. And deployment is through Azure Resource manager.
  • The VMs should also be Hybrid Azure AD-joined, as well as enrolled in Microsoft Intune via the methods below:
  • Configuration done with Active Directory group policy and then set to use Device credentials. Also, be sure to set credentials to enroll devices that are Hybrid Azure AD-joined automatically.
  • Configuration Manager co-management.
  • In addition, the VMs should also be Azure AD-joined and enrolled in Microsoft Intune by enabling Enroll the VM with Intune in the Azure portal.

You’ll need to remember that Windows 10 or Windows 11 Enterprise multi-session VMs are essentially different editions of the OS. Therefore, you can expect some Windows 10 or Windows 11 Enterprise configurations that aren’t supported for this edition. However, using Intune won’t interfere with AVD management of that VM nor does it depend on it.

Create the configuration profile

The Settings catalog in the MEM admin center is what you are going to have to use for configuring the configuration policies for Windows 10 or Windows 11 Enterprise multi-session VMs. Additionally, the following device configuration profile templates receive support for the Windows 10 or Windows 11 Enterprise multi-session VMs:

  • Trusted certificate – when targeting devices, it’s Device (machine) and when targeting users, it’s User.
  • SCEP certificate – when targeting devices, it’s Device (machine) and when targeting users, it’s User.
  • PKCS certificate – when targeting devices, it’s Device (machine) and when targeting users, it’s User.
  • VPN – Device Tunnel only

Except for the template above, the rest of the existing device configuration profile templates won’t have support. Unsupported templates will not be delivered to multi-session devices. And they will appear as Not applicable in reports.

Also, you’ll need to set the workload slider for Resource Access Policies to Intune or Pilot Intune. This applies if you use co-management for Intune and Configuration Manager. This is a necessary step that will enable Windows 10 and Windows 11 clients to begin the process of requesting the certificate.

Policy configuration

  • Navigate to the MEM admin center and sign in. Then, proceed to select Devices > Windows > Configuration profiles > Create Profile.
  • Next, you’ll want to choose Windows 10 and later for Platform.
  • For Profile type, you should select Settings catalog. However, you’ll need to select Templates as well as the name of the supported template if you’ll be deploying settings with a template.
  • Select Create.
  • Next, you’ll get to the Basics page where you need to give a Name and (optionally) Description > Next.
  • And when you get to the Configuration settings page, choose Add settings.
  • Next, we get to the Settings picker . Here you need to select Add filter and then pick the options below:
  • Key: OS edition
  • Operator: ==
  • Value: Enterprise multi-session
  • Select Apply. With this done, all the configuration profile categories that support Windows 10 or Windows 11 Enterprise multi-session will now appear on the filtered list.
  • You can now choose the categories that you want from this filtered list.
  • Every category you select will require you to choose the settings. These settings will apply to your new configuration profile.
  • In addition, you need to pick the value that you want for this configuration profile for each of your chosen settings.
  • After you’ve finished adding all the settings you want, select Next.
  • When you get to the Assignments page, you have to select the Azure AD groups that have the devices to which you want this profile assigned > Next.
  • Additionally, on the Scope tags, you have the option to add the scope tags you want > Next.
  • With all the above configured, you’ll then go to the Review + create page and select Create to create the profile.

Administrative templates

Administrative Templates for Windows 10 or Windows 11 are supported for Windows 10 or Windows 11 Enterprise multi-session through the Settings catalog. Addtionally, there are some limitations worth noting.

  • There are certain policies not available in the Settings catalog. However, ADMX-backed policies do have support.
  • ADMX-ingested policies also have support. And this includes the settings for Office and Microsoft Edge that are available in the administrative template files of both Office and Microsoft Edge. It’s also important to note that not all ADMX-ingested settings are applicable to Windows 10 or Windows 11 Enterprise multi-session. You can view the complete list of ADMX-ingested policy categories in the Win32 and Desktop Bridge app policy configuration.
  • At the time of writing, ADMX-ingested policies are supported for user targeting, only on Windows 11.

Compliance and Conditional access with Azure Virtual Desktop

Protecting your Windows 10 or Windows 11 Enterprise multi-session VMs will be of great importance to everyone. And to secure these VMs, you can go to the Microsoft Endpoint Manager admin center. There, you can configure the appropriate compliance as well as Conditional Access policies. Below is the list of compliance policies, supported on Windows 10 or Windows 11 Enterprise multi-session VMs:

  • Minimum OS version
  • Maximum OS version
  • Valid operating system builds
  • Simple passwords
  • Password type
  • Minimum password length
  • Password Complexity
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
  • Microsoft Defender Antimalware
  • Microsoft Defender Antimalware security intelligence up-to-date
  • Firewall
  • Antivirus
  • Antispyware
  • Real-time protection
  • Microsoft Defender Antimalware minimum version
  • Defender ATP Risk score

These are the only policies you can use. And those not on this list will not be applicable.

Endpoint security

Without a doubt, endpoint security is one of the greatest concerns for most organizations today. Cyberattacks are growing in number and sophistication meaning that endpoints can easily become the weak point in your network. For multi-session VMs, you’ll have the ability to configure profiles under Endpoint security by choosing Platform Windows 10, Windows 11, and Windows Server. Any Platform that you will find unavailable will be for a profile that does not have support on multi-session VMs.

Deployment of applications

Having access to the applications that you need is essential to maintaining productivity and working efficiently. So naturally, I would want to know whether Windows 10 or Windows 11 apps will work for multi-session. Fortunately, all Windows 10 or Windows 11 apps are deployable to Windows 10 or Windows 11 Enterprise multi-session. However, it does come with certain limitations:

  • You should install the configuration of the apps within the system/device context. And aim to target specific devices. Additionally, web apps won’t apply to multi-session VMs because of how by default they always apply in the user context.
  • The next requirement involves the configuration of all the apps. They must indicate Required or Uninstall app assignment intent. As far as the Available apps deployment intent goes, it’s not going to have support on multi-session VMs.       
  • For any Win32 apps with configuration to install in the system context, and have dependencies relationships on any apps configured, to install in the user context, their installation is not possible. Instead, you’ll need to create a separate instance of the system context app if you intend to apply to a Windows 10 or Windows 11 Enterprise multi-session VM. Alternatively, you must verify all the app dependencies are configured to install in the system context.
  • At present, there is no support in Microsoft Intune for MSIX app attach and Azure Virtual Desktop RemoteApp.

Script deployment

When it comes to script deployment, those configured to run in the system context, with assignment to devices, will have support on Windows 10 or Windows 11 Enterprise multi-session.

To configure this, navigate to Script settings and turn the Run this script using the logged on credentials to No. On the other hand, scripts configured to run in the user context and with assignment to users, will have support on Windows 11 Enterprise multi-session. Similarly, you can configure this by going over to Script settings. But this time, turn the Run this script using the logged on credentials to Yes.

Windows Update for Business

Managing the Windows Update settings for quality (security,) updates for Windows 10, or Windows 11, Enterprise multi-session VMs uses the settings catalog. Finding the supported settings that are necessary is pretty straightforward. You’ll first need to configure a settings filter for Enterprise multi-session. After that, you can expand the Windows Update for Business category. See the settings you can find in the catalog below:

Remote actions

When it comes to Windows 10 or Windows 11 remote actions, there are several that will not be supported. As a result, they will appear grayed out in the UI as well as disabled in Graph for Windows 10 or Windows 11 Enterprise multi-session VMs. These remote actions are as follows:

  • Autopilot reset
  • BitLocker key rotation
  • Fresh Start
  • Remote lock
  • Reset password
  • Wipe

Retirement

If you decide to delete certain VMs, then you can do so. But the device records will still remain in the Microsoft Endpoint Manager admin center. However, depending on the cleanup rules configured for the tenant, they will still automatically clean up.

Security baselines

Although security baselines are currently not available for Windows 10 or Windows 11 Enterprise multi-session, it’s still a good idea to go over those available. Having done that, you can then go to the Settings catalog and configure the recommended policies and values. This is vitally important as Windows security baselines intend to reinforce security for users and devices.

Using security baselines means that you can leverage the best practices and recommendations for enhanced security. And even though these security baselines come as groups of pre-configured Windows settings, you get the option of customizing each baseline that you deploy to enforce only the settings and values needed.

This is particularly important because the vast majority of the time the default settings in the security baselines are very restrictive. So, it would be good practice to adapt the baselines to meet your needs so that they do not conflict with any of your other pre-existing settings or features.

Unsupported configurations

There are some additional configurations that are not supported on Windows 10 or Windows 11 Enterprise multi-session VMs. Hopefully, this will change sooner rather than later. But currently Out of Box Experience (OOBE) enrollment isn’t available nor does it have support.

The unavailability of this option means that both Commercial OOBE and Windows Autopilot are not supported. And the same also applies to the Enrollment status page. Furthermore, as for the China Sovereign Cloud, Windows 10 or Windows 11 Enterprise multi-session is not as yet supported.

Troubleshooting common issues

Enrollment IssuesDetail
Failure to enroll hybrid Azure AD-joined virtual machineNormally, auto-enrollment is set up to use user credentials. However, for Windows 10 or Windows 11 Enterprise multi-session virtual machines, the enrollment requires using device credentials. You need to use an Azure Virtual Desktop agent that is version 2944.1400 or later. Another issue is having more than a single MDM provider, which isn’t supported. You’ll also have issues with Windows 10 or Windows 11 Enterprise multi-session VMs configured outside of a host pool. This is because Microsoft Intune only supports VMs that are provisioned as part of a host pool. If your Azure Virtual Desktop host pool hasn’t been created through the Azure Resource Manager template, then that will present a problem. 
Failure to enroll Azure AD-joined virtual machineIt could be as simple as you using an Azure Virtual Desktop agent that is not updated. You should be using an agent that is version 2944.1400 or later.If your Azure Virtual Desktop host pool hasn’t been created through the Azure Resource Manager template then that will  present a problem. 

More about configuration

Configuration issuesDetail
Failure of Settings catalog policyStart by verifying whether the VM is enrolled using device credentials because at present enrollment with user credentials is not supported for Windows 10 or Windows 11 Enterprise multi-session.  
Configuration policy didn’t applyWith the exception of Certificates, know that templates aren’t supported on Windows 10 or Windows 11 Enterprise multi-session. Therefore, the creation of all policies must be done via the settings catalog.
Configuration policy reports as Not applicableIt’s not all policies that are applicable to Azure Virtual Desktop VMs.
When applying the filter for Windows 10 or Windows 11 Enterprise multi-session edition, the Microsoft Edge/Microsoft Office ADMX policy is not showing upThe application of these settings is dependent on having those apps installed on the device, not on the Windows version or edition. In addition, the removal of filters applied in the settings picker may be necessary if you want to add these settings to your policy.  
App configured to install in system context didn’t applyStart by checking that the app doesn’t have a dependency or supersedence relationship on any of the apps configured to install in the user context. As of yet, Windows 10 or Windows 11 Enterprise multi-session doesn’t support user context apps.
Update rings for Windows 10 and later policy didn’t applyAt the time of writing, Windows Update for Business policies aren’t yet supported.

Availability of FSLogix Profiles

Another exciting new feature recently announced, is the availing of FSLogix Profiles for Azure AD-joined VMs for hybrid users in Azure Virtual Desktop. You can make use of Azure AD Kerberos with Azure Files to access file shares from Azure AD-joined VMs. This means you can then use to store your FSLogix profile containers. This new feature is going to provide you with the following capabilities:

  • You can now configure Azure Files with Azure AD Kerberos by using only a single checkbox.
  • Azure AD-joined Session Hosts can now achieve configuration with Azure AD Kerberos.
  • You can leverage Azure AD Kerberos to store FSLogix profile containers in Azure Files shares.
  • Access permissions for hybrid users, managed in Active Directory are also configurable.
  • The network line-of-sight from the Session Host to the Domain Controller can now be removed.

Getting started with Azure Virtual Desktop

This new release will be available on Windows 10, Windows 11, and Windows Server 2022 session hosts. Before you proceed, you first need to check the requirements to configure Azure Files with Azure AD Kerberos authentication.

A network line-of-sight from the session host to the domain controller is not necessary for FSLogix profiles in Azure Virtual Desktop. It will still be a requirement for configuring the permissions on the Azure Files share.

Configure your Azure storage account and file share

You will need to follow the steps given below to store your FSLogix profiles on an Azure file share:

  1. Start by creating an Azure Storage account if you don’t already have one.
  2. Next, you go to your storage account and create an Azure Files share where you can store your FSLogix profiles.
  3. To enable access from Azure AD-joined VMs you need to enable Azure AD Kerberos authentication on Azure files.
  • For the configuration of the directory and file-level permissions you need to go to Configure the storage permissions for profile containers. And go through the recommended list of permissions for FSLogix profiles.
  • It’s possible for users to accidentally delete the user profile or access the personal information of different users. This is common if you do not put in place adequate directory-level permissions. Such mishaps are costly and need to be avoided by ensuring all users have the proper permissions.

Configure the session hosts

Configuring the session hosts is required for you to be able to access Azure file shares from an Azure AD-joined VM for FSLogix profiles. To do this, you can follow the steps below:

  1. You first need to enable the Azure AD Kerberos functionality and there are a few methods you can use to do this:
  2. Configure this Intune Policy CSP and apply it to the session host Kerberos/CloudKerberosTicketRetrievalEnabled.
  3. You can also configure the Group policy and use it for the session host: AdministrativeTemplates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon
  4. Lastly, you can create the following registry value on the session host: reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /vCloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1 
  • If you want to use Azure AD with a roaming profile solution such as FSLogix, then the credential keys in Credential Manager should be from the currently loading profile. Having it set up this way means that you’ll be able to load your profile on many different VMs. By simply running the command below, you can create a new registry value. This enables the setting: reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v SLoadCredKeyFromProfile /t REG_DWORD /d 1   

Configure FSLogix on the session host

  • Configuring a VM with FSLogix is possible by following a set of instructions whenever you configure a session host. You have several options available to make sure that the registry keys are set on all session hosts. These images can be set in an image or you could configure a group policy. See the steps for configuring FSLogix below:
  • If necessary, start by updating or installing FSLogix on your session host. In instances where you want to create the session host using the Azure Virtual Desktop service, you’ll need to have FSLogix already pre-installed.
  • To create the Enabled and VHDLocations registry values you should follow the instructions in Configure profile container registry settings. The value of VHDLocations should be set to: \\<Storage-account-name>.file.core.windows.net\<file-share-name>

Test your deployment

The final step, after completing the necessary steps for the installation and configuration, is to test the deployment. This allows you to verify everything is working properly. You can do this by signing in with a user account with assignment to an application group on the host pool.

Before you sign in, make sure that the account that you are going to use has the necessary permission to use the file share. For any users that have previously signed in, you’ll find available existing local profiles that the service is going to use during the session.

If you don’t want to create a local profile, then you can create a new user account to use for your tests. Alternatively, you can enable the DeleteLocalProfileWhenVHDShouldApply setting by using the configuration methods that you can find in Tutorial: Configure profile container to redirect user profiles.         

With these steps complete and the user sign-in successful, you can go ahead and check the profile in Azure Files.

Directions

  • Navigate to the Azure portal and sign in with an administrative account.
  • Next, go to the sidebar and choose Storage accounts.
  • You’ll need to then select the storage account that you had configured for your session host pool.
  • Once again, go to the sidebar and this time choose File shares.
  • Find the file share that you configured to store the profiles and select it.
  • What you should now see depending on whether everything has been configured correctly is a directory with a name formatted in the following manner: <user SID>_<username>.   

In addition to testing your deployment, you may occasionally encounter issues with FSLogix products. Below is a table demonstrating some actions you can take, should you encounter challenges.

Issues

IssueActions you can take
Profile ContainerPerform a comparative analysis between the data from this documentation and the current values of Status, Reason, and Error. Identify non-zero codes by looking at the log files. Verify you’ve met all requirements. The FSLogix Profiles product can only work properly if this patch is installed for users of Windows 7 or Windows Server 2008 R2. Additionally, check that the Enabled setting is set to 1. Check the ‘VHDLocations’ setting for a valid file system location. Check on the file server to see if the user has the necessary permissions to the VHD(X). Verify that the user is on the local FSLogix Profiles Include group rather than the Exclude groups there a pre-existing local profile for the user?
Office ContainerPerform a comparative analysis between the data from this documentation and the current values of Status, Reason, and Error. Check for non-zero codes being returned by looking at the log files. Check that you’ve met all requirements. Check that the Enabled setting is set to 1. Check the ‘VHDLocations’ setting for a valid file system location. Verify that the user is on the local FSLogix ODFC Include group rather than the Exclude group. You should expect to NOT see OneDrive icons when using Windows Server 2016 as this is intended. When FSLogix is virtualizing Outlook Search you should also expect to NOT see Outlook in the windows indexing options.
Application MaskingCheck that the rules have been moved to the Rules folder. Using sc query frxsvc and sc query frxdrv verify that the service and driver are running.  Check for non-zero codes being returned by looking at the logs. Verify in the assignment files that the user is included in the assignment: Open the rule in the rule editor. Next, click the manage assignments button. Check that the concerned user is on the list and that the rule applies. In cases where folders or files are hidden from an excluded user then check that the Apply Rules to System button is not clicked.
Java Version ControlVerify that rules are loading properly by checking the IE Plugin for errors. From Tools > Manage Add-ons, check that FSLogix Internet Explorer Plugin is installing and enabling. Also, check that the rules move to the Rules folder. Additionally, check that you’re using 32-bit Java. Ensure that the Service and Driver are running.

Wrap Up About Azure Virtual Desktop

Organizations are witnessing a rapid change in the work environment as well as the preferences of employees. And as the popularity of cloud-based solutions grows organizations are having to invest in technology that supports a hybrid working model. This has plenty of potential benefits for any organization. Also, these include employee satisfaction garnered from some now preferring to work from home when possible.

By leveraging Azure Virtual Desktop, you can get a secure and cost-effective solution that eliminates the complexities of legacy virtualization infrastructure. This means no more fretting over managing licensing, RDS gateways, load balancing, and more.

In addition to the already extensive list of capabilities, Microsoft is now introducing Azure Virtual Desktop multi-session with Microsoft Intune and FSLogix Profiles for Azure AD-joined VMs. These new capabilities are going to further enhance the user experience and potentially increase productivity. Users will get an improved experience that gives them the familiar Windows 10 or Windows 11 experience. Without a doubt, these new features will help your organization to have a more efficient hybrid environment.