What is Azure Virtual Desktop?
Article • 05/13/2024
Azure Virtual Desktop is a desktop and app virtualization service that runs on Azure.
Here are some of the key highlights:
Deliver a full Windows experience with Windows 11, Windows 10, or Windows
Server. Use single-session to assign devices to a single user, or use multi-session
for scalability.
Present Microsoft 365 Apps for enterprise and optimize it to run in multi-user
virtual scenarios.
Install your line-of-business or custom apps you can run from anywhere, including
apps in the formats Win32, MSIX, and Appx.
Manage desktops and apps from different Windows and Windows Server
operating systems with a unified management experience.
Host desktops and apps on-premises in a hybrid configuration with Azure Stack
HCI.
Introductory video
Learn about Azure Virtual Desktop (formerly Windows Virtual Desktop), why it's unique,
and what's new in this video:
https://www.youtube-nocookie.com/embed/aPEibGMvxZw
You can find more videos about Azure Virtual Desktop from Microsoft Mechanics.
Key capabilities
With Azure Virtual Desktop, you can set up a scalable and flexible environment:
Bring your own image for production workloads or test from the Azure Gallery.
Reduce costs with pooled, multi-session resources. With the new Windows 11 and
Windows 10 Enterprise multi-session capability, exclusive to Azure Virtual Desktop,
or Windows Server, you can greatly reduce the number of virtual machines and
operating system overhead while still providing the same resources to your users.
Use the Azure portal, Azure CLI, PowerShell and REST API to create and configure
host pools, application groups, workspaces, assign users, and publish resources.
Publish a full desktop or individual applications from a single host pool, create
individual application groups for different sets of users, or even assign users to
multiple application groups to reduce the number of images.
As you manage your environment, use built-in delegated access to assign roles
and collect diagnostics to understand various configuration or user errors.
Get key insights and metrics about your environment and the users connecting to
it with Azure Virtual Desktop Insights.
Only manage the image and virtual machines you use for the sessions in your
Azure subscription, not the infrastructure. You don't need to personally manage
the supporting infrastructure roles, such as a gateway or broker, like you do with
Remote Desktop Services.
Connect users:
Once assigned, users can connect to their published Windows desktops and
applications using Windows App or the Remote Desktop client. Connect from any
device through either a native application on your device or using a web browser
with the HTML5 web client.
Securely establish users through reverse connections to the service, so you don't
need to open any inbound ports.
Next steps
Here are some other articles to learn about Azure Virtual Desktop:
Important
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.
Azure Virtual Desktop is a service that gives users easy and secure access to their
virtualized desktops and applications. This article tells you a bit more about the
terminology and general structure of Azure Virtual Desktop.
Host pools
A host pool is a collection of Azure virtual machines that are registered to Azure Virtual
Desktop as session hosts. All session host virtual machines in a host pool should be
sourced from the same image for a consistent user experience. You control the
resources published to users through application groups.
Personal, where each session host is assigned to an individual user. Personal host
pools provide dedicated desktops to end-users that optimize environments for
performance and data separation.
Pooled, where user sessions can be load balanced to any session host in the host
pool. There can be multiple different users on a single session host at the same
time. Pooled host pools provide a shared remote experience to end-users, which
ensures lower costs and greater efficiency.
The following table goes into more detail about the differences between each type of
host pool:
Feature: User assignment process
  Personal host pools: Users can either be directly assigned to session hosts or be
  automatically assigned to the first available session host. Users always have
  sessions on the session hosts they're assigned to.
  Pooled host pools: Users aren't assigned to session hosts. After a user signs out and
  signs back in, their user session might get load balanced to a different session
  host. To learn more, see Configure personal desktop assignment.

Feature: Load balancing
  Personal host pools: User sessions are always load-balanced to the session host the
  user is assigned to. If the user isn't currently assigned to a session host, the user
  session is load
  Pooled host pools: User sessions are load balanced to session hosts in the host pool
  based on user session count. You can choose which load balancing

Feature: Scaling
  Personal host pools: Autoscale for personal host pools starts session host virtual
  machines according to schedule or using Start VM on Connect and then
  deallocates/hibernates session host virtual machines based on the user session
  state (log off/disconnect).
  Pooled host pools: Autoscale for pooled host pools turns VMs on and off based on the
  capacity thresholds and schedules the customer defines.

Feature: User data
  Personal host pools: Each user only ever uses one session host, so they can store
  their user profile data on the operating system (OS) disk of the VM.
  Pooled host pools: Users can connect to different session hosts every time they
  connect, so they should store their user profile data in FSLogix.
Session host configuration (preview), where Azure Virtual Desktop manages the
lifecycle of session hosts in a host pool for you using a combination of native
features.
Standard, where you manage creating, updating, and scaling session hosts in a
host pool.
To ensure your apps work with the latest updates, the validation environment should be
as similar to host pools in your non-validation environment as possible. Users should
connect as frequently to the validation environment as they do to the production
environment. If you automate testing on your host pool, you should include automated
testing on the validation environment.
Application groups
An application group controls access to a full desktop or a logical grouping of
applications that are available on session hosts in a single host pool. Users can be
assigned to multiple application groups across multiple host pools, which enable you to
vary the applications and desktops that users can access.
Desktop: users access the full Windows desktop from a session host. Available with
pooled or personal host pools.
RemoteApp: users access individual applications you select and publish to the
application group. Available with pooled host pools only.
With pooled host pools, you can assign both application group types to the same host
pool at the same time. You can only assign a single desktop application group per host
pool, but you can also assign multiple RemoteApp application groups to the same host
pool.
Host pools have a preferred application group type setting. If an end user has both a
desktop and RemoteApp application groups assigned to them on the same host pool,
they only see the resources from the preferred application group type. Users assigned to
multiple RemoteApp application groups assigned to the same host pool have access to
an aggregate of all the applications in the application groups they're assigned to.
To learn more about application groups, see Preferred application group type behavior
for pooled host pools.
Workspaces
A workspace is a logical grouping of application groups. Each application group must be
associated with a workspace for users to see the desktops and applications published to
them. An application group can only be assigned to a single workspace.
End users
After you assign users to their application groups, they can connect to an Azure Virtual
Desktop deployment with any of the Azure Virtual Desktop clients.
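The following is an added example, not code from the Azure Virtual Desktop documentation, that creates the objects described above with the Az.DesktopVirtualization PowerShell module and encodes the constraints from the preceding sections: RemoteApp groups only on a pooled host pool, one Desktop group but several RemoteApp groups per host pool, every group registered with exactly one workspace, and users assigned through the least-privilege Desktop Virtualization User role scoped to the application group. The resource group, region, object names and user sign-in name are assumed placeholders.

```powershell
# Added example (not from the Azure Virtual Desktop documentation).
# Prerequisites: Install-Module Az; Connect-AzAccount; an existing resource group.
# Assumed placeholder values:
$rg       = 'rg-avd-example'
$location = 'westeurope'
$user     = 'user@contoso.com'

# 1. Pooled host pool. RemoteApp application groups are only supported on pooled
#    host pools. The preferred app group type (RailApplications = RemoteApp) decides
#    what a user assigned to BOTH a Desktop and a RemoteApp group on this pool sees.
$hostPool = New-AzWvdHostPool -ResourceGroupName $rg -Name 'hp-pooled-example' `
    -Location $location -HostPoolType Pooled -LoadBalancerType BreadthFirst `
    -PreferredAppGroupType RailApplications -MaxSessionLimit 10 `
    -ValidationEnvironment:$false

# 2. Application groups. At most one Desktop group per host pool, but any number
#    of RemoteApp groups; a user assigned to several RemoteApp groups on the same
#    pool sees the aggregate of all their applications.
$desktopGroup = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name 'ag-desktop' `
    -Location $location -HostPoolArmPath $hostPool.Id -ApplicationGroupType Desktop
$officeGroup  = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name 'ag-office' `
    -Location $location -HostPoolArmPath $hostPool.Id -ApplicationGroupType RemoteApp
$lobGroup     = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name 'ag-lob' `
    -Location $location -HostPoolArmPath $hostPool.Id -ApplicationGroupType RemoteApp

# Publish one application into a RemoteApp group. CommandLineSetting DoNotAllow
# prevents users from passing their own command-line arguments to the executable.
New-AzWvdApplication -ResourceGroupName $rg -GroupName $officeGroup.Name -Name 'Notepad' `
    -FilePath 'C:\Windows\System32\notepad.exe' -CommandLineSetting DoNotAllow `
    -IconPath 'C:\Windows\System32\notepad.exe' -IconIndex 0 -ShowInPortal:$true

# 3. Workspace. An application group is invisible to users until it is registered
#    with a workspace, and it can belong to only one workspace.
$workspace = New-AzWvdWorkspace -ResourceGroupName $rg -Name 'ws-example' -Location $location
foreach ($g in @($desktopGroup, $officeGroup, $lobGroup)) {
    Register-AzWvdApplicationGroup -ResourceGroupName $rg -WorkspaceName $workspace.Name `
        -ApplicationGroupPath $g.Id
}

# 4. User assignment. The built-in "Desktop Virtualization User" role grants only the
#    right to connect, and the assignment is scoped to the application group rather
#    than the resource group or subscription. This user gets both RemoteApp groups,
#    so their feed shows the union of the apps published in 'ag-office' and 'ag-lob'.
foreach ($g in @($officeGroup, $lobGroup)) {
    New-AzRoleAssignment -SignInName $user -RoleDefinitionName 'Desktop Virtualization User' `
        -ResourceName $g.Name -ResourceGroupName $rg `
        -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'
}
```

If the same user were also assigned to `ag-desktop`, the host pool's preferred app group type (RailApplications here) determines that only the RemoteApp resources appear in the feed, as the Application groups section describes.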
User sessions
In this section, we cover each of the three types of user sessions that end users can
have.
Next step
Learn about Azure Virtual Desktop service architecture and resilience.
Azure Virtual Desktop is designed to provide a resilient, reliable, and secure service for
organizations and users. The architecture of Azure Virtual Desktop comprises many
components that make up the service connecting users to their desktops and apps.
Most components are Microsoft-managed, but some are customer-managed or
partner-managed.
Microsoft provides the virtual desktop infrastructure (VDI) components for core
functionality as a service. These components include:
Web service: the user-facing website and endpoint, which returns the connection
information to the user's device.
Broker service: orchestrates incoming connections.
Gateway service: a websocket service that provides the Remote Desktop Protocol
(RDP) connectivity from a user's device wherever they're connecting from to the
session hosts providing their desktops and apps.
Resource directory: provides information to instruct the web service which of the
multiple geographical databases hosts the connection information required for
each user.
Geographical database: contains the connection files ( .rdp ) and icons for every
resource that a user has been provisioned.
In addition, Azure Virtual Desktop uses other global Azure services, such as Azure Traffic
Manager and Azure Front Door to direct users to their closest Azure Virtual Desktop
entry points.
You're responsible for creating and managing session hosts, including any operating
system image customizations and applications, virtual network connectivity, the
resiliency, and the backup and recovery of those session hosts. You also provide and
manage user identities and control access to the service. You can use other Azure
services to help you meet your requirements, such as:
[Diagram: Microsoft-managed components (web service, broker service, resource directory, geographical database) and customer-managed components (session hosts, user identities, user connections).]
When a user wants to access their desktops and apps in Azure Virtual Desktop, multiple
components are involved in making that connection successful. There are two separate
sequences:
1. Feed discovery. The feed is the list of desktops and apps that are available to the
user.
2. A connection over the Remote Desktop Protocol to a session host.
Feed discovery
During feed discovery, the desktops and apps available to the user are populated in the
app on their local device. The feed contains all the information needed to connect.
1. The user might be located anywhere in the world. Azure Traffic Manager routes the
user's device to the closest instance of the Azure Virtual Desktop web service
based on the geographic traffic-routing method, which uses the source IP address of
the user's device.
2. The web service connects to the Azure Virtual Desktop broker service in the same
Azure region to retrieve the RDP files and application icons for the user's feed. The
broker service connects to the Azure Virtual Desktop geographical database and
resource directory in the same region to retrieve the information.
3. The broker service returns the RDP files and application icons to the web service,
which returns the information to the user's device.
Here's a high-level diagram showing the feed discovery process in a single Azure
region:
[Diagram: feed discovery in a single Azure region (Region 1). Azure Traffic Manager routes the client to the web service (1); the web service calls the broker service (2), which queries the resource directory and the geographical database.]
The geographical database only contains the information required for desktops
and apps from host pools in the same Azure regions covered by the geography. If
the user is assigned to desktops or apps from a host pool that is covered by a
different geography, the resource directory tells the web service to connect to the
broker service and geographical database in the correct Azure region.
Here's a high-level diagram showing the feed discovery process for a host pool in
an Azure region that's covered by a different geography:
[Diagram: feed discovery for a host pool covered by a different geography. Region 1: client, Azure Traffic Manager, web service, broker service, resource directory. Region 2: broker service, geographical database.]
RDP connection
When a user connects to a desktop or app from their feed, the RDP connection is
established as follows:
1. All remote sessions begin with a connection to Azure Front Door, which provides
the global entry point to Azure Virtual Desktop. Azure Front Door determines the
Azure Virtual Desktop gateway service with the lowest latency for the user's device
and directs the connection to it.
2. The gateway service connects to the broker service in the same Azure region. The
gateway service enables session hosts to be in any region and still be accessible to
users.
3. The broker service takes over and orchestrates the connection between the user's
device and the session host. The broker service instructs the Azure Virtual Desktop
agent running on the session host to connect to the same gateway service that the
user's device has connected through.
a. Reverse connect transport: after both the client and the session host have
connected to the gateway service, it starts relaying the RDP traffic using
Transmission Control Protocol (TCP) between the client and session host. Reverse
connect transport is the default connection type.
[Diagram: RDP connection in Region 1. The client reaches the session host over TCP (reverse connect through the gateway service) or over UDP (RDP Shortpath for managed networks).]
Tip
You can find more detailed technical information about network connectivity at
Understanding Azure Virtual Desktop network connectivity and RDP Shortpath
for Azure Virtual Desktop.
Service resilience
Azure Virtual Desktop is designed to be resilient to failures and provide a reliable service
to users. The service is designed to be resilient to failures of individual components, and
to be able to recover from failures quickly.
Azure Traffic Manager directs traffic for the web service and Azure Front Door
directs traffic for the gateway service. If there's an outage that causes the web
service or gateway service to be unavailable from one Azure region, or there's a full
region outage, traffic is redirected to the next closest available instance in the
nearest region. Redirection of the traffic enables users to still make new
connections.
The geographical database uses Azure SQL Database failover and data
replication capabilities within each geography. If there's a database outage, the
database fails over to the secondary replica and normal operation resumes. During
failover, there's a short period of time where new connections fail until failover is
complete, however this failover doesn't affect existing connections.
The resource directory, broker service, web service, and gateway service are all
available in each of the Azure regions where the Microsoft-managed components
for Azure Virtual Desktop are located. Each component has multiple instances so
that there isn't a single point of failure. Within each Azure region, there are at least
six distinct and separate instances or clusters of each component that operate
independently to withstand instance failures.
For example, a region has enough instances of the gateway service to meet
demand, but also with enough capacity to also accommodate failures of those
instances. If an instance of the gateway service fails, any TCP-based RDP
connections that are being relayed through that particular instance of the gateway
service are dropped. When those disconnected users reconnect, the remaining
instances handle requests and reconnect each user to their existing session. All
other sessions handled by other instances of the gateway service are unaffected.
[Diagram: service resilience across Region 1 and Region 2. Each region has its own web service, broker service, resource directory and geographical database, with SQL geo-replication between the regions' databases. Clients are routed by Azure Traffic Manager and reach session hosts over TCP (reverse connect), UDP RDP Shortpath (managed networks) or UDP RDP Shortpath (public networks).]
The other Azure services on which Azure Virtual Desktop relies are themselves designed
to be resilient and reliable. For more information, see Azure Traffic Manager and Azure
Front Door.
Global reach
Azure Virtual Desktop is a service that can help organizations adapt to the demands of
their workers, particularly working remotely. It provides a secure, reliable, and flexible
way to deliver desktops and applications virtually anywhere. Azure Virtual Desktop is
designed to be resilient, using Azure features and services that help ensure a highly
available service for your workloads.
Related content
To learn about the locations where Azure Virtual Desktop stores data for service objects,
see Data locations for Azure Virtual Desktop.
Azure Virtual Desktop updates regularly. This article is where you find out about:
Make sure to check back here often to keep up with new updates.
Tip
See What's new in documentation, where we highlight new and updated articles
for Azure Virtual Desktop.
October 2024
Here's what changed in October 2024:
For additional information to configure languages other than English, see Install
language packs on Windows 11 Enterprise VMs in Azure Virtual Desktop.
September 2024
Here's what changed in September 2024:
For more information, see What is Windows App? and Windows App get started.
For more information, see Enable GPU acceleration for Azure Virtual Desktop.
August 2024
Here's what changed in August 2024:
For more information, see Configure the session lock behavior for Azure Virtual Desktop.
For more information, see Configure the clipboard transfer direction in Azure Virtual
Desktop.
For more information, see Learn about insider risk management forensic evidence.
For more information, see Azure Virtual Desktop identities and authentication.
For more information, see End of availability for classic Teams client.
July 2024
Here's what changed in July 2024:
June 2024
Here's what changed in June 2024:
For more information, see Configure default chroma value for Azure Virtual Desktop.
There are two versions of Teams, Classic Teams and New Teams, and you can use either
with Azure Virtual Desktop. New Teams has feature parity with Classic Teams, and
improves performance, reliability, and security.
New Teams can use either SlimCore or the WebRTC Redirector Service. SlimCore is
available in preview and you need to opt in to the preview to use it. If you use SlimCore,
you should also install the WebRTC Redirector Service. This allows a user to fall back to
WebRTC, such as if they roam between different devices that don't support the new
optimization architecture. For more information about SlimCore and how to opt into the
preview, see New VDI solution for Teams.
For more information, see Use Microsoft Teams on Azure Virtual Desktop.
For more information, see Preferred application group type behavior for pooled host
pools in Azure Virtual Desktop.
The reliability of a connection can have a significant impact on the end-user experience.
Azure Virtual Desktop Insights can help you understand disconnection events and
correlations between errors that affect end users.
For more information and instructions, see Use cases for Azure Virtual Desktop Insights.
For more information, see Configure RDP Shortpath for Azure Virtual Desktop.
For more information and instructions, see Add and manage app attach and MSIX app
attach applications.
May 2024
Here's what changed in May 2024:
For more information, see Configure client device redirection settings for Windows App
and the Remote Desktop app using Microsoft Intune.
For more information about the benefits of Trusted Launch, see our Trusted Launch
documentation.
April 2024
Here's what changed in April 2024:
For more information, see Autoscale scaling plans and example scenarios in Azure
Virtual Desktop and Set up Start VM on Connect.
March 2024
Here's what changed in March 2024:
For more information and examples, see Uniform Resource Identifier schemes with the
Remote Desktop client for Azure Virtual Desktop.
Every time sign-in frequency Conditional Access option is now in preview
Using Microsoft Entra sign-in frequency with Azure Virtual Desktop prompts users to
reauthenticate when launching a new connection after a period of time. You can now
require reauthentication after a shorter period of time.
For more information, see Configure the clipboard transfer direction in Azure Virtual
Desktop.
For more information about these recommendations, see the Azure Proactive Resiliency
Library (APRL).
February 2024
Here's what changed in February 2024:
Azure Virtual Desktop for Azure Stack HCI now generally available
Azure Virtual Desktop for Azure Stack HCI extends the capabilities of the Microsoft
Cloud to your datacenters. Bringing the benefits of Azure Virtual Desktop and Azure
Stack HCI together, organizations can securely run virtualized desktops and apps
on-premises in their datacenter and at the edges of their organization. This versatility is
especially useful for organizations with data residency and proximity requirements or
latency-sensitive workloads.
For more information, see Azure Virtual Desktop for Azure Stack HCI now available!
For more information about the new features available in the new web client, see Use
features of the Remote Desktop Web client.
January 2024
There were no major releases or new features in January 2024.
December 2023
Here's what changed in December 2023:
For more information, see New app attach features for Azure Virtual Desktop in
preview and MSIX app attach and app attach in Azure Virtual Desktop.
The new Microsoft Teams desktop client is now generally available to use with Azure Virtual Desktop
The new Microsoft Teams desktop client is now generally available to use with Azure
Virtual Desktop. The new Teams desktop client has feature parity with the classic Teams
app and improved performance, reliability, and security.
For more information, see Use Microsoft Teams on Azure Virtual Desktop.
November 2023
Here's what changed in November 2023:
For more information on preparing, storing and sharing images to be used to create
virtual machines, see Store and share VM images in a compute gallery.
For more information, see Autoscale scaling plans and example scenarios in Azure
Virtual Desktop.
For more information, see Configure single sign-on for Azure Virtual Desktop using
Microsoft Entra authentication.
October 2023
Here's what changed in October 2023:
You can learn more at Azure Virtual Desktop service architecture and resilience.
For more information about prerequisites and configuration, see Use Microsoft
OneDrive with a RemoteApp in Azure Virtual Desktop (preview).
September 2023
Here's what changed in September 2023:
Azure Virtual Desktop (classic) deprecation
Azure Virtual Desktop (classic) now blocks users from creating new tenants. Customers
should be deploying the current version of Azure Virtual Desktop for any new
workloads. However, while Azure Virtual Desktop (classic) blocks new tenants, you can
still access all other ongoing operation and management processes. We will no longer
support Azure Virtual Desktop (classic) in September 2026, so we highly recommend
you migrate from classic to Azure Virtual Desktop before then.
For more information about the Azure Virtual Desktop (classic) retirement, see Azure
Virtual Desktop (classic) retirement.
For more information about what's new in FSLogix, see the FSLogix Release Notes.
The Log Analytics agent for Azure Monitor will be deprecated on August 31, 2024. We
recommend you migrate monitoring of your virtual machines (VMs) and servers to Azure
Monitor Agent before that date. For more information about how to migrate, see
Migrate to Azure Monitor Agent from Log Analytics agent.
Custom Image Template feature is now generally available
Azure Virtual Desktop just made it easier for you to create your golden image with the
new Custom Image Template feature. You can use this new management option in the
Azure portal to include built-in or custom scripts in your template that you can reuse.
For more information, see our blog post.
August 2023
Here's what changed in August 2023:
For more information about FSLogix Group Policy Template Files, see How to Use
FSLogix Group Policy Template Files for FSLogix.
We built the custom image templates feature using Azure Image Builder for you to use
with Azure Virtual Desktop. For more information, see Custom image templates.
July 2023
Here's what changed in July 2023:
For more information about which sites are compatible with this feature, see Call
redirection.
To learn more about autoscale for personal host pools, see Autoscale scaling plans and
example scenarios in Azure Virtual Desktop.
Azure confidential virtual machines (VMs) offer VM memory encryption with integrity
protection, which strengthens guest protections to deny the hypervisor and other host
management components code access to the VM memory and state. For more
information about the security benefits of confidential VMs, see our confidential
computing documentation.
Trusted Launch protects against advanced and persistent attack techniques. This feature
allows you to securely deploy your VMs with verified boot loaders, OS kernels, and
drivers. Trusted Launch also protects keys, certificates, and secrets in VMs. For more
information about the benefits of Trusted Launch, see our Trusted Launch
documentation. Trusted Launch is now enabled by default for all Windows images used
with Azure Virtual Desktop.
For more information about this announcement, see Announcing General Availability of
confidential VMs in Azure Virtual Desktop.
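As an added check that is not part of the documentation, the snippet below lists the security type of every session host VM in a host pool, so that Trusted Launch (or confidential VM) with secure boot and vTPM is confirmed on the deployed VMs rather than assumed from the image default. The resource group and host pool names are assumed placeholders.

```powershell
# Added example (not from the Azure Virtual Desktop documentation).
# Prerequisites: Az.DesktopVirtualization and Az.Compute modules; Connect-AzAccount.
# Assumed placeholder values:
$rg       = 'rg-avd-example'
$hostPool = 'hp-pooled-example'

Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $hostPool | ForEach-Object {
    # A session host's ResourceId is the ARM ID of its VM:
    # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<name>
    $parts = $_.ResourceId -split '/'
    $vm    = Get-AzVM -ResourceGroupName $parts[4] -Name $parts[-1]
    $sec   = $vm.SecurityProfile   # $null on a Standard (Gen1/Gen2 without Trusted Launch) VM

    $type       = if ($sec -and $sec.SecurityType) { $sec.SecurityType } else { 'Standard' }
    $secureBoot = [bool]$sec.UefiSettings.SecureBootEnabled
    $vtpm       = [bool]$sec.UefiSettings.VTpmEnabled

    [pscustomobject]@{
        SessionHost  = $_.Name
        VM           = $vm.Name
        SecurityType = $type
        SecureBoot   = $secureBoot
        vTPM         = $vtpm
        # Compliant only when the VM is Trusted Launch or confidential AND both
        # UEFI protections are on; a VM created from a Trusted Launch image with
        # secure boot later disabled shows up here as non-compliant.
        Compliant    = ($type -in @('TrustedLaunch', 'ConfidentialVM')) -and $secureBoot -and $vtpm
    }
} | Format-Table -AutoSize
```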
June 2023
Here's what changed in June 2023:
For more information, see Administrative template for Azure Virtual Desktop.
May 2023
Here's what changed in May 2023:
April 2023
Here's what changed in April 2023:
For more information about the preview release version, check out Use features of the
Azure Virtual Desktop Store app for Windows when connecting to Azure Virtual Desktop
(preview), What's new in the Azure Virtual Desktop Store App (preview), or read our blog
post.
Intune user-scope configuration for Windows 10 Enterprise multi-session VMs now generally available
Microsoft Intune user-scope configuration for Azure Virtual Desktop multi-session
Virtual Machines (VMs) on Windows 10 and 11 is now generally available. With this
feature, you're able to:
Configure user-scope policies using the Settings catalog and assign those policies
to groups of users.
Configure user certificates and assign them to users.
Configure PowerShell scripts to install in user context and assign the scripts to
users.
For more information, see Azure Virtual Desktop multi-session with Intune or our blog
post.
March 2023
Here's what changed in March 2023:
February 2023
Here's what changed in February 2023:
January 2023
Here's what changed in January 2023:
December 2022
Here's what changed in December 2022:
November 2022
Here's what changed in November 2022:
Configure user scope policies using the Settings catalog and assign them to
groups of users.
Configure user certificates and assign them to users.
Configure PowerShell scripts to install in the user context and assign them to users.
For more information, see Azure Virtual Desktop multi-session with Intune or our blog
post.
October 2022
Here's what changed in October 2022:
September 2022
Here's what changed in September 2022:
Single sign-on and passwordless authentication now in preview
The ability to enable an Azure Active Directory (AD)-based single sign-on experience
and support for passwordless authentication, using Windows Hello and security devices
(like FIDO2 keys), is now in preview. This feature is available for Windows 10, Windows
11 and Windows Server 2022 session hosts with the September Cumulative Update
Preview installed. The single sign-on experience is currently compatible with the
Windows Desktop and web clients. For more information, see our blog post.
August 2022
Here's what changed in August 2022:
July 2022
Here's what changed in July 2022:
June 2022
Here's what changed in June 2022:
May 2022
Here's what changed in May 2022:
April 2022
Here's what changed in April 2022:
March 2022
Here's what changed in March 2022:
Live Captions with Teams on Azure Virtual Desktop now generally available
Accessibility has always been important to us, so we're pleased to announce that Teams
for Azure Virtual Desktop now supports real-time captions. Learn how to use live
captions at Use live captions in a Teams meeting. For more information, see our blog
post.
February 2022
Here's what changed in February 2022:
January 2022
Here's what changed in January 2022:
December 2021
Here's what changed in December 2021:
You can now calculate costs for any number of users greater than zero.
The calculator now includes storage and networking or bandwidth costs.
We've added new info messages for clarity.
Fixed bugs that affected storage configuration.
November 2021
Here's what changed in November 2021:
Autoscale preview
We're pleased to introduce the new autoscale feature, which lets you stop or start
session hosts automatically based on a schedule you set. Autoscale lets you optimize
infrastructure costs by configuring your shared or pooled desktops to only charge for
the resources you actually use. You can learn more about the autoscale feature by
reading our documentation and watching our Azure Academy video.
October 2021
Here's what changed in October 2021:
September 2021
Here's what changed in September 2021.
You can also now set host pool, application group, and workspace diagnostic settings
while creating host pools instead of afterwards. Configuring these settings during the
host pool creation process also automatically sets up reporting data for Azure Virtual
Desktop Insights.
Azure Active Directory domain join
Azure Active Directory domain join is now generally available. This service lets you join
your session hosts to Azure Active Directory (Azure AD). Domain join also lets you
autoenroll into Microsoft Intune. You can access this feature in the Azure public cloud,
but not the Government cloud or Azure operated by 21Vianet. For more information,
see our blog post.
August 2021
Here's what changed in August 2021:
July 2021
Here's what changed in July 2021:
RemoteApp streaming
We recently announced a new pricing option for RemoteApp streaming for using Azure
Virtual Desktop to deliver apps as a service to your customers and business partners. For
example, software vendors can use RemoteApp streaming to deliver apps as a software
as a service (SaaS) solution that's accessible to their customers. To learn more about
RemoteApp streaming, check out our documentation.
June 2021
Here's what changed in June 2021:
May 2021
Here's what's new for May 2021:
Added new images (including GEN2) to the drop-down list box of "image" when
creating a new Azure Virtual Desktop session host VM.
You can now configure boot diagnostics for virtual machines when creating a host
pool.
Added a tool tip to the RDP proxy in the advanced host pool RDP properties tab.
Added an information bubble for the icon path when adding an application from
an MSIX package.
You can no longer do managed boot diagnostics with an unmanaged disk.
Updated the template for creating a host pool in Azure Resource Manager so that
the Azure portal can now support creating host pools with third-party marketplace
images.
Enterprise-scale support
We've released an updated section of the Cloud Adoption framework for Enterprise-
scale support for Azure Virtual Desktop. For more information, see Enterprise-scale
support for the Azure Virtual Desktop construction set.
April 2021
Here's what's new for April:
Fixed an issue that caused an error to appear when retrieving the session host
while drain mode is enabled.
Upgraded the Portal SDK to version 7.161.0.
Fixed an issue that caused the resource ID missing error message to appear in the
User Sessions tab.
The Azure portal now shows detailed sub-status messages for session hosts.
Added hardware acceleration for video processing of outgoing video streams for
Windows 10-based clients.
When joining a meeting with both a front facing camera and a rear facing or
external camera, the front facing camera is selected by default.
Resolved an issue that made Teams crash on x86-based machines.
Resolved an issue that caused striations during screen sharing.
Resolved an issue that prevented meeting members from seeing incoming video
or screen sharing.
The macOS client now supports Apple Silicon and Big Sur
The macOS Azure Virtual Desktop client now supports Apple Silicon and Big Sur. The full
list of updates is available in What's new in the macOS client.
March 2021
Here's what changed in March 2021.
We've enabled new availability options (availability set and zones) for the
workflows to create host pools and add VMs.
We've fixed an issue where a host with the "Needs assistance" status appeared as
unavailable. Now the host has a warning icon next to it.
We've enabled sorting for active sessions.
You can now send messages to or sign out specific users on the host details tab.
We've changed the maximum session limit field.
We've added an OU validation path to the workflow to create a host pool.
You can now use the latest version of the Windows 10 image when you create a
personal host pool.
February 2021
Here's what changed in February 2021.
Portal experience
We've improved the Azure portal experience in the following ways:
January 2021
Here's what changed in January 2021:
For more information, see the release notes in What's new in FSLogix.
You can now add local VM admin credentials directly instead of having to add a
local account created with the Active Directory domain join account credentials.
Users can now list both individual and group assignments in separate tabs for
individual users and groups.
The version number of the Azure Virtual Desktop Agent is now visible in the Virtual
Machine overview for host pools.
Added bulk delete for host pools and application groups.
You can now enable or disable drain mode for multiple session hosts in a host
pool.
Removed the public IP field from the VM details page.
Built-in roles
We've added new built-in roles for Azure Virtual Desktop for admin permissions. For
more information, see Built-in roles for Azure Virtual Desktop.
The Desktop application friendly name is no longer overwritten on the "Add VM"
workflow.
The session host tab will now load if session hosts are part of scale sets.
October 2020
Here's what changed in October 2020:
Improved performance
We've optimized performance by reducing connection latency in the following Azure
geographies:
Switzerland
Canada
Fixed a resourceID error that prevented users from opening the "Sessions" tab.
Streamlined the UI on the "Session hosts" tab.
Fixed the "Defaults," "Usability," and "Restore defaults" settings under RDP
properties.
Made "Remove" and "Delete" functions consistent across all tabs.
The portal now validates app names in the "Add an app" workflow.
Fixed an issue where the session host export data wasn't aligned in the columns.
Fixed an issue where the portal couldn't retrieve user sessions.
Fixed an issue in session host retrieval that happened when the virtual machine
was created in a different resource group.
Updated the "Session host" tab to list both active and disconnected sessions.
The "Applications" tab now has pages.
Fixed an issue where the "requires command line" text didn't display correctly in
the "Application list" tab.
Fixed an issue when the portal couldn't deploy host pools or virtual machines while
using the German-language version of the Shared Image Gallery.
September 2020
Here's what changed in September 2020:
We released version 1.2.1364 of the Windows Desktop client for Azure Virtual
Desktop. In this update, we made the following changes:
Fixed an issue where single sign-on (SSO) didn't work on Windows 7.
Fixed an issue that caused the client to disconnect when a user who enabled
media optimization for Teams tried to call or join a Teams meeting while
another app had an audio stream open in exclusive mode.
Fixed an issue where Teams didn't enumerate audio or video devices when
media optimization for Teams was enabled.
Added a "Need help with settings?" link to the desktop settings page.
Fixed an issue with the "Subscribe" button that happened when using high-
contrast dark themes.
Thanks to the tremendous help from our users, we've fixed two critical issues for
the Microsoft Store Remote Desktop client. We continue to review feedback and fix
issues as we broaden our phased release of the client to more users worldwide.
We've added a new feature that lets you change VM location, image, resource
group, prefix name, network config as part of the workflow for adding a VM to
your deployment in the Azure portal.
August 2020
Here's what changed in August 2020:
The Microsoft Store Remote Desktop Client is now generally available. This version
of the Microsoft Store Remote Desktop Client is compatible with Azure Virtual
Desktop. We've also introduced refreshed UI flows for improved user experiences.
This update includes fluent design, light and dark modes, and many other exciting
changes. We've also rewritten the client to use the same underlying remote
desktop protocol (RDP) engine as the iOS, macOS, and Android clients. This lets us
deliver new features at a faster rate across all platforms. Download the client.
We fixed an issue in the Teams Desktop client (version 1.3.00.21759) where the
client only showed the UTC time zone in the chat, channels, and calendar. The
updated client now shows the remote session's time zone instead.
Azure Advisor is now a part of Azure Virtual Desktop. When you access Azure
Virtual Desktop through the Azure portal, you can see recommendations for
optimizing your Azure Virtual Desktop environment. Learn more at Introduction to
Azure Advisor.
We've updated our deployment templates to make them fully compatible with the
Azure Virtual Desktop Azure Resource Manager interfaces. You can find the
templates on GitHub.
The Azure Virtual Desktop US Gov portal is now in preview. To learn more, see our
announcement.
July 2020
July was when Azure Virtual Desktop with Azure Resource Management integration
became generally available.
The "Fall 2019 release" is now known as "Azure Virtual Desktop (classic)," while the
"Spring 2020 release" is now just "Azure Virtual Desktop." For more information,
check out this blog post.
To learn more about new features, check out this blog post.
Azure portal
You can now do the following things with the Azure portal in Azure Virtual Desktop:
Diagnostics
We've released some new prebuilt queries for the Log Analytics workspace. To access
the queries, go to Logs and under Category, select Azure Virtual Desktop. Learn more
at Use Log Analytics for the diagnostics feature.
The previous version of the Remote Desktop client is now called "Remote Desktop 8." Any
existing connections you have in the earlier version of the client will be transferred
seamlessly to the new client. The new client has been rewritten to use the same underlying
RDP core engine as the iOS and macOS clients, which enables faster release of new features
across all platforms.
Teams update
We've made improvements to Microsoft Teams for Azure Virtual Desktop. Most
importantly, Azure Virtual Desktop now supports audio and video optimization for the
Windows Desktop client. Redirection improves latency by creating direct paths between
users when they use audio or video in calls and meetings. Less distance means fewer
hops, which makes calls look and sound smoother. Learn more at Use Teams on Azure
Virtual Desktop.
June 2020
Last month, we introduced Azure Virtual Desktop with Azure Resource Manager
integration in preview. This update has lots of exciting new features we'd love to tell you
about. Here's what's new for this version of Azure Virtual Desktop.
Azure Virtual Desktop is now integrated with the Azure portal. This means you can
manage everything directly in the portal, no PowerShell, web apps, or third-party
tools required. To get started, check out our tutorial at Create a host pool with the
Azure portal.
Before this update, you could only publish desktops and applications to individual
users. With Azure Resource Manager, you can now publish resources to Azure
Active Directory groups.
The earlier version of Azure Virtual Desktop had four built-in admin roles that you
could assign to a tenant or host pool. These roles are now in Azure role-based
access control (Azure RBAC). You can apply these roles to every Azure Virtual
Desktop Azure Resource Manager object, which lets you have a full, rich delegation
model.
In this update, you no longer need to run Azure Marketplace or the GitHub
template repeatedly to expand a host pool. All you need to expand a host pool is
to go to your host pool in the Azure portal and select + Add to deploy additional
session hosts.
Host pool deployment is now fully integrated with the Azure Shared Image Gallery.
Shared Image Gallery is a separate Azure service that stores VM image definitions,
including image versioning. You can also use global replication to copy and send
your images to other Azure regions for local deployment.
You're no longer required to complete Azure Active Directory consent to use Azure
Virtual Desktop. In this update, the Azure Active Directory tenant on your Azure
subscription authenticates your users and provides Azure RBAC controls for your
admins.
PowerShell support
We've added new AzWvd cmdlets to the Azure Az PowerShell module with this update.
This new module is supported in PowerShell Core, which runs on .NET Core.
To install the module, follow the instructions in Set up the PowerShell module for Azure
Virtual Desktop.
You can also see a list of available commands at the AzWvd PowerShell reference.
For more information about the new features, check out our blog post.
Additional gateways
We've added a new gateway cluster in South Africa to reduce connection latency.
The Azure Virtual Desktop agent links your session hosts with the Azure Virtual Desktop
service. It acts as the intermediate communicator between the service and the virtual
machines, enabling connectivity.
The Azure Virtual Desktop Agent is updated regularly. New versions of the Azure Virtual
Desktop Agent are installed automatically. When new versions are released, they're
rolled out progressively to session hosts. This process is called flighting and it enables
Microsoft to monitor the rollout in validation environments first.
A rollout might take several weeks before the agent is available in all environments.
Some agent versions might not reach nonvalidation environments, so you might see
multiple versions of the agent deployed across your environments. This article is where
you'll find out about:
Make sure to check back here often to keep up with new updates.
Current agent version by environment:
Production: 1.0.9742.2500
Validation: 1.0.9103.2900
Tip
The Azure Virtual Desktop Agent is automatically installed when adding session
hosts in most scenarios. If you need to install the agent manually, you can
download it at Register session hosts to a host pool, together with the steps to
install it.
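As an added example that is not part of this page or of the Az module's documentation, the following PowerShell script lists the agent version reported by each session host in a host pool, matches it against the production and validation versions in the table above, and surfaces failed agent health checks such as the Domain Trust check. It assumes the Az.Accounts and Az.DesktopVirtualization modules, an existing Connect-AzAccount session, placeholder resource group and host pool names, and the SessionHostHealthCheckResult property layout of Get-AzWvdSessionHost (the check name DomainTrustCheck is likewise an assumption).

```powershell
# Added example, not Microsoft's code. Reports the agent version and failed
# health checks for every session host in one host pool.
# Assumes: Az.Accounts + Az.DesktopVirtualization are installed and
# Connect-AzAccount has already been run. Names below are placeholders.
#Requires -Modules Az.Accounts, Az.DesktopVirtualization

param(
    [string]$ResourceGroupName = 'rg-avd-placeholder',
    [string]$HostPoolName      = 'hp-avd-placeholder'
)

# Versions from the table on this page at the time of writing. Update these
# when the page changes; a host on an unlisted version is worth a look.
$ExpectedVersions = @{
    Production = [version]'1.0.9742.2500'
    Validation = [version]'1.0.9103.2900'
}

function Get-AvdAgentVersionReport {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$HostPoolName,
        [Parameter(Mandatory)] [hashtable]$Expected
    )

    $sessionHosts = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName `
                                         -HostPoolName $HostPoolName

    foreach ($sh in $sessionHosts) {
        # Name comes back as '<hostpool>/<host fqdn>'; keep the host part.
        $hostName = ($sh.Name -split '/')[-1]

        # AgentVersion is empty until the agent has sent its first heartbeat.
        $agent = if ($sh.AgentVersion) { [version]$sh.AgentVersion } else { $null }

        # Map the version to the flighting ring from the table on this page.
        $ring = 'Unknown'
        foreach ($key in $Expected.Keys) {
            if ($null -ne $agent -and $agent -eq $Expected[$key]) { $ring = $key }
        }

        # Health checks the agent itself reports (assumed property layout).
        # The page notes that a failed Domain Trust check marks the host
        # Unavailable, so it is one of the checks to watch for here.
        $failed = @($sh.SessionHostHealthCheckResult |
            Where-Object { $_.HealthCheckResult -eq 'HealthCheckFailed' } |
            ForEach-Object { $_.HealthCheckName })

        [pscustomobject]@{
            SessionHost   = $hostName
            Status        = $sh.Status
            AgentVersion  = $agent
            Ring          = $ring
            LastHeartBeat = $sh.LastHeartBeat
            FailedChecks  = ($failed -join ', ')
        }
    }
}

$report = Get-AvdAgentVersionReport -ResourceGroupName $ResourceGroupName `
                                    -HostPoolName $HostPoolName `
                                    -Expected $ExpectedVersions

$report | Sort-Object AgentVersion -Descending | Format-Table -AutoSize

# Anything not on a listed version, or with a failed health check, is the
# set an operator should investigate before it shows up as user impact.
foreach ($row in ($report | Where-Object { $_.Ring -eq 'Unknown' -or $_.FailedChecks })) {
    $checks = if ($row.FailedChecks) { $row.FailedChecks } else { '<none>' }
    Write-Warning ("{0}: agent {1} [{2}], status {3}, failed checks: {4}" -f `
        $row.SessionHost, $row.AgentVersion, $row.Ring, $row.Status, $checks)
}
```

Because flighting means a host pool configured as a validation environment legitimately runs a different version, treat a mix of the two listed versions as expected and only the Unknown rows as anomalies.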
Version 1.0.9742.2500
Published: October 2024
Version 1.0.9103.3800
Published: June 2024
Version 1.0.9103.3700
Published: June 2024
Version 1.0.9103.2300
Published: June 2024
Version 1.0.9103.1000
Published: May 2024
Version 1.0.8804.1400
Published: April 2024
Enable customers to change relative path while leaving image path the same.
Update app attach packages to fetch and store timestamp info from certificate.
Version 1.0.8431.2300
Published: April 2024
Fixed an issue with App Attach diagnostics that caused the agent to always report
timeout exceptions. Now the agent only reports timeout exceptions to diagnostics
when app attach registration is unsuccessful.
Version 1.0.8431.1500
Published: March 2024
Version 1.0.8297.800
Published: February 2024
Version 1.0.8297.400
Published: January 2024
Version 1.0.7909.2600
Published: December 2023
Version 1.0.7909.1200
Published: November 2023
Version 1.0.7755.1800
Published: November 2023
Version 1.0.7755.1100
Published: September 2023
In this release, we've made the following change:
Version 1.0.7539.8300
Published: September 2023
Version 1.0.7539.5800
Published: September 2023
Version 1.0.7255.1400
Published: August 2023
Version 1.0.7255.800
Published: July 2023
Fixed an issue that would disable the Traversal Using Relay NAT (TURN) health
check when a user disabled the Unified Datagram Protocol (UDP).
Security improvements and bug fixes.
Version 1.0.7033.1401
Published: July 2023
Version 1.0.6713.1603
Published: July 2023
Version 1.0.7033.900
Published: July 2023
Version 1.0.6713.1300/1.0.6713.1600
Published: June 2023
Version 1.0.6713.400
Published: May 2023
Fixed an issue that made the Remote Desktop Agent incorrectly report Hybrid
Azure Active Directory (AD) Join virtual machines (VMs) as domain-joined.
General improvements and bug fixes.
Version 1.0.6425.1200
Published: May 2023
Version 1.0.6298.2100
Published: March 2023
Version 1.0.6129.9100
Published: March 2023
Version 1.0.6028.2200
Published: February 2023
Domain Trust health check is now enabled. When virtual machines fail the Domain
Trust health check, they're now given the Unavailable status.
General improvements and bug fixes.
Version 1.0.5739.9000/1.0.5739.9800
Published: January 2023
Note
You may see version 1.0.5739.9000 or 1.0.5739.9800 installed on session hosts
depending on whether the host pool is configured to be a validation environment.
Version 1.0.5739.9000 was released to validation environments and version
1.0.5739.9800 was released to all other environments.
Normally, all environments receive the same version. However, for this release, we
had to adjust certain parameters unrelated to the Agent to allow this version to roll
out to non-validation environments, which is why the non-validation version
number is higher than the validation version number. Besides those changes, both
versions are the same.
Version 1.0.5555.1010
Published: December 2022
Version 1.0.5555.1008
Published: November 2022
Version 1.0.5388.1701
Published: August 2022
Fixed a bug that prevented the Agent MSI from downloading on the first try.
Modified app attach on-demand registration.
Enhanced the AgentUpdateTelemetry parameter to help with StackFlighting data.
Removed unnecessary WebRTC health check.
Fixed an issue with the RDAgentMetadata parameter.
Version 1.0.5100.1100
Published: August 2022
Version 1.0.4739.1000
Published: July 2022
Report session load to Log Analytics for admins to get information on when
MaxSessionLimit is reached.
Added the AADTenant ID claim to the registration token.
Report closing errors to diagnostics explicitly.
Version 1.0.4574.1600
Published: June 2022
Version 1.0.4230.1600
Published: March 2022
Fixed an issue with the agent health check result being empty for the first agent
heartbeat.
Added Azure VM ID to the WVDAgentHealthStatus Log Analytics table.
Updated the agent's update logic to install the Geneva Monitoring agent sooner.
Version 1.0.4119.1500
Published: February 2022
Version 1.0.4009.1500
Published: January 2022
Version 1.0.3855.1400
Published: December 2021
Version 1.0.3719.1700
Published: November 2021
Version 1.0.3583.2600
Published: October 2021
Version 1.0.3373.2605
Published: September 2021
Fixed an issue with package deregistration getting stuck when using MSIX App
Attach.
Version 1.0.3373.2600
Published: September 2021
Version 1.0.3050.2500
Published: July 2021
Version 1.0.2990.1500
Published: April 2021
Version 1.0.2944.1400
Published: April 2021
Placed links to the Azure Virtual Desktop Agent troubleshooting guide in the event
viewer logs for agent errors.
Added an additional exception for better error handling.
Added the WVDAgentUrlTool.exe that allows customers to check which required
URLs they can access.
Version 1.0.2866.1500
Published: March 2021
Version 1.0.2800.2802
Published: March 2021
Version 1.0.2800.2800
Published: March 2021
Version 1.0.2800.2700
Published: February 2021
The Azure Virtual Desktop agent links your session hosts with the Azure Virtual Desktop
service. It also includes a component called the SxS Network Stack. The Azure Virtual
Desktop agent acts as the intermediate communicator between the service and the
virtual machines, enabling connectivity. The SxS Network Stack component is required
for users to securely establish reverse server-to-client connections.
The Azure Virtual Desktop SxS Network Stack is updated regularly. New versions of the
Azure Virtual Desktop SxS Network Stack are installed automatically. When new versions
are released, they're rolled out progressively to session hosts. This process is called
flighting and it enables Microsoft to monitor the rollout in validation environments first.
A rollout might take several weeks before the agent is available in all environments.
Some agent versions might not reach nonvalidation environments, so you might see
multiple versions of the agent deployed across your environments.
Make sure to check back here often to keep up with new updates.
Current SxS Network Stack version by environment:
Production: 1.0.2407.05700
Version 1.0.2407.05700
Published: September 2024
In this release, we've made the following changes:
Version 1.0.2404.16760
Published: July 2024
General improvements and bug fixes mainly around rdpshell and RemoteApp.
Version 1.0.2402.09880
Published: July 2024
General improvements and bug fixes mainly around rdpshell and RemoteApp.
The default chroma value has been changed from 4:4:4 to 4:2:0.
Reduce chance of progressive update blocking real updates from driver.
Improve user experience when bad credentials are saved.
Improve session switching to avoid hangs.
Update Intune version numbers for the granular clipboard feature.
Bug fixes for RemoteApp V2 decoder.
Bug fixes for RemoteApp.
Fix issue with caps lock state when using the on-screen keyboard.
October 2024
In October 2024, we made the following changes to the documentation:
Published a new article where you can learn about Graphics encoding over the
Remote Desktop Protocol.
Rewrote Multimedia redirection for video playback and calls and added a new
article for Developer integration with multimedia redirection for WebRTC-based
calling apps.
Published a set of new articles for host pools using the session host configuration
management approach and session host update:
Host pool management approaches.
Session host update.
Update session hosts using session host update.
Example diagnostic queries for session host update.
Troubleshoot session host update.
Updated Deploy Azure Virtual Desktop and Add session hosts to a host pool to
include the session host configuration management approach.
Consolidated Remote Desktop client articles per platform into a single article with
a tab per platform and separated legacy Windows clients to their own article.
Reorganized the table of contents into a new structure, changing the way articles
are grouped and displayed. The new structure is designed to make it easier to find
the information you need in the different stages of your journey with Azure Virtual
Desktop.
September 2024
In September 2024, we made the following changes to the documentation:
Updated Enable GPU acceleration for Azure Virtual Desktop for the support of the
High Efficiency Video Coding (HEVC), also known as H.265, which is in preview.
Published a new article where you can learn What's new in the Azure Virtual
Desktop SxS Network Stack.
August 2024
In August 2024, we made the following changes to the documentation:
Updated Set custom Remote Desktop Protocol (RDP) properties on a host pool in
Azure Virtual Desktop to include rewritten steps for Azure PowerShell and added
steps for Azure CLI.
Published a new article for Azure Virtual Desktop on Azure Extended Zones.
Published a new article to Configure the session lock behavior for Azure Virtual
Desktop and updated Configure single sign-on for Azure Virtual Desktop using
Microsoft Entra ID to include the relevant information.
Published a new article to Onboard Azure Virtual Desktop session hosts to forensic
evidence from Microsoft Purview Insider Risk Management.
Updated Configure the clipboard transfer direction and data types that can be
copied in Azure Virtual Desktop to include the steps for using the Microsoft Intune
settings catalog.
July 2024
In July 2024, there were no significant changes to the documentation.
June 2024
In June 2024, we made the following changes to the documentation:
Published two new articles about the Preferred application group type behavior for
pooled host pools and how to Set the preferred application group type for a
pooled host pool.
Added information about TLS 1.3 support in Understanding Azure Virtual Desktop
network connectivity.
Updated Use Microsoft Teams on Azure Virtual Desktop to include New Teams
SlimCore changes.
Added a section to Use cases for Azure Virtual Desktop Insights for how you can
view connection reliability information.
Rewrote Configure RDP Shortpath to include host pool settings and a better flow.
Rewrote Compare Remote Desktop app features across platforms and devices to
include more comprehensive information. This article is shared for Azure Virtual
Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote
PC connections.
Combined host pool load balancing information into the single article Configure
host pool load balancing and added Azure CLI steps.
May 2024
In May 2024, we made the following changes to the documentation:
Published a new article to Configure client device redirection settings for Windows
App and the Remote Desktop app using Microsoft Intune.
Updated the branding of the Getting started feature to Quickstart to match the
Azure portal.
April 2024
In April 2024, we made the following changes to the documentation:
Updated Azure Virtual Desktop Insights glossary to include a list of gateway region
codes used in Azure Virtual Desktop Insights and the Azure regions they
correspond to.
Updated Watermarking to include the updated policy settings and add steps for
configuring watermarking using Microsoft Intune.
March 2024
In March 2024, we made the following changes to the documentation:
Published a new article to Configure the clipboard transfer direction and types of
data that can be copied between a local device and a remote session.
Published a new article to Migrate MSIX packages from MSIX app attach to app
attach.
Updated Eligible licenses to use Azure Virtual Desktop to include Windows Server
2022 RDS Subscriber Access License (SAL).
February 2024
In February 2024, we made the following changes to the documentation:
Added guidance for MSIX and Appx package certificates when using MSIX app
attach or app attach. For more information, see MSIX app attach and app attach in
Azure Virtual Desktop.
Consolidated articles for the three Remote Desktop clients available for Windows
into a single article, Connect to Azure Virtual Desktop with the Remote Desktop
client for Windows.
Updated Drain session hosts for maintenance in Azure Virtual Desktop, including
prerequisites and separating the Azure portal and Azure PowerShell steps into
tabs.
Updated Customize the feed for Azure Virtual Desktop users, including
prerequisite, Azure PowerShell steps, and separating the Azure portal and Azure
PowerShell steps into tabs.
January 2024
In January 2024, we made the following changes to the documentation:
Consolidated articles to Create and assign an autoscale scaling plan for Azure
Virtual Desktop into a single article.
Added PowerShell commands to Create and assign an autoscale scaling plan for
Azure Virtual Desktop.
December 2023
In December 2023, we made the following changes to the documentation:
Published new content for the preview of app attach, which is now available
alongside MSIX app attach. App attach brings many benefits over MSIX app attach,
including assigning applications per user, using the same application package
across multiple host pools, upgrading applications, and being able to run two
versions of the same application concurrently on the same session host. For more
information, see MSIX app attach and app attach in Azure Virtual Desktop.
Updated the article Use Microsoft Teams on Azure Virtual Desktop to include
support for new Teams desktop client on your session hosts.
Updated the article Configure single sign-on for Azure Virtual Desktop using
Microsoft Entra ID authentication to include example PowerShell commands to
help configure single sign-on using Microsoft Entra ID authentication.
November 2023
In November 2023, we made the following changes to the documentation:
Updated articles for the general availability of autoscale for personal host pools.
We also added support for hibernate (preview). For more information, see
Autoscale scaling plans and example scenarios in Azure Virtual Desktop.
Updated articles for the updated preview of Azure Virtual Desktop on Azure Stack
HCI. You can now deploy Azure Virtual Desktop with your session hosts on Azure
Stack HCI as an integrated experience with Azure Virtual Desktop in the Azure
portal. For more information, see Azure Virtual Desktop on Azure Stack HCI and
Deploy Azure Virtual Desktop.
Updated articles for the general availability of Single sign-on using Microsoft Entra
authentication and In-session passwordless authentication. For more information,
see Configure single sign-on for Azure Virtual Desktop using Microsoft Entra
authentication and In-session passwordless authentication.
Published a new set of documentation for Windows App (preview). You can use
Windows App to connect to Azure Virtual Desktop, Windows 365, Microsoft Dev
Box, Remote Desktop Services, and remote PCs, securely connecting you to
Windows devices and apps. For more information, see Windows App.
October 2023
In October 2023, we made the following changes to the documentation:
Published a new article about the service architecture for Azure Virtual Desktop
and how it provides a resilient, reliable, and secure service for organizations and
users. Most components are Microsoft-managed, but some are customer-
managed. You can learn more at Azure Virtual Desktop service architecture and
resilience.
Updated Connect to Azure Virtual Desktop with the Remote Desktop Web client
and Use features of the Remote Desktop Web client when connecting to Azure
Virtual Desktop for the general availability of the updated user interface for the
Remote Desktop Web client.
September 2023
In September 2023, we made the following changes to the documentation:
Updated Use Azure Virtual Desktop Insights to monitor your deployment for the
general availability of using the Azure Monitor Agent with Azure Virtual Desktop
Insights.
August 2023
In August 2023, we made the following changes to the documentation:
Updated Administrative template for Azure Virtual Desktop to include being able
to configure settings using the settings catalog in Intune.
Published a new article for Use cases for Azure Virtual Desktop Insights that
includes example scenarios for how you can use Azure Virtual Desktop Insights to
help understand your Azure Virtual Desktop environment.
July 2023
In July 2023, we made the following changes to the documentation:
Updated autoscale articles for the preview of autoscale for personal host pools.
Learn more at Autoscale scaling plans and example scenarios and Create an
autoscale scaling plan.
Updated multimedia redirection articles for the preview of call redirection. Learn
more at Multimedia redirection for video playback and calls in a remote session.
Updated Set up Private Link with Azure Virtual Desktop for general availability,
made the configuration process clearer, and added commands for Azure
PowerShell and Azure CLI.
Improved the search experience of the table of contents, allowing you to search for
articles by alternative search terms. For example, searching for SSO shows entries
for single sign-on.
June 2023
In June 2023, we made the following changes to the documentation:
Updated Use Azure Virtual Desktop Insights to use the Azure Monitor Agent.
Published a new article to Assign Azure RBAC roles or Microsoft Entra roles to the
Azure Virtual Desktop service principals.
May 2023
In May 2023, we made the following changes to the documentation:
Added how-to steps for the Azure portal to configure the automatic or direct
assignment type in Configure personal desktop assignment.
April 2023
In April 2023, we made the following changes to the documentation:
New articles for the Azure Virtual Desktop Store app preview:
Connect to Azure Virtual Desktop with the Azure Virtual Desktop Store app for
Windows.
Use features of the Azure Virtual Desktop Store app for Windows.
What's new in the Azure Virtual Desktop Store app for Windows.
Provided guidance on how to Install the Remote Desktop client for Windows on a
per-user basis when using Intune or Configuration Manager.
March 2023
In March 2023, we made the following changes to the documentation:
Published a new article for the preview of Uniform Resource Identifier (URI)
schemes with the Remote Desktop client.
Updated Configure personal desktop assignment showing you how to Give session
hosts in a personal host pool a friendly name.
February 2023
In February 2023, we made the following changes to the documentation:
Updated RDP Shortpath and Configure RDP Shortpath articles with the preview
information for an indirect UDP connection using the Traversal Using Relay NAT
(TURN) protocol with a relay between a client and session host.
January 2023
In January 2023, we made the following change to the documentation:
Next steps
Learn What's new for Azure Virtual Desktop.
FSLogix has two (2) types of releases, feature and hotfix. A feature release has new or
changing functionality to the product, whereas a hotfix release is focused on specific
issues. Depending on the type of issue, we may have multiple hotfixes before a feature
release. Regardless of the release type, customers are required to install and use the
latest version. For more information, see FSLogix product support.
Summary
This is a hotfix release to address known issues and other identified bugs. In addition,
this release brings back the capability to roam a user's Group Policy state which provides
asynchronous policy processing.
Important
What's new
2210 hotfix 4 includes the following updates:
Group Policy processing can now occur asynchronously for users during sign-in.
MSIX folders under %LocalAppData%\Packages\<package-name>\ will automatically
get created when an ODFC container is created (new or reset container).
Teams data located in
%LocalAppData%\Publishers\8wekyb3d8bbwe\TeamsSharedConfig will now roam with
Fixed issues
2210 hotfix 4 includes the following fixed issues:
Windows Server 2019 would sometimes fail to query the provisioned AppX
applications for the user during sign-out.
MSIX folders that should not be backed up, would be removed during sign-out
instead of only removing the contents of those folders.
New Microsoft Teams crashes or fails to start in Windows Server 2019.
New Microsoft Teams would display an error during launch with "The parameter is
incorrect".
New Microsoft Teams would display an error during launch with "Invalid function".
New Microsoft Teams would not on-demand register during sign-in when using
the ODFC container.
New Microsoft Teams would not on-demand register during profile creation and
would not register during future sign-ins, despite being installed.
User-based Group Policy settings would persist in the user's profile after the policy
setting was removed or set to disabled.
File information
Download the following package and follow the installation instructions.
Summary
This is a hotfix release with limited support for various versions of Windows and was
provided to unblock customers running the latest versions of Windows 11 with New
Teams in virtual desktop environments. All customers are urged to replace any
installations of this version with FSLogix 2210 hotfix 4, which provides a complete set of
changes and updates for New Teams.
Important
Do not use this version, instead download and install 2210 hotfix 4
(2.9.8884.27471).
Changes
Update: When new Teams is detected, the AppX package is registered for the user
during sign-in using the family name.
Update: During user sign-out, Teams user data/cache located in
%LocalAppData%\Packages\MSTeams_8wekyb3d8bbwe\LocalCache will be saved in the
container.
Fix: Resolved an issue where a virtual machine would reboot unexpectedly as a
result of bug check (various stop codes) when a user's redirects were removed
before sign-out.
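Because the notes above say 2210 hotfix 3 must be replaced by 2210 hotfix 4 (2.9.8884.27471), a session-host check that reports whether the installed FSLogix agent meets that minimum is a useful control. This is an added example, not code from the FSLogix documentation; the frxsvc.exe install path and the frxsvc service name are assumptions about a default installation.

```powershell
# Added example (not from the FSLogix release notes): report whether the installed
# FSLogix agent is at least 2210 hotfix 4, the version the notes require in place of
# 2210 hotfix 3. Install path and service name below are ASSUMED defaults.

$RequiredVersion = [version]'2.9.8884.27471'                              # 2210 hotfix 4, from the release notes
$FrxSvcPath      = Join-Path $env:ProgramFiles 'FSLogix\Apps\frxsvc.exe'  # assumed default install path
$FrxServiceName  = 'frxsvc'                                               # assumed FSLogix Apps service name

function Get-FSLogixVersion {
    # Returns the file version of frxsvc.exe as a [version], or $null if the binary is absent.
    param([string]$Path = $FrxSvcPath)

    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    # Build the version from the numeric file-version fields; these match the
    # four-part numbers quoted in the release notes (for example 2.9.8884.27471).
    $raw = @($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart) -join '.'
    return [version]$raw
}

function Test-FSLogixCompliance {
    # Compares the installed version against the required minimum and returns a
    # status object suitable for collection from many session hosts.
    param(
        [AllowNull()][version]$Installed,
        [version]$Required = $RequiredVersion
    )

    if ($null -eq $Installed) {
        $status = 'NotFound'
    } elseif ($Installed -ge $Required) {
        $status = 'Compliant'
    } else {
        $status = 'Outdated'
    }

    # Service state is included so an outdated-but-stopped agent is visible too.
    $service = Get-Service -Name $FrxServiceName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = $Installed
        Required     = $Required
        Status       = $status
        ServiceState = if ($service) { $service.Status } else { 'Missing' }
    }
}

$result = Test-FSLogixCompliance -Installed (Get-FSLogixVersion)
$result | Format-List

switch ($result.Status) {
    'Outdated' { Write-Warning "FSLogix $($result.Installed) is older than $($result.Required); install 2210 hotfix 4." }
    'NotFound' { Write-Warning "frxsvc.exe not found at $FrxSvcPath; FSLogix may not be installed or uses a different path." }
}
```

Run it in an elevated session on each session host, or wrap `Test-FSLogixCompliance` in `Invoke-Command` to collect the status objects centrally.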
Summary
This is a hotfix release to address known issues and other identified bugs.
Changes
Fix: Resolved an issue where a virtual machine would reboot unexpectedly as a
result of bug check (various stop codes).
Fix: Cloud Cache no longer creates a race condition when multiple threads try
accessing the same tracking file.
Fix: Cloud Cache thread timing has been adjusted to ensure proper file handling
and sanitization.
Fix: Cloud Cache now writes an event log message when a storage provider is
offline when the user signs in.
Fix: Cloud Cache no longer causes a user session to hang while processing I/O.
Fix: Resolved an issue which failed to detach an ODFC container.
Update: Group Policy templates have been updated and re-organized. Read about
the changes in the Group Policy how-to article.
File information
Download the following package and follow the installation instructions.
Summary
This is a hotfix release to address known issues and other identified bugs.
Changes
Setting: Added new configuration setting (RoamIdentity). Allows legacy roaming
for credentials and tokens created by the Web Account Manager (WAM) system.
Fix: Resolved an issue where frxsvc.exe would crash when processing
AppXPackages.
Fix: Resolved issues in handling FileIds associated with OneDrive.
Fix: Resolved an issue with orphaned meta files on Cloud Cache SMB providers.
Fix: Resolved an issue where a pending rename operation would fail because the
target filename was invalid.
Fix: Resolved an issue where user sessions were cleaned up before a proper sign
out.
Fix: Resolved an issue where ODFC incorrectly handled multiple VHDLocations.
Fix: Resolved an issue in how settings are applied for ObjectSpecific configurations.
Fix: Resolved an issue where an ODFC container wouldn't correctly detach during
sign out.
Fix: Resolved an issue where VHD Disk Compaction would fail to cancel correctly
when using Cloud Cache.
Fix: Resolved an issue where ODFC VHD Disk Compaction would fail when
RoamSearch was enabled.
Fix: Resolved an issue where users would be stuck at a black screen as a result of
attempting to empty the Recycle Bin prior to roaming.
Update: Added policy for new RoamIdentity setting.
Summary
This release is focused on three (3) core features, six (6) major bug fixes, and two (2)
updates.
Changes
Feature: Added the ability to compact the user's container during the sign out
phase. For more information, see VHD Disk Compaction.
Feature: Added a new process during the sign out phase, which creates an AppX
package manifest for the user. This manifest is used at sign-in to re-register the
AppX applications for an improved user experience. This work is on-going as AppX
packages and applications continue to evolve. The focus for this work has been on
the built-in Windows apps (inbox apps).
Feature: FSLogix now roams the user's Recycle Bin within the user's container.
Important
All three (3) of our new features are enabled by default, but have the option
to be disabled.
Fix: When OneDrive data is stored outside the user's profile, FSLogix correctly
impersonates OneDrive for setting permissions.
Fix: Cloud Cache now properly honors lock retry count and intervals.
Update: Group Policy templates have new names that align with their registry
settings. New help information indicates where in the registry Group Policy makes
the change. Added version history for newly added settings.
Update: Ensure Azure Storage Account Blob container names correctly adhere to
Azure naming requirements.
Summary
This update for FSLogix 2201 includes fixes to multi-session VHD mounting, Cloud
Cache meta tracking files, and registry cleanup operations.
Changes
Resolved an issue that would cause a system crash while reading from meta
tracking files in a Cloud Cache configuration.
Resolved an issue where a sign in would succeed even when the disk failed to
attach. This most commonly occurs in multi-session environments.
Resolved an issue during profile cleanup where user registry hives would be
removed regardless of the FSLogix local group exclusions.
Summary
This update for FSLogix 2201 includes fixes to Cloud Cache and container redirection
processes. No new features are included with this update.
Changes
Resolved an issue with Cloud Cache where disk read / write blocking could
potentially create a deadlock to the disk and cause the Virtual Machine to become
unresponsive.
Resolved an issue that would cause a Virtual Machine to crash while removing
profile redirections during the sign out process.
Summary
This update for FSLogix is the latest full-featured release. In this version there are over
30 accessibility-related updates, new support for Windows Search in specific versions of
Windows, better handling and tracking of locked VHD(x) containers, and fixes for
various issues.
Changes
Fixed issue where the FSLogix Profile Service would crash if it was unable to
communicate with the FSLogix Cloud Cache Service.
The OfficeFileCache folder located at
%LOCALAPPDATA%\Microsoft\Office\16.0\OfficeFileCache is now machine specific
and encrypted so we exclude it from FSLogix containers. Office files located
outside this folder aren't impacted in this update.
Windows Server 2019 version 1809, and newer versions of Windows Server,
natively support per-user search indexes and we recommend you use that native
search index capability. FSLogix Search Indexing is no longer available on those
versions of Windows Server.
Windows 10 Enterprise Multi-session and Windows 11 Enterprise Multi-session
natively support per-user search indexes and FSLogix Search Indexing is no longer
available on those operating systems.
FSLogix now correctly handles cases where the Windows Profile Service refCount
registry value is set to an unexpected value.
Over 30 accessibility related updates have been made to the FSLogix installer and
App Rules Editor.
A Windows event now records when a machine locks a container disk with a
message that looks like "This machine '[HOSTNAME]' is using [USERNAME]'s (SID=
[USER SID]) profile disk. VHD(x): [FILENAME]. This event is generated from the
METADATA file created in the user's profile directory. This file can be ignored, but
not deleted."
Resolved an issue where the DeleteLocalProfileWhenVHDShouldApply registry
setting was ignored in some cases.
Fixed an issue where active user session settings weren't retained if the FSLogix
service was restarted. This was causing some logoffs to fail.
Fixed an issue where FSLogix didn't properly handle sign out events if Profile or
ODFC containers were disabled during the session, or per-user/per-group filters
were applied mid-session that excluded the user from the feature. Now FSLogix
sign out related events always occur based on the FSLogix settings applied at sign
in.
FSLogix no longer attempts to reattach a container disk when the user session is
locked.
Fixed an issue that caused the FSLogix service to crash when reattaching container
disks.
Fixed a Cloud Cache issue that caused IO failures if the session host's storage block
size was smaller than a cloud provider's block size. For optimal performance, we
recommend the session host disk hosting the CCD proxy directory has a physical
block size greater than or equal to the CCD storage provider with the largest block
size.
Fixed a Cloud Cache issue where a timed out read request (network outage,
storage outage, etc.) wasn't handled properly and would eventually fail.
Reduced the chance for a Cloud Cache container disk corruption if a provider is
experiencing connection issues.
Resolved an issue where temporary rule files weren't deleted if rule compilation
failed.
Previously, the Application masking folder was only created for the user who ran
the installer. With this update, the rules folder is created when the Rules editor is
launched.
Resolved an interoperability issue with large OneDrive file downloads that was
causing some operations to fail.
Fixed an issue where per-user and per-group settings didn't apply if the Profile or
ODFC container wasn't enabled for all users.
Resolved an issue where the Office container session configuration wasn't cleaned
up if a profile fails to load.
Fixed an issue where HKCU App Masking rules using wildcards would fail to apply.
Fixed an issue that caused some sessions configured with an ODFC container to fail
to sign in.
Resolved an issue where the App Rules editor would crash if no assignments were
configured.
Next steps
Download and install FSLogix
Configuration examples
This article describes the changes we make to each new version of Azure Virtual
Desktop Insights.
If you're not sure which version of Azure Virtual Desktop Insights you're currently using,
you can find it in the bottom-right corner of your Insights page or configuration
workbook. To access your workbook, go to https://aka.ms/azmonwvdi.
Release: Public. Latest version: 3.5.0. See Use Azure Virtual Desktop Insights to monitor your deployment.
The first number is the major version, and is usually used for major releases.
The second number is the minor version. Minor versions are for backward-compatible
changes such as new features and deprecation notices.
The third number is the patch version, which is used for small changes that fix
incorrect behavior or bugs.
For example, a release with a version number of 1.2.31 is on the first major release, the
second minor release, and patch number 31.
When one of the numbers is increased, all numbers after it must change, too. One
release has one version number. However, not all version numbers track releases. Patch
numbers can be somewhat arbitrary, for example.
Version 3.5.0
Published: July 1, 2024
Version 3.4.0
Published: May 13, 2024
Version 3.3.1
Published: April 29, 2024
Version 3.2.2
Published: February 12, 2024
Updated logic for Data Collection Rule (DCR) selection in the Configuration
workbook.
Removed unused performance counters from DCR for data savings.
Removed Terminal Services counters that the Azure Virtual Desktop Insights
workbook no longer uses.
Version 3.2.0
Published: October 9, 2023
Version 3.1.0
Published: October 2, 2023
Updated configuration workbook to allow users to use existing resource groups for
Azure Monitor Agent configuration.
Version 3.0.0
Published: September 18, 2023
Version 2.3.4
Published: September 5, 2023
Version 2.3.0
Published: June 5, 2023
Version 2.2.0
Published: May 22, 2023
In this update, we've made the following change:
Version 2.1.0
Published: May 1, 2023
Version 2.0.2
Published: April 3, 2023
Version 2.0.1
Published: March 20, 2023
Improved visualization for the Connection Time graph in the Utilization tab.
Version 2.0.0
Published: March 6, 2023
The Azure Virtual Desktop Insights at scale feature is now generally available.
Version 1.6.1
Published: February 27, 2023
The Azure Virtual Desktop Insights at scale feature is now generally available.
Added the version of the OS used on session hosts to the Overview tab.
Version 1.6.0
Published: January 30, 2023
Added idle session reporting to the Utilization tab that visualizes sessions with no
active connections.
Version 1.5.0
Published: January 9, 2023
Version 1.4.0
Published: October 2022
Added Windows 7 end-of-life reporting for client operating system and a dynamic
notification box as a reminder of the deprecation timeframe for Windows 7
support for Azure Virtual Desktop.
Version 1.3.0
Published: September 2022
Version 1.2.2
Published: July 2022
In this release, we've made the following change:
Version 1.2.1
Published: June 2022
Version 1.2.0
Published: May 2022
Version 1.1.10
Published: February 2022
Version 1.1.8
Published: November 2021
We added a dynamic check for host pool and workspaces Log Analytics tables to
show instances where diagnostics may not be configured.
Updated the source table for session history and calculations for users per core.
Version 1.1.7
Published: November 2021
We increased the session host limit to 1000 for the configuration workbook to
allow for larger deployments.
Version 1.1.6
Published: October 2021
Version 1.1.4
Published: October 2021
Version 1.1.3
Published: September 2021
Version 1.1.2
Published: August 2021
Version 1.1.1
Published: July 2021
We added the Workbooks gallery for quick access to Azure Virtual Desktop related
Azure workbooks.
Version 1.1.0
Published: July 2021
We added a Data Generated tab to the configuration workbook for detailed data
on storage space usage for Azure Virtual Desktop Insights to allow more insight
into Log Analytics usage.
Version 1.0.4
Published: June 2021
We made some changes to formatting and layout for better use of whitespace.
We changed the sort order for User Input Delay details in Host Performance to
descending.
Version 1.0.3
Published: May 2021
Version 1.0.2
Published: May 2021
We resolved an issue with user per core calculation in the Utilization tab.
Version 1.0.1
Published: April 2021
Version 1.0.0
Published: March 2021
We introduced a new visual indicator for high-impact errors and warnings from the
Azure Virtual Desktop agent event log on the host diagnostics page.
The setup process for Windows Event Log for the configuration workbook is now
automated.
The configuration workbook can now install the Log Analytics agent and set the
preferred workspace for session hosts outside of the resource group's region.
The configuration workbook now has a tabbed layout for the setup process.
Next steps
For the general What's New page, see What's New in Azure Virtual Desktop.
To learn more about Azure Virtual Desktop Insights, see Use Azure Virtual Desktop
Insights to monitor your deployment.
This article provides the release notes for the latest updates to the MSIXMGR tool, which
you use for expanding MSIX-packaged applications into MSIX images for use with Azure
Virtual Desktop.
Version 1.2.0.0
Published: April 18, 2023
Next steps
To learn more about the MSIXMGR tool, check out these articles:
This article has the latest updates for host component of multimedia redirection for
Azure Virtual Desktop.
Added telemetry for time to first frame rendered and detecting a possible stall
issue.
Added changes for calling redirection including dual-tone multiple-frequency
(DTMF) tones, and initial support for video.
Next steps
Learn more about multimedia redirection at Multimedia redirection for video playback
and calls in a remote session.
In this article you'll learn about the latest updates for the Remote Desktop client for
Windows. To learn more about using the Remote Desktop client for Windows with Azure
Virtual Desktop, see Connect to Azure Virtual Desktop with the Remote Desktop client
for Windows and Use features of the Remote Desktop client for Windows when
connecting to Azure Virtual Desktop.
There are three versions of the Remote Desktop client for Windows, which are all
supported for connecting to Azure Virtual Desktop:
Standalone download as an MSI installer. This is the most common version of the
Remote Desktop client for Windows.
Azure Virtual Desktop app from the Microsoft Store. This is a preview version of
the Remote Desktop client for Windows.
Remote Desktop app from the Microsoft Store. This version is no longer being
developed.
Tip
You can also connect to Azure Virtual Desktop with Windows App, a single app to
securely connect you to Windows devices and apps from Azure Virtual Desktop,
Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs. For
more information, see What is Windows App?
Tip
Select the version of the Remote Desktop client for Windows you want to use with
the buttons at the top of this article.
Note
This version replaced the Insider versions 1.2.5799 and 1.2.5800. Changes noted
above reflect all changes for these versions.
Note
This version replaced the Insider versions 1.2.5702, 1.2.5701, and 1.2.5699. It
contains all changes made in the noted versions and was promoted to public on
September 18, 2024.
Fixed an issue where the client crashed for users who have Windows N SKUs
without the media framework.
Addressed an issue to reduce the chance of encountering a “low virtual
memory” error on reconnect attempts.
Note
This hotfix version replaced the public version 1.2.5620 and has the same release
notes with the addition of the above fixes.
Note
This version replaced the Insider version 1.2.5617 and has the same release notes
with the addition of the security release.
Note
This version replaced 1.2.5552 and has the same release notes.
Fixed an issue where users who were connecting using protocol launch had to
complete two MFA prompts.
Note
This Insider release was originally version 1.2.5550, but we made a change to
fix an issue with double MFA prompts and re-released as version 1.2.5552.
This version contains all the changes made in 1.2.5550.
This version was released as a public version on July 2, 2024, but was replaced
by version 1.2.5559 on July 17, 2024.
Fixed an issue where a minimized RemoteApp window will maximize when the lock
screen timer runs out for a RemoteApp session.
Improved usability of the connection bar by reducing the amount of time it
displays on the screen after the mouse moves away.
Note
This Insider release was originally version 1.2.5453, but we made this change
and re-released it as version 1.2.5454. This version contains all the changes
made in 1.2.5450, 1.2.5452, and 1.2.5453.
Fixed an issue where the client crashed when responding to an incoming Microsoft
Teams call.
Note
This Insider release was originally version 1.2.5452, but we made this change and
re-released it as 1.2.5453. This version contains all of the changes made in 1.2.5450
and 1.2.5452.
Note
This Insider release was originally version 1.2.5450, but we made this change and
re-released it as 1.2.5452. This version contains all of the changes made in 1.2.5450.
When subscribing to feeds via URL, all message states for the status message box
can be announced by screen readers.
When users search for workspaces via URL, they now see the searching status
when entering URL-formatted input and receive an error if results are not found.
Improved error messaging for end users when their saved credentials expire.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Note
This release was originally version 1.2.5326, but we made a hotfix after receiving
user reports about issues that affected the MFA prompt and tenant URLs. Version
1.2.5331, which fixes these issues, has replaced version 1.2.5326.
Note
This version includes all the latest updates made in public build 1.2.5252 and
Insider builds 1.2.5248 and 1.2.5126.
Note
This version replaced 1.2.5252 and has the same release notes as version 1.2.5112.
Note
This version was released as a Public version on March 5, 2024 but was replaced by
version 1.2.5254 on March 6, 2024.
Note
This version was an Insiders version that was replaced by version 1.2.5252 and
never released to Public. In this release, we've made the following changes:
Fixed an issue that caused artifacts to appear on the screen during RemoteApp
sessions.
Fixed an issue where resizing the Teams video call window caused the client to
temporarily stop responding.
Fixed an issue that made Teams calls echo after expanding a two-person call to
meeting call.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Note
This version was an Insiders version that was replaced by version 1.2.5248 and
never released to Public. In this release, we've made the following changes:
Fixed the regression that caused a display issue when a user selects monitors for
their session.
Made the following accessibility improvements:
Improved screen reader experience.
Greater contrast for background color of the connection bar remote commands
drop-down menu.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Fixed the regression that caused a display issue when a user selects monitors for
their session.
Note
This release was originally 1.2.5102 in Insiders, but we changed the Public version
number to 1.2.5105 after adding the security improvements addressing
CVE-2024-21307.
Note
We replaced this Insiders version with version 1.2.5102. As a result, version 1.2.5018
is no longer available for download.
Note
This Insiders release was originally version 1.2.4675, but we made a hotfix for the
vulnerability known as CVE-2023-5217.
Fixed an issue where, when using the default display settings and the system
display settings were changed, the connection bar didn't show when hovering over
the top of the screen after it had been hidden.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Accessibility improvements:
Narrator now announces the view mode selector as "View combo box", instead
of "Tile view combo box" or "List view combo box".
Narrator now focuses on and announces Learn more hyperlinks.
Keyboard focus is now set correctly when a warning dialog loads.
Tooltip for the close button on the About panel now dismisses when keyboard
focus moves.
Keyboard focus is now properly displayed for certain drop-down selectors in the
Settings panel for published desktops.
Note
This release was originally version 1.2.4577, but we made a hotfix after reports that
connections to machines with watermarking policy enabled were failing. Version
1.2.4582, which fixes this issue, has replaced version 1.2.4577.
Fixed an issue where the client doesn't auto-reconnect when the gateway
WebSocket connection shuts down normally.
Added a new RDP file property called allowed security protocols. This property
restricts the list of security protocols the client can negotiate.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Accessibility improvements:
Narrator now describes the toggle button in the display settings side panel as
toggle button instead of button.
Control types for text now correctly say that they're text and not custom.
Fixed an issue where Narrator didn't read the error message that appears after
the user selects Delete.
Added heading-level description to Subscribe with URL.
Dialog improvements:
Updated file and URI launch dialog error handling messages to be more
specific and user-friendly.
The client now displays an error message after unsuccessfully checking for
updates instead of incorrectly notifying the user that the client is up to date.
Fixed an issue where, after having been automatically reconnected to the
remote session, the connection information dialog gave inconsistent
information about identity verification.
Improved connection bar resizing so that resizing the bar to its minimum width
doesn't make its buttons disappear.
Fixed an application compatibility issue that affected preview versions of Windows.
Moved the identity verification method from the lock window message in the
connection bar to the end of the connection info message.
Changed the error message that appears when the session host can't reach the
authenticator to validate a user's credentials to be clearer.
Added a reconnect button to the disconnect message boxes that appear whenever
the local PC goes into sleep mode or the session is locked.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Fixed an issue where the connection bar remained visible on local sessions when
the user changed their contrast themes.
Made minor changes to connection bar UI, including improved button sizing.
Fixed an issue where the client stopped responding if closed from the system tray.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Note
This release was originally version 1.2.4065, but we made a hotfix after reports that
UPnP was causing connectivity issues. Version 1.2.4066 has replaced the previous
version and has disabled UPnP.
Important
This is the final version of the Remote Desktop client with Windows 7 support. After
this version, if you try to use the Remote Desktop client with Windows 7, it may not
work as expected. For more information about which versions of Windows the
Remote Desktop client currently supports, see Prerequisites.
Fixed an issue where the app sometimes entered an infinite loop while
disconnecting.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Teams for Azure Virtual Desktop, including the following:
Fixed an issue that caused the incorrect rendering of an incoming screen share
when using an ultrawide (21:9) monitor.
Reverted to version 1.2.3401 build to avoid a connectivity issue with older RDP
stacks.
Updates for version 1.2.3401
Published: August 2, 2022
Fixed an issue where the narrator was announcing the tenant expander button as
on or off instead of expanded or collapsed.
Fixed an issue where the text size didn't change when the user adjusted the text
size system setting.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Fixed an issue where the service couldn't render RemoteApp windows while
RemoteFX Advanced Graphics were disabled.
Fixed an issue that happened when a user tried to connect to an Azure Virtual
Desktop endpoint while using the Remote Desktop Services Transport Layer
Security protocol (RDSTLS) with CredSSP disabled, which caused the Windows
Desktop client to not prompt the user for credentials. Because the client couldn't
authenticate, it would get stuck in an infinite loop of failed connection attempts.
Fixed an issue that happened when users tried to connect to an Azure Active
Directory (Azure AD)-joined Azure Virtual Desktop endpoint from a client machine
joined to the same Azure AD tenant while the Credential Security Support Provider
protocol (CredSSP) was disabled.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Teams for Azure Virtual Desktop, including the following:
Better noise suppression during calls.
A diagnostic overlay now appears when you press Shift+Ctrl+Semicolon (;)
during calls. The diagnostic overlay only works with version 1.17.2205.23001 or
later of the Remote Desktop WebRTC Redirector Service. You can download the
latest version of the service here.
Fixed an issue where Narrator didn't announce grid or list views correctly.
Fixed an issue where the msrdc.exe process might take a long time to exit after
closing the last Azure Virtual Desktop connection if customers have set a very
short token expiration policy.
Updated the error message that appears when users are unable to subscribe to
their feed.
Updated the disconnect dialog boxes that appear when the user locks their remote
session or puts their local computer in sleep mode to be only informational.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Multimedia redirection for Azure Virtual Desktop now has an update that gives it
more site and media control compatibility.
Improved connection reliability for Teams on Azure Virtual Desktop.
Updates for version 1.2.2927
Published: March 15, 2022
Fixed an issue where the number pad didn't work on initial focus.
The Desktop client now supports Ctrl+Alt+arrow key keyboard shortcuts during
desktop sessions.
Improved graphics performance with certain mouse types.
Fixed an issue that caused the client to randomly crash when something ends a
RemoteApp connection.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Teams for Azure Virtual Desktop, including the following:
The background blur feature is rolling out this week for Windows endpoints.
Fixed an issue that caused the screen to turn black during Teams video calls.
Fixed an issue that caused a redirected camera to give incorrect error codes when
camera access was restricted in the Privacy settings on the client device. This
update should give accurate error messages in apps using the redirected camera.
Fixed an issue where the Azure Active Directory credential prompt appeared in the
wrong monitor.
Fixed an issue where the background refresh and update tasks were repeatedly
registered with the task scheduler, which caused the background and update task
times to change without user input.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Updates to Teams for Azure Virtual Desktop, including the following:
In September 2021 we released a preview of our GPU render path optimizations
but defaulted them off. After extensive testing, we've now enabled them by
default. These GPU render path optimizations reduce endpoint-to-endpoint
latency and solve some performance issues. You can manually disable these
optimizations by setting the registry value
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\IsSwapChainRenderingEnabled
to 00000000.
Fixed an issue where some users were unable to subscribe using the subscribe
with URL option after updating to version 1.2.2687.0.
Improved manual refresh functionality to acquire new user tokens, which ensures
the service can accurately update user access to resources.
Fixed an issue where the service sometimes pasted empty frames when a user tried
to copy an image from a remotely running Internet Explorer browser to a locally
running Word document.
Fixed the vulnerability known as CVE-2021-38665.
Fixed the vulnerability known as CVE-2021-38666.
Fixed the vulnerability known as CVE-2021-1669.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Fixed a usability issue where the Windows Desktop client would sometimes
prompt for a password (Azure Active Directory prompt) after the device went into
sleep mode.
Fixed an issue where the client didn't automatically expand and display interactive
sign-in messages set by admins when a user signs in to their virtual machine.
Fixed a reliability issue that appeared in version 1.2.2686 where the client stopped
responding when users tried to launch new connections.
Updates to Teams for Azure Virtual Desktop, including the following:
The notification volume level on the client device is now the same as the host
device.
Fixed an issue where the device volume was low in Azure Virtual Desktop
sessions.
Fixed a multi-monitor screen sharing issue where screen sharing didn't appear
correctly when moving from one monitor to the other.
Resolved a black screen issue that caused screen sharing to incorrectly show a
black screen sometimes.
Increased the reliability of the camera stack when resizing the Teams app or
turning the camera on or off.
Fixed a memory leak that caused issues like high memory usage or video
freezing when reconnecting with Azure Virtual Desktop.
Fixed an issue that caused Remote Desktop connections to stop responding.
The client also updates in the background when the auto-update feature is
enabled, no remote connection is active, and msrdcw.exe isn't running.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Fixed an ICE inversion parameter issue that prevented some Teams calls from
connecting.
Updates for version 1.2.2130
Published: June 22, 2021
Windows Virtual Desktop has been renamed to Azure Virtual Desktop. Learn more
about the name change at our announcement on our blog.
Fixed an issue where the client would ask for authentication after the user ended
their session and closed the window.
Improved client logging, diagnostics, and error classification to help admins
troubleshoot connection and feed issues.
Fixed an issue with Logitech C270 cameras where Teams only showed a black
screen in the camera settings and while sharing images during calls.
Added the Experience Monitor access point to the system tray icon.
Fixed an issue where entering an email address into the Subscribe to a Workplace
tab caused the application to stop responding.
Fixed an issue where the client sometimes didn't send Event Hubs and Diagnostics
events.
Updates to Teams on Azure Virtual Desktop, including:
Improved audio and video sync performance and added hardware accelerated
decode that decreases CPU utilization on the client.
Addressed the most prevalent causes of black screen issues when a user joins a
call or meeting with their video turned on, when a user performs screen sharing,
and when a user toggles their camera on and off.
Improved quality of active speaker switching in single video view by reducing
the time it takes for the video to appear and reducing intermittent black screens
when switching video streams to another user.
Fixed an issue where hardware devices with special characters would sometimes
not be available in Teams.
Added support for the screen capture protection feature for Windows 10
endpoints. To learn more, see Session host security best practices.
Added support for proxies that require authentication for feed subscription.
The client now shows a notification with an option to retry if an update didn't
successfully download.
Addressed some accessibility issues with keyboard focus and high-contrast mode.
Updates for version 1.2.1525
Published: December 1, 2020
Added List view for remote resources so that longer app names are readable.
Added a notification icon that appears when an update for the client is available.
Added the auto-update feature, which allows the client to install the latest updates
automatically.
The client now distinguishes between different feeds in the Connection Center.
Fixed an issue where the subscription account doesn't match the account the user
signed in with.
Fixed an issue where some users couldn't access a RemoteApp through a
downloaded file.
Fixed an issue with Smartcard redirection.
You can now be subscribed to Workspaces with multiple user accounts, using the
overflow menu (...) option on the command bar at the top of the client. To
differentiate Workspaces, the Workspace titles now include the username, as do all
app shortcuts titles.
Added additional information to subscription error messages to improve
troubleshooting.
The collapsed/expanded state of Workspaces is now preserved during a refresh.
Added a Send Diagnostics and Close button to the Connection information
dialog.
Fixed an issue with the CTRL + SHIFT keys in remote sessions.
Updated the automatic discovery logic for the Subscribe option to support the
Azure Resource Manager-integrated version of Azure Virtual Desktop. Customers
with only Azure Virtual Desktop resources should no longer need to provide
consent for Azure Virtual Desktop (classic).
Improved support for high-DPI devices with scale factor up to 400%.
Fixed an issue where the disconnect dialog didn't appear.
Fixed an issue where command bar tooltips would remain visible longer than
expected.
Fixed a crash when you tried to subscribe immediately after a refresh.
Fixed a crash from incorrect parsing of date and time in some languages.
When subscribing, you can now choose your account instead of typing your email
address.
Added a new Subscribe with URL option that allows you to specify the URL of the
Workspace you are subscribing to or leverage email discovery when available in
cases where we can't automatically find your resources. This is similar to the
subscription process in the other Remote Desktop clients. This can be used to
subscribe directly to Azure Virtual Desktop workspaces.
Added support to subscribe to a Workspace using a new URI scheme that can be
sent in an email to users or added to a support website.
Added a new Connection information dialog that provides client, network, and
server details for desktop and app sessions. You can access the dialog from the
connection bar in full screen mode or from the System menu when windowed.
Desktop sessions launched in windowed mode now always maximize instead of
going full screen when maximizing the window. Use the Full screen option from
the system menu to enter full screen.
The Unsubscribe prompt now displays a warning icon and shows the workspace
names as a bulleted list.
Added the details section to additional error dialogs to help diagnose issues.
Added a timestamp to the details section of error dialogs.
Fixed an issue where the RDP file setting desktop size ID didn't work properly.
Fixed an issue where the Update the resolution on resize display setting didn't
apply after launching the session.
Fixed localization issues in the desktop settings panel.
Fixed the size of the focus box when tabbing through controls on the desktop
settings panel.
Fixed an issue causing the resource names to be difficult to read in high contrast
mode.
Fixed an issue causing the update notification in the action center to be shown
more than once a day.
Added new display settings options for desktop connections available when right-
clicking a desktop icon on the Connection Center.
There are now three display configuration options: All displays, Single display
and Select displays.
We now only show available settings when a display configuration is selected.
In Select display mode, a new Maximize to current displays option allows you
to dynamically change the displays used for the session without reconnecting.
When enabled, maximizing the session causes it to go full screen on all displays
touched by the session window.
We've added a new Single display when windowed option for all displays and
select displays modes. This option switches your session automatically to a
single display when you exit full screen mode, and automatically returns to
multiple displays when you maximize the window.
We've added a new Display settings group to the system menu that appears when
you right-click the title bar of a windowed desktop session. This will let you change
some settings dynamically during a session. For example, you can change the new
Single display mode when windowed and Maximize to current displays settings.
When you exit full screen, the session window will return to its original location
when you first entered full screen.
The background refresh for Workspaces has been changed to every four hours
instead of every hour. A refresh now happens automatically when launching the
client.
Resetting your user data from the About page now redirects to the Connection
Center when completed instead of closing the client.
The items in the system menu for desktop connections were reordered and the
Help topic now points to the client documentation.
Addressed some accessibility issues with tab navigation and screen readers.
Fixed an issue where the Azure Active Directory authentication dialog appeared
behind the session window.
Fixed a flickering and shrinking issue when dragging a desktop session window
between displays of different scale factors.
Fixed an error that occurred when redirecting cameras.
Fixed multiple crashes to improve reliability.
Renamed the Update action for Workspaces to Refresh for consistency with other
Remote Desktop clients.
You can now refresh a Workspace directly from its context menu.
Manually refreshing a Workspace now ensures all local content is updated.
You can now reset the client's user data from the About page without needing to
uninstall the app.
You can also reset the client's user data using msrdcw.exe /reset with an optional
/f parameter to skip the prompt.
We now automatically look for a client update when navigating to the About page.
Updated the color of the buttons for consistency.
Connections to Azure Virtual Desktop are now blocked if the RDP file is missing
the signature or one of the signscope properties has been modified.
When a Workspace is empty or has been removed, the Connection Center no
longer appears to be empty.
Added the activity ID and error code on disconnect messages to improve
troubleshooting. You can copy the dialog message with Ctrl+C.
Fixed an issue that caused the desktop connection settings to not detect displays.
Client updates no longer automatically restart the PC.
Windowless icons should no longer appear on the taskbar.
You can now select which displays to use for desktop connections. To change this
setting, right-click the icon of the desktop connection and select Settings.
Fixed an issue where the connection settings didn't display the correct available
scale factors.
Fixed an issue where Narrator couldn't read the dialogue shown while the
connection initiated.
Fixed an issue where the wrong user name displayed when the Azure Active
Directory and Active Directory names didn't match.
Fixed an issue that made the client stop responding when initiating a connection
while not connected to a network.
Fixed an issue that caused the client to stop responding when attaching a headset.
You can now access information about updates directly from the more options
button on the command bar at the top of the client.
You can now report feedback from the command bar of the client.
The Feedback option is now only shown if the Feedback Hub is available.
Ensured the update notification is not shown when notifications are disabled
through policy.
Fixed an issue that prevented some RDP files from launching.
Fixed a crash on startup of the client caused by corruption of some persistent
settings.
The 32-bit and ARM64 versions of the client are now available!
The client now saves any changes you make to the connection bar (such as its
position, size, and pinned state) and applies those changes across sessions.
Updated gateway information and connection status dialogs.
Addressed an issue that caused two credentials to prompt at the same time while
trying to connect after the Azure Active Directory token expired.
On Windows 7, users are now properly prompted for credentials if they had saved
credentials when the server disallows it.
The Azure Active Directory prompt now appears in front of the connection window
when reconnecting.
Items pinned to the taskbar are now updated during a feed refresh.
Improved scrolling on the Connection Center when using touch.
Removed the empty line from the resolution drop-down menu.
Removed unnecessary entries in Windows Credential Manager.
Desktop sessions are now properly sized when exiting full screen.
The RemoteApp disconnection dialog now appears in the foreground when you
resume your session after entering sleep mode.
Addressed accessibility issues like keyboard navigation.
Improved the fallback languages for localized version. (For example, FR-CA will
properly display in French instead of English.)
When removing a subscription, the client now properly removes the saved
credentials from Credential Manager.
The client update process is now unattended once started and the client will
relaunch once completed.
The client can now be used on Windows 10 in S mode.
Fixed an issue that caused the update process to fail for users with a space in their
username.
Fixed a crash that happened when authenticating during a connection.
Fixed a crash that happened when closing the client.
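One of the items above says the Windows client now blocks a connection when the RDP file has no signature or when a property listed in signscope has been modified. The following added example, which is not the client's or Microsoft's code, models that check so you can see exactly what it protects against: the real client verifies a PKCS#7 signature produced by rdpsign.exe with an RDP-signing certificate, while this model substitutes an HMAC-SHA256 under a constructed key (an assumption so it runs offline); the sample RDP file, the hostnames and the canonicalisation of the signed data are likewise constructed for the example.

```python
"""Model of the client-side RDP-file integrity check: block when the file is
unsigned or when any property named in signscope no longer matches what was
signed. Added illustrative code, not the Remote Desktop client's own
implementation; HMAC stands in for the real PKCS#7 signature."""
import base64
import hashlib
import hmac

SIGNING_KEY = b"constructed-example-key-not-a-signing-certificate"  # assumption


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse 'name:type:value' lines into {lower-cased name: (type, value)}.
    Property names are case-insensitive (signscope lists 'Full Address' for
    the line 'full address:s:...'); values may contain more colons (host:port)."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        typ, _, value = rest.partition(":")
        settings[name.strip().lower()] = (typ, value)
    return settings


def _signed_data(settings: dict[str, tuple[str, str]], scope: list[str]) -> bytes:
    """Bytes covered by the signature: the signscope list itself, then each
    scoped property in signscope order. Covering signscope means an attacker
    cannot narrow the scope to drop the property they changed. This
    canonicalisation is the model's own, not the real file format."""
    parts = ["signscope:s:" + ",".join(scope)]
    for name in scope:
        key = name.strip().lower()
        typ, value = settings.get(key, ("", "<absent>"))
        parts.append(f"{key}:{typ}:{value}")
    return "\r\n".join(parts).encode("utf-16-le")


def sign_rdp(text: str, scope: list[str], key: bytes = SIGNING_KEY) -> str:
    """Append signscope and signature to an unsigned RDP file (model of rdpsign.exe)."""
    mac = hmac.new(key, _signed_data(parse_rdp(text), scope), hashlib.sha256).digest()
    signature = base64.b64encode(mac).decode("ascii")
    return (text.rstrip("\r\n") + "\r\nsignscope:s:" + ",".join(scope)
            + "\r\nsignature:s:" + signature + "\r\n")


def verify_rdp(text: str, key: bytes = SIGNING_KEY) -> tuple[bool, str]:
    """Return (allowed, reason): unsigned, or a scoped property that no longer
    matches what was signed, means the connection is blocked."""
    settings = parse_rdp(text)
    if "signature" not in settings:
        return False, "blocked: RDP file is not signed"
    if "signscope" not in settings:
        return False, "blocked: signature present but signscope is missing"
    scope = [s.strip() for s in settings["signscope"][1].split(",") if s.strip()]
    expected = hmac.new(key, _signed_data(settings, scope), hashlib.sha256).digest()
    try:
        presented = base64.b64decode(settings["signature"][1], validate=True)
    except ValueError:
        return False, "blocked: signature is not valid base64"
    if not hmac.compare_digest(expected, presented):
        return False, "blocked: a property inside signscope was modified"
    return True, "allowed: signature covers " + ", ".join(scope)


# Constructed sample file, not a real workspace feed.
SAMPLE_RDP = (
    "full address:s:sessionhost.example.com\r\n"
    "server port:i:3389\r\n"
    "gatewayhostname:s:rdgateway.example.com\r\n"
    "gatewayusagemethod:i:1\r\n"
    "enablecredsspsupport:i:1\r\n"
    "authentication level:i:2\r\n"
    "redirectclipboard:i:0\r\n"
    "screen mode id:i:2\r\n"
)
# Everything that could redirect or weaken the connection belongs in scope.
SCOPE = ["Full Address", "Server Port", "GatewayHostname", "GatewayUsageMethod",
         "EnableCredSspSupport", "Authentication Level", "RedirectClipboard"]


def demo() -> dict[str, bool]:
    """Tamper with a signed file in several ways and report what the check allows."""
    signed = sign_rdp(SAMPLE_RDP, SCOPE)
    return {
        "intact": verify_rdp(signed)[0],
        "unsigned": verify_rdp(SAMPLE_RDP)[0],
        "host_redirected": verify_rdp(signed.replace("sessionhost.example.com", "evil.example.net"))[0],
        "nla_disabled": verify_rdp(signed.replace("enablecredsspsupport:i:1", "enablecredsspsupport:i:0"))[0],
        "scope_narrowed": verify_rdp(signed.replace("Full Address,", ""))[0],
        "cosmetic_change": verify_rdp(signed.replace("screen mode id:i:2", "screen mode id:i:1"))[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:16s} {'allowed' if allowed else 'blocked'}")
```

The point the model makes: redirecting full address to another host, turning off CredSSP, or editing signscope itself all break verification, while a change to an unscoped property such as screen mode id is still accepted. When you sign your own RDP files, put every setting an attacker could abuse into the scope.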
In this article you'll learn about the latest updates for the Remote Desktop client for
macOS. To learn more about using the Remote Desktop client for macOS with Azure
Virtual Desktop, see Connect to Azure Virtual Desktop with the Remote Desktop client
for macOS and Use features of the Remote Desktop client for macOS when connecting
to Azure Virtual Desktop.
Applied a workaround to fix a screen sharing bug when using Teams optimizations.
Fixed a protocol sequencing issue that broke smart card redirection.
Updated the client connection path to fall back to TLS when NTLM isn't available in
the context of Network Level Authentication (NLA).
Applied a workaround to address a black screen when screen sharing via Microsoft
Teams redirection.
Resolved issues with connections that were routed via a Remote Desktop Services
gateway behind an F5 web app filter.
Fixed bugs in the single sign-on protocol connection sequence that were breaking
connectivity.
Improved diagnostics sent during connections to Azure Virtual Desktop.
Important
Starting with version 10.9.6, the macOS client only supports macOS 12 and later.
Resolved some of the top crashes reported by customers from our telemetry.
Fixed microphone redirection on macOS 14.
Sorted out daylight savings time issues for time zone redirection scenarios.
Added watermarking support for Azure Virtual Desktop scenarios.
Resolved an issue that caused workspace resource icons to be partially obscured
by a white or black rectangle. If you encounter this issue, you can force a
workspace refresh by selecting Help > Troubleshooting > Force Refresh All
Workspaces.
Updates for version 10.9.4
Published: October 20, 2023
Fixed an issue that caused printer redirection to not work for connections between
macOS Sonoma and Windows 10 or later.
Addressed the "Proof Key for Code Exchange is required" message that users received
when refreshing Azure Virtual Desktop workspaces after upgrading from versions 10.9.0
and 10.9.1.
Added support for RDP Shortpath for public networks for Azure Virtual Desktop
connections.
Integrated an Azure Virtual Desktop account profile switcher into the Connection
Center.
Improved diagnostics sent during Azure Virtual Desktop connections.
Added support for video mirroring in Teams redirection.
Note
This release isn't compatible with macOS 10.14 and macOS 10.15.
Fixed a connectivity issue that affected connections to Windows XP and Windows
Vista.
Addressed an issue that caused diagnostics reporting for Azure Virtual Desktop
connections to be inaccurate.
Updates for Version 10.8.2
Published: April 25, 2023
Integrated support for the new Remote Desktop Services (RDS) Azure Active
Directory (Azure AD) Auth Protocol for authentication and session security.
Added deterministic progress UI for Azure Virtual Desktop workspace refresh.
Resolved some of the most common crashes reported by debug telemetry.
Fixed a bug that caused vertical lines to appear in the remote session rendering.
Addressed a scenario where the app would stop responding when running Slack.
Addressed issue with full-screen scenarios that happened when users disabled the
Displays have separate Spaces setting.
Fixed an issue that resulted in the caps lock state syncing incorrectly between
client and server.
Performance and reliability updates to Teams redirection.
Updates to improve Azure Virtual Desktop connectivity and diagnostics.
Fixed a few bugs, cleaned up some underlying code, and made changes to prepare
for future updates.
Added a button to the General Preferences dialog that allows you to clear stored
PC thumbnails.
In this release, we've added some new features to Teams redirection for Azure Virtual
Desktop and Windows 365 scenarios:
We've also made some additional fixes and performance improvements, including the
following:
In this release, we fixed some customer-reported bugs and issues reported by telemetry.
Two of the impacted feature areas include Teams redirection and multi-monitor support.
A custom app switcher which spans multiple sessions for RemoteApp scenarios
(triggered by the Option+Tab keyboard combination).
Support for the in-session redirection of PIV smart cards (such as Yubikey).
We've also:
Added support for audio and video stream optimizations when connecting to
Azure Virtual Desktop session hosts that support Teams redirection. Learn more at
Use Microsoft Teams on Azure Virtual Desktop.
Made updates to improve connectivity, performance and diagnostic metrics when
connecting to Azure Virtual Desktop deployments.
With respect to bugs and smaller features, the following list summarizes some
highlights:
Added support for eTags in Azure Virtual Desktop workspace refresh scenarios to
improve sync times.
The read-only column in the folder redirection selection UI has been resized to
show the full column header.
Fixed an issue that resulted in the Outlook client showing the incorrect time or
time zone for certain calendar entries.
Resolved discrepancies with the reporting of device physical width and height
across Retina and non-Retina scenarios.
Updated the client to trigger an auto-reconnect in Azure Virtual Desktop scenarios
when a 0x3 error is generated by the Gateway.
Resolved an issue where the mouse cursor on a high DPI monitor was larger than on a
regular monitor.
Updated the client to terminate auto-reconnect if the session window is closed
after waking from sleep.
Addressed an issue where the mapped hotkeys CMD+C, CMD+V, and CMD+F didn't
work in nested sessions.
Hid the Import from Remote Desktop 8 option if there is no data to import.
Updates for version 10.7.6
Date Published: February 3, 2022
In this release, we made some changes to improve connection reliability for Azure
Virtual Desktop scenarios.
Fixed an issue that caused display configuration to not work properly when using
the client on 2021 MacBook Pro 14" and 16" devices with multiple monitors. This
issue mainly affected devices with external monitors positioned above the
MacBook display.
Fixed an issue that caused the client to crash when used on earlier versions of
macOS 12.
Fixed customer-reported smart card and folder redirection issues.
Addressed full screen display issues with 2021 MacBook Pro 14" and 16" models.
Better handle load-balanced Remote Desktop Gateway configurations.
Unfortunately, the 10.7.2 update disabled smart card redirection for some users when
they'd try to reconnect to their sessions. As a result, we've released this update to
address the issue.
Worked around a 0x907 (mismatched certificate) error code that was caused by
third-party infrastructure returning an incorrect certificate in redirection
scenarios.
Fixed the root cause of a 0x207 (handshake failure) error code that appeared
when users accidentally tried to connect with an incorrect password to a pre-
Windows 8 server with Network Level Authentication (NLA) enabled.
Resolved a 0x1107 (invalid workstation) error code that appeared when Active
Directory workstation logon restrictions were set.
Updated the default icon for published desktops and worked around an issue that
caused smart card redirection to stop working with recently patched versions of
Windows.
Enabled connections to Windows Server 2003 servers that have Transport Layer
Security (TLS) enabled for Remote Desktop connections.
Addressed a 0x3000066 error message that appeared in Remote Desktop Gateway
scenarios, and aligned TLS version usage with the Windows Remote Desktop client.
Fixed an issue that made the client return a 0x907 error code when connecting to a
server endpoint with a certificate that had a Remote Desktop Authentication EKU
property of 1.3.6.1.4.1.311.54.1.2.
Updated the client to address a 0x2407 error code that prevented the client from
authorizing users for remote access.
Fixed an issue that caused the client to return a 0x907 error code when processing
a server authentication certificate with a validity lifetime of over 825 days.
Fixed an issue that caused the client to return a 0x507 error code.
Enabled support for the AVC420 codec on Apple Silicon.
Enabled Smart card redirection (requires macOS 11.2 or later) on Apple Silicon.
Removed a double prompt for credentials that occurred in some scenarios when
users tried to connect with a Remote Desktop Gateway.
Updates for version 10.6.1
Published: April 20, 2021
In this update, we fixed an issue that caused the client to stop responding when
connecting to a Remote Desktop Gateway.
In this release we made some significant updates to the shared underlying code that
powers the Remote Desktop experience across all our clients. We've also added some
new features and addressed bugs and crashes that were showing up in error reports.
Important
As of this update, the macOS client requires macOS version 10.14 or later to run.
Note
This release is the last release that will be compatible with macOS version 10.13.
Addressed an issue where the UI would stop resolving a workspace name during
subscription.
Fixed an in-session bug where graphics updates would stall while the client
continued to send input.
Resolved reliability issues identified through crash reporting.
You can now edit the display, device, and folder redirection settings of published
PC connections.
RemoteApp windows now shrink to the dock when minimized.
Added a Connection Information dialog that displays the current bandwidth and
round-trip time.
Added support for Remote Desktop Gateway consent and admin messages.
Fixed an issue where an RDP file specifying a gatewayusagemethod value of 0 or 4
was incorrectly imported.
The Edit Workspace sheet now shows the exact time at which the workspace was
last updated.
Removed trace spew that was output when using the --script parameter.
Addressed an issue where the client would return a 0x30000066 error when
connecting using a Remote Desktop Gateway server.
Fixed an issue that caused the client to repeatedly prompt users for credentials if
Extended Protection for Authentication was set on the server.
Addressed reliability issues that users identified through crash reporting.
Addressed keyboard and VoiceOver-related accessibility bugs.
Updates for version 10.4.1
Published: November 6, 2020
In this release, we made substantial updates to the underlying code for the Remote
Desktop experience across all our clients. We've also added some new features and
addressed bugs and crashes that were showing up in error reporting. Here are some
changes you may notice:
In this release, we made some changes to improve interoperability with the Azure Virtual
Desktop service. In addition, we've included the following updates:
Note
This is the last release that will be compatible with macOS 10.12.
With this update, you can switch between Scancode (Ctrl+Command+K) and Unicode
(Ctrl+Command+U) modes when entering keyboard input. Unicode mode allows
extended characters to be typed using the Option key on a Mac keyboard. For example,
on a US Mac keyboard, Option+2 enters the trademark (™) symbol. You can also
enter accented characters in Unicode mode. For example, on a US Mac keyboard,
pressing Option+E followed by the A key enters the character á in your
remote session.
Other updates in this release include:
Copying things from the remote session to a network share or USB drive no longer
creates empty files.
Specifying an empty password in a user account no longer causes a double
certificate prompt.
Addressed an issue that created zero-length files whenever you copied a folder
from the remote session to the local machine using file copy and paste.
Redirected folders can now be marked as read-only to prevent their contents from
being changed in the remote session.
We addressed a 0x607 error that appeared when connecting using RPC over
HTTPS Remote Desktop Gateway scenarios.
Fixed cases where users were double-prompted for credentials.
Fixed cases where users received the certificate warning prompt twice.
Added heuristics to improve trackpad-based scrolling.
The client no longer shows the Saved Desktops group if there are no user-created
groups.
Updated UI for the tiles in PC view.
Fixes to address crashes sent to us via application telemetry.
Added user defaults to disable smart card, clipboard, microphone, camera, and
folder redirection:
ClientSettings.DisableSmartcardRedirection
ClientSettings.DisableClipboardRedirection
ClientSettings.DisableMicrophoneRedirection
ClientSettings.DisableCameraRedirection
ClientSettings.DisableFolderRedirection
Resolved an issue that was causing programmatic session window resizes to not be
detected.
Fixed an issue where the session window contents appeared small when
connecting in windowed mode (with dynamic display enabled).
Fixed a bug that caused an incorrect device name to be sent to the remote session
(breaking licensing in some third-party apps).
Cleaned up some shutdown code to ensure the client closes more reliably.
In this release, we fixed a bug that rendered the display at low resolution while
connecting to a session.
Addressed connectivity issues with Remote Desktop Gateway servers that were
using 4096-bit asymmetric keys.
Fixed a bug that caused the client to randomly stop responding when
downloading feed resources.
Fixed a bug that caused the client to crash while opening.
Fixed a bug that caused the client to crash while importing connections from
Remote Desktop, version 8.
Fixed a hang that occurred when connecting via a Remote Desktop Gateway.
Added a privacy notice to the Add Feed dialog.
Resolved random disconnects (with error code 0x904) that took place when
connecting via a Remote Desktop Gateway.
Fixed a bug that caused the resolutions list in application preferences to be empty
after installation.
Fixed a bug that caused the client to crash if certain resolutions were added to the
resolutions list.
Addressed an ADAL authentication prompt loop when connecting to Azure Virtual
Desktop deployments.
Fixed a Remote Desktop Gateway connectivity issue that can occur when server
redirection takes place.
We also addressed a Remote Desktop Gateway regression caused by the 10.2.8
update.
Resolved connectivity issues that surfaced when using a Remote Desktop Gateway.
Fixed incorrect certificate warnings that were displayed when connecting.
Addressed some cases where the menu bar and dock would needlessly hide when
launching a RemoteApp.
Reworked the clipboard redirection code to address crashes and hangs that have
been plaguing some users.
Fixed a bug that caused the Connection Center to needlessly scroll when launching
a connection.
In this release, we addressed graphics mis-paints (caused by a server encoding bug) that
appeared when using AVC444 mode.
Added support for the AVC (420 and 444) codec, available when connecting to
current versions of Windows 10.
In Fit to Window mode, a window refresh now occurs immediately after a resize to
ensure that content is rendered at the correct interpolation level.
Fixed a layout bug that caused feed headers to overlap for some users.
Cleaned up the Application Preferences UI.
Polished the Add/Edit Desktop UI.
Made lots of fit and finish adjustments to the Connection Center tile and list views
for desktops and feeds.
Note
There is a bug in macOS 10.14.0 and 10.14.1 that can cause the
.com.microsoft.rdc.application-data_SUPPORT/_EXTERNAL_DATA folder (nested deep
inside the ~/Library folder) to consume a large amount of disk space. To resolve
this issue, delete the folder content and upgrade to macOS 10.14.2. Note that a
side-effect of deleting the folder contents is that snapshot images assigned to
bookmarks will be deleted. These images will be regenerated when reconnecting to
the remote PC.
Updates for version 10.2.4
Published: December 18, 2018
Added support for the remoteapplicationcmdline RDP file setting for RemoteApp
scenarios.
The title of the session window now includes the name of the RDP file (and server
name) when launched from an RDP file.
Fixed reported Remote Desktop Gateway performance issues.
Fixed reported Remote Desktop Gateway crashes.
Fixed issues where the connection would hang when connecting through a Remote
Desktop Gateway.
Better handling of a RemoteApp in full-screen by intelligently hiding the menu bar
and dock.
Fixed scenarios where a RemoteApp remained hidden after being launched.
Addressed slow rendering updates when using Fit to Window with hardware
acceleration disabled.
Handled database creation errors caused by incorrect permissions when the client
starts up.
Fixed an issue where the client was consistently crashing at launch and not starting
for some users.
Fixed a scenario where connections were incorrectly imported as full-screen from
Remote Desktop 8.
A brand new Connection Center that supports drag and drop, manual arrangement
of desktops, resizable columns in list view mode, column-based sorting, and
simpler group management.
The Connection Center now remembers the last active pivot (Desktops or Feeds)
when closing the app.
The credential prompting UI and flows have been overhauled.
Remote Desktop Gateway feedback is now part of the connecting status UI.
Settings import from the version 8 client has been improved.
RDP files pointing to RemoteApp endpoints can now be imported into the
Connection Center.
Retina display optimizations for single monitor Remote Desktop scenarios.
Support for specifying the graphics interpolation level (which affects blurriness)
when not using Retina optimizations.
256-color support to enable connectivity to Windows 2000.
Fixed clipping of the right and bottom edges of the screen when connecting to
Windows 7, Windows Server 2008 R2 and earlier.
Copying a local file into Outlook (running in a remote session) now adds the file as
an attachment.
Fixed an issue that was slowing down pasteboard-based file transfers if the files
originated from a network share.
Addressed a bug that caused Excel (running in a remote session) to hang
when saving to a file on a redirected folder.
Fixed an issue that was causing no free space to be reported for redirected folders.
Fixed a bug that caused thumbnails to consume too much disk storage on macOS
10.14.
Added support for enforcing Remote Desktop Gateway device redirection policies.
Fixed an issue that prevented session windows from closing when disconnecting
from a connection using Remote Desktop Gateway.
If Network Level Authentication (NLA) is not enforced by the server, you will now
be routed to the sign-in screen if your password has expired.
Fixed performance issues that surfaced when lots of data was being transferred
over the network.
Smart card redirection fixes.
Support for all possible values of the EnableCredSspSupport and Authentication
Level RDP file settings when the ClientSettings.EnforceCredSSPSupport user default
key (in the com.microsoft.rdc.macos domain) is set to 0. Setting it to 0 lets an RDP
file turn off CredSSP (NLA) for that connection, so keep the default unless you must
reach hosts that cannot negotiate NLA.
Support for the Prompt for Credentials on Client RDP file setting when NLA is not
negotiated.
Support for smart card-based sign-in using smart card redirection at the Winlogon
prompt when NLA is not negotiated.
Fixed an issue that prevented downloading feed resources that have spaces in the
URL.
Enabled connectivity to Azure Active Directory (Azure AD) joined PCs. To connect
to an Azure AD joined PC, your username must be in one of the following formats:
AzureAD\user or AzureAD\user@domain .
Addressed some bugs affecting the usage of smart cards in a remote session.
Added support for changing the remote resolution by resizing the session window!
Fixed scenarios where remote resource feed download would take an excessively
long time.
Resolved the 0x207 error that could occur when connecting to servers not patched
with the CredSSP encryption oracle remediation update (CVE-2018-0886). The client
change only addresses the error; the vulnerability itself is fixed by patching the server.
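The CredSSP and NLA items above (the macOS EnforceCredSSPSupport user default, the EnableCredSspSupport and AuthenticationLevel RDP file settings, and Prompt for Credentials on Client) together decide whether the client authenticates the server and the user before a session starts. The following PowerShell function is an added example and is not code from the release notes or from Microsoft: it parses an RDP file and flags the combinations that weaken either check. The sample file content is constructed and its hostname is a placeholder.

```powershell
# Added example (not Microsoft's code): audit the authentication-related settings in an
# RDP file that the macOS client honours once ClientSettings.EnforceCredSSPSupport is 0.
# Runs in Windows PowerShell 5.1 and PowerShell 7 on any platform.

function ConvertFrom-RdpFile {
    param([Parameter(Mandatory)][string[]]$Lines)
    # RDP files are "name:type:value" lines; type is i (integer) or s (string).
    # Values may contain colons themselves (full address:s:host:3389), hence .* at the end.
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>[^:]+):(?<type>[is]):(?<value>.*)$') {
            $name = $Matches['name'].Trim().ToLowerInvariant()
            $settings[$name] = if ($Matches['type'] -eq 'i') { [int]$Matches['value'] } else { $Matches['value'] }
        }
    }
    return $settings
}

function Test-RdpFileSecurity {
    param([Parameter(Mandatory)][string[]]$Lines)
    $s = ConvertFrom-RdpFile -Lines $Lines
    $findings = [System.Collections.Generic.List[string]]::new()

    # enablecredsspsupport:i:0 turns CredSSP off, so the server cannot require Network
    # Level Authentication; the client gets as far as the remote Winlogon prompt unauthenticated.
    if ($s['enablecredsspsupport'] -eq 0) {
        $findings.Add('enablecredsspsupport:i:0 - CredSSP/NLA disabled; the remote sign-in screen is reachable without prior authentication')
    }
    # authentication level: 0 = connect silently if server authentication fails,
    # 1 = warn but allow the user to continue, 2 = refuse. Only 2 resists a bad certificate.
    $level = $s['authentication level']
    if ($level -eq 0) {
        $findings.Add('authentication level:i:0 - connects without warning when server authentication fails')
    } elseif ($level -eq 1) {
        $findings.Add('authentication level:i:1 - user can click through a server authentication failure')
    }
    # Per the release note, this setting is only honoured when NLA is not negotiated.
    if ($s['prompt for credentials on client'] -eq 1 -and $s['enablecredsspsupport'] -eq 0) {
        $findings.Add('prompt for credentials on client:i:1 - credentials are collected locally but never verified by NLA')
    }

    [pscustomobject]@{
        FullAddress = $s['full address']
        Findings    = $findings.ToArray()
        Hardened    = ($findings.Count -eq 0)
    }
}

# Constructed sample, typical of a file hand-edited to reach an old host; hostname is a placeholder.
$sample = @(
    'full address:s:legacy-rds.corp.example:3389',
    'enablecredsspsupport:i:0',
    'authentication level:i:0',
    'prompt for credentials on client:i:1'
)
$result = Test-RdpFileSecurity -Lines $sample
$result.Findings | ForEach-Object { Write-Warning $_ }
# A file with enablecredsspsupport:i:1 and authentication level:i:2 produces no findings.
```

On a Mac, `defaults read com.microsoft.rdc.macos ClientSettings.EnforceCredSSPSupport` shows whether the client will honour these RDP file values at all (it must be 0); the iOS client's option to disable NLA enforcement, noted later on this page, has the same effect. In both cases the findings above describe what an attacker on the path gains, so the setting belongs on a per-connection exception list rather than as a default.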
This article describes the latest updates for the Remote Desktop client for iOS and
iPadOS. To learn more about using the Remote Desktop client for iOS and iPadOS with
Azure Virtual Desktop, see Connect to Azure Virtual Desktop with the Remote Desktop
client for iOS and iPadOS and Use features of the Remote Desktop client for iOS and
iPadOS when connecting to Azure Virtual Desktop.
Updated the client connection path to fall back to TLS when NTLM isn't available in
the context of NLA.
Addressed an issue that prevented the hardware keyboard from working when
connected.
Added support for the new iPad models released in May 2024.
Bug fixes.
Note
As of this release, only iOS 16 and iPadOS 16 and later are supported.
Added support for dual monitors when using iPads with Stage Manager.
Addressed reported accessibility bugs.
Fixed some keyboard mappings that stopped working after the iOS 17 update.
Added support for displaying sessions on an external monitor. You can use this
new feature with iPad and iPhone using AirPlay or a physical cable.
Added support for location redirection. To use this feature, you need access to
your device location, and your session hosts must be running Windows 11 or later.
We changed the connection bar to always start expanded by default. You can
minimize the connection bar by dragging it to a corner of the screen. To return the
connection bar to its regular size, drag it to the center of the screen.
You can now dismiss all in-app messages by swiping downwards.
Fixed an issue that caused graphics to look distorted in Lock to Landscape mode.
In this release we made some tweaks around the behavior of the connection bar on
iPads and fixed some bugs to keep things running smoothly.
We fixed an issue that caused the connection bar to get stuck under the Stage
Manager ellipsis menu.
The connection bar will now be docked on the right side of the screen when you
turn your iPad on. The iOS client will also save the position you dock the connection
bar in across all your iPad and iPhone devices.
We moved the Add a PC or Workspace button to the center of the toolbar at the
bottom of the screen.
We also fixed some bugs and added some small additional features:
Note
As of this release, only iOS 15 and iPadOS 15 and later are supported.
Fixed a WebSocket transport bug that affected some Azure Virtual Desktop
deployments.
Addressed accessibility compliance issues.
In this release, we made targeted bug fixes and performance improvements, and also
added new features. Here's what we included:
You can now use Apple Pencil to draw, write, and interact with remote sessions.
You can now see a live preview of the current active session when switching to the
Connection Center from a remote session.
Gather logs for troubleshooting by going to Settings > Troubleshooting.
Review app highlights from previous versions by going to Settings > About >
Version Highlights.
We made some small appearance changes to the connection bar user interface.
We fixed issues that affected locking to landscape or portrait on iOS 16.
In this release, we resolved some bugs that impacted Azure Virtual Desktop deployment
connectivity. We also fixed an issue that caused external keyboard input to stop working
when you press Command+Tab to switch out of and return to the app.
This is a significant update with some new feature additions and lots of bug fixes and
improvements.
The biggest change in this release is that you can now dynamically change the
orientation of the remote session to either landscape or portrait mode while connected
to a machine running Windows 8.1, Windows Server 2012 R2 or later. You can set your
orientation preferences in Settings > Display.
To work seamlessly with dynamic orientation, we made updates to the following
experiences:
The in-session immersive switcher has a revamped look and feel, and can
accommodate both landscape and portrait orientation.
The on-screen keyboard has been redesigned to support portrait orientation.
The connecting UI now supports both landscape and portrait orientation.
The PC tab of the connection center now supports high-resolution thumbnails and
portrait snapshots.
Note
This release removes support for iOS 13 and is only compatible with iOS 14 and 15.
In this release we added support for the iPad Mini 6 and addressed an issue with Slide
Over windows and keyboard interaction. Thanks for all the feedback. We're working
hard to make this app great!
In this release, we added support for time zone redirection. This new feature fixes an
issue in Windows 11 remote sessions that caused the screen to flicker, making the
session unusable.
In this release, we worked around a 0x907 (mismatched certificate) error code that was
caused by third-party infrastructure returning an incorrect certificate in redirection
scenarios. We also made some updates to improve compatibility and performance
metrics when connecting to Azure Virtual Desktop (formerly known as Windows Virtual
Desktop).
In this release, we made some significant updates to the shared underlying code that
powers the Remote Desktop experience across all our clients. We also added some new
features and addressed bugs and crashes that were showing up in error reporting.
In this release, we made the following changes to the connection bar and in-session
user experience:
You can now collapse the connection bar by moving it into one of the four corners
of the screen.
On iPads and large iPhones you can dock the connection bar to the left or right
edge of the screen.
You can now see the zoom slider panel by pressing and holding the connection
bar magnification button. The new zoom slider controls the magnification level of
the session in both touch and mouse pointer mode.
We also addressed some accessibility bugs and the following two issues:
The client now validates the PC name in the Add/Edit PC UI to make sure the name
doesn't contain illegal characters.
Addressed an issue where the UI would stop resolving a workspace name during
subscription.
In this release, we fixed issues that caused crashes and interfered with the "Display
Zoom View" setting. We also tweaked the "Use Full Display" setting to only appear on
applicable iPads and adjusted the available resolutions for iPhones and iPads.
In this release, we addressed some bugs affecting users running iOS 14 and iPadOS 14.
In this release, we addressed some compatibility issues with iOS and iPadOS 14. In
addition, we made the following fixes and feature updates:
Addressed crashes on iOS and iPadOS 14 that happened when entering input on
keyboard.
Added the Cmd+S and Cmd+N shortcuts to access the "Add Workspace" and
"Add PC" processes, respectively.
Added the Cmd+F shortcut to invoke Search UI in the Connection Center.
Added the "Expand All" and "Collapse All" commands to the Workspaces tab.
Resolved a bug that caused a 0xD06 protocol error to happen while running
Outlook as a RemoteApp.
The on-screen keyboard will now disappear when you scroll through search results
in the Connection Center.
Updated the animation used when hovering over workspace icons with a mouse or
trackpad pointer on iPadOS 14.
We put together some bug fixes and small feature updates for this release. Here's what's
new:
Addressed an issue where the client would report a 0x5000007 error message
when trying to connect to an RD Gateway server.
User account passwords updated in the credential UI are now saved after
successfully signing in.
Addressed an issue where range and multi-select with the mouse or trackpad
(Shift+click and Ctrl+click) didn't work consistently.
Addressed a bug where apps displayed in the in-session switcher UI were out of
sync with the remote session.
Made some cosmetic changes to the layout of Connection Center workspace
headers.
Improved visibility of the on-screen keyboard buttons for dark backdrops.
Fixed a localization bug in the disconnect dialog.
We put together some bug fixes and feature updates for this release. Here's what's new:
The input mode (Mouse Pointer or Touch mode) is now global across all active PC
and RemoteApp connections.
Fixed an issue that prevented microphone redirection from working consistently.
Fixed a bug that caused audio output to play from the iPhone earpiece instead of
the internal speaker.
The client now supports automatically switching audio output between the iPhone
or iPad internal speakers, bluetooth speakers, and AirPods.
Audio now continues to play in the background when switching away from the
client or locking the device.
The input mode automatically switches to Touch mode when using a SwiftPoint
mouse on iPhones or iPads that aren't running iPadOS 13.4 or later.
Addressed graphics output issues that occurred when the server was configured to
use AVC444 full screen mode.
Fixed some VoiceOver bugs.
Panning around a zoomed-in session with an external mouse or trackpad now
works differently. To pan in a zoomed-in session with an external mouse or
trackpad, select the pan knob, then drag your mouse cursor away while still
holding the mouse button. To pan around in Touch mode, press on the pan knob,
then move your finger. The session will stick to your finger and follow it around.
In Mouse Pointer mode, push the virtual mouse cursor against the sides of the
screen.
Updates for version 10.1.2
Published 8/17/2020
Fixed a crash that occurred for some users when subscribing to an Azure Virtual
Desktop feed using non-brokered authentication.
Fixed the layout of workspace icons on the iPhone X, iPhone XS, and iPhone 11
Pro.
If you're using iPadOS 13.4 or later, you can now control the remote session with
a mouse or trackpad.
The client now supports the following Apple Magic Mouse 2 and Apple Magic
Trackpad 2 gestures: left-click, left-drag, right-click, right-drag, horizontal and
vertical scrolling, and local zooming.
For external mice, the client now supports left-click, left-drag, right-click, right-
drag, middle-click, and vertical scrolling.
The client now supports keyboard shortcuts that use Ctrl, Alt, or Shift keys with the
mouse or trackpad, including multi-select and range-select.
The client now supports the "Tap-to-Click" feature for the trackpad.
We updated the Mouse Pointer mode's right-click gesture to press-and-hold (not
press-and-hold-and-release). On the iPhone client we added taptic feedback when
we detect the right-click gesture.
Added an option to disable NLA enforcement under iOS Settings > RD Client.
Mapped Control+Shift+Escape to Ctrl+Shift+Esc, where Escape is generated using
a remapped key on iPadOS or Command+.
Mapped Command+F to Ctrl+F.
Fixed an issue where the SwiftPoint middle mouse button didn't work in iPadOS
version 13.3.1 or earlier and iOS.
Fixed some bugs that prevented the client from recognizing the "rdp:" URI.
Addressed an issue where the in-session Immersive Switcher UI showed outdated
app entries if a disconnect was server-initiated.
The client now supports the Azure Resource Manager-integrated version of Azure
Virtual Desktop.
In this update we added the ability to sort the PC list view (available on iPhone) by name
or time last connected.
We put together some bug fixes and feature updates for this release. Here's what's new:
Launched RDP files are now automatically imported (look for the toggle in General
settings).
You can now launch iCloud-based RDP files that haven't been downloaded in the
Files app yet.
The remote session can now extend underneath the Home indicator on iPhones
(look for the toggle in Display settings).
Added support for typing composite characters with multiple keystrokes, such as é.
Added support for the iPad on-screen floating keyboard.
Added support for adjusting properties of redirected cameras from a remote
session.
Fixed a bug in the gesture recognizer that caused the client to become
unresponsive when connected to a remote session.
You can now enter App Switching mode with a single swipe up (except when
you're in Touch mode with the session extended into the Home indicator area).
The Home indicator will now automatically hide when connected to a remote
session, and will reappear when you tap the screen.
Added a keyboard shortcut to get to app settings in the Connection Center
(Command + ,).
Added a keyboard shortcut to refresh all workspaces in the Connection Center
(Command + R).
Hooked up the system keyboard shortcut for Escape when connected to a remote
session (Command + .).
Fixed scenarios where the Windows on-screen keyboard in the remote session was
too small.
Implemented auto-keyboard focus throughout the Connection Center to make
data entry more seamless.
Pressing Enter at a credential prompt now results in the prompt being dismissed
and the current flow resuming.
Fixed a scenario where the client would crash when pressing Shift + Option + Left,
Up, or Down arrow key.
Fixed a crash that occurred when removing a SwiftPoint device.
Fixed other crashes reported to us by users since the last release.
Support for launching connections from RDP files and RDP URIs.
Workspace headers are now collapsible.
Zooming and panning at the same time is now supported in Mouse Pointer mode.
A press-and-hold gesture in Mouse Pointer mode will now trigger a right-click in
the remote session.
Removed force-touch gesture for right-click in Mouse Pointer mode.
The in-session switcher screen now supports disconnecting, even if no apps are
connected.
Light dismiss is now supported in the in-session switcher screen.
PCs and apps are no longer automatically reordered in the in-session switcher
screen.
Enlarged the hit test area for the PC thumbnail view ellipses menu.
The Input Devices settings page now contains a link to supported devices.
Fixed a bug that caused the Bluetooth permissions UI to repeatedly appear at
launch for some users.
Fixed other crashes reported to us by users since the last release.
In this article you'll learn about the latest updates for the Remote Desktop client for
Android and Chrome OS. To learn more about using the Remote Desktop client for
Android and Chrome OS with Azure Virtual Desktop, see Connect to Azure Virtual
Desktop with the Remote Desktop client for Android and Chrome OS and Use features
of the Remote Desktop client for Android and Chrome OS when connecting to Azure
Virtual Desktop.
Added support for client-side IMEs when using built-in and onscreen keyboards.
Added a prompt for credentials when subscribing to a workspace.
Improved Azure Virtual Desktop workspace download performance to prevent
throttling.
Fixed an issue where incorrect command icons would appear in the UI.
Changed the client icon to distinguish it from the new client currently in preview.
Prepared the client to support settings and connections transfer to the new client.
This article provides information about the latest updates to the Remote Desktop
WebRTC Redirector Service for Teams for Azure Virtual Desktop, which you can
download at Remote Desktop WebRTC Redirector Service .
Fixed an Outlook Window Sharing Privacy issue to correctly stop window sharing
when the shared window is closed.
Fixed a freeze issue that occurred when starting screen sharing in GCCH.
Improved the video encoding adjustments for smoother streams.
Updates for version 1.50.2402.29001
Published: March 25, 2024
Fixed an issue that caused Teams audio to not apply remote volume changes or
mute when using the new Teams client.
Fixed an issue that caused Teams to stop responding when the user tries to use the
Give/Take Control feature after sharing their screen through chat.
Fixed an issue that caused users to be able to control hidden window regions while
application window sharing when using the Give/Take Control feature.
Added support for Teams optimization reinitialization upon virtual machine (VM)
hibernate and resume.
If a user is sharing a PowerPoint edit window then selects Present, the shared
window will automatically switch to the PowerPoint presentation window.
Improved WebRTC redirector service reliability and performance handling.
Fixed an issue where the diagnostic overlay hotkey (Ctrl+Shift+;) caused
hotkeys to be disabled for non-Teams applications during Teams calls.
Fixed an issue where a race condition caused a loss of audio during Teams calls.
Support for non-Latin characters for window names in the application window
share tray.
Fixed an issue that made the WebRTC redirector service disconnect from Teams on
Azure Virtual Desktop.
Added keyboard shortcut detection for Shift+Ctrl+; that lets users turn on a
diagnostic overlay during calls on Teams for Azure Virtual Desktop. This feature is
supported in version 1.2.3313 or later of the Windows Desktop client.
Added further stability and reliability improvements to the service.
Fixed an issue that caused the screen to turn black while screen sharing. If you've
been experiencing this issue, confirm that this update will resolve it by resizing the
Teams window. If screen sharing starts working again after resizing, the update will
resolve this issue.
You can now control the meeting, ringtone, and notification volume from the host
VM. You can only use this feature with version 1.2.2459 or later of the Windows
Desktop client.
The installer will now make sure that Teams is closed before installing updates.
Fixed an issue that prevented users from returning to full screen mode after
leaving the call window.
Increased the connection reliability between the WebRTC redirector service and the
WebRTC client plugin.
Fixed an issue where minimizing the Teams app during a call or meeting caused
incoming video to drop.
Added support for selecting one monitor to share in multi-monitor desktop
sessions.
Next steps
Learn more about how to set up Teams on Azure Virtual Desktop at Use Microsoft
Teams on Azure Virtual Desktop.
Learn about known issues, limitations, and how to log issues at Troubleshoot Teams on
Azure Virtual Desktop.
This article details information about the latest updates for Windows App for Windows,
macOS, iOS and iPadOS, and web browsers.
To learn how to connect to Azure Virtual Desktop, Windows 365, Microsoft Dev Box,
Remote Desktop Services, and a remote PC, see Get started with Windows App.
Windows
Latest release
The following table lists the current versions available:
Release   Latest version   Download
Public    2.0.297.0        Download Windows App from the Microsoft Store. To learn more, see Get started with Windows App. Direct download (version 2.0.297.0): Windows 64-bit, Windows 32-bit, Windows Arm64.
Insider   2.0.317.0        Download Windows App from the Microsoft Store. To learn more, see Get started with Windows App. Direct download version: 2.0.297.0.
Important
Administrators: you won't receive automatic updates at this time when
downloading Windows App from the direct links in environments where the
Microsoft Store is blocked. To update Windows App to new versions, return to
this article and use the same direct links.
Tip
The rollout of an update is phased over the course of a week, so some users
might receive the update later than others.
Note
This version replaced the Insider version 2.0.304.0. Changes noted above
reflect all changes for these versions.
Version 2.0.297.0
Date published: October 8, 2024
Version 2.0.294.0
Date published: September 24, 2024
Experience improvements:
Support for Windows 365 connections in GCC environment.
Removed the preview toggle, which prevents switching back to the
previous Windows 365 user interface.
Show the underlying client version number in Windows App settings.
Made an improvement so that a new session window doesn't become the
focused window.
Fixes:
Fixed an authentication error when switching accounts in which a user gets
stuck if they're prompted for interactive sign in and don't remember their
password.
Fixed a tooltip not showing for the close button in the Pin to taskbar dialog
box.
Fixed the refresh of remote resources taking a long time.
Fixed a bug to ensure that the screen mode ID setting in the underlying
.rdp file is honored.
Fixed an issue where Microsoft Teams rendered into the wrong window
when multiple remote session windows are open.
Fixed an issue where Windows App crashed for users who have Windows N
SKUs without the media framework.
Addressed an issue, reducing the chance of encountering the error Low
virtual memory on reconnect attempts.
Version 1.3.278.0
Date published: August 26, 2024
Experience improvements:
There's now a button to refresh your resources on the Devices and Apps
tabs, and also on the Home tab when there are pinned resources.
Added an option to view the Devices and Apps tabs in list view or grid
view.
Improved the discoverability of display settings when default settings are
used.
Stability and security improvements for printer redirection.
Improved the experience for single sign-on (SSO) lock screen dialogs.
Fixes:
Fixed an issue with SSO login failure.
Fixed an issue that caused Windows App to crash on disconnect.
Fixed an issue where Windows App didn't restart after installing updates.
Fixed an issue where Windows App crashed when double clicking on the
Pin to Taskbar Cloud PC icon.
Version 1.3.272.0
Date published: August 14, 2024
Version 1.3.264.0
Date published: July 13, 2024
Version 1.3.259.0
Date published: July 3, 2024
Fixed an issue where Windows App crashed when it couldn't access certain
required endpoints.
Version 1.3.252.0
Date published: May 21, 2024
Version 1.3.241.0
Date published: April 8, 2024
Fixed an issue where Windows App would crash when there was no network
connection.
Improved error messages for Windows 365 Boot.
Added support for automatic retry/reconnect in Windows 365 Boot when the
device goes to sleep, or with other disconnections.
Fixed an issue that caused an Azure Virtual Desktop RemoteApp window to
appear stretched.
Introduced a countdown timer on the Windows 365 Boot interstitial screen
that closes Windows App when it reaches zero.
Improved client logging, diagnostics, and error classification to help
administrators troubleshoot connection and feed issues.
Version 1.3.233.0
Date published: March 1, 2024
Version 1.3.212.0
Date published: January 22, 2024
Version 1.3.205.0
Date published: November 24, 2023
On the account sign-in screen, we've clarified that you can sign in with work
or school accounts.
Minor updates to the user interface.
Version 1.3.204.0
Date published: November 15, 2023
Initial release.
Tutorial: Deploy a sample Azure Virtual
Desktop infrastructure with a Windows
11 desktop
Article • 10/26/2023
Azure Virtual Desktop enables you to access desktops and applications from virtually
anywhere. This tutorial shows you how to deploy a Windows 11 Enterprise desktop in
Azure Virtual Desktop using the Azure portal and how to connect to it. To learn more
about the terminology used for Azure Virtual Desktop, see Azure Virtual Desktop
terminology and What is Azure Virtual Desktop?
Tip
This tutorial shows a simple way you can get started with Azure Virtual Desktop. It
doesn't provide an in-depth guide of the different options and you can't publish a
RemoteApp in addition to the desktop. For a more in-depth and adaptable
approach to deploying Azure Virtual Desktop, see Deploy Azure Virtual Desktop,
or for suggestions of what else you can configure, see the articles we list in Next
steps.
Prerequisites
You need:
An Azure account assigned at least the following built-in role-based access
control (RBAC) roles on the subscription, or on a resource group. For more
information, see Assign Azure roles using the Azure portal. If you want to assign
the roles to a resource group, you need to create the resource group first.
Alternatively if you already have the Contributor or Owner RBAC role, you're
already able to create all of these resource types.
A virtual network in the same Azure region you want to deploy your session hosts
to.
A user account in Microsoft Entra ID you can use for connecting to the desktop.
This account must be assigned the Virtual Machine User Login or Virtual Machine
Administrator Login RBAC role on the subscription. Alternatively you can assign the
role to the account on the session host VM or the resource group containing the
VM after deployment.
A Remote Desktop client installed on your device to connect to the desktop. You
can find a list of supported clients in Remote Desktop clients for Azure Virtual
Desktop. Alternatively you can use the Remote Desktop Web client, which you can
use through a supported web browser without installing any extra software.
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. From the Azure Virtual Desktop overview page, select Create a host pool.
Parameter: Value/Description

Project details
Subscription: Select the subscription you want to deploy your host pool, session hosts, workspace, and application group in from the drop-down list.
Resource group: Select an existing resource group or select Create new and enter a name.
Host pool name: Enter a name for the host pool, for example hp01.
Location: Select the Azure region from the list where you want to create your host pool, workspace, and application group.
Validation environment: Select No. This setting enables your host pool to receive service updates before all other production host pools, but isn't needed for this tutorial.
Preferred app group type: Select Desktop. With this personal host pool, you publish a desktop, but you can't also add a RemoteApp application group for the same host pool to also publish applications. See Next steps for more advanced scenarios.
Host pool type: Select Personal. This means that end users have a dedicated assigned session host that they always connect to. Selecting Personal shows a new option for Assignment type.
Parameter: Value/Description

Add Azure virtual machines: Select Yes. This shows several new options.
Resource group: This automatically defaults to the resource group you chose your host pool to be in on the Basics tab.
Name prefix: Enter a name for your session hosts, for example hp01-sh. This name prefix is used as the prefix for your session host VMs. Each session host has a suffix of a hyphen and then a sequential number added to the end, for example hp01-sh-0.
Virtual machine location: Select the Azure region where you want to deploy your session host VMs. It must be the same region that your virtual network is in.
Availability options: Select No infrastructure redundancy required. This means that your session host VMs aren't deployed in an availability set or in availability zones.
Security type: Select Trusted launch virtual machines. Leave the subsequent defaults of Enable secure boot and Enable vTPM checked, and Integrity monitoring unchecked. For more information, see Trusted launch.
Virtual machine size: Accept the default SKU. If you want to use a different SKU, select Change size, then select from the list.
Number of VMs: Enter 1 as a minimum. You can deploy up to 500 session host VMs at this point if you wish, or you can add more separately. With a personal host pool, each session host can only be assigned to one user, so you need one session host for each user connecting to this host pool. Once you've completed this tutorial, you can create a pooled host pool, where multiple users can connect to the same session host.

Network and security
Virtual network: Select your virtual network and subnet to connect session hosts to.
Public inbound ports: Select No as you don't need to open inbound ports to connect to Azure Virtual Desktop. Learn more at Understanding Azure Virtual Desktop network connectivity.

Domain to join

Virtual Machine Administrator account
Username: Enter a name to use as the local administrator account for these session host VMs.

Custom configuration
Parameter: Value/Description

Register desktop app group: Select Yes. This registers the default desktop application group to the selected workspace.
To this workspace: Select Create new and enter a name, for example ws01.
Once you've completed this tab, select Next: Review + create. You don't need to
complete the other tabs.
7. On the Review + create tab, ensure validation passes and review the information
that is used during deployment. If validation doesn't pass, review the error
message and check what you entered in each tab.
8. Select Create. A host pool, workspace, application group, and session host are
created. Once your deployment is complete, select Go to resource to go to the
host pool overview.
9. Finally, from the host pool overview, select Session hosts and verify the status of
the session hosts is Available.
2. Select the application group from the list, for example hp01-DAG.
4. Select + Add, then search for and select the user account you want to be assigned
to this application group.
Tip
To enable connections from all of the Remote Desktop clients to the Microsoft Entra
joined session hosts, you need to add an RDP property to your host pool configuration.
3. In the RDP Properties box, add targetisaadjoined:i:1; to the start of the text in
the box.
4. Select Save.
Important
Make sure the user account you're using to connect has been assigned the Virtual
Machine User Login or Virtual Machine Administrator Login RBAC role on the
subscription, session host VM, or the resource group containing the VM, as
mentioned in the prerequisites, else you won't be able to connect.
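The portal steps above (host pool, application group and workspace, user assignment, the targetisaadjoined RDP property, and the sign-in role from the prerequisites) can also be done from PowerShell, which this page lists among the supported management interfaces. The script below is an added example, not the tutorial's own content or Microsoft's code. It assumes the Az.Accounts, Az.Resources and Az.DesktopVirtualization modules; the resource group name, region and user principal name are placeholders, and the names hp01, ws01 and hp01-DAG come from the tutorial. It does not create the session host VMs (the portal's Virtual Machines tab does that), so it ends by issuing the registration token those VMs need.

```powershell
# Added example, not part of the tutorial or Microsoft's code: the host pool, application
# group, workspace, RDP property and role assignments from the portal steps, scripted with
# Az.Accounts, Az.Resources and Az.DesktopVirtualization. Session host VMs are not created
# here; the registration token at the end is what a session host needs to join the pool.
#Requires -Modules Az.Accounts, Az.Resources, Az.DesktopVirtualization
param(
    [string]$ResourceGroupName = 'rg-avd-tutorial',       # assumed name
    [string]$Location          = 'westeurope',             # assumed; must match the VNet region
    [string]$HostPoolName      = 'hp01',                   # names from the tutorial
    [string]$WorkspaceName     = 'ws01',
    [string]$UserPrincipalName = 'alice@contoso.example'   # assumed Microsoft Entra user
)

if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Force | Out-Null

# Basics tab: personal host pool, automatic assignment, not a validation environment.
$hostPool = New-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
    -Location $Location -HostPoolType Personal -PersonalDesktopAssignmentType Automatic `
    -LoadBalancerType Persistent -PreferredAppGroupType Desktop -ValidationEnvironment:$false

# Workspace tab: the desktop application group (portal name <hostpool>-DAG) registered to ws01.
$dag = New-AzWvdApplicationGroup -ResourceGroupName $ResourceGroupName -Name "$HostPoolName-DAG" `
    -Location $Location -HostPoolArmPath $hostPool.Id -ApplicationGroupType Desktop
New-AzWvdWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName `
    -Location $Location -ApplicationGroupReference $dag.Id | Out-Null

# RDP Properties step: prepend targetisaadjoined:i:1; to whatever is already set so that all
# Remote Desktop clients can reach Microsoft Entra joined session hosts. Safe to re-run.
$existing = (Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName).CustomRdpProperty
if ($existing -notmatch 'targetisaadjoined:i:1') {
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
        -CustomRdpProperty ('targetisaadjoined:i:1;' + $existing) | Out-Null
}

# Assign users step plus the prerequisite sign-in role, each at the narrowest scope the
# tutorial offers: the application group itself, and the resource group that holds the VMs.
New-AzRoleAssignment -SignInName $UserPrincipalName -RoleDefinitionName 'Desktop Virtualization User' `
    -Scope $dag.Id | Out-Null
New-AzRoleAssignment -SignInName $UserPrincipalName -RoleDefinitionName 'Virtual Machine User Login' `
    -ResourceGroupName $ResourceGroupName | Out-Null

# Registration token for the session host VMs: short-lived, and a secret while it is valid.
$reg = New-AzWvdRegistrationInfo -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName `
    -ExpirationTime (Get-Date).ToUniversalTime().AddHours(2).ToString('o')
"Host pool $HostPoolName ready; registration token valid until $($reg.ExpirationTime)"
```

Two choices are deliberate. The role assignments go on the application group and the resource group rather than the subscription, which is the least privilege the tutorial's prerequisites allow. The registration token is requested with a two-hour expiry and never written to disk; anyone holding a valid token can register a machine into the host pool, so treat it like a credential.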
Select the relevant tab and follow the steps, depending on which Remote Desktop client
you're using. We've only listed the steps here for Windows, Web and macOS, but if you
want to connect using one of our other Remote Desktop clients, see Remote Desktop
clients for Azure Virtual Desktop.
Windows
2. Select the three dots in the top right-hand corner, then select Subscribe with
URL.
4. Select Next.
5. Sign in with the user account you assigned to the application group. After a
few seconds, the workspace should show with an icon named
SessionDesktop.
Publish applications.
User profile management for Azure Virtual Desktop with FSLogix profile containers.
Configure single sign-on for Azure Virtual Desktop using Microsoft Entra
authentication.
You can deploy Azure Virtual Desktop to be tailored to your requirements, depending
on many factors like end-users, the existing infrastructure of the organization deploying
the service, and so on. How do you make sure you meet your organization's needs?
This article provides guidance for your Azure Virtual Desktop deployment structure. The
examples listed in this article aren't the only possible ways you can deploy Azure Virtual
Desktop. However, we do cover two of the most basic types of deployments for internal
or external commercial purposes.
These components are the most basic requirements for an Azure Virtual Desktop
deployment that can serve desktops and applications to users within your organization:
However, you can also deploy Azure Virtual Desktop with multiple host pools that offer
different applications to different groups of users.
Some customers choose to create separate Azure subscriptions to store each Azure
Virtual Desktop deployment in. This practice lets you distinguish the cost of each
deployment from each other based on the sub-organizations they provide resources to.
Others choose to use Azure billing scopes to distinguish costs at a more granular level.
To learn more, see Understand and work with scopes.
Licensing Azure Virtual Desktop works differently for internal and external commercial
purposes. If you're providing Azure Virtual Desktop access for internal commercial
purposes, you must purchase an eligible license for each user that accesses Azure Virtual
Desktop. You can't use per-user access pricing for internal commercial purposes. To
learn more about the different licensing options, see License Azure Virtual Desktop.
Azure Virtual Desktop doesn't currently support external identities, including business-
to-business (B2B) or business-to-client (B2C) users. You need to create and manage
these identities manually and provide the credentials to your users yourself. Users then
use these identities to access resources in Azure Virtual Desktop.
If you're providing Azure Virtual Desktop access for external commercial purposes, per-
user access pricing lets you pay for Azure Virtual Desktop access rights on behalf of
external users. You must enroll in per-user access pricing to build a compliant
deployment for external users. You pay for per-user access pricing through an Azure
subscription. To learn more about the different licensing options, see License Azure
Virtual Desktop.
Next steps
To learn more about licensing Azure Virtual Desktop, see License Azure Virtual
Desktop.
Learn how to Enroll in per-user access pricing.
Understand and estimate costs for Azure Virtual Desktop.
Azure Virtual Desktop costs come from two sources: underlying Azure resource
consumption and licensing. Azure Virtual Desktop costs are charged to the organization
that owns the Azure Virtual Desktop deployment, not the end-users accessing the
deployment resources. Some licensing charges must be paid in advance. Azure meters
track other licenses and the underlying resource consumption charges based on your
usage.
The organization who pays for Azure Virtual Desktop is responsible for handling the
resource management and costs. If the owner no longer needs resources connected to
their Azure Virtual Desktop deployment, they should ensure those resources are
properly removed. For more information, see How to manage Azure resources by using
the Azure portal.
This article explains consumption and licensing costs, and how to estimate service costs
before deploying Azure Virtual Desktop.
Of the charges for these components, virtual machine instances usually cost the most.
To mitigate compute costs and optimize resource demand with availability, you can use
autoscale to automatically scale session hosts based on demand and time. You can also
use Azure savings plans or Azure reserved VM instances to reduce compute costs.
Microsoft Entra ID only | Free tier available, licensed tiers for some features, such as conditional access.
Microsoft Entra ID + Microsoft Entra Domain Services | Microsoft Entra ID and Microsoft Entra Domain Services,
Azure Virtual Desktop Insights | Log data in Azure Monitor. For more information, see Estimate Azure Virtual Desktop Insights costs.
App attach | Application storage, such as Azure Files or Azure NetApp Files.
FSLogix profile container | User profile storage, such as Azure Files or Azure NetApp Files.
Custom image templates | Storage and network costs for managed disks and bandwidth.
Licensing costs
In the context of providing virtualized infrastructure with Azure Virtual Desktop, internal
users (for internal commercial purposes) refers to people who are members of your own
organization, such as employees of a business or students of a school, including external
vendors or contractors. External users (for external commercial purposes) aren't
members of your organization, but your customers where you might provide a
Software-as-a-Service (SaaS) application using Azure Virtual Desktop.
Licensing Azure Virtual Desktop works differently for internal and external commercial
purposes:
To learn more about the different options, see License Azure Virtual Desktop.
2. Select the Compute tab to show the Azure Pricing Calculator compute options.
3. Select Azure Virtual Desktop. The Azure Virtual Desktop calculator module should
appear.
4. Enter the values for your deployment into the fields to estimate your monthly
Azure bill based on:
Note
The Azure Pricing Calculator Azure Virtual Desktop module can only estimate
consumption costs for session host VMs and the aggregate additional storage of
any optional Azure Virtual Desktop features requiring storage that you choose to
deploy. Your total cost may also include egress network traffic to Microsoft 365
services, such as OneDrive for Business or Exchange Online. However, you can add
estimates for other Azure Virtual Desktop features in separate modules within the
same Azure Pricing calculator page to get a more complete or modular cost
estimate.
If you're using per-user access pricing, costs appear each billing cycle on the Azure
billing invoice for any enrolled subscription, alongside consumption costs and other
Azure charges.
If you use Azure Virtual Desktop Insights, you can gain a detailed understanding of how
Azure Virtual Desktop is being used in your organization. You can use this information
to help you optimize your Azure Virtual Desktop deployment and reduce costs.
Next steps
Learn how to license Azure Virtual Desktop.
Tag Azure Virtual Desktop resources to manage costs.
Use Azure Virtual Desktop Insights.
This article explains the licensing requirements for using Azure Virtual Desktop, whether
you're providing desktops or applications to users in your organization, or to external
users. This article shows you how licensing Azure Virtual Desktop for external
commercial purposes is different than for internal purposes, how per-user access pricing
works in detail, and how you can license other products you plan to use with Azure
Virtual Desktop.
Note
Take care not to confuse external users with external identities. Azure Virtual
Desktop doesn't support external identities, including external guest accounts or
business-to-business (B2B) identities. Whether you're serving internal commercial
purposes or external users with Azure Virtual Desktop, you'll need to create and
manage identities for those users yourself. For more information, see
Recommendations for deploying Azure Virtual Desktop for internal or external
commercial purposes.
Licensing Azure Virtual Desktop works differently for internal and external commercial
purposes. Consider the following examples:
A manufacturing company called Fabrikam, Inc. might use Azure Virtual Desktop to
provide Fabrikam's employees (internal users) with access to virtual workstations
and line-of-business apps. Because Fabrikam is serving internal users, Fabrikam
must purchase one of the eligible licenses listed in Azure Virtual Desktop pricing
for each of their employees that access Azure Virtual Desktop.
A retail company called Wingtip Toys might use Azure Virtual Desktop to provide
an external contractor company (external users) with access to line-of-business
apps. Because these external users are serving internal purposes, Wingtip Toys
must purchase one of the eligible licenses listed in Azure Virtual Desktop pricing
for each of their contractors that access Azure Virtual Desktop. Per-user access
pricing isn't applicable in this scenario.
A software vendor called Contoso might use Azure Virtual Desktop to sell remote
access of Contoso's productivity app to Contoso's customers (external users).
Because Contoso is serving external users for external commercial purposes,
Contoso must enroll in Azure Virtual Desktop's per-user access pricing. This
enables Contoso to pay for Azure Virtual Desktop access rights on behalf of those
external users who connect to Contoso's deployment. The users don't need a
separate license like Microsoft 365 to access Azure Virtual Desktop. Contoso still
needs to create and manage identities for those external users.
Important
Per-user access pricing can only be used for external commercial purposes, not
internal purposes. Per-user access pricing isn't a way to enable external guest user
accounts with Azure Virtual Desktop. Check whether your Azure Virtual Desktop solution
is applicable for per-user access pricing by reviewing our licensing documentation.
Operating system (64-bit only) | Licensing method (Internal commercial purposes) | Licensing method (External commercial purposes)
Windows 11 Enterprise multi-session, Windows 11 Enterprise, Windows 10 Enterprise multi-session, Windows 10 Enterprise | Microsoft 365 E3, E5, A3, A5, F3, Business Premium, Student Use Benefit; Windows Enterprise E3, E5; Windows Education A3, A5; Windows VDA per user | Per-user access pricing by enrolling an Azure subscription.
You pay for per-user access pricing through your enrolled Azure subscription or
subscriptions on top of your charges for virtual machines, storage, and other Azure
services. Each billing cycle, you only pay for users who actually used the service. Only
users that connect at least once in that month to Azure Virtual Desktop incur an access
charge.
There are two price tiers for Azure Virtual Desktop per-user access pricing. Charges are
determined automatically each billing cycle based on the type of application groups a
user connected to. Each price tier has flat per-user access charges. For example, a user
incurs the same charge to your subscription no matter when or how many hours they
used the service during that billing cycle. If a user doesn't access a RemoteApp or
desktop, then there's no charge.
Apps | A flat price is charged for each user who accesses at least one published RemoteApp, but doesn't access a published full desktop.
Desktops + apps | A flat price is charged for each user who accesses at least one published full desktop. The user can also access published applications.
For more information about prices, see Azure Virtual Desktop pricing.
Important
Azure Virtual Desktop will also charge users with separate assigned licenses that
otherwise entitle them to Azure Virtual Desktop access. If you have internal users
you're purchasing eligible licenses for, we recommend you give them access to
Azure Virtual Desktop through a separate subscription that isn't enrolled in per-
user access pricing to avoid effectively paying twice for those users.
Azure Virtual Desktop issues at most one access charge for a given user in a given
billing period. For example, if you grant the user Alice access to Azure Virtual Desktop
resources across two different Azure subscriptions in the same tenant, only the first
subscription accessed by Alice incurs a usage charge.
To learn how to enroll an Azure subscription for per-user access pricing, see Enroll in
per-user access pricing.
There are a few ways to enable your external users to access Office:
Component | Eligible Windows, Microsoft 365, or RDS license | Per-user access pricing
Access rights | Internal purposes only. It doesn't grant permission for external commercial purposes, not even identities you create in your own Microsoft Entra tenant. | External commercial purposes only. It doesn't grant access to members of your own organization or contractors for internal business purposes.
User behavior | Fixed cost per user each month regardless of user behavior. | Cost per user each month depends on user behavior.
Next steps
Now that you're familiar with your licensing pricing options, you can start planning your
Azure Virtual Desktop environment. Here are some articles that might help you:
In this article, we'll give you a brief overview of what kinds of identities and
authentication methods you can use in Azure Virtual Desktop.
Identities
Azure Virtual Desktop supports different types of identities depending on which
configuration you choose. This section explains which identities you can use for each
configuration.
Important
Azure Virtual Desktop doesn't support signing in to Microsoft Entra ID with one
user account, then signing in to Windows with a separate user account. Signing in
with two different accounts at the same time can lead to users reconnecting to the
wrong session host, incorrect or missing information in the Azure portal, and error
messages appearing while using app attach or MSIX app attach.
On-premises identity
Since users must be discoverable through Microsoft Entra ID to access the Azure Virtual
Desktop, user identities that exist only in Active Directory Domain Services (AD DS)
aren't supported. This includes standalone Active Directory deployments with Active
Directory Federation Services (AD FS).
Hybrid identity
Azure Virtual Desktop supports hybrid identities through Microsoft Entra ID, including
those federated using AD FS. You can manage these user identities in AD DS and sync
them to Microsoft Entra ID using Microsoft Entra Connect. You can also use Microsoft
Entra ID to manage these identities and sync them to Microsoft Entra Domain Services.
When accessing Azure Virtual Desktop using hybrid identities, sometimes the User
Principal Name (UPN) or Security Identifier (SID) for the user in Active Directory (AD) and
Microsoft Entra ID don't match. For example, the AD account [email protected] may
correspond to [email protected] in Microsoft Entra ID. Azure Virtual Desktop only
supports this type of configuration if either the UPN or SID for both your AD and
Microsoft Entra ID accounts match. SID refers to the user object property "ObjectSID" in
AD and "OnPremisesSecurityIdentifier" in Microsoft Entra ID.
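The UPN-or-SID rule above is easy to verify per account before users are assigned. The following is an added example, not code from the article or from Microsoft; it assumes the ActiveDirectory (RSAT) and Microsoft.Graph.Users modules, an existing Connect-MgGraph session with User.Read.All, and placeholder account names.

```powershell
# Added example (not from the article). Checks one hybrid user against the rule above:
# Azure Virtual Desktop needs either the UPN or the SID to match between AD DS and
# Microsoft Entra ID. Assumes the ActiveDirectory module and Microsoft.Graph.Users with
# a Connect-MgGraph session granted User.Read.All. Account names are placeholders.
function Test-AvdHybridIdentityMatch {
    param(
        [Parameter(Mandatory)] [string] $AdIdentity,             # sAMAccountName or DN in AD DS
        [Parameter(Mandatory)] [string] $EntraUserPrincipalName  # UPN of the synced cloud object
    )
    # Get-ADUser returns UserPrincipalName and SID (the objectSid attribute) by default.
    $ad    = Get-ADUser -Identity $AdIdentity
    # OnPremisesSecurityIdentifier is the synced AD SID stored on the Entra ID user.
    $cloud = Get-MgUser -UserId $EntraUserPrincipalName -Property UserPrincipalName, OnPremisesSecurityIdentifier

    $upnMatch = $ad.UserPrincipalName -and ($ad.UserPrincipalName -ieq $cloud.UserPrincipalName)
    $sidMatch = $cloud.OnPremisesSecurityIdentifier -and ($ad.SID.Value -eq $cloud.OnPremisesSecurityIdentifier)

    [pscustomobject]@{
        AdUpn     = $ad.UserPrincipalName
        EntraUpn  = $cloud.UserPrincipalName
        AdSid     = $ad.SID.Value
        EntraSid  = $cloud.OnPremisesSecurityIdentifier
        UpnMatch  = [bool]$upnMatch
        SidMatch  = [bool]$sidMatch
        # False means neither identifier lines up, so the account is unsupported for AVD.
        Supported = [bool]($upnMatch -or $sidMatch)
    }
}

# Placeholder account; replace with a real hybrid user.
Test-AvdHybridIdentityMatch -AdIdentity 'jdoe' -EntraUserPrincipalName 'jdoe@contoso.com'
```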
Cloud-only identity
Azure Virtual Desktop supports cloud-only identities when using Microsoft Entra joined
VMs. These users are created and managed directly in Microsoft Entra ID.
Note
You can also assign hybrid identities to Azure Virtual Desktop application groups
whose session hosts have the join type Microsoft Entra joined.
Federated identity
If you're using a third-party Identity Provider (IdP), other than Microsoft Entra ID or
Active Directory Domain Services, to manage your user accounts, you must ensure that:
External identity
Azure Virtual Desktop currently doesn't support external identities.
Authentication methods
When accessing Azure Virtual Desktop resources, there are three separate
authentication phases:
For the list of credentials available on the different clients for each authentication
phase, compare the clients across platforms.
Important
In order for authentication to work properly, your local machine must also be able
to access the required URLs for Remote Desktop clients.
Multifactor authentication
Follow the instructions in Enforce Microsoft Entra multifactor authentication for Azure
Virtual Desktop using Conditional Access to learn how to enforce Microsoft Entra
multifactor authentication for your deployment. That article will also tell you how to
configure how often your users are prompted to enter their credentials. When deploying
Microsoft Entra joined VMs, note the extra steps for Microsoft Entra joined session host
VMs.
Passwordless authentication
You can use any authentication type supported by Microsoft Entra ID, such as Windows
Hello for Business and other passwordless authentication options (for example, FIDO
keys), to authenticate to the service.
Azure Virtual Desktop also supports SSO using Active Directory Federation Services (AD
FS) for the Windows Desktop and web clients.
Without SSO, the client prompts users for their session host credentials for every
connection. The only way to avoid being prompted is to save the credentials in the
client. We recommend you only save credentials on secure devices to prevent other
users from accessing your resources.
Azure Virtual Desktop supports both NT LAN Manager (NTLM) and Kerberos for session
host authentication; however, smart card and Windows Hello for Business can only use
Kerberos to sign in. To use Kerberos, the client needs to get Kerberos security tickets
from a Key Distribution Center (KDC) service running on a domain controller. To get
tickets, the client needs a direct networking line-of-sight to the domain controller. You
can get a line-of-sight by connecting directly within your corporate network, using a
VPN connection or setting up a KDC Proxy server.
In-session authentication
Once you're connected to your RemoteApp or desktop, you may be prompted for
authentication inside the session. This section explains how to use credentials other than
username and password in this scenario.
To disable passwordless authentication on your host pool, you must customize an RDP
property. You can find the WebAuthn redirection property under the Device redirection
tab in the Azure portal or set the redirectwebauthn property to 0 using PowerShell.
When enabled, all WebAuthn requests in the session are redirected to the local PC. You
can use Windows Hello for Business or locally attached security devices to complete the
authentication process.
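Both the targetisaadjoined:i:1 step in the RDP Properties procedure earlier and the redirectwebauthn:i:0 change above are edits to the host pool's custom RDP property string. The following is an added example, not code from the article or from Microsoft; it assumes the Az.DesktopVirtualization module, a signed-in Connect-AzAccount session with write access to the host pool, and placeholder resource group and host pool names.

```powershell
# Added example (not from the article). Requires Az.DesktopVirtualization and a
# Connect-AzAccount session with write access to the host pool.
# CustomRdpProperty is one semicolon-separated string of "name:type:value" entries,
# e.g. "audiocapturemode:i:1;redirectwebauthn:i:1;". Updating it replaces the whole
# string, so this helper merges the new entry instead of dropping the existing ones.
function Set-HostPoolRdpProperty {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        [Parameter(Mandatory)] [string] $Name,    # e.g. 'redirectwebauthn'
        [Parameter(Mandatory)] [string] $Value    # type and value, e.g. 'i:0'
    )
    $pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName

    # Parse the current string into an ordered name -> "type:value" map.
    $props = [ordered]@{}
    foreach ($entry in ($pool.CustomRdpProperty -split ';')) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $key, $rest = $entry -split ':', 2        # 'redirectwebauthn', 'i:1'
        $props[$key.Trim()] = $rest
    }

    # Set (or add) the requested property, then rebuild the string with a trailing ';'.
    $props[$Name] = $Value
    $merged = (($props.GetEnumerator() | ForEach-Object { '{0}:{1}' -f $_.Key, $_.Value }) -join ';') + ';'

    Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
        -CustomRdpProperty $merged | Out-Null
}

# Placeholder names for illustration; substitute your own.
$rg       = 'rg-avd-example'
$hostPool = 'hp-pooled-example'

# Turn WebAuthn redirection off (disables in-session passwordless authentication).
Set-HostPoolRdpProperty -ResourceGroupName $rg -HostPoolName $hostPool -Name 'redirectwebauthn' -Value 'i:0'

# Tell clients that the session hosts are Microsoft Entra joined.
Set-HostPoolRdpProperty -ResourceGroupName $rg -HostPoolName $hostPool -Name 'targetisaadjoined' -Value 'i:1'

# Confirm the resulting property string.
(Get-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool).CustomRdpProperty
```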
To access Microsoft Entra resources with Windows Hello for Business or security devices,
you must enable the FIDO2 Security Key as an authentication method for your users. To
enable this method, follow the steps in Enable FIDO2 security key method.
To use a smart card in your session, make sure you've installed the smart card drivers on
the session host and enabled smart card redirection. Review the client comparison chart
to make sure your client supports smart card redirection.
Next steps
Curious about other ways to keep your deployment secure? Check out Security
best practices.
Having issues connecting to Microsoft Entra joined VMs? Look at Troubleshoot
connections to Microsoft Entra joined VMs.
Having issues with in-session passwordless authentication? See Troubleshoot
WebAuthn redirection.
Want to use smart cards from outside your corporate network? Review how to set
up a KDC Proxy server.
Whether you're running your session host virtual machines (VM) on Remote Desktop
Services or Azure Virtual Desktop, different types of workloads require different VM
configurations. The examples in this article are generic guidelines, and you should only
use them for initial performance estimates. For the best possible experience, scale your
deployment depending on your users' needs.
Workloads
Users can run different types of workloads on the session host virtual machines. The
following table shows examples of a range of workload types to help you estimate what
size your virtual machines need to be. After you set up your virtual machines, you should
continually monitor their actual usage and adjust their size accordingly. If you end up
needing a bigger or smaller virtual machine, you can easily scale your existing
deployment up or down in Azure.
The following table describes each workload. Example users are the types of users that
might find each workload most helpful. Example apps are the kinds of apps that work
best for each workload.
Workload type | Example users | Example apps
Light | Users doing basic data entry tasks | Database entry applications, command-line interfaces
Single-session recommendations
Single-session scenarios are when there's only one user signed in to a session host VM at
any one time. For example, if you use personal host pools in Azure Virtual Desktop,
you're using a single-session scenario. For VM sizing recommendations for single-
session scenarios, we recommend you use at least two physical CPU cores per VM,
typically four vCPUs with hyper-threading. If you need more specific VM sizing
recommendations for single-session scenarios, ask the software vendors specific to your
workload. VM sizing for single-session VMs usually aligns with physical device guidelines.
Multi-session recommendations
Multi-session scenarios are when there's more than one user signed in to a session host
virtual machine at any one time. For example, when you use pooled host pools in Azure
Virtual Desktop with the Windows 11 Enterprise multi-session operating system (OS),
that's a multi-session deployment.
The following table lists the maximum suggested number of users per virtual central
processing unit (vCPU) and the minimum VM configuration for standard or larger user
workload. If you need more specific VM sizing recommendations for single-session
scenarios, ask the software vendors specific to your workload.
For multi-session workloads, you should limit VM size to between 4 vCPUs and 24
vCPUs for the following reasons:
All VMs should have more than two cores. The UI components in Windows rely on
the use of at least two parallel threads for some of the heavier rendering
operations. For multi-session scenarios, having multiple users on a two-core VM
leads to the UI and apps becoming unstable, which lowers the quality of user
experience. Four cores are the lowest recommended number of cores that a stable
multi-session VM should have.
VMs shouldn't have more than 32 cores. As the number of cores increases, the
system's synchronization overhead also increases. For most workloads, at around
16 cores, the return on investment gets lower, with most of the extra capacity
offset by synchronization overhead. User experience is better with two 16-core
VMs instead of one 32-core one.
The recommended range between 4 and 24 cores generally provides better capacity
returns for your users as you increase the number of cores. For example, if you have 12
users sign in at the same time to a VM with four cores, the ratio is three users per core.
Meanwhile, on a VM with 8 cores and 14 users, the ratio is 1.75 users per core. In this
scenario, the latter configuration with a ratio of 1.75 offers greater burst capacity for
your applications that have short-term CPU demand.
This recommendation is true at a larger scale. For scenarios with 20 or more users
connected to a single VM, several smaller VMs would perform better than one or two
large VMs. For example, if you're expecting 30 or more users to sign in within 10
minutes of each other on the same session host with 16 cores, two 8-core VMs would
handle the workload better. You can also use breadth-first load balancing to evenly
distribute users across different VMs instead of depth-first load balancing, where you
can only use a new session host after the existing one is full of users.
It's also better to use a large number of smaller VMs instead of a few large VMs. It's
easier to shut down VMs that need to be updated or aren't currently in use. With larger
VMs, you're more likely to have at least one user signed in at any time, which prevents
you from shutting down the VM. When you have many smaller VMs, it's more likely you
have some VMs without active users. You can safely shut down these unused VMs to
conserve resources, either manually or automatically by using autoscale in Azure Virtual
Desktop. Conserving resources makes your deployment more resilient, easier to
maintain, and less expensive.
Graphics processing units (GPUs) are a good choice for users who regularly use
graphics-intensive programs for video rendering, 3D design, and simulations. Azure has
several graphics acceleration deployment options and multiple available GPU VM sizes.
Learn more at GPU optimized virtual machine sizes. For more general information about
graphics acceleration in Remote Desktop Services, see Remote Desktop Services - GPU
acceleration.
B-series burstable VMs in Azure are a good choice for users who don't always need
maximum CPU performance. For more information, see Sizes for Windows virtual
machines in Azure and the pricing information on the Virtual Machine series.
Understanding Azure Virtual Desktop
network connectivity
Article • 06/24/2024
Azure Virtual Desktop hosts client sessions on session hosts running on Azure. Microsoft
manages portions of the services on the customer's behalf and provides secure
endpoints for connecting clients and session hosts. The following diagram gives a high-
level overview of the network connections used by Azure Virtual Desktop.
Diagram (not reproduced): the connections shown are Azure AD authentication, Active Directory with Azure AD Connect sync, feed subscription (various), RD Web, RD Gateway, RD Broker, and the reverse connect transport over TCP 443 across the public internet.
Session connectivity
Azure Virtual Desktop uses Remote Desktop Protocol (RDP) to provide remote display
and input capabilities over network connections. RDP was initially released with
Windows NT 4.0 Terminal Server Edition and was continuously evolving with every
Microsoft Windows and Windows Server release. From the beginning, RDP developed to
be independent of its underlying transport stack, and today it supports multiple types of
transport.
Reverse connect transport
Azure Virtual Desktop uses reverse connect transport to establish the remote
session and to carry RDP traffic. Unlike on-premises Remote Desktop Services
deployments, reverse connect transport doesn't use a TCP listener to receive incoming
RDP connections. Instead, it uses outbound connectivity to the Azure Virtual Desktop
infrastructure over an HTTPS connection.
1. Using a supported Azure Virtual Desktop client, the user subscribes to the Azure Virtual
Desktop Workspace.
2. Microsoft Entra authenticates the user and returns the token used to enumerate
resources available to a user.
3. Client passes token to the Azure Virtual Desktop feed subscription service.
5. Azure Virtual Desktop feed subscription service passes the list of available
desktops and applications back to the client in the form of digitally signed
connection configuration.
6. Client stores the connection configuration for each available resource in a set of
.rdp files.
7. When a user selects the resource to connect, the client uses the associated .rdp
file and establishes a secure TLS 1.2 connection to an Azure Virtual Desktop
gateway instance with the help of Azure Front Door and passes the connection
information. The latency from all gateways is evaluated, and the gateways are put
into groups of 10 ms. The gateway with the lowest latency and then lowest
number of existing connections is chosen.
8. Azure Virtual Desktop gateway validates the request and asks the Azure Virtual
Desktop broker to orchestrate the connection.
9. Azure Virtual Desktop broker identifies the session host and uses the previously
established persistent communication channel to initialize the connection.
10. Remote Desktop stack initiates a TLS 1.2 connection to the same Azure Virtual
Desktop gateway instance as used by the client.
11. After both the client and session host have connected to the gateway, the gateway starts
relaying the data between both endpoints. This connection establishes the base
reverse connect transport for the RDP connection through a nested tunnel, using
the mutually agreed TLS version supported and enabled between the client and
session host, up to TLS 1.3.
12. After the base transport is set, the client starts the RDP handshake.
Connection security
TLS is used for all connections. The version used depends on which connection is made
and the capabilities of the client and session host:
For all connections initiated from the clients and session hosts to the Azure Virtual
Desktop infrastructure components, TLS 1.2 is used. Azure Virtual Desktop uses the
same TLS 1.2 ciphers as Azure Front Door. It's important to make sure both client
computers and session hosts can use these ciphers.
For the reverse connect transport, both the client and session host connect to the
Azure Virtual Desktop gateway. After the TCP connection for the base transport is
established, the client or session host validates the Azure Virtual Desktop
gateway's certificate. RDP then establishes a nested TLS connection between client
and session host using the session host's certificates. The version of TLS uses the
mutually agreed TLS version supported and enabled between the client and
session host, up to TLS 1.3. TLS 1.3 is supported starting in Windows 11 (21H2) and
in Windows Server 2022. To learn more, see Windows 11 TLS support. For other
operating systems, check with the operating system vendor for TLS 1.3 support.
By default, the certificate used for RDP encryption is self-generated by the OS during
the deployment. You can also deploy centrally managed certificates issued by the
enterprise certification authority. For more information about configuring certificates,
see Remote Desktop listener certificate configurations.
Next steps
To learn about bandwidth requirements for Azure Virtual Desktop, see
Understanding Remote Desktop Protocol (RDP) Bandwidth Requirements for Azure
Virtual Desktop.
To get started with Quality of Service (QoS) for Azure Virtual Desktop, see
Implement Quality of Service (QoS) for Azure Virtual Desktop.
Remote Desktop Protocol multiplexes multiple Dynamic Virtual Channels (DVCs) into a
single data channel sent over different network transports. There are separate DVCs for
remote graphics, input, device redirection, printing, and more. Azure Virtual Desktop
partners can also use their extensions that use DVC interfaces.
The amount of the data sent over RDP depends on the user activity. For example, a user
may work with basic textual content for most of the session and consume minimal
bandwidth, but then generate a printout of a 200-page document to the local printer.
This print job will use a significant amount of network bandwidth.
When using a remote session, your network's available bandwidth dramatically impacts
the quality of your experience. Different applications and display resolutions require
different network configurations, so it's essential to make sure your network
configuration meets your needs.
Type of Data | Direction | How to estimate
Input | Client to session host | Amount of data is based on the user activity, less than 100 bytes for most of the operations
File transfers | Both directions | File transfers are using bulk compression. Use .zip compression for approximation
Printing | Session host to client | Print job transfer depends on the driver and using bulk compression, use .zip compression for approximation
Other scenarios can have their bandwidth requirements change depending on how you
use them, such as:
However, in many cases, you may estimate network utilization by understanding how
Remote Desktop Protocol works and by analyzing your users' work patterns.
The remote protocol delivers the graphics generated by the remote server to display it
on a local monitor. More specifically, it provides the desktop bitmap entirely composed
on the server. While sending a desktop bitmap seems like a simple task at first
approach, it requires a significant amount of resources. For example, a 1080p desktop
image in its uncompressed form is about 8Mb in size. Displaying this image on the
locally connected monitor with a modest screen refresh rate of 30 Hz requires
bandwidth of about 237 MB/s.
To reduce the amount of data transferred over the network, RDP uses the combination
of multiple techniques, including but not limited to
Keep in mind that the stress put on your network depends on both your app workload's
output frame rate and your display resolution. If either the frame rate or display
resolution increases, the bandwidth requirement will also rise. For example, a light
workload with a high-resolution display requires more available bandwidth than a light
workload with regular or low resolution. Different display resolutions require different
available bandwidths.
The following table helps you estimate the data used by different graphic scenarios.
These numbers apply to a single monitor configuration with 1920x1080 resolution, with
both the default graphics mode and the H.264/AVC 444 graphics mode.
Scenario | Default mode | H.264/AVC 444 mode | Description
Idle     | 0.3 Kbps     | 0.3 Kbps           | The user has paused their work and there are no active screen updates
Note
Make sure that RDP Shortpath for managed networks is enabled. Throttle rate limiting
isn't supported for the reverse connect transport, so the policy only affects the UDP
traffic that RDP Shortpath carries.
To create a QoS policy for domain-joined session hosts, first, sign in to a computer on
which Group Policy Management has been installed. Open Group Policy Management
(select Start, point to Administrative Tools, and then select Group Policy Management),
and then complete the following steps:
1. In Group Policy Management, locate the container where the new policy should be
created. For example, if all your session hosts computers are located in an OU
named Session Hosts, the new policy should be created in the Session Hosts OU.
2. Right-click the appropriate container, and then select Create a GPO in this
domain, and Link it here.
3. In the New GPO dialog box, type a name for the new Group Policy object in the
Name box, and then select OK.
6. In the Policy-based QoS dialog box, on the opening page, type a name for the
new policy in the Name box. Select Specify Outbound Throttle Rate and set the
required value, and then select Next.
7. On the next page, select Only applications with this executable name and enter
the name svchost.exe, and then select Next. This setting instructs the policy to
only apply to matching traffic from the Remote Desktop Service. Because svchost.exe
hosts many other services, the protocol and port conditions in the following steps
are what narrow the policy to RDP Shortpath traffic.
8. On the third page, make sure that both Any source IP address and Any
destination IP address are selected. Select Next. These two settings ensure that
packets will be managed regardless of which computer (IP address) sent the
packets and which computer (IP address) will receive the packets.
9. On page four, select UDP from the Select the protocol this QoS policy applies to
drop-down list.
10. Under the heading Specify the source port number, select From this source port
or range. In the accompanying text box, type 3390. Select Finish.
The new policies you've created won't take effect until Group Policy has been refreshed
on your session host computers. Although Group Policy periodically refreshes on its
own, you can force an immediate refresh by following these steps:
1. On each session host for which you want to refresh Group Policy, open a
Command Prompt as administrator (Run as administrator).
2. Run the following command:
   gpupdate /force
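As an added example (not code from the original article or from Microsoft), the following PowerShell script creates the same throttle policy as the procedure above with the NetQos cmdlets instead of the Group Policy Management UI, and first checks that RDP Shortpath for managed networks is enabled on the session host, since the throttle has no effect on the reverse connect transport. It assumes an elevated PowerShell session on a session host (ActiveStore), or a machine with the NetQos cmdlets and Group Policy access when writing into a GPO; the policy name, the GPO name 'Session Hosts QoS', the domain name and the 20 Mbps limit are placeholders.

```powershell
# Added example, not part of the original article. Assumptions: elevated session;
# policy name, GPO store 'GPO:contoso.com\Session Hosts QoS' and 20 Mbps are placeholders.
param(
    [string] $PolicyName = 'RDP Shortpath throttle',
    [uint64] $ThrottleBitsPerSecond = 20000000,  # 20 Mbps, the same value the UI field 'Specify Outbound Throttle Rate' takes
    [string] $PolicyStore = 'ActiveStore'        # or 'GPO:contoso.com\Session Hosts QoS' to write into a GPO
)

$ErrorActionPreference = 'Stop'

# RDP Shortpath for managed networks listens on UDP 3390 and is switched on by
# fUseUdpPortRedirector = 1 under the WinStations key. Only check the local
# registry when the policy is being applied to this machine.
$udpPort = 3390
if ($PolicyStore -in 'ActiveStore', 'localhost') {
    $ws = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
    if ($ws.fUseUdpPortRedirector -ne 1) {
        throw "RDP Shortpath for managed networks is not enabled on $env:COMPUTERNAME (fUseUdpPortRedirector is not 1); a throttle policy would have no effect."
    }
    if ($null -ne $ws.UdpPortNumber) { $udpPort = [int] $ws.UdpPortNumber }
}

# Replace any earlier copy of the policy so the script is idempotent.
if (Get-NetQosPolicy -Name $PolicyName -PolicyStore $PolicyStore -ErrorAction SilentlyContinue) {
    Remove-NetQosPolicy -Name $PolicyName -PolicyStore $PolicyStore -Confirm:$false
}

# Same match conditions as steps 7 to 10 above: svchost.exe, any source and
# destination IP address, UDP, source port 3390. The conditions are ANDed, which is
# what keeps the policy from throttling every other service hosted in svchost.exe.
New-NetQosPolicy -Name $PolicyName `
    -PolicyStore $PolicyStore `
    -AppPathNameMatchCondition 'svchost.exe' `
    -IPProtocolMatchCondition UDP `
    -IPSrcPortStartMatchCondition $udpPort `
    -IPSrcPortEndMatchCondition $udpPort `
    -ThrottleRateActionBitsPerSecond $ThrottleBitsPerSecond `
    -NetworkProfile All | Out-Null

# Read the policy back so the effective conditions and throttle can be reviewed.
Get-NetQosPolicy -Name $PolicyName -PolicyStore $PolicyStore | Format-List *

# A policy written into a GPO takes effect only after the session hosts refresh Group Policy.
if ($PolicyStore -like 'GPO:*') {
    Write-Host "Policy stored in $PolicyStore; run 'gpupdate /force' on each session host or wait for the next refresh."
}
```

Run the script once per session host for the ActiveStore variant, or once against the GPO store and then refresh Group Policy on the hosts as described above. Lowering the throttle value below what the graphics scenarios in the bandwidth table need will degrade the user experience rather than save bandwidth, so size it from the per-scenario numbers first.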
Next steps
To learn about bandwidth requirements for Azure Virtual Desktop, see
Understanding Remote Desktop Protocol (RDP) Bandwidth Requirements for Azure
Virtual Desktop.
To learn about Azure Virtual Desktop network connectivity, see Understanding
Azure Virtual Desktop network connectivity.
To get started with Quality of Service (QoS) for Azure Virtual Desktop, see
Implement Quality of Service (QoS) for Azure Virtual Desktop.
Azure Virtual Desktop on Azure Local
Article • 11/19/2024
Important
Azure Virtual Desktop on Azure Local for Azure Government and Azure
operated by 21Vianet (Azure in China) is currently in preview with HCI version
22H2. Portal provisioning isn't available.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal
terms that apply to Azure features that are in beta, preview, or otherwise not
yet released into general availability.
Using Azure Virtual Desktop on Azure Local, you can deploy session hosts for Azure
Virtual Desktop where you need them. If you already have an existing on-premises
virtual desktop infrastructure (VDI) deployment, Azure Virtual Desktop on Azure Local
can improve your experience. If you're already using Azure Virtual Desktop with your
session hosts in Azure, you can extend your deployment to your on-premises
infrastructure to better meet your performance or data locality needs.
Azure Virtual Desktop service components, such as host pools, workspaces, and
application groups are all deployed in Azure, but you can choose to deploy session
hosts on Azure Local. As Azure Virtual Desktop on Azure Local isn't an Azure Arc-
enabled service, it's not supported as a standalone service outside of Azure, in a
multicloud environment, or on other Azure Arc-enabled servers.
Benefits
Using Azure Virtual Desktop on Azure Local, you can:
Improve performance for Azure Virtual Desktop users in areas with poor
connectivity to the Azure public cloud by giving them session hosts closer to their
location.
Meet data locality requirements by keeping app and user data on-premises. For
more information, see Data locations for Azure Virtual Desktop.
Improve access to legacy on-premises apps and data sources by keeping desktops
and apps in the same location.
Reduce cost and improve user experience with Windows 10 and Windows 11
Enterprise multi-session, which allows multiple concurrent interactive sessions.
Achieve the best performance by using RDP Shortpath for low-latency user access.
Deploy the latest fully patched images quickly and easily using Azure Marketplace
images.
Once your instance is ready, you can use the following 64-bit operating system images
for your session hosts that are in support:
To use session hosts on Azure Local with Azure Virtual Desktop, you also need to:
License and activate the virtual machines. For activating Windows 10 and Windows
11 Enterprise multi-session, and Windows Server 2022 Datacenter: Azure Edition,
use Azure verification for VMs. For all other OS images (such as Windows 10 and
Windows 11 Enterprise, and other editions of Windows Server), you should
continue to use existing activation methods. For more information, see Activate
Windows Server VMs on Azure Local.
Install the Azure Connected Machine agent on the virtual machines so they can
communicate with Azure Instance Metadata Service, which is a required endpoint
for Azure Virtual Desktop. The Azure Connected Machine agent is automatically
installed when you add session hosts using the Azure portal as part of the process
to Deploy Azure Virtual Desktop or Add session hosts to a host pool.
Finally, users can connect using the same Remote Desktop clients as Azure Virtual
Desktop.
Licensing and pricing
To run Azure Virtual Desktop on Azure Local, you need to make sure you're licensed
correctly and be aware of the pricing model. There are three components that affect
how much it costs to run Azure Virtual Desktop on Azure Local:
User access rights. The same licenses that grant access to Azure Virtual Desktop
on Azure also apply to Azure Virtual Desktop on Azure Local. Learn more at Azure
Virtual Desktop pricing .
Azure Virtual Desktop for Azure Local service fee. This fee requires you to pay for
each active virtual CPU (vCPU) for your Azure Virtual Desktop session hosts
running on Azure Local. Learn more at Azure Virtual Desktop pricing .
Data storage
There are different classifications of data for Azure Virtual Desktop, such as customer
input, customer data, diagnostic data, and service-generated data. With Azure Local, you
can choose to store user data on-premises when you deploy session host virtual
machines (VMs) and associated services such as file servers. However, some customer
data, diagnostic data, and service-generated data is still stored in Azure. For more
information on how Azure Virtual Desktop stores different kinds of data, see Data
locations for Azure Virtual Desktop.
Limitations
Azure Virtual Desktop on Azure Local has the following limitations:
Each host pool must only contain session hosts on Azure or on Azure Local. You
can't mix session hosts on Azure and on Azure Local in the same host pool.
You can only join session hosts on Azure Local to an Active Directory Domain
Services (AD DS) domain. This includes using Microsoft Entra hybrid join, where
you can benefit from some of the functionality provided by Microsoft Entra ID.
Next step
To learn how to deploy Azure Virtual Desktop on Azure Local, see Deploy Azure Virtual
Desktop.
Azure Extended Zones are small-footprint extensions of Azure placed in metros, industry
centers, or a specific jurisdiction to serve low-latency and data-residency workloads.
Azure Extended Zones are supported for Azure Virtual Desktop and can run latency-
sensitive and throughput-intensive applications close to end users and within approved
data residency boundaries. Azure Extended Zones are part of the Microsoft global
network, which provides secure, reliable, high-bandwidth connectivity to applications
that run at an Azure Extended Zone close to the user.
Due to the proximity of the end user to the session host, you can benefit from reduced
latency using Azure Extended Zones. Azure Extended Zones uses RDP Shortpath, which
establishes a direct UDP-based transport between a supported Windows Remote
Desktop client and session host. The removal of extra relay points reduces round-trip
time, which improves connection reliability and user experience with latency-sensitive
applications and input methods.
Azure Private Link can also be used with Azure Extended Zones. Azure Private Link can
help with reducing latency and improving security. By creating a private endpoint, traffic
between your virtual network and the service remains on the Microsoft network, so you
no longer need to expose your service to the public internet.
Unlike Azure regions, Azure Extended Zones don't have any default outbound
connectivity. An existing Azure Load Balancer is needed on the virtual network that the
session hosts are being deployed to. You need to use one or more frontend IP addresses
of the load balancer for outbound connectivity to the internet in order for the session
hosts to join a host pool. For more information, see Azure's outbound connectivity
methods.
Gaining access to an Azure Extended Zone
To deploy Azure Virtual Desktop in Azure Extended Zone locations, you need to
explicitly register your subscription with the respective Azure Extended Zone using an
account that is a subscription owner. By default, this capability isn't enabled.
Registration of an Azure Extended Zone is always scoped to a specific subscription,
ensuring control and management over the resources deployed in these locations. Once
a subscription is registered with the Azure Extended Zone, you can deploy and manage
your desktops and applications within that specific Azure Extended Zone.
Limitations
Azure Virtual Desktop on Azure Extended Zones has the following limitations:
With Azure Extended Zones, there's no default outbound internet access. The
default outbound route is being retired across all Azure regions in September
2025, so Azure Extended Zones begin without this default outbound internet
route. For more information, see Default outbound access for VMs in Azure will be
retired— transition to a new method of internet access.
Azure Extended Zones don't support NAT Gateways. You need to use an Azure
Load Balancer with outbound rules enabled for outbound connectivity.
There's a reduced set of supported virtual machine SKUs you can use as session
hosts. For more information, see Service offerings for Azure Extended Zones.
Next step
To learn how to deploy Azure Virtual Desktop in an Azure Extended Zone, see Deploy
Azure Virtual Desktop.
Azure Virtual Desktop is a managed virtual desktop service that includes many security
capabilities for keeping your organization safe. The architecture of Azure Virtual Desktop
comprises many components that make up the service connecting users to their
desktops and apps.
Azure Virtual Desktop has many built-in advanced security features, such as Reverse
Connect where no inbound network ports are required to be open, which reduces the
risk involved with having remote desktops accessible from anywhere. The service also
benefits from many other security features of Azure, such as multifactor authentication
and conditional access. This article describes steps you can take as an administrator to
keep your Azure Virtual Desktop deployments secure, whether you provide desktops
and apps to users in your organization or to external users.
In most cloud services, however, there's a shared set of security responsibilities between
Microsoft and the customer or partner. For Azure Virtual Desktop, most components are
Microsoft-managed, but session hosts and some supporting services and components
are customer-managed or partner-managed. To learn more about the Microsoft-
managed components of Azure Virtual Desktop, see Azure Virtual Desktop service
architecture and resilience.
While some components come already secured for your environment, you'll need to
configure other areas yourself to fit your organization's or customer's security needs.
Here are the components whose security you're responsible for in your Azure Virtual
Desktop deployment:
Component | Responsibility
Security boundaries
Security boundaries separate the code and data of security domains with different levels
of trust. For example, there's usually a security boundary between kernel mode and user
mode. Most Microsoft software and services depend on multiple security boundaries to
isolate devices on networks, virtual machines (VMs), and applications on devices. The
following table lists each security boundary for Windows and what it does for overall
security.
Security boundary | Description
Network boundary | An unauthorized network endpoint can't access or tamper with code and data on a customer's device.
Kernel boundary | A non-administrative user mode process can't access or tamper with kernel code and data. Administrator-to-kernel is not a security boundary.
Process boundary | An unauthorized user mode process can't access or tamper with the code and data of another process.
capabilities.
User boundary | A user can't access or tamper with the code and data of another user without being authorized.
Session boundary | A user session can't access or tamper with another user session without being authorized.
Web browser boundary | An unauthorized website can't violate the same-origin policy, nor can it access or tamper with the native code and data of the Microsoft Edge web browser sandbox.
Virtual machine boundary | An unauthorized Hyper-V guest virtual machine can't access or tamper with the code and data of another guest virtual machine; this includes Hyper-V isolated containers.
Virtual Secure Mode (VSM) boundary | Code running outside of the VSM trusted process or enclave can't access or tamper with data and code within the trusted process.
Users from the same organization, like knowledge workers with apps that don't require
administrator privileges, are great candidates for multi-session session hosts like
Windows 11 Enterprise multi-session. These session hosts reduce costs for your
organization because multiple users can share a single VM, with only the overhead costs
of a VM per user. With user profile management products like FSLogix, users can be
assigned any VM in a host pool without noticing any service interruptions. This feature
also lets you optimize costs by doing things like shutting down VMs during off-peak
hours.
Windows uses security boundaries and controls to ensure user processes and data are
isolated between sessions. However, Windows still provides access to the instance the
user is working on.
Multi-session deployments benefit from a defense in depth strategy that adds more
security boundaries to prevent users within and outside of the organization from
getting unauthorized access to other users' personal information. Unauthorized data
access can result from a configuration error by the system admin, from an undisclosed
security vulnerability, or from a known vulnerability that hasn't been patched yet.
We don't recommend granting users that work for different or competing companies
access to the same multi-session environment. These scenarios have several security
boundaries that can be attacked or abused, like network, kernel, process, user, or
sessions. A single security vulnerability could cause unauthorized data and credential
theft, personal information leaks, identity theft, and other issues. Virtualized
environment providers are responsible for offering well-designed systems with multiple
strong security boundaries and extra safety features enabled wherever possible.
Scenario | Recommendation
Users from one organization with standard privileges | Use a Windows Enterprise multi-session operating system (OS).
Users require administrative privileges | Use a personal host pool and assign each user their own session host.
Users from different organizations connecting | Separate Azure tenant and Azure subscription.
Azure security best practices
Azure Virtual Desktop is a service under Azure. To maximize the safety of your Azure
Virtual Desktop deployment, you should make sure to secure the surrounding Azure
infrastructure and management plane as well. To secure your infrastructure, consider
how Azure Virtual Desktop fits into your larger Azure ecosystem. To learn more about
the Azure ecosystem, see Azure security best practices and patterns.
Today's threat landscape requires designs with security approaches in mind. Ideally,
you'll want to build a series of security mechanisms and controls layered throughout
your computer network to protect your data and network from being compromised or
attacked. This type of security design is what the United States Cybersecurity and
Infrastructure Security Agency (CISA) calls defense in depth.
The following sections contain recommendations for securing an Azure Virtual Desktop
deployment.
Manage vulnerabilities.
Assess compliance with common frameworks like from the PCI Security Standards
Council.
Strengthen the overall security of your environment.
For profile solutions like FSLogix or other solutions that mount virtual hard disk files, we
recommend excluding those file extensions. For more information, see
Restrict Windows Explorer access by hiding local and remote drive mappings. This
prevents users from discovering unwanted information about system configuration
and users.
Avoid direct RDP access to session hosts in your environment. If you need direct
RDP access for administration or troubleshooting, enable just-in-time access to
limit the potential attack surface on a session host.
Grant users limited permissions when they access local and remote file systems.
You can restrict permissions by making sure your local and remote file systems use
access control lists with least privilege. This way, users can only access what they
need and can't change or delete critical resources.
Prevent unwanted software from running on session hosts. You can enable AppLocker
for additional security on session hosts, ensuring that only the apps you allow can
run on the host.
Trusted launch
Trusted launch is a set of enhanced security features for Azure VMs that protects
against persistent attack techniques such as bottom-of-the-stack threats delivered
through rootkits, boot kits, and kernel-level malware. It allows secure deployment of
VMs with verified boot loaders, OS kernels, and drivers, and also protects keys,
certificates, and secrets in the VMs. Learn more about trusted launch at Trusted launch
for Azure virtual machines.
When you add session hosts using the Azure portal, the default security type is Trusted
launch virtual machines. This ensures that your VM meets the mandatory requirements for
Windows 11. For more information about these requirements, see Virtual machine
support.
Deploying confidential virtual machines with Azure Virtual Desktop gives users access to
Microsoft 365 and other applications on session hosts that use hardware-based
isolation, which hardens isolation from other virtual machines, the hypervisor, and the
host OS. Memory encryption keys are generated and safeguarded by a dedicated secure
processor inside the CPU that can't be read from software. For more information,
including the VM sizes available, see the Azure confidential computing overview.
The following operating systems are supported for use as session hosts with confidential
virtual machines on Azure Virtual Desktop, for versions that are in active support. For
support dates, see Microsoft Lifecycle Policy.
Windows 11 Enterprise
Windows 11 Enterprise multi-session
Windows 10 Enterprise
Windows 10 Enterprise multi-session
Windows Server 2022
Windows Server 2019
You can create session hosts using confidential virtual machines when you deploy Azure
Virtual Desktop or add session hosts to a host pool.
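The portal default only covers hosts you add from now on. As an added example (not code from the original article or from Microsoft), the following Az PowerShell script walks every session host in a host pool and reports which VMs aren't deployed as Trusted launch or confidential VMs with Secure Boot and vTPM enabled. It assumes the Az.Accounts, Az.Compute and Az.DesktopVirtualization modules are installed and Connect-AzAccount has been run; the resource group and host pool names are placeholders.

```powershell
# Added example, not part of the original article. Assumes Az modules and an
# authenticated Az session; 'rg-avd-prod' and 'hp-pooled-01' are placeholder names.
function Get-AvdSessionHostSecurityType {
    param(
        [Parameter(Mandatory)][string] $ResourceGroupName,
        [Parameter(Mandatory)][string] $HostPoolName
    )

    foreach ($sh in Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName) {
        # The session host object carries the ARM resource ID of the backing VM.
        $vm = Get-AzVM -ResourceId $sh.ResourceId
        $sp = $vm.SecurityProfile

        # A VM without a SecurityProfile is a Standard (Generation 1 or plain Gen2) VM.
        $type = if ($sp -and $sp.SecurityType) { $sp.SecurityType } else { 'Standard' }
        $secureBoot = [bool]($sp.UefiSettings.SecureBootEnabled)
        $vtpm       = [bool]($sp.UefiSettings.VTpmEnabled)

        [PSCustomObject]@{
            SessionHost  = $sh.Name
            VmName       = $vm.Name
            SecurityType = $type
            SecureBoot   = $secureBoot
            VTpm         = $vtpm
            # Both Trusted launch and confidential VMs rely on Secure Boot plus vTPM
            # for measured boot and attestation, so require all three.
            Compliant    = ($type -in 'TrustedLaunch', 'ConfidentialVM') -and $secureBoot -and $vtpm
        }
    }
}

# Show only the hosts that need attention.
Get-AvdSessionHostSecurityType -ResourceGroupName 'rg-avd-prod' -HostPoolName 'hp-pooled-01' |
    Where-Object { -not $_.Compliant } |
    Format-Table SessionHost, VmName, SecurityType, SecureBoot, VTpm -AutoSize
```

Hosts that show up as Standard can't be switched in place to confidential VMs, and moving a Standard VM to Trusted launch is a separate migration; the usual path in a pooled host pool is to drain the host, delete it, and add a replacement with the right security type.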
vTPM
A vTPM is a virtualized version of a hardware Trusted Platform Module (TPM), with a
virtual instance of a TPM per VM. vTPM enables remote attestation by performing
integrity measurement of the entire boot chain of the VM (UEFI, OS, system, and
drivers).
We recommend enabling vTPM to use remote attestation on your VMs. With vTPM
enabled, you can also enable BitLocker functionality with Azure Disk Encryption, which
provides full-volume encryption to protect data at rest. Any feature that uses the
vTPM binds its secrets to that specific VM. When users connect to the Azure Virtual
Desktop service in a pooled scenario, they can be redirected to any VM in the host
pool, so a feature whose design assumes the user always returns to the same VM may
not work as expected.
Note
BitLocker shouldn't be used to encrypt the specific disk where you're storing your
FSLogix profile data.
Virtualization-based Security
Virtualization-based Security (VBS) uses the hypervisor to create and isolate a secure
region of memory that's inaccessible to the OS. Hypervisor-Protected Code Integrity
(HVCI) and Windows Defender Credential Guard both use VBS to provide increased
protection from vulnerabilities.
Hypervisor-Protected Code Integrity
HVCI is a powerful system mitigation that uses VBS to protect Windows kernel-mode
processes against injection and execution of malicious or unverified code.
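Enabling these features on the VM is not the same as having them run. As an added example (not code from the original article or from Microsoft), the following PowerShell script checks from inside a session host that Secure Boot, the vTPM, VBS, HVCI and Credential Guard are actually active, and flags the common case where HVCI is configured but blocked by an incompatible driver. It assumes an elevated PowerShell session on the session host; it reads the Win32_DeviceGuard class in the root\Microsoft\Windows\DeviceGuard namespace, where VirtualizationBasedSecurityStatus is 2 when VBS is running and SecurityServicesRunning lists 1 for Credential Guard and 2 for HVCI.

```powershell
# Added example, not part of the original article. Run elevated inside the session host.
function Get-SessionHostSecurityPosture {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $tpm = Get-Tpm

    # Confirm-SecureBootUEFI throws on a BIOS / Generation 1 VM, which is itself a finding.
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }

    # Informational: a vTPM-sealed BitLocker volume is tied to this one VM, which
    # matters for pooled hosts (see the vTPM section above).
    $bitLocker = try { (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus } catch { 'Unavailable' }

    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        SecureBoot       = $secureBoot
        TpmPresent       = [bool] $tpm.TpmPresent
        TpmReady         = [bool] $tpm.TpmReady
        VbsRunning       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciConfigured   = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning      = ($dg.SecurityServicesRunning -contains 2)
        CredentialGuard  = ($dg.SecurityServicesRunning -contains 1)
        OsDriveBitLocker = $bitLocker
    }
}

function Test-SessionHostSecurityPosture {
    $p = Get-SessionHostSecurityPosture

    # Everything in this list must be on for the boot chain and kernel to be protected.
    $findings = @(foreach ($name in 'SecureBoot', 'TpmPresent', 'TpmReady', 'VbsRunning', 'HvciRunning') {
        if (-not $p.$name) { "$name is off" }
    })

    if ($p.HvciConfigured -and -not $p.HvciRunning) {
        $findings += 'HVCI is configured but not running; an incompatible driver is the usual cause (see the Microsoft-Windows-DeviceGuard/Operational event log)'
    }

    [PSCustomObject]@{
        Posture   = $p
        Compliant = (-not $findings)
        Findings  = $findings
    }
}

$result = Test-SessionHostSecurityPosture
$result.Posture | Format-List
if (-not $result.Compliant) { $result.Findings | ForEach-Object { Write-Warning $_ } }
```

Credential Guard is reported but not required, because whether it belongs on a multi-session host depends on the credential and single sign-on design of the deployment; the other five checks are the ones the Trusted launch and VBS sections above depend on.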
Windows Update
Keep your session hosts up to date with updates from Windows Update. Windows
Update provides a secure way to keep your devices up-to-date. Its end-to-end
protection prevents manipulation of protocol exchanges and ensures updates only
include approved content. You may need to update firewall and proxy rules for some of
your protected environments in order to get proper access to Windows Updates. For
more information, see Windows Update security.
Next steps
Learn how to Set up multifactor authentication.
Apply Zero Trust principles for an Azure Virtual Desktop deployment.
Azure Virtual Desktop is available in many Azure regions, which are grouped by
geography. When Azure Virtual Desktop resources are deployed, you have to specify the
Azure region they'll be created in. The location of the resource determines where its
information will be stored and the geography where related information will be stored.
Azure Virtual Desktop itself is a non-regional service where there's no dependency on a
specific Azure region. Learn more about Data residency in Azure and Azure
geographies.
Azure Virtual Desktop stores various information for service objects, such as host pool
names, application group names, workspace names, and user principal names. Data is
categorized into different types, such as customer input, customer data, diagnostic data,
and service-generated data. For more information about data category definitions, see
How Microsoft categorizes data for online services.
Note
Microsoft doesn't control or limit the regions where you or your users can access
your user and app-specific data.
Diagnostic data
Diagnostic data is generated by the Azure Virtual Desktop service and is gathered
whenever administrators or users interact with the service. This data is only used for
troubleshooting, support, and checking the health of the service in aggregate form. For
example, when a session host VM is registered to a host pool, information is generated
that includes the virtual machine (VM) name, which host pool the VM belongs to, and so
on. This information is stored in the geography associated with the Azure region the
host pool is created in. Also, when a user connects to the service and launches a session,
diagnostic information is generated that includes the user principal name, client
location, client IP address, which host pool the user is connecting to, and so on. This
information is sent to two different locations:
The location closest to the user where the service infrastructure (client traces, user
traces, and diagnostic data) is present.
The location where the host pool is located.
Service-generated data
To keep Azure Virtual Desktop reliable and scalable, traffic patterns and usage are
aggregated to check the health and performance of the infrastructure control plane. For
example, to help us understand how to ramp up regional infrastructure capacity as
service usage increases, we process service usage log data. We then review the logs for
peak times and decide where to increase capacity.
Data locations
Storing customer data and service-generated data is currently supported in the
following geographies:
United States (US)
Europe (EU)
United Kingdom (UK)
Canada (CA)
Japan (JP)
Australia (AU)
India (IN)
In addition, service-generated data is aggregated from all locations where the service
infrastructure is, and sent to the US geography. The data sent to the US includes
scrubbed data. Customer data isn't aggregated.
Data storage
Stored information is encrypted at rest, and geo-redundant mirrors are maintained
within the geography. Data generated by the Azure Virtual Desktop service is replicated
within the Azure geography for disaster recovery purposes.
User-created or app-related information, such as app settings and user data, resides in
the Azure region you choose and isn't managed by the Azure Virtual Desktop service.
There are a few things you need to start using Azure Virtual Desktop. Here you can find
what prerequisites you need to complete to successfully provide your users with
desktops and applications.
To deploy Azure Virtual Desktop, you need to assign the relevant Azure role-based
access control (RBAC) roles. The specific role requirements are covered in each of the
related articles for deploying Azure Virtual Desktop, which are listed in the Next steps
section.
Important
You must have permission to register a resource provider, which requires the
*/register/action operation. This is included if your account is assigned the
Identity
To access desktops and applications from your session hosts, your users need to be able
to authenticate. Microsoft Entra ID is Microsoft's centralized cloud identity service that
enables this capability. Microsoft Entra ID is always used to authenticate users for Azure
Virtual Desktop. Session hosts can be joined to the same Microsoft Entra tenant, or to
an Active Directory domain using Active Directory Domain Services (AD DS) or Microsoft
Entra Domain Services, providing you with a choice of flexible configuration options.
Session hosts
You need to join session hosts that provide desktops and applications to the same
Microsoft Entra tenant as your users, or an Active Directory domain (either AD DS or
Microsoft Entra Domain Services).
Note
For Azure Stack HCI, you can only join session hosts to an Active Directory Domain
Services (AD DS) domain. This includes using Microsoft Entra hybrid join, where you
can benefit from some of the functionality provided by Microsoft Entra ID.
To join session hosts to Microsoft Entra ID or an Active Directory domain, you need the
following permissions:
For Microsoft Entra ID, you need an account that can join computers to your
tenant. For more information, see Manage device identities. To learn more about
joining session hosts to Microsoft Entra ID, see Microsoft Entra joined session
hosts.
For an Active Directory domain, you need a domain account that can join
computers to your domain. For Microsoft Entra Domain Services, you would need
to be a member of the AAD DC Administrators group.
Users
Your users need accounts that are in Microsoft Entra ID. If you're also using AD DS or
Microsoft Entra Domain Services in your deployment of Azure Virtual Desktop, these
accounts need to be hybrid identities, which means the user accounts are synchronized.
You need to keep the following things in mind based on which identity provider you
use:
If you're using Microsoft Entra ID with AD DS, you need to configure Microsoft
Entra Connect to synchronize user identity data between AD DS and Microsoft
Entra ID.
If you're using Microsoft Entra ID with Microsoft Entra Domain Services, user
accounts are synchronized one way from Microsoft Entra ID to Microsoft Entra
Domain Services. This synchronization process is automatic.
Important
The user account must exist in the Microsoft Entra tenant you use for Azure Virtual
Desktop. Azure Virtual Desktop doesn't support B2B, B2C, or personal Microsoft
accounts.
When using hybrid identities, either the UserPrincipalName (UPN) or the Security
Identifier (SID) must match across Active Directory Domain Services and Microsoft
Entra ID. For more information, see Supported identities and authentication
methods.
Identity scenario Session hosts User accounts
For more detailed information about supported identity scenarios, including single sign-
on and multifactor authentication, see Supported identities and authentication methods.
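The UPN-or-SID requirement above is easy to break with a UPN suffix change or a re-created AD object. As an added example (not code from the original article or from Microsoft), the following PowerShell function checks, for a list of users, that the AD DS object and the Microsoft Entra ID object agree on the SID or the UPN, and flags accounts Azure Virtual Desktop can't use (guests, users missing from the tenant, or AD-only users). It assumes the ActiveDirectory (RSAT) and Microsoft.Graph.Users modules are installed and Connect-MgGraph -Scopes 'User.Read.All' has been run; the sample UPNs are placeholders.

```powershell
# Added example, not part of the original article. Assumes RSAT ActiveDirectory and
# Microsoft.Graph.Users modules, an authenticated Graph session; UPNs are placeholders.
function Test-AvdHybridIdentity {
    param([Parameter(Mandatory)][string[]] $UserPrincipalName)

    foreach ($upn in $UserPrincipalName) {
        # Escape single quotes so a UPN can't break out of the filter expressions.
        $safe = $upn -replace "'", "''"

        $ad = Get-ADUser -Filter "UserPrincipalName -eq '$safe'" -ErrorAction SilentlyContinue
        $mg = Get-MgUser -Filter "userPrincipalName eq '$safe'" `
                -Property Id, UserPrincipalName, OnPremisesSecurityIdentifier, OnPremisesSyncEnabled, UserType `
                -ErrorAction SilentlyContinue | Select-Object -First 1

        $status =
            if (-not $ad -and -not $mg)          { 'NotFound' }
            elseif (-not $mg)                     { 'NotInEntraTenant' }   # Entra ID always authenticates the user
            elseif ($mg.UserType -eq 'Guest')     { 'GuestNotSupported' }  # B2B guests aren't supported
            elseif (-not $ad)                     { 'CloudOnly' }          # fine for Entra-joined hosts, not for AD DS-joined ones
            elseif ($ad.SID.Value -eq $mg.OnPremisesSecurityIdentifier)   { 'OK-SidMatch' }
            elseif ($ad.UserPrincipalName -eq $mg.UserPrincipalName)      { 'OK-UpnMatch' }
            else                                  { 'Mismatch' }

        [PSCustomObject]@{
            UserPrincipalName = $upn
            AdSid             = $ad.SID.Value
            EntraOnPremSid    = $mg.OnPremisesSecurityIdentifier
            Synced            = $mg.OnPremisesSyncEnabled
            Status            = $status
        }
    }
}

Test-AvdHybridIdentity -UserPrincipalName 'alice@contoso.com', 'bob@contoso.com' | Format-Table -AutoSize
```

A Mismatch result usually means the Entra object was created before Microsoft Entra Connect matched it to the AD object, or the AD object was deleted and re-created with a new SID; fixing the synchronization is the remedy, not editing the UPN on one side.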
Set up FSLogix Profile Container with Azure Files and Active Directory Domain
Services or Microsoft Entra Domain Services.
Set up FSLogix Profile Container with Azure Files and Microsoft Entra ID.
Set up FSLogix Profile Container with Azure NetApp Files
Deployment parameters
You need to enter the following identity parameters when deploying session hosts:
The account you use for joining a domain can't have multi-factor authentication
(MFA) enabled.
Operating systems: Windows 11 Enterprise multi-session, Windows 11 Enterprise,
Windows 10 Enterprise multi-session, Windows 10 Enterprise
Licenses: Microsoft 365 E3, E5, A3, A5, F3, Business Premium, Student Use Benefit;
Windows Enterprise E3, E5; Windows Education A3, A5; Windows VDA per user
Alternative for external users: Per-user access pricing by enrolling an Azure
subscription
To learn more about licenses you can use, including per-user access pricing, see
Licensing Azure Virtual Desktop.
Important
The following items are not supported:
32-bit operating systems.
N, KN, LTSC, and other editions of Windows operating systems not listed in
the previous table.
Ultra disks for the OS disk type.
Ephemeral OS disks for Azure VMs.
Virtual Machine Scale Sets.
For Azure, you can use operating system images provided by Microsoft in the Azure
Marketplace , or create your own custom images stored in an Azure Compute Gallery
or as a managed image. Using custom image templates for Azure Virtual Desktop
enables you to easily create a custom image that you can use when deploying session
host virtual machines (VMs). To learn more about how to create custom images, see:
Alternatively, for Azure Stack HCI you can use operating system images from:
Azure Marketplace. For more information, see Create Azure Stack HCI VM image
using Azure Marketplace images.
Azure Storage account. For more information, see Create Azure Stack HCI VM
image using image in Azure Storage account.
A local share. For more information, see Create Azure Stack HCI VM image using
images in a local share.
You can deploy virtual machines (VMs) to be used as session hosts from these images
with any of the following methods:
Automatically, as part of the host pool setup process in the Azure portal.
Manually by adding session hosts to an existing host pool in the Azure portal.
Programmatically, with Azure CLI or Azure PowerShell.
If your license entitles you to use Azure Virtual Desktop, you don't need to install or
apply a separate license. However, if you're using per-user access pricing for external
users, you need to enroll an Azure subscription. You need to make sure the Windows
license used on your session hosts is correctly assigned in Azure and the operating
system is activated. For more information, see Apply Windows license to session host
virtual machines.
For session hosts on Azure Stack HCI, you must license and activate the virtual machines
you use before you use them with Azure Virtual Desktop. For activating Windows 10 and
Windows 11 Enterprise multi-session, and Windows Server 2022 Datacenter: Azure
Edition, use Azure verification for VMs. For all other OS images (such as Windows 10 and
Windows 11 Enterprise, and other editions of Windows Server), you should continue to
use existing activation methods. For more information, see Activate Windows Server
VMs on Azure Stack HCI.
Note
To ensure continued functionality with the latest security update, update your VMs
on Azure Stack HCI to the latest cumulative update by June 17, 2024. This update is
essential for VMs to continue using Azure benefits. For more information, see
Azure verification for VMs.
Tip
To simplify user access rights during initial development and testing, Azure Virtual
Desktop supports Azure Dev/Test pricing. If you deploy Azure Virtual Desktop in
an Azure Dev/Test subscription, end users may connect to that deployment without
separate license entitlement in order to perform acceptance tests or provide
feedback.
Network
There are several network requirements you need to meet to successfully deploy Azure
Virtual Desktop. This lets users connect to their desktops and applications while also
giving them the best possible user experience.
Users connecting to Azure Virtual Desktop securely establish a reverse connection to the
service, which means you don't need to open any inbound ports. Transmission Control
Protocol (TCP) on port 443 is used by default; however, RDP Shortpath can be used for
managed networks and public networks, which establishes a direct User Datagram
Protocol (UDP)-based transport.
To successfully deploy Azure Virtual Desktop, you need to meet the following network
requirements:
You need a virtual network and subnet for your session hosts. If you create your
session hosts at the same time as a host pool, you must create this virtual network
in advance for it to appear in the drop-down list. Your virtual network must be in
the same Azure region as the session host.
Make sure this virtual network can connect to your domain controllers and relevant
DNS servers if you're using AD DS or Microsoft Entra Domain Services, since you
need to join session hosts to the domain.
Your session hosts and users need to be able to connect to the Azure Virtual
Desktop service. These connections also use TCP on port 443 to a specific list of
URLs. For more information, see Required URL list. You must make sure these URLs
aren't blocked by network filtering or a firewall in order for your deployment to
work properly and be supported. If your users need to access Microsoft 365, make
sure your session hosts can connect to Microsoft 365 endpoints.
Your users might need access to applications and data that is hosted on different
networks, so make sure your session hosts can connect to them.
Round-trip time (RTT) latency from the client's network to the Azure region that
contains the host pools should be less than 150 ms. To see which locations have
the best latency, look up your desired location in Azure network round-trip latency
statistics. To optimize for network performance, we recommend you create session
hosts in the Azure region closest to your users.
Use Azure Firewall for Azure Virtual Desktop deployments to help you lock down
your environment and filter outbound traffic.
Note
To keep Azure Virtual Desktop reliable and scalable, we aggregate traffic patterns
and usage to check the health and performance of the infrastructure control plane.
We aggregate this information from all locations where the service infrastructure is,
then send it to the US region. The data sent to the US region includes scrubbed
data, but not customer data. For more information, see Data locations for Azure
Virtual Desktop.
Don't enable any policies or configurations that disable Windows Installer. If you
disable Windows Installer, the service can't install agent updates on your session
hosts, and your session hosts won't function properly.
If you're joining session hosts to an AD DS domain and you want to manage them
using Intune, you need to configure Microsoft Entra Connect to enable Microsoft
Entra hybrid join.
If you're joining session hosts to a Microsoft Entra Domain Services domain, you
can't manage them using Intune.
If you're using Microsoft Entra join with Windows Server for your session hosts,
you can't enroll them in Intune as Windows Server isn't supported with Intune. You
need to use Microsoft Entra hybrid join and Group Policy from an Active Directory
domain, or local Group Policy on each session host.
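The following Azure PowerShell snippet is an added example, not code from the Microsoft article. It builds a network security group for a session host subnet that matches the requirements above: no inbound ports are opened (the reverse connection from session hosts to the service makes them unnecessary), and outbound TCP 443 to the Azure Virtual Desktop control plane is explicitly allowed through the WindowsVirtualDesktop service tag. The resource group, region, virtual network and subnet names are assumptions.

```powershell
# Added example (not from the Microsoft article): an NSG for an Azure Virtual Desktop
# session host subnet that reflects the network requirements of the service.
# Assumptions (hypothetical names): resource group rg-avd, region westeurope,
# virtual network vnet-avd with subnet snet-avd-hosts. Requires the Az.Network module
# and an existing Connect-AzAccount session.

$resourceGroup = 'rg-avd'          # assumed
$location      = 'westeurope'      # assumed; the NSG lives in the session hosts' region
$vnetName      = 'vnet-avd'        # assumed
$subnetName    = 'snet-avd-hosts'  # assumed

# Outbound: session hosts reach the AVD control plane over TCP 443 (reverse connect).
# The WindowsVirtualDesktop service tag covers the service's own endpoints. The full
# Required URL list includes other endpoints (identity, Windows Update, Microsoft 365),
# so any firewall or proxy that filters by FQDN must still allow those; the article's
# recommendation for outbound filtering is Azure Firewall, which can filter by FQDN,
# not an NSG.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'AllowAvdControlPlaneOutbound' -Priority 100 `
        -Direction Outbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
        -DestinationAddressPrefix WindowsVirtualDesktop -DestinationPortRange 443
)
# No inbound Allow rule is added on purpose. The service never initiates a connection
# to the session hosts from the internet, so the default DenyAllInBound rule
# (priority 65500) is what applies to traffic from outside the virtual network.
# Domain controller and DNS traffic inside the virtual network is still permitted by
# the default AllowVnetInBound / AllowVnetOutBound rules.

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-avd-hosts' -ResourceGroupName $resourceGroup `
    -Location $location -SecurityRules $rules

# Associate the NSG with the session host subnet without touching its other settings.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $subnetName }
$subnet.NetworkSecurityGroup = $nsg
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Verify: the NSG carries no custom inbound Allow rules (public inbound ports would
# contradict the reverse-connect model).
$inboundAllow = $nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' }
if ($inboundAllow) {
    Write-Warning "Unexpected inbound allow rules: $($inboundAllow.Name -join ', ')"
} else {
    Write-Output "NSG $($nsg.Name): no inbound allow rules; outbound 443 to WindowsVirtualDesktop allowed."
}
```

When the portal's Virtual machines tab asks about Public inbound ports, the equivalent of this NSG is selecting No; the NSG above makes that choice explicit and reviewable in code.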
Azure regions
You can deploy host pools, workspaces, and application groups in the following Azure
regions. This list of regions is where the metadata for the host pool can be stored.
However, session hosts for the user sessions can be located in any Azure region, and on-
premises when using Azure Virtual Desktop on Azure Stack HCI, enabling you to deploy
compute resources close to your users. For more information about the types of data
and locations, see Data locations for Azure Virtual Desktop.
Australia East
Canada Central
Canada East
Central India
Central US
East US
East US 2
Japan East
North Central US
North Europe
South Central US
UK South
UK West
West Central US
West Europe
West US
West US 2
West US 3
Azure Virtual Desktop is also available in sovereign clouds, such as Azure for US
Government and Azure operated by 21Vianet in China.
To learn more about the architecture and resilience of the Azure Virtual Desktop service,
see Azure Virtual Desktop service architecture and resilience.
Important
Azure Virtual Desktop doesn't support connections from the RemoteApp and
Desktop Connections (RADC) client or the Remote Desktop Connection (MSTSC)
client.
To learn which URLs clients use to connect and that you must allow through firewalls
and internet filters, see the Required URL list.
Next steps
For a simple way to get started with Azure Virtual Desktop by creating a sample
infrastructure, see Tutorial: Deploy a sample Azure Virtual Desktop infrastructure
with a Windows 11 desktop.
For a more in-depth and adaptable approach to deploying Azure Virtual Desktop,
see Deploy Azure Virtual Desktop.
Important
Host pools with a session host configuration for Azure Virtual Desktop are currently
in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews
for legal terms that apply to Azure features that are in beta, preview, or otherwise
not yet released into general availability.
Host pools are logical groupings of session host virtual machines that have the same
configuration and serve the same workload. You can choose one of two host pool
management approaches, standard and using a session host configuration (preview). In
this article, you learn about each management approach and the differences between
them to help you decide which one to use.
Caution
Currently the host pool management approach is set when you create a host pool
and can't be changed later. The management approach is stored in the host pool's
properties. Later in the preview for using a session host configuration, we plan to
enable any host pool to use a session host configuration.
A session host management policy specifies how session hosts should be created
and updated.
Session host update updates session hosts when there's an update made to the
session host configuration. Session host update ensures that all session hosts in
the pool have the same configuration.
Autoscale dynamically scales the number of session hosts up and down based on
the actual usage and the schedules defined in the scaling plan.
Important
You can only join session hosts to an Active Directory domain. Joining session
hosts to Microsoft Entra ID isn't supported, but you can use Microsoft Entra
hybrid join.
VM image
VM name prefix
VM resource group
VM size
OS disk information
Domain join information
VM network configuration
VM location
VM availability zones
VM security type
VM admin credentials
VM boot diagnostics information
Custom configuration PowerShell script
VM Tags
Any newly created session hosts are created from the session host configuration for the
host pool. To update the session hosts in your host pool, first you must update the
session host configuration. After updating the session host configuration, you schedule
when you would like that update to be applied to the session hosts in the host pool
using the session host update feature. If there are no session hosts in the host pool, any
property of the session host configuration can be changed without needing to schedule
a session host update.
For a comparison of host pool with a session host configuration and a host pool with
standard management, see Compare host pool management approaches.
When you use the Azure portal, a default session host management policy is created
when you create a host pool with a session host configuration. You can override its
values when updating session hosts, or you can also update the session host
management policy at any time using PowerShell.
The session host management policy has the following parameters (the Azure portal default value is given in parentheses):
Time zone: The time zone to use when scheduling an update of the session hosts in a host pool. (Default: UTC)
Save original VM: Determines whether to save the original virtual machine (VM) before the update. This parameter is useful in rollback scenarios, but normal costs apply for storing the original VM's components. (Default: the original VM is saved)
Logoff delay in minutes: The amount of time to wait after an update start time for users to be notified to sign out, between 0 and 60 minutes. Users will automatically be signed out after this time elapses. (Default: 2)
Logoff message: A message to display to users that the session host they're connected to will be updated. (Default: "You will be signed out")
The following comparison lists each scenario or feature for a host pool with a session host configuration and for a host pool with standard management.
Create session hosts
Session host configuration: Add session hosts using the Azure portal based on the session host configuration. You can't retrieve a registration token to add session hosts created outside of Azure Virtual Desktop to a host pool.
Standard management: Add session hosts using your preferred method, then use a registration token to add them to a host pool. If you use the Azure portal, you need to input the configuration each time.
Configure session hosts
Session host configuration: The session host configuration ensures the configuration of session hosts is consistent.
Standard management: You have to ensure the configuration of session hosts in the host pool is consistent. Session host configuration isn't available.
Scale session hosts
Session host configuration: Use autoscale to turn session hosts on and off or create and delete session hosts based on a schedule and usage.
Standard management: Use autoscale to turn session hosts on and off based on a schedule and usage.
Update session host image
Session host configuration: Use session host update to update the image and configuration of your session hosts based on the session host management policy and session host configuration.
Standard management: Use your own existing tools and processes, such as automated pipelines and custom scripts, to update the image and configuration of your session hosts. You can't use session host update.
Next steps
Learn how to Deploy Azure Virtual Desktop with a session host configuration or
standard management.
Important
Azure Virtual Desktop on Azure Local for Azure Government and for Azure
operated by 21Vianet (Azure in China).
For legal terms that apply to Azure features that are in beta, in preview, or
otherwise not yet released into general availability, see Supplemental Terms of Use
for Microsoft Azure Previews .
This article shows you how to deploy Azure Virtual Desktop on Azure, Azure Local, or
Azure Extended Zones by using the Azure portal, the Azure CLI, or Azure PowerShell. To
deploy Azure Virtual Desktop, you:
You can do all these tasks in a single process when using the Azure portal, but you can
also do them separately.
When you create a host pool, you can choose one of two management approaches:
Session host configuration (preview) is available for pooled host pools with session
hosts on Azure. Azure Virtual Desktop manages the lifecycle of session hosts in a
pooled host pool for you by using a combination of native features to provide an
integrated and dynamic experience.
Standard management is available for pooled and personal host pools with session
hosts on Azure or Azure Local. You manage creating, updating, and scaling session
hosts in a host pool. If you want to use existing tools and processes, such as
automated pipelines, custom scripts, or external partner solutions, you need to use
the standard host pool management type.
For more information on the terminology used in this article, see Azure Virtual Desktop
terminology. For more information about the Azure Virtual Desktop service, see Azure
Virtual Desktop service architecture and resilience.
Tip
Select a button at the top of this article to choose between host pools using
standard management or host pools using session host configuration to see the
relevant documentation.
Prerequisites
For a general idea of what's required and supported, such as operating systems (OSs),
virtual networks, and identity providers, review Prerequisites for Azure Virtual Desktop.
That article also includes a list of the supported Azure regions in which you can deploy
host pools, workspaces, and application groups. This list of regions is where the
metadata for the host pool can be stored. However, session hosts can be located in any
Azure region and on-premises with Azure Local. For more information about the types
of data and locations, see Data locations for Azure Virtual Desktop.
For more prerequisites, including role-based access control (RBAC) roles, select the
relevant tab for your scenario.
Azure portal
The Azure account that you use must have the following built-in RBAC roles or
equivalent as a minimum on a resource group or subscription to create the
following resource types. If you want to assign the roles to a resource group,
you need to create the resource group first.
Resource type and the RBAC role it requires:
Session hosts (Azure and Azure Extended Zones): Virtual Machine Contributor
application group. Built-in RBAC roles that include this permission are User
Access Administrator and Owner.
An Azure Local instance registered with Azure. Your Azure Local instances
need to be running a minimum of version 23H2. For more information, see
Azure Stack HCI, version 23H2 deployment overview. Azure Arc VM
management is installed automatically.
A logical network that you created on your Azure Local instance. DHCP
logical networks or static logical networks with automatic IP allocation are
supported. For more information, see Create logical networks for Azure
Local.
Azure portal
2. On the search bar, enter Azure Virtual Desktop and select the matching
service entry.
Subscription: In the dropdown list, select the subscription where you want to create the host pool.
Resource group: Select an existing resource group, or select Create new and enter a name.
Host pool name: Enter a name for the host pool, such as hp01.
Location: Select the Azure region where you want to create your host pool.
Preferred app group type: Select the preferred application group type for this host pool: Desktop or RemoteApp. A desktop application group is created automatically when you use the Azure portal.
Host pool type: Select whether you want your host pool to be Personal or Pooled. If you select Pooled, two new options appear for Load balancing algorithm and Max session limit.
- For Max session limit, enter the maximum number of users that you want load-balanced to a single session host. For more information, see Host pool load-balancing algorithms.
Tip
After you complete this tab, you can continue to optionally create session
hosts, create a workspace, register the default desktop application group
from this host pool, and enable diagnostic settings by selecting Next:
Virtual Machines. Alternatively, if you want to create and configure these
resources separately, select Next: Review + create and go to step 9.
5. Optional: On the Virtual machines tab, if you want to add session hosts,
expand one of the following sections and complete the information,
depending on whether you want to create session hosts on Azure or on Azure
Local. For guidance on sizing session host virtual machines, see Session host
virtual machine sizing guidelines.
Add virtual machines: Select Yes. This action shows several new options.
Resource group: This value defaults to the resource group that you chose to contain your host pool on the Basics tab, but you can select an alternative.
Name prefix: Enter a name prefix for your session hosts, such as hp01-sh.
Virtual machine location: Select the Azure region where you want to deploy your session hosts. This value must be the same region that contains your virtual network.
Image: Select the OS image that you want to use from the list, or select See all images to see more. The full list includes any images that you created and stored as an Azure Compute Gallery shared image or a managed image.
Virtual machine size: Select a size. If you want to use a different size, select Change size, and then select from the list.
Number of VMs: Enter the number of virtual machines that you want to deploy. You can deploy up to 400 session hosts at this point if you want (depending on your subscription quota), or you can add more later.
OS disk type: Select the disk type to use for your session hosts. We recommend that you use only Premium SSD for production workloads.
Network and security
Network security group: Select whether you want to use a network security group (NSG).
- None doesn't create a new NSG.
Public inbound ports: You can select a port to allow from the list. Azure Virtual Desktop doesn't require public inbound ports, so we recommend that you select No.
Domain to join
Virtual Machine Administrator account
Username: Enter a name to use as the local administrator account for the new session hosts.
Custom configuration
Add virtual machines: Select Yes. This action shows several new options.
Resource group: This value defaults to the resource group that you chose to contain your host pool on the Basics tab, but you can select an alternative.
Name prefix: Enter a name prefix for your session hosts, such as hp01-sh.
Custom location: In the dropdown list, select the Azure Local instance where you want to deploy your session hosts.
Images: Select the OS image that you want to use from the list, or select Manage VM images to manage the images available on the instance that you selected.
Number of VMs: Enter the number of virtual machines that you want to deploy. You can add more later.
Virtual processor count: Enter the number of virtual processors that you want to assign to each session host. This value isn't validated against the resources available in the instance.
Memory type: Select Static for a fixed memory allocation, or select Dynamic for a dynamic memory allocation.
Memory (GB): Enter a number for the amount of memory, in gigabytes, that you want to assign to each session host. This value isn't validated against the resources available in the instance.
Maximum memory: If you selected dynamic memory allocation, enter a number for the maximum amount of memory, in gigabytes, that you want your session host to be able to use.
Minimum memory: If you selected dynamic memory allocation, enter a number for the minimum amount of memory, in gigabytes, that you want your session host to be able to use.
Network and security
Domain to join
Select which directory you would like to join: Active Directory is the only available option. This includes using Microsoft Entra hybrid join.
AD domain join UPN: Enter the user principal name (UPN) of an Active Directory user who has permission to join the session hosts to your domain.
Specify domain or unit: Select yes if you want to join session hosts to a specific domain or be placed in a specific organizational unit (OU). If you select no, the suffix of the UPN is used as the domain.
Virtual Machine Administrator account
Username: Enter a name to use as the local administrator account for the new session hosts.
Add virtual machines: Select Yes. This action shows several new options.
Resource group: This value defaults to the resource group that you chose to contain your host pool on the Basics tab, but you can select an alternative.
Name prefix: Enter a name prefix for your session hosts, such as hp01-sh.
Network and security
Select a load balancer: Select an existing Azure load balancer on the same virtual network you want to use for your session hosts, or select Create a load balancer to create a new load balancer.
Select a backend pool: Select a backend pool on the load balancer you want to use for your session hosts. If you're creating a new load balancer, select Create new to create a new backend pool for the new load balancer.
Add outbound rule: If you're creating a new load balancer, select Create new to create a new outbound rule for it.
Register desktop app group: Select Yes. This action registers the default desktop application group to the selected workspace.
To this workspace: Select an existing workspace from the list, or select Create new and enter a name, such as ws01.
8. Optional: On the Tags tab, you can enter any name/value pairs that you need,
and then select Next: Review + create.
9. On the Review + create tab, ensure that validation passes and review the
information that will be used during deployment.
11. Select Go to resource to go to the overview of your new host pool, and then
select Properties to view its properties.
Post-deployment tasks
If you also added session hosts to your host pool, you need to do some extra
configuration, as described in the following sections.
Licensing
To ensure that your session hosts have licenses applied correctly, you need to do
the following tasks:
If you have the correct licenses to run Azure Virtual Desktop workloads, you
can apply a Windows or Windows Server license to your session hosts as part
of Azure Virtual Desktop and run them without paying for a separate license.
This license is automatically applied when you create session hosts by using
the Azure Virtual Desktop service, but you might have to apply the license
separately if you create session hosts outside Azure Virtual Desktop. For more
information, see Apply a Windows license to session host virtual machines.
If your session hosts are running a Windows Server OS, you also need to issue
them a Remote Desktop Services (RDS) client access license (CAL) from an RDS
license server. For more information, see License your RDS deployment with
client access licenses.
For session hosts on Azure Local, you must license and activate the virtual
machines before you use them with Azure Virtual Desktop. For activating VMs
that use Windows 10 Enterprise multi-session, Windows 11 Enterprise multi-
session, and Windows Server 2022 Datacenter: Azure Edition, use Azure
verification for VMs. For all other OS images (such as Windows 10 Enterprise,
Windows 11 Enterprise, and other editions of Windows Server), you should
continue to use existing activation methods. For more information, see
Activate Windows Server VMs on Azure Local.
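Both the licensing prerequisite earlier in this page and the post-deployment licensing task above come down to the same check: every Azure VM behind a host pool must carry the right Windows license type, which the service sets automatically for session hosts it creates but not for hosts created outside Azure Virtual Desktop. The Azure PowerShell functions below are an added example, not code from the Microsoft article. They walk the session hosts of a host pool, read the license type of each underlying VM, report drift, and optionally set the missing value. The resource group and host pool names are assumptions, and the rule that Marketplace offers containing "WindowsServer" are server SKUs (which use Windows_Server and also need an RDS CAL) while everything else is a client SKU (Windows_Client) is a stated heuristic.

```powershell
# Added example (not from the Microsoft article): audit and apply the Windows license type
# on the VMs behind an Azure Virtual Desktop host pool.
# Assumptions (hypothetical names): resource group rg-avd, host pool hp01. Requires the
# Az.DesktopVirtualization and Az.Compute modules and an existing Connect-AzAccount session.

function Get-AvdSessionHostLicenseState {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $HostPoolName
    )

    foreach ($sh in Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName) {
        # The session host's ResourceId is the ARM ID of the underlying VM, in the form
        # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>.
        # The VM may live in a different resource group than the host pool, so parse both parts.
        if ($sh.ResourceId -notmatch '/resourceGroups/([^/]+)/.*/virtualMachines/([^/]+)$') {
            Write-Warning "Session host $($sh.Name) has no Azure VM resource ID; skipping."
            continue
        }
        $vmRg   = $Matches[1]
        $vmName = $Matches[2]
        $vm     = Get-AzVM -ResourceGroupName $vmRg -Name $vmName

        # Heuristic (assumption): Marketplace offers containing "WindowsServer" are server SKUs
        # and use Windows_Server (they additionally need an RDS CAL, which this script does not
        # handle); Windows 10/11 Enterprise and multi-session images use Windows_Client.
        $offer    = $vm.StorageProfile.ImageReference.Offer
        $expected = if ($offer -match 'WindowsServer') { 'Windows_Server' } else { 'Windows_Client' }

        [pscustomobject]@{
            SessionHost     = $sh.Name
            VmResourceGroup = $vmRg
            VmName          = $vmName
            Offer           = $offer
            LicenseType     = $vm.LicenseType
            Expected        = $expected
            Compliant       = ($vm.LicenseType -eq $expected)
        }
    }
}

function Set-AvdSessionHostLicense {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        [switch] $WhatIf
    )

    Get-AvdSessionHostLicenseState -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName |
        Where-Object { -not $_.Compliant } |
        ForEach-Object {
            if ($WhatIf) {
                Write-Output "Would set LicenseType '$($_.Expected)' on $($_.VmName) (currently '$($_.LicenseType)')"
                return
            }
            # Setting LicenseType on an existing VM is an in-place update; no reboot is required.
            $vm = Get-AzVM -ResourceGroupName $_.VmResourceGroup -Name $_.VmName
            $vm.LicenseType = $_.Expected
            Update-AzVM -ResourceGroupName $_.VmResourceGroup -VM $vm | Out-Null
            Write-Output "Set LicenseType '$($_.Expected)' on $($_.VmName)"
        }
}

# Usage (assumed names): report first, then apply.
Get-AvdSessionHostLicenseState -ResourceGroupName 'rg-avd' -HostPoolName 'hp01' | Format-Table
Set-AvdSessionHostLicense -ResourceGroupName 'rg-avd' -HostPoolName 'hp01' -WhatIf
```

Run the report in a pipeline after adding session hosts with your own tooling; a VM with an empty LicenseType is billed as if no qualifying license existed, and Windows Server hosts still need the RDS CAL described above regardless of the license type set here.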
Note
If you created a host pool and a workspace, and you registered the
default desktop application group from this host pool in the same
process, go to the section Assign users to an application group and
complete the rest of the article. A desktop application group (whichever
application group type you set as preferred) is created automatically
when you use the Azure portal.
If you created a host pool and workspace in the same process, but you
didn't register the default desktop application group from this host pool,
go to the section Create an application group and complete the rest of
the article.
Create a workspace
Next, to create a workspace, select the relevant tab for your scenario and follow the
steps.
Azure portal
1. On the Azure Virtual Desktop overview, select Workspaces, and then select
Create.
Subscription: In the dropdown list, select the subscription where you want to create the workspace.
Resource group: Select an existing resource group, or select Create new and enter a name.
Location: Select the Azure region where you want to deploy your workspace.
Tip
After you complete this tab, you can continue to optionally register an
existing application group to this workspace, if you have one, and enable
diagnostic settings by selecting Next: Application groups. Alternatively, if
you want to create and configure these resources separately, select
Review + create and go to step 9.
Register application groups: Select Yes, and then select + Register application groups. On the new pane that opens, select the Add icon for the application groups that you want to add, and then choose Select.
5. Optional: On the Tags tab, you can enter any name/value pairs that you need,
and then select Next: Review + create.
6. On the Review + create tab, ensure that validation passes and review the
information that will be used during deployment.
Azure portal
1. On the Azure Virtual Desktop overview, select Application groups, and then
select Create.
Subscription: In the dropdown list, select the subscription where you want to create the application group.
Resource group: Select an existing resource group, or select Create new and enter a name.
Host pool: Select the host pool for the application group.
Application group type: Select the application group type for the host pool: Desktop or RemoteApp.
Application group name: Enter a name for the application group, such as Session Desktop.
Tip
After you complete this tab, select Next: Review + create. You don't need
to complete the other tabs to create an application group, but you need
to create a workspace, add an application group to a workspace, and
assign users to the application group before users can access the
resources.
If you created an application group for RemoteApp, you also need to add
applications to it. For more information, see Publish applications.
3. Optional: If you chose to create a RemoteApp application group, you can add
applications to this group. On the Application groups tab, select + Add
applications, and then select an application. For more information on the
application parameters, see Publish applications with RemoteApp. At least one
session host in the host pool must be turned on and available in Azure Virtual
Desktop.
After you complete this tab, or if you're creating a desktop application group,
select Next: Assignments.
Register application group: Select Yes. This action registers the default desktop application group to the selected workspace.
7. Optional: On the Tags tab, you can enter any name/value pairs that you need,
and then select Next: Review + create.
8. On the Review + create tab, ensure that validation passes and review the
information that will be used during deployment.
Azure portal
Here's how to add an application group to a workspace by using the Azure portal:
1. On the Azure Virtual Desktop overview, select Workspaces, and then select
the name of the workspace to which you want to assign an application group.
2. On the workspace overview, select Application groups, and then select + Add.
3. In the list, select the plus icon (+) next to an application group. Only
application groups that aren't already assigned to a workspace are listed.
The account you use needs permission to assign roles in Azure RBAC on the application
group after it's created. The permission is
Microsoft.Authorization/roleAssignments/write, which is included in some built-in
Azure portal
Here's how to assign users or user groups to an application group by using the
Azure portal:
4. Select + Add, and then search for and select the user account or user group
that you want to assign to this application group.
5. Finish by choosing Select.
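The portal steps above (create a host pool, optionally add session hosts, create a workspace, create an application group, add it to the workspace, assign users) are one procedure, and the page notes it can also be done with Azure PowerShell. The script below is an added example, not code from the Microsoft article, that performs that procedure for a pooled host pool with standard management. The resource group, region, resource names and the Entra ID group object ID are assumptions; the registration token is treated as a secret because anyone who holds it can join a VM to the host pool.

```powershell
# Added example (not from the Microsoft article): create a pooled host pool, a short-lived
# registration token, a desktop application group, a workspace that publishes it, and a
# role assignment granting a user group access. Assumptions (hypothetical names):
# resource group rg-avd in westeurope, host pool hp01, application group hp01-dag,
# workspace ws01. Requires Az.DesktopVirtualization and Az.Resources, and Connect-AzAccount.

$rg            = 'rg-avd'      # assumed
$location      = 'westeurope'  # assumed; must be one of the supported metadata regions
$hostPoolName  = 'hp01'        # assumed
$appGroupName  = 'hp01-dag'    # assumed
$workspaceName = 'ws01'        # assumed
$userGroupId   = '<object-id-of-entra-group>'  # placeholder: Entra ID group to grant access

# 1. Host pool: pooled, breadth-first load balancing, at most 10 users per session host.
$hostPool = New-AzWvdHostPool -ResourceGroupName $rg -Name $hostPoolName -Location $location `
    -HostPoolType Pooled -LoadBalancerType BreadthFirst -PreferredAppGroupType Desktop `
    -MaxSessionLimit 10

# 2. Registration token for session hosts you build with your own tooling.
#    Keep it short-lived (24 h here) and out of logs; it is the credential that lets a VM
#    join this host pool. The token is handed to the session host agent on each VM.
$expiry = (Get-Date).ToUniversalTime().AddHours(24).ToString('yyyy-MM-ddTHH:mm:ss.fffffffZ')
$registration = New-AzWvdRegistrationInfo -ResourceGroupName $rg -HostPoolName $hostPoolName `
    -ExpirationTime $expiry
$token = $registration.Token   # consume in your session host build; never echo to output

# 3. Desktop application group attached to the host pool.
$appGroup = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name $appGroupName -Location $location `
    -HostPoolArmPath $hostPool.Id -ApplicationGroupType Desktop

# 4. Workspace that publishes the application group to users (the portal's
#    "Register desktop app group: Yes" step).
$workspace = New-AzWvdWorkspace -ResourceGroupName $rg -Name $workspaceName -Location $location `
    -ApplicationGroupReference $appGroup.Id

# 5. Assign the user group. The caller needs Microsoft.Authorization/roleAssignments/write
#    on the application group (for example Owner or User Access Administrator). The scope
#    is the application group itself, so users get no rights on the resource group.
New-AzRoleAssignment -ObjectId $userGroupId -RoleDefinitionName 'Desktop Virtualization User' `
    -Scope $appGroup.Id | Out-Null

# Summary of what was created. The token is deliberately not included.
[pscustomobject]@{
    HostPool         = $hostPool.Name
    ApplicationGroup = $appGroup.Name
    Workspace        = $workspace.Name
    UserGroup        = $userGroupId
    TokenExpiresUtc  = $expiry
}
```

Session hosts are added afterwards by installing the agent with $token on each VM, or by letting the portal create them; either way the role assignment in step 5 is what decides who can sign in, so review it with the same care as any other RBAC grant.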
Related content
Azure portal
After you deploy Azure Virtual Desktop, your users can connect from several
platforms, including a web browser. For more information, see Remote Desktop
clients for Azure Virtual Desktop and Connect to Azure Virtual Desktop with the
Remote Desktop Web client.
Here are some extra tasks that you might want to do:
You can quickly deploy Azure Virtual Desktop with the quickstart in the Azure portal.
This can be used in smaller scenarios with a few users and apps, or you can use it to
evaluate Azure Virtual Desktop in larger enterprise scenarios. It works with existing
Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services
deployments, or it can deploy Microsoft Entra Domain Services for you. Once you've
finished, a user will be able to sign in to a full virtual desktop session, consisting of one
host pool (with one or more session hosts), one application group, and one user. To
learn about the terminology used in Azure Virtual Desktop, see Azure Virtual Desktop
terminology.
Joining session hosts to Microsoft Entra ID with the quickstart is not supported. If you
want to join session hosts to Microsoft Entra ID, follow the tutorial to create a host pool.
Tip
You can see the list of resources that will be deployed further down in this article.
Prerequisites
Review Prerequisites for Azure Virtual Desktop for a general idea of what's required;
however, there are some differences when using the quickstart that you need to meet.
Select a tab below to show the instructions that are most relevant to your scenario.
Tip
If you don't already have other Azure resources, we recommend you select the
New Microsoft Entra Domain Services tab. This scenario will deploy everything you
need to be ready to connect to a full virtual desktop session. If you already have AD
DS or Microsoft Entra Domain Services, select the relevant tab for your scenario
instead.
Deployment steps
New Microsoft Entra Domain Services
Here's how to deploy Azure Virtual Desktop and a new Microsoft Entra Domain
Services domain using the quickstart:
2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.
3. Select Quickstart to open the landing page for the quickstart, then select
Start.
4. On the Basics tab, complete the following information, then select Next:
Virtual Machines >:
Subscription: The subscription you want to use from the drop-down list.
Resource group: Enter a name. This will be used as the prefix for the resource groups that are deployed.
Location: The Azure region where your Azure Virtual Desktop resources will be deployed.
Azure admin user name: The user principal name (UPN) of the account with the global administrator Microsoft Entra role assigned on the Azure tenant and the owner role on the subscription that you selected.
Domain admin user name: The user principal name (UPN) for a new Microsoft Entra account that will be added to a new AAD DC Administrators group and used to manage your Microsoft Entra Domain Services domain. The UPN suffix will be used as the Microsoft Entra Domain Services domain name. Make sure this user name meets the requirements noted in the prerequisites.
5. On the Virtual machines tab, complete the following information, then select Next: Assignments >:
Parameter: Value/Description
Users per virtual machine: Select Multiple users or One user at a time depending on whether you want users to share a session host or assign a session host to an individual user. Learn more about host pool types. Selecting Multiple users will also create an Azure Files storage account joined to the same Microsoft Entra Domain Services domain.
Image type: Select Gallery to choose from a predefined list, or Storage blob to enter a URI to the image.
Image: If you chose Gallery for image type, select the operating system image you want to use from the drop-down list. You can also select See all images to choose an image from the Azure Compute Gallery. If you chose Storage blob for image type, enter the URI of the image.
Virtual machine size: The Azure virtual machine size used for your session host(s).
Name prefix: The name prefix for your session host(s). Each session host will have a hyphen and then a number added to the end, for example avd-sh-1. This name prefix can be a maximum of 11 characters and will also be used as the device name in the operating system.
Number of virtual machines: The number of session hosts you want to deploy at this time. You can add more later.
Link Azure template: Tick the box if you want to link a separate ARM template for custom configuration on your session host(s) during deployment. You can specify inline deployment script, desired state configuration, and custom script extension. Provisioning other Azure resources in the template isn't supported. Untick the box if you don't want to link a separate ARM template during deployment.
ARM template file URL: The URL of the ARM template file you want to use. This could be stored in a storage account.
ARM template parameter file URL: The URL of the ARM template parameter file you want to use. This could be stored in a storage account.
Parameter: Value/Description
Create test user account: Tick the box if you want a new user account created during deployment for testing purposes.
Test user name: The user principal name (UPN) of the test account you want to be created, for example [email protected]. This user will be created in your new Microsoft Entra tenant, synchronized to Microsoft Entra Domain Services, and made a member of the AVDValidationUsers security group that is also created during deployment. It must contain a valid UPN suffix for your domain that is also added as a verified custom domain name in Microsoft Entra ID. Make sure this user name meets the requirements noted in the prerequisites.
7. On the Review + create tab, ensure validation passes and review the
information that will be used during deployment.
8. Select Create.
If you didn't create a test account or assign an existing user during deployment, you'll need to add users to the AVDValidationUsers security group before you can connect.
Clean up resources
If you want to remove Azure Virtual Desktop resources from your environment, you can
safely remove them by deleting the resource groups that were deployed. These are:
your-prefix-deployment
your-prefix-avd
your-prefix-prerequisite (only if you deployed the quickstart with a new Microsoft
Entra Domain Services domain)
2. In the search bar, type Resource groups and select the matching service entry.
3. Select the name of one of the resource groups, then select Delete resource group.
4. Review the affected resources, then type the resource group name in the box, and
select Delete.
Next steps
If you want to publish apps as well as the full virtual desktop, see the tutorial to Manage
application groups with the Azure portal.
If you'd like to learn how to deploy Azure Virtual Desktop in a more in-depth way, with
less permission required, or programmatically, check out our series of tutorials, starting
with Create a host pool with the Azure portal.
Azure Virtual Desktop uses Azure role-based access control (RBAC) to control access to
resources. There are many built-in roles for use with Azure Virtual Desktop that are a collection
of permissions. You assign roles to users and admins and these roles give permission to carry
out certain tasks. To learn more about Azure RBAC, see What is Azure RBAC?.
The standard built-in roles for Azure are Owner, Contributor, and Reader. However, Azure Virtual
Desktop has more roles that let you separate management roles for host pools, application
groups, and workspaces. This separation lets you have more granular control over
administrative tasks. These roles are named in compliance with Azure's standard roles and least-
privilege methodology. Azure Virtual Desktop doesn't have a specific Owner role, but you can
use the general Owner role for the service objects.
The built-in roles for Azure Virtual Desktop and the permissions for each one are detailed in this article. You can assign each role to the scope you need. Some Azure Virtual Desktop features have specific requirements for the assigned scope, which you can find in the documentation for the relevant feature. For more information, see Understand Azure role definitions and Understand scope for Azure RBAC.
actions:
  Microsoft.DesktopVirtualization/*
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.Resources/deployments/*
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Support/*
notActions: None
dataActions: None
notDataActions: None
Desktop Virtualization Reader
The Desktop Virtualization Reader role allows viewing all your Azure Virtual Desktop resources,
but doesn't allow changes.
ID: 49a72310-ab8d-41df-bbb0-79b649203868
actions:
  Microsoft.DesktopVirtualization/*/read
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.Resources/deployments/read
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/read
  Microsoft.Support/*
notActions: None
dataActions: None
notDataActions: None
ID: 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63
actions: None
notActions: None
dataActions:
  Microsoft.DesktopVirtualization/applicationGroups/useApplications/action
notDataActions: None
ID: e307426c-f9b6-4e81-87de-d99efb3c32bc
actions:
  Microsoft.DesktopVirtualization/hostpools/*
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.Resources/deployments/*
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Support/*
notActions: None
dataActions: None
notDataActions: None
ID: ceadfde2-b300-400a-ab7b-6143895aa822
actions:
  Microsoft.DesktopVirtualization/hostpools/*/read
  Microsoft.DesktopVirtualization/hostpools/read
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.Resources/deployments/read
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/read
  Microsoft.Support/*
notActions: None
dataActions: None
notDataActions: None
Desktop Virtualization Application Group
Contributor
The Desktop Virtualization Application Group Contributor role allows managing all aspects of an
application group. If you want to assign user accounts or user groups to application groups too,
you also need the User Access Administrator role.
ID: 86240b0e-9422-4c43-887b-b61143f32ba8
actions:
  Microsoft.DesktopVirtualization/applicationgroups/*
  Microsoft.DesktopVirtualization/hostpools/read
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.Resources/deployments/*
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Support/*
notActions: None
dataActions: None
notDataActions: None
ID: aebf23d0-b568-4e86-b8f9-fe83a2c6ab55
actions:
  Microsoft.DesktopVirtualization/applicationgroups/*/read
  Microsoft.DesktopVirtualization/applicationgroups/read
  Microsoft.DesktopVirtualization/hostpools/read
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.Resources/deployments/read
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/read
  Microsoft.Support/*
notActions: None
dataActions: None
notDataActions: None
ID: 21efdde3-836f-432b-bf3d-3e8e734d4b2b
actions:
  Microsoft.DesktopVirtualization/workspaces/*
  Microsoft.DesktopVirtualization/applicationgroups/read
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.Resources/deployments/*
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Support/*
notActions: None
dataActions: None
notDataActions: None
ID: 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d
actions:
  Microsoft.DesktopVirtualization/workspaces/read
  Microsoft.DesktopVirtualization/applicationgroups/read
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.Resources/deployments/read
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/read
  Microsoft.Support/*
notActions: None
dataActions: None
notDataActions: None
ID: ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6
actions:
  Microsoft.DesktopVirtualization/hostpools/read
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.Resources/deployments/*
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Support/*
notActions: None
dataActions: None
notDataActions: None
ID: 2ad6aaab-ead9-4eaa-8ac5-da422f562408
actions:
  Microsoft.DesktopVirtualization/hostpools/read
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/*
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.Resources/deployments/*
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Support/*
notActions: None
dataActions: None
notDataActions: None
ID: 489581de-a3bd-480d-9518-53dea7416b33
actions:
  Microsoft.Compute/virtualMachines/start/action
  Microsoft.Compute/virtualMachines/read
  Microsoft.Compute/virtualMachines/instanceView/read
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Resources/deployments/*
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.AzureStackHCI/virtualMachineInstances/read
  Microsoft.AzureStackHCI/virtualMachineInstances/start/action
  Microsoft.AzureStackHCI/virtualMachineInstances/stop/action
  Microsoft.AzureStackHCI/virtualMachineInstances/restart/action
  Microsoft.HybridCompute/machines/read
  Microsoft.HybridCompute/operations/read
  Microsoft.HybridCompute/locations/operationresults/read
  Microsoft.HybridCompute/locations/operationstatus/read
notActions: None
dataActions: None
notDataActions: None
ID: 40c5ff49-9181-41f8-ae61-143b0e78555e
actions:
  Microsoft.Compute/virtualMachines/start/action
  Microsoft.Compute/virtualMachines/read
  Microsoft.Compute/virtualMachines/instanceView/read
  Microsoft.Compute/virtualMachines/deallocate/action
  Microsoft.Compute/virtualMachines/restart/action
  Microsoft.Compute/virtualMachines/powerOff/action
  Microsoft.Insights/eventtypes/values/read
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Resources/deployments/*
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.DesktopVirtualization/hostpools/read
  Microsoft.DesktopVirtualization/hostpools/write
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/write
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action
  Microsoft.AzureStackHCI/virtualMachineInstances/read
  Microsoft.AzureStackHCI/virtualMachineInstances/start/action
  Microsoft.AzureStackHCI/virtualMachineInstances/stop/action
  Microsoft.AzureStackHCI/virtualMachineInstances/restart/action
  Microsoft.HybridCompute/machines/read
  Microsoft.HybridCompute/operations/read
  Microsoft.HybridCompute/locations/operationresults/read
  Microsoft.HybridCompute/locations/operationstatus/read
notActions: None
dataActions: None
notDataActions: None
ID: a959dbd1-f747-45e3-8ba6-dd80f235f97c
actions:
  Microsoft.DesktopVirtualization/hostpools/read
  Microsoft.DesktopVirtualization/hostpools/write
  Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/write
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action
  Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action
  Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read
  Microsoft.Compute/availabilitySets/read
  Microsoft.Compute/availabilitySets/write
  Microsoft.Compute/availabilitySets/vmSizes/read
  Microsoft.Compute/disks/read
  Microsoft.Compute/disks/write
  Microsoft.Compute/disks/delete
  Microsoft.Compute/galleries/read
  Microsoft.Compute/galleries/images/read
  Microsoft.Compute/galleries/images/versions/read
  Microsoft.Compute/images/read
  Microsoft.Compute/locations/usages/read
  Microsoft.Compute/locations/vmSizes/read
  Microsoft.Compute/operations/read
  Microsoft.Compute/skus/read
  Microsoft.Compute/virtualMachines/read
  Microsoft.Compute/virtualMachines/write
  Microsoft.Compute/virtualMachines/delete
  Microsoft.Compute/virtualMachines/start/action
  Microsoft.Compute/virtualMachines/powerOff/action
  Microsoft.Compute/virtualMachines/restart/action
  Microsoft.Compute/virtualMachines/deallocate/action
  Microsoft.Compute/virtualMachines/runCommand/action
  Microsoft.Compute/virtualMachines/extensions/read
  Microsoft.Compute/virtualMachines/extensions/write
  Microsoft.Compute/virtualMachines/extensions/delete
  Microsoft.Compute/virtualMachines/runCommands/read
  Microsoft.Compute/virtualMachines/runCommands/write
  Microsoft.Compute/virtualMachines/vmSizes/read
  Microsoft.Network/networkSecurityGroups/read
  Microsoft.Network/networkInterfaces/write
  Microsoft.Network/networkInterfaces/read
  Microsoft.Network/networkInterfaces/join/action
  Microsoft.Network/networkInterfaces/delete
  Microsoft.Network/virtualNetworks/subnets/read
  Microsoft.Network/virtualNetworks/subnets/join/action
  Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read
  Microsoft.KeyVault/vaults/deploy/action
  Microsoft.Storage/storageAccounts/read
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Resources/deployments/*
  Microsoft.Resources/subscriptions/resourceGroups/read
notActions: None
dataActions: None
notDataActions: None
Several Azure Virtual Desktop features require you to assign Azure role-based access
control (Azure RBAC) roles or Microsoft Entra roles to one of the Azure Virtual Desktop
service principals. Features that you need to assign a role to an Azure Virtual Desktop
service principal include:
App attach (when using Azure Files and your session hosts joined to Microsoft
Entra ID).
Autoscale.
Session host update
Start VM on Connect.
Tip
You can find which role or roles you need to assign to which service principal in the
article for each feature. For a list of all the available Azure RBAC roles created
specifically for Azure Virtual Desktop, see Built-in Azure RBAC roles for Azure
Virtual Desktop. To learn more about Azure RBAC, see Azure RBAC documentation
or for Microsoft Entra roles, see Microsoft Entra roles documentation.
This article shows you how to assign Azure RBAC roles or Microsoft Entra roles to the
correct Azure Virtual Desktop service principals by using the Azure portal, Azure CLI, or
Azure PowerShell.
Prerequisites
Before you can assign a role to an Azure Virtual Desktop service principal, you need to
meet the following prerequisites:
To assign Microsoft Entra roles, you must have the Privileged Role Administrator or
Global Administrator role.
If you want to use Azure PowerShell or Azure CLI locally, see Use Azure CLI and
Azure PowerShell with Azure Virtual Desktop to make sure you have the
Az.DesktopVirtualization PowerShell module or desktopvirtualization Azure CLI
extension installed. Alternatively, use the Azure Cloud Shell.
Azure portal
Here's how to assign an Azure RBAC role to an Azure Virtual Desktop service
principal scoped to a subscription using the Azure portal.
3. On the Overview page, in the search box for Search your tenant, enter the
application ID for the service principal you want to assign from the earlier
table.
4. In the results, select the matching enterprise application for the service
principal you want to assign, starting either Azure Virtual Desktop or
Windows Virtual Desktop.
5. Under properties, make a note of the name and the object ID. The object ID
correlates to the application ID, and is unique to your tenant.
6. In the search box, enter Subscriptions and select the matching service entry.
7. Select the subscription you want to add the role assignment to.
8. Select Access control (IAM), then select + Add followed by Add role
assignment.
9. Select the role you want to assign to the Azure Virtual Desktop service
principal, then select Next.
10. Ensure Assign access to is set to Microsoft Entra user, group, or service
principal, then select Select members.
11. Enter the name of the enterprise application you made a note of earlier.
12. Select the matching entry from the results, then select Select. If you have two
entries with the same name, select them both for now.
13. Review the list of members in the table. If you have two entries, remove the
entry that doesn't match the object ID you made a note of earlier.
14. Select Next, then select Review + assign to complete the role assignment.
Here's how to assign a Microsoft Entra role to an Azure Virtual Desktop service principal
scoped to a tenant using the Azure portal.
2. In the search box, enter Microsoft Entra ID and select the matching service entry.
4. Search for and select the name of the role you want to assign. If you want to
assign a custom role, see Create a custom role to create it first.
6. In the search box, enter the application ID for the service principal you want to assign from the earlier table, for example 9cdead84-a844-4324-93f2-b2e6bb768d07.
7. Check the box next to the matching entry, then select Add to complete the role
assignment.
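The portal steps above, and the built-in roles article before them, have an Azure PowerShell equivalent. The following is an added example, not code from the Microsoft documentation: it resolves a principal (a user by UPN, or one of the Azure Virtual Desktop enterprise applications by its application ID, which is the same in every tenant while the object ID is unique to yours), assigns a named built-in role at a chosen scope idempotently, and lists who holds the broad Owner, Contributor or User Access Administrator roles on the Azure Virtual Desktop resource group. It assumes the Az.Accounts and Az.Resources modules and a completed Connect-AzAccount; the subscription ID, resource group, application group, user and the role for the service principal are placeholders (the feature article names the role the service principal needs). The application ID 9cdead84-a844-4324-93f2-b2e6bb768d07 is the one used as an example in the portal steps.

```powershell
# Added example (not from the Microsoft docs page): assign Azure Virtual Desktop built-in
# roles with Azure PowerShell and audit broad assignments. Assumes Az.Accounts and
# Az.Resources are installed and Connect-AzAccount has been run.
Import-Module Az.Resources

function Resolve-AvdPrincipalObjectId {
    param(
        [string]$UserPrincipalName,
        [string]$ServicePrincipalAppId
    )
    if ($UserPrincipalName) {
        $user = Get-AzADUser -UserPrincipalName $UserPrincipalName
        if (-not $user) { throw "User $UserPrincipalName not found" }
        return $user.Id
    }
    # Looking the enterprise application up by application ID avoids the duplicate-name
    # ambiguity the portal steps warn about: exactly one object carries this app ID per tenant.
    $sp = Get-AzADServicePrincipal -ApplicationId $ServicePrincipalAppId
    if (-not $sp) { throw "No enterprise application with application ID $ServicePrincipalAppId" }
    return $sp.Id
}

function Grant-AvdRole {
    param(
        [Parameter(Mandatory)][string]$ObjectId,
        [Parameter(Mandatory)][string]$RoleDefinitionName,
        [Parameter(Mandatory)][string]$Scope
    )
    # Fail early on a misspelled role name instead of creating nothing silently.
    if (-not (Get-AzRoleDefinition -Name $RoleDefinitionName)) {
        throw "Role '$RoleDefinitionName' does not exist"
    }
    # Idempotent: return the existing assignment rather than creating a duplicate.
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleDefinitionName -Scope $Scope -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleDefinitionName -Scope $Scope
}

function Get-AvdBroadAssignments {
    param([Parameter(Mandatory)][string]$Scope)
    # Assignments broader than the Desktop Virtualization roles deserve a review.
    Get-AzRoleAssignment -Scope $Scope |
        Where-Object { $_.RoleDefinitionName -in @('Owner', 'Contributor', 'User Access Administrator') } |
        Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
}

# Usage with placeholder values.
$sub = '00000000-0000-0000-0000-000000000000'
$rg  = 'rg-avd-prod'
$rgScope       = "/subscriptions/$sub/resourceGroups/$rg"
$appGroupScope = "$rgScope/providers/Microsoft.DesktopVirtualization/applicationGroups/ag-desktop"

# A help-desk user gets read-only access to the whole resource group ...
$userId = Resolve-AvdPrincipalObjectId -UserPrincipalName 'helpdesk1@contoso.com'
Grant-AvdRole -ObjectId $userId -RoleDefinitionName 'Desktop Virtualization Reader' -Scope $rgScope
# ... and write access to one application group only.
Grant-AvdRole -ObjectId $userId -RoleDefinitionName 'Desktop Virtualization Application Group Contributor' -Scope $appGroupScope

# The Azure Virtual Desktop service principal gets the role named in the feature article,
# scoped to the subscription (role name is a placeholder).
$spId = Resolve-AvdPrincipalObjectId -ServicePrincipalAppId '9cdead84-a844-4324-93f2-b2e6bb768d07'
Grant-AvdRole -ObjectId $spId -RoleDefinitionName '<role named in the feature article>' -Scope "/subscriptions/$sub"

# Review broad assignments on the resource group.
Get-AvdBroadAssignments -Scope $rgScope
```

Assigning the reader role at the resource group and the contributor role only at the application group follows the article's point about separating management roles; assignments at subscription scope should be reserved for the service principals whose feature articles require it.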
Next steps
Learn more about the built-in Azure RBAC roles for Azure Virtual Desktop.
Single sign-on (SSO) for Azure Virtual Desktop using Microsoft Entra ID provides a
seamless sign-in experience for users connecting to session hosts. When you enable
single sign-on, users authenticate to Windows using a Microsoft Entra ID token. This
token enables the use of passwordless authentication and third-party identity providers
that federate with Microsoft Entra ID when connecting to a session host, making the
sign-in experience seamless.
Single sign-on using Microsoft Entra ID also provides a seamless experience for
Microsoft Entra ID-based resources within the session. For more information on using
passwordless authentication within a session, see In-session passwordless
authentication.
To enable single sign-on using Microsoft Entra ID authentication, there are five tasks you
must complete:
3. Create a Kerberos Server object, if Active Directory Domain Services is part of your
environment. More information on the criteria is included in its section.
Can require multifactor authentication to return to the session and prevent users
from unlocking with a simple username and password.
If you want to configure the session lock behavior to show the remote lock screen
instead of disconnecting the session, see Configure the session lock behavior.
If you need to make changes to a session host as an administrator, sign in to the session
host using a non-administrator account, then use the Run as administrator option or the
runas tool from a command prompt to change to an administrator.
Prerequisites
Before you can enable single sign-on, you must meet the following prerequisites:
To configure your Microsoft Entra tenant, you must be assigned one of the
following Microsoft Entra built-in roles or equivalent:
Application Administrator
Your session hosts must be running one of the following operating systems with
the relevant cumulative update installed:
Windows Server 2022 with the 2022-10 Cumulative Update for Microsoft server
operating system (KB5018421) or later installed.
Your session hosts must be Microsoft Entra joined or Microsoft Entra hybrid joined.
Session hosts joined to Microsoft Entra Domain Services or to Active Directory
Domain Services only aren't supported.
If your Microsoft Entra hybrid joined session hosts are in a different Active
Directory domain than your user accounts, there must be a two-way trust between
the two domains. Without the two-way trust, connections fall back to older
authentication protocols.
Install the Microsoft Graph PowerShell SDK version 2.9.0 or later on your local
device or in Azure Cloud Shell.
Web client.
Important
To configure the service principal, use the Microsoft Graph PowerShell SDK to create a new remoteDesktopSecurityConfiguration object on the service principal and set the property isRemoteDesktopProtocolEnabled to true. You can also use the Microsoft Graph API with a tool such as Graph Explorer.
1. Open Azure Cloud Shell in the Azure portal with the PowerShell terminal type, or
run PowerShell on your local device.
If you're using Cloud Shell, make sure your Azure context is set to the
subscription that you want to use.
If you're using PowerShell locally, first sign in with Azure PowerShell, and then
make sure your Azure context is set to the subscription that you want to use.
2. Make sure you installed the Microsoft Graph PowerShell SDK from the
prerequisites, then import the Authentication and Applications Microsoft Graph
modules and connect to Microsoft Graph with the Application.Read.All and
Application-RemoteDesktopConfig.ReadWrite.All scopes by running the following
commands:
PowerShell
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
# Connect with the two scopes named above; this cmdlet is part of the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes "Application.Read.All", "Application-RemoteDesktopConfig.ReadWrite.All"
3. Get the object ID for each service principal and store them in variables by running the following commands:
PowerShell
PowerShell
# Enable the Remote Desktop Protocol on each service principal only if it isn't enabled yet.
# The cmdlet returns a configuration object, so compare its IsRemoteDesktopProtocolEnabled
# property rather than the object itself.
If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId).IsRemoteDesktopProtocolEnabled -ne $true) {
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId -IsRemoteDesktopProtocolEnabled
}
If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId).IsRemoteDesktopProtocolEnabled -ne $true) {
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId -IsRemoteDesktopProtocolEnabled
}
PowerShell
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId
Output
Id IsRemoteDesktopProtocolEnabled
-- ------------------------------
id True
You can hide this dialog by configuring a list of trusted devices. To configure the list of
devices, create one or more groups in Microsoft Entra ID that contains your session
hosts, then add the group IDs to a property on the SSO service principals, Microsoft
Remote Desktop and Windows Cloud Login.
Tip
We recommend you use a dynamic group and configure the dynamic membership
rules to include all your Azure Virtual Desktop session hosts. You can use the device
names in this group, but for a more secure option, you can set and use device
extension attributes using Microsoft Graph API. While dynamic groups normally
update within 5-10 minutes, large tenants can take up to 24 hours.
Dynamic groups require the Microsoft Entra ID P1 license or the Intune for Education license. For more information, see Dynamic membership rules for groups.
To configure the service principal, use the Microsoft Graph PowerShell SDK to create a
new targetDeviceGroup object on the service principal with the dynamic group's object
ID and display name. You can also use the Microsoft Graph API with a tool such as
Graph Explorer.
1. Create a dynamic group in Microsoft Entra ID containing the session hosts for
which you want to hide the dialog. Make a note of the object ID of the group for
the next step.
PowerShell
$tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
$tdg.Id = "<Group object ID>"
$tdg.DisplayName = "<Group display name>"
PowerShell
New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId -BodyParameter $tdg
New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $WCLspId -BodyParameter $tdg
Output
Id DisplayName
-- -----------
12345678-abcd-1234-abcd-1234567890ab Contoso-session-hosts
Repeat steps 2 and 3 for each group you want to add to the targetDeviceGroup
object, up to a maximum of 10 groups.
4. If you later need to remove a device group from the targetDeviceGroup object, run
the following commands, replacing the <placeholders> with your own values:
PowerShell
Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId -TargetDeviceGroupId "<Group object ID>"
Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $WCLspId -TargetDeviceGroupId "<Group object ID>"
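The procedure above leaves the creation of the dynamic group to the portal and adds it to one service principal at a time. The following added example, which is not code from the Microsoft documentation, does the whole procedure with the Microsoft Graph PowerShell SDK: it creates the dynamic device group with a membership rule on a device extension attribute (the more spoof-resistant option the tip recommends over device names), then registers it as a targetDeviceGroup on both SSO service principals, skipping a group that is already present and refusing to exceed the 10-group limit. It assumes the Microsoft.Graph.Groups and Microsoft.Graph.Applications modules, a Connect-MgGraph session that also holds the Group.ReadWrite.All scope, and that $MSRDspId and $WCLspId already contain the two service-principal object IDs from the earlier steps; the group name, the extension attribute value and the use of Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup to list existing groups are assumptions of this example.

```powershell
# Added example (not from the Microsoft docs page): create the session-host dynamic group and
# register it as a targetDeviceGroup on both SSO service principals. Assumes Connect-MgGraph
# was run with Group.ReadWrite.All, Application.Read.All and
# Application-RemoteDesktopConfig.ReadWrite.All, and that $MSRDspId / $WCLspId are set.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Applications

function New-AvdSessionHostDeviceGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        # Matching on an extension attribute you stamp on each session-host device object is
        # harder to satisfy accidentally than matching on a device-name prefix.
        [string]$MembershipRule = '(device.extensionAttribute1 -eq "avd-session-host")'   # placeholder value
    )
    $params = @{
        DisplayName                   = $DisplayName
        MailEnabled                   = $false
        MailNickname                  = ($DisplayName -replace '[^A-Za-z0-9]', '')
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = $MembershipRule
        MembershipRuleProcessingState = 'On'
    }
    New-MgGroup @params
}

function Add-AvdTargetDeviceGroup {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$GroupDisplayName,
        [Parameter(Mandatory)][string[]]$ServicePrincipalIds
    )
    $tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
    $tdg.Id = $GroupId
    $tdg.DisplayName = $GroupDisplayName
    foreach ($spId in $ServicePrincipalIds) {
        # Assumed cmdlet: lists the groups already registered on this service principal.
        $current = @(Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $spId)
        if ($current.Id -contains $GroupId) { continue }          # already registered, nothing to do
        if ($current.Count -ge 10) {
            throw "Service principal $spId already has the maximum of 10 target device groups"
        }
        New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $spId -BodyParameter $tdg
    }
}

# Usage (group name is a placeholder).
$group = New-AvdSessionHostDeviceGroup -DisplayName 'Contoso-session-hosts'
Add-AvdTargetDeviceGroup -GroupId $group.Id -GroupDisplayName $group.DisplayName -ServicePrincipalIds @($MSRDspId, $WCLspId)
```

Because dynamic membership can take minutes to hours to settle in a large tenant, check the group's member list before relying on the dialog being hidden for newly deployed session hosts.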
Your session host is Microsoft Entra hybrid joined. You must have a Kerberos server
object to complete authentication to a domain controller.
Your session host is Microsoft Entra joined and your environment contains Active
Directory domain controllers. You must have a Kerberos server object for users to
access on-premises resources, such as SMB shares and Windows-integrated
authentication to websites.
Important
If you enable single sign-on on Microsoft Entra hybrid joined session hosts without
creating a Kerberos server object, one of the following things can happen when you
try to connect to a remote session:
You receive an error message saying the specific session doesn't exist.
Single sign-on will be skipped and you see a standard authentication dialog
for the session host.
To resolve these issues, create the Kerberos server object, then connect again.
In the Azure portal, set Microsoft Entra single sign-on to Connections will use
Microsoft Entra authentication to provide single sign-on.
For PowerShell, set the enablerdsaadauth property to 1.
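A host pool's custom RDP properties are stored as a single semicolon-separated string, so setting enablerdsaadauth by overwriting that string discards any other properties already configured. The following added example, which is not code from the Microsoft documentation, sets the property with Azure PowerShell while preserving the existing ones. It assumes the Az.DesktopVirtualization module and a completed Connect-AzAccount; the resource group and host pool names are placeholders.

```powershell
# Added example (not from the Microsoft docs page): set enablerdsaadauth:i:1 on a host pool
# without losing the custom RDP properties already set on it. Assumes Connect-AzAccount
# has been run and Az.DesktopVirtualization is installed.
Import-Module Az.DesktopVirtualization

function Set-AvdHostPoolRdpProperty {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$HostPoolName,
        [string]$Name  = 'enablerdsaadauth',
        [string]$Value = 'i:1'
    )
    $hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
    # Existing value looks like "drivestoredirect:s:*;audiomode:i:0;" (may be empty).
    $props = @()
    if ($hostPool.CustomRdpProperty) {
        $props = @($hostPool.CustomRdpProperty -split ';' | Where-Object { $_ })
    }
    # Replace an existing entry for this property rather than appending a duplicate.
    $props = @($props | Where-Object { $_ -notlike "${Name}:*" })
    $props += "${Name}:$Value"
    $newValue = ($props -join ';') + ';'
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName -CustomRdpProperty $newValue
}

# Usage with placeholder names; returns the updated host pool object.
Set-AvdHostPoolRdpProperty -ResourceGroupName 'rg-avd-prod' -HostPoolName 'hp-desktop'
```

The same merge logic applies to any other RDP property you add later (for example the session lock settings referenced above), which is why the property name and value are parameters.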
Next steps
Check out In-session passwordless authentication to learn how to enable
passwordless authentication.
Learn how to Configure the session lock behavior for Azure Virtual Desktop.
For more information about Microsoft Entra Kerberos, see Deep dive: How
Microsoft Entra Kerberos works .
This article will walk you through the process of configuring Active Directory Federation
Service (AD FS) single sign-on (SSO) for Azure Virtual Desktop.
Note
Requirements
Before configuring AD FS single sign-on, you must have the following setup running in
your environment:
You must deploy the Active Directory Certificate Services (CA) role. All servers
running the role must be domain-joined, have the latest Windows updates
installed, and be configured as enterprise certificate authorities.
You must deploy the Active Directory Federation Services (AD FS) role. All servers
running this role must be domain-joined, have the latest Windows updates
installed, and be running Windows Server 2016 or later. See our federation tutorial
to get started setting up this role.
You must deploy Azure AD Connect to sync users to Azure AD. Azure AD Connect
must be configured in federation mode.
Set up your PowerShell environment for Azure Virtual Desktop on the AD FS server.
Note
This solution is not supported with Azure AD Domain Services. You must use an
Active Directory Domain Services domain controller.
Supported clients
The following Azure Virtual Desktop clients support this feature:
First, you'll need to create the Exchange Enrollment Agent (Offline Request)
certificate template. AD FS uses the Exchange Enrollment Agent certificate
template to request certificates on the user's behalf.
You'll also need to create the Smartcard Logon certificate template, which AD FS
will use to create the sign in certificate.
After you create these certificate templates, you'll need to enable the templates on the
certificate authority so AD FS can request them.
Note
This solution generates new short-term certificates every time a user signs in, which
can fill up the Certificate Authority database if you have many users. You can avoid
overloading your database by setting up a CA for non-persistent certificate
processing. If you do this, on the duplicated smartcard logon certificate template,
make sure you enable only Do not store certificates and requests in the CA
database. Don't enable Do not include revocation information in issued
certificates or the configuration won't work.
To determine if you are already using an enrollment agent certificate template, run the
following PowerShell command on the AD FS server and see if a value is returned. If it's
empty, create a new enrollment agent certificate template. Otherwise, remember the
name and update the existing enrollment agent certificate template.
PowerShell
Import-Module adfs
(Get-AdfsCertificateAuthority).EnrollmentAgentCertificateTemplateName
1. On the certificate authority, run mmc.exe from the Start menu to launch the
Microsoft Management Console.
2. Select File... > Add/Remove Snap-in... > Certificate Templates > Add > OK to view the list of certificate templates.
4. Select the General tab, then enter "ADFS Enrollment Agent" into the Template
display name field. This will automatically set the template name to
"ADFSEnrollmentAgent".
6. Next, select Object Types..., then Service Accounts, and then OK.
8. After the service account is added and is visible in the Security tab, select it in the
Group or user names pane, select Allow for both "Enroll" and "Autoenroll" in the
Permissions for the AD FS service account pane, then select OK to save.
To update an existing enrollment agent certificate template:
1. On the certificate authority, run mmc.exe from the Start menu to launch the
Microsoft Management Console.
2. Select File... > Add/Remove Snap-in... > Certificate Templates > Add > OK to view the list of certificate templates.
3. Expand the Certificate Templates, double-click the template that corresponds to
the one configured on the AD FS server. On the General tab, the template name
should match the name you found above.
4. Select the Security tab, then select Add....
5. Next, select Object Types..., then Service Accounts, and then OK.
6. Enter the service account name for AD FS and select OK.
7. After the service account is added and is visible in the Security tab, select it in the
Group or user names pane, select Allow for both "Enroll" and "Autoenroll" in the
Permissions for the AD FS service account pane, then select OK to save.
1. On the certificate authority, run mmc.exe from the Start menu to launch the
Microsoft Management Console.
2. Select File... > Add/Remove Snap-in... > Certificate Templates > Add > OK to view the list of certificate templates.
4. Select the General tab, then enter "ADFS SSO" into the Template display name
field. This will automatically set the template name to "ADFSSSO".
Note
5. Select the Subject name tab and then select Supply in the request. When you see
a warning message, select OK.
11. Enter the service account name for AD FS just like you did in the Create the
enrollment agent certificate template section.
12. After the service account is added and is visible in the Security tab, select it in the
Group or user names pane, select Allow for both "Enroll" and "Autoenroll", then
select OK to save.
Enable the new certificate templates
To enable the new certificate templates:
1. On the certificate authority, run mmc.exe from the Start menu to launch the
Microsoft Management Console.
2. Select File... > Add/Remove Snap-in... > Certification Authority > Add > Finish
> OK to view the Certification Authority.
3. Expand the Certification Authority on the left-hand pane and open Certificate
Templates.
4. Right-click in the middle pane that shows the list of certificate templates, select
New, then select Certificate Template to Issue.
5. Select both ADFS Enrollment Agent and ADFS SSO, then select OK. You should
see both templates in the middle pane.
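The same "Certificate Template to Issue" step can be done from PowerShell on the certificate authority, which also makes it easy to confirm that the template names match what Set-AdfsCertificateAuthority expects later. This is an added example, not code from the documentation; it assumes the ADCSAdministration module that ships with the AD CS role and that the two templates were created with the template names used above.

```powershell
# Added example (not from the Azure Virtual Desktop docs): publish the two templates
# from the CA with the ADCSAdministration module instead of the MMC, then confirm.
# Assumes the templates were created with the template names used in the steps above.
Import-Module ADCSAdministration

$required = @('ADFSEnrollmentAgent', 'ADFSSSO')

# Get-CATemplate lists the templates this CA is currently configured to issue.
$issued = @((Get-CATemplate).Name)

foreach ($name in $required) {
    if ($issued -contains $name) {
        Write-Host "Template '$name' is already enabled for issuance."
    } else {
        # Equivalent of New > Certificate Template to Issue in the MMC.
        Add-CATemplate -Name $name -Force
        Write-Host "Enabled template '$name' for issuance."
    }
}

# Re-read and fail loudly if either template is still missing, so the
# Set-AdfsCertificateAuthority step on the AD FS server is never pointed at an
# unpublished template.
$issued = @((Get-CATemplate).Name)
$missing = @($required | Where-Object { $issued -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Templates not enabled on this CA: $($missing -join ', ')"
}
```

Publishing a template is what makes it requestable, so keep the Enroll and Autoenroll permissions on both templates limited to the AD FS service account as the steps above describe; an enrollment agent template that a broader set of principals can enroll for lets those principals request logon certificates on behalf of other users.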
Note
The relying-party trust between your AD FS server and the Azure Virtual Desktop service
allows single sign-on certificate requests to be forwarded correctly to your domain
environment.
When configuring AD FS single sign-on you must choose shared key or certificate:
If you have a single AD FS server, you can choose shared key or certificate.
If you have multiple AD FS servers, it's required to choose certificate.
The shared key or certificate used to generate the token to sign in to Windows must be
stored securely in Azure Key Vault. You can store the secret in an existing Key Vault or
deploy a new one. In either case, you must set an access policy that lets the Azure
Virtual Desktop service access it.
When using a certificate, you can use any general purpose certificate and there is no
requirement on the subject name or Subject Alternative Name (SAN). While not
required, it's recommended to create a certificate issued by a valid Certificate Authority.
This certificate can be created directly in Azure Key Vault and needs to have an
exportable private key. The public key can be exported and used to configure the AD FS
server using the script below. Note that this certificate is different from the AD FS SSL
certificate that must have a proper subject name and valid Certificate Authority.
This script only has one required parameter, ADFSAuthority, which is the URL that
resolves to your AD FS and uses "/adfs" as its suffix. For example,
https://adfs.contoso.com/adfs.
PowerShell
Set-AdfsCertificateAuthority -EnrollmentAgentCertificateTemplate "ADFSEnrollmentAgent" -LogonCertificateTemplate "ADFSSSO" -EnrollmentAgent
Note
You need the $config variable values to complete the next part of the
instructions, so don't close the PowerShell window you used to complete the
previous instructions. You can either keep using the same PowerShell window
or leave it open while launching a new PowerShell session.
If you're using a shared key in the Key Vault, run the following PowerShell
cmdlet on the AD FS server with ADFSServiceUrl replaced with the full URL to
reach your AD FS service:
PowerShell
Install-Script ConfigureWVDSSO
$config = ConfigureWVDSSO.ps1 -ADFSAuthority "<ADFSServiceUrl>" [-WvdWebAppAppIDUri "<WVD Web App URI>"] [-RdWebURL "<RDWeb URL>"]
If you're using a certificate in the Key Vault, run the following PowerShell
cmdlet on the AD FS server with ADFSServiceUrl replaced with the full URL to
reach your AD FS service:
PowerShell
Install-Script ConfigureWVDSSO
$config = ConfigureWVDSSO.ps1 -ADFSAuthority "<ADFSServiceUrl>" -UseCert -CertPath "<Path to the pfx file>" -CertPassword <Password to the pfx file> [-WvdWebAppAppIDUri "<WVD Web App URI>"] [-RdWebURL "<RDWeb URL>"]
3. Set the access policy on the Azure Key Vault by running the following PowerShell
cmdlet:
4. Store the shared key or certificate in Azure Key Vault with a Tag containing a comma-
separated list of subscription IDs allowed to use the secret.
If you're using a shared key in the Key Vault, run the following PowerShell
cmdlet to store the shared key and set the tag:
If your certificate is already in the Key Vault, run the following PowerShell
cmdlet to set the tag:
Note
You can optionally configure how often users are prompted for credentials by
changing the AD FS single sign-on settings. By default, users will be prompted
every 8 hours on unregistered devices.
After that, update the SSO information for your host pool by running one of the
following two cmdlets in the same PowerShell window on the AD FS VM:
If you're using a shared key in the Key Vault, run the following PowerShell cmdlet:
Note
You need to set the SsoClientId property to match the Azure cloud you're
deploying SSO in. In the Azure Commercial Cloud, this property should be set
to https://www.wvd.microsoft.com. However, the required setting for this
property will be different for other clouds, like the Azure Government cloud.
If you're using a certificate in the Key Vault, run the following PowerShell cmdlet:
Note
You need to set the SsoClientId property to match the Azure cloud you're
deploying SSO in. In the Azure Commercial Cloud, this property should be set
to https://www.wvd.microsoft.com. However, the required setting for this
property will be different for other clouds, like the Azure Government cloud.
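Steps 3 to 5 (access policy, storing the secret with its tag, and updating the host pool) read as one procedure, so here they are carried through end to end in one script. This is an added example and not the documentation's own cmdlets. Values in angle brackets are placeholders. The property name $config.SSOClientSecret, the tag name AllowedWVDSubscriptions, the SsoSecretType values SharedKeyInKeyVault and CertificateInKeyVault, and the app ID of the Azure Virtual Desktop service principal are all assumptions that are not shown on this page; check them against the ConfigureWVDSSO script output and your tenant before use.

```powershell
# Added example, not the documentation's own code. Requires the Az.KeyVault and
# Az.DesktopVirtualization modules and an existing Connect-AzAccount session.
function Set-AvdAdfsSso {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        [Parameter(Mandatory)] [string] $HostPoolResourceGroup,
        [Parameter(Mandatory)] [string] $AdfsAuthority,            # e.g. https://adfs.contoso.com/adfs
        [Parameter(Mandatory)] [string] $AvdServicePrincipalAppId, # placeholder: app ID of the AVD service principal
        [Parameter(Mandatory)] [string[]] $AllowedSubscriptionIds,
        [ValidateSet('SharedKey', 'Certificate')] [string] $SecretKind = 'SharedKey',
        [string] $SharedKey,                                       # pass $config.SSOClientSecret (assumed property name)
        [string] $SecretName = 'adfsssosecret',
        [string] $CertificateName = 'adfsssocert',
        [string] $SsoClientId = 'https://www.wvd.microsoft.com'   # Azure Commercial Cloud value from the note above
    )

    # Step 3: access policy. Grant only what the service needs: 'get' on secrets for the
    # shared-key case, 'sign' on keys for the certificate case (the token is signed with
    # the vault-held private key, which never has to leave the vault).
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $AvdServicePrincipalAppId `
        -PermissionsToSecrets get -PermissionsToKeys sign

    # Step 4: the tag lists the subscriptions allowed to use the secret, comma-separated.
    $tag = @{ 'AllowedWVDSubscriptions' = ($AllowedSubscriptionIds -join ',') }  # tag name assumed

    if ($SecretKind -eq 'SharedKey') {
        if (-not $SharedKey) { throw 'SharedKey is required when SecretKind is SharedKey.' }
        $secure = ConvertTo-SecureString -String $SharedKey -AsPlainText -Force
        $stored = Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure -Tag $tag
        $secretType = 'SharedKeyInKeyVault'   # assumed enum value
        $vaultPath  = $stored.Id
    } else {
        # Certificate already imported or created in the vault; only the tag is set here.
        $stored = Update-AzKeyVaultCertificate -VaultName $VaultName -Name $CertificateName -Tag $tag -PassThru
        $secretType = 'CertificateInKeyVault' # assumed enum value
        $vaultPath  = $stored.SecretId
    }

    # Step 5: point the host pool at the vault-held secret. SsoClientId must match the
    # cloud you deploy in (see the note above).
    Update-AzWvdHostPool -Name $HostPoolName -ResourceGroupName $HostPoolResourceGroup `
        -SsoadfsAuthority $AdfsAuthority -SsoClientId $SsoClientId `
        -SsoSecretType $secretType -SsoClientSecretKeyVaultPath $vaultPath | Out-Null

    # Read the settings back; these four values are what a second host pool would reuse.
    Get-AzWvdHostPool -Name $HostPoolName -ResourceGroupName $HostPoolResourceGroup |
        Select-Object SsoadfsAuthority, SsoClientId, SsoSecretType, SsoClientSecretKeyVaultPath
}

# Example call with placeholders; run in the same window that holds $config.
# Set-AvdAdfsSso -VaultName '<Key Vault Name>' -HostPoolName '<Host Pool Name>' `
#     -HostPoolResourceGroup '<Host Pool Resource Group Name>' -AdfsAuthority '<ADFSServiceUrl>' `
#     -AvdServicePrincipalAppId '<AVD service principal app ID>' -AllowedSubscriptionIds @('<Subscription ID>') `
#     -SecretKind SharedKey -SharedKey $config.SSOClientSecret
```

The script keeps the secret in the vault and hands the host pool only a reference to it, so rotating the shared key or certificate later means updating the vault entry and re-running the host pool update with the new SsoClientSecretKeyVaultPath.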
To retrieve the settings from your existing host pool, open a PowerShell window and run
this cmdlet:
You can follow the steps to Configure your Azure Virtual Desktop host pool using the
same SsoClientId, SsoClientSecretKeyVaultPath, SsoSecretType, and SsoadfsAuthority
values.
Removing SSO
To disable SSO on the host pool, run the following cmdlet:
PowerShell
Update-AzWvdHostPool -Name "<Host Pool Name>" -ResourceGroupName "<Host Pool Resource Group Name>" -SsoadfsAuthority ''
If you also want to disable SSO on your AD FS server, run this cmdlet:
PowerShell
Install-Script UnConfigureWVDSSO
UnConfigureWVDSSO.ps1 -WvdWebAppAppIDUri "<WVD Web App URI>" -WvdClientAppApplicationID "a85cf173-4192-42f8-81fa-777a763e6e2c"
Note
The WvdWebAppAppIDUri property needs to match the Azure cloud you are
deploying in. In the Azure Commercial Cloud, this property is
https://www.wvd.microsoft.com. It will be different for other clouds like the Azure
Government cloud.
Next steps
Now that you've configured single sign-on, you can sign in to a supported Azure Virtual
Desktop client to test it as part of a user session. If you want to learn how to connect to
a session using your new credentials, check out these articles:
However, setting up the KDC proxy typically involves assigning the Windows Server
Gateway role in Windows Server 2016 or later. How do you use a Remote Desktop
Services role to sign in to Azure Virtual Desktop? To answer that, let's take a quick look
at the components.
There are two components to the Azure Virtual Desktop service that need to be
authenticated:
The feed in the Azure Virtual Desktop client that gives users a list of available
desktops or applications they have access to. This authentication process happens
in Azure Active Directory, which means this component isn't the focus of this
article.
The RDP session that results from a user selecting one of those available resources.
This component uses Kerberos authentication and requires a KDC proxy for remote
users.
This article will show you how to configure the feed in the Azure Virtual Desktop client
in the Azure portal. If you want to learn how to configure the RD Gateway role, see
Deploy the RD Gateway role.
Requirements
To configure an Azure Virtual Desktop session host with a KDC proxy, you'll need the
following things:
Access to the Azure portal and an Azure administrator account.
The remote client machines must be running at least Windows 10 and have the
Windows Desktop client installed. The web client isn't currently supported.
You must have a KDC proxy already installed on your machine. To learn how to do
that, see Set up the RD Gateway role for Azure Virtual Desktop.
The machine's OS must be Windows Server 2016 or later.
Once you've made sure you meet these requirements, you're ready to get started.
3. Select the host pool you want to enable the KDC proxy for, then select RDP
Properties.
4. Select the Advanced tab, then enter a value in the following format without
spaces:
kdcproxyname:s:<fqdn>
5. Select Save.
6. The selected host pool should now begin to issue RDP connection files that include
the kdcproxyname value you entered in step 4.
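The portal steps above set the kdcproxyname RDP property on the host pool. The same setting can be applied with PowerShell, which matters when the host pool already carries other custom RDP properties: the host pool stores them as one semicolon-separated string, so a naive update replaces them all. This is an added example, not the documentation's own code; the host pool, resource group and KDC proxy FQDN are placeholders.

```powershell
# Added example (not from the documentation). Requires Az.DesktopVirtualization and a
# Connect-AzAccount session for the part that touches the host pool.

function Merge-CustomRdpProperty {
    # Pure string logic, so it can be checked offline: replace or append one
    # 'name:type:value' entry in a semicolon-separated custom RDP property string.
    param(
        [AllowEmptyString()] [string] $Existing,
        [Parameter(Mandatory)] [string] $Entry
    )
    $name = ($Entry -split ':', 2)[0]
    # Drop empty fragments and any earlier value for the same property name.
    $kept = @($Existing -split ';' | Where-Object { $_ -ne '' -and $_ -notlike "${name}:*" })
    return (($kept + $Entry) -join ';') + ';'
}

function Set-AvdKdcProxy {
    param(
        [Parameter(Mandatory)] [string] $HostPoolName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $KdcProxyFqdn
    )
    # The value must be a bare hostname: no spaces, no scheme, no port.
    if ($KdcProxyFqdn -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') {
        throw "Not a valid FQDN for kdcproxyname: '$KdcProxyFqdn'"
    }

    $pool   = Get-AzWvdHostPool -Name $HostPoolName -ResourceGroupName $ResourceGroupName
    $merged = Merge-CustomRdpProperty -Existing ([string]$pool.CustomRdpProperty) -Entry "kdcproxyname:s:$KdcProxyFqdn"

    Update-AzWvdHostPool -Name $HostPoolName -ResourceGroupName $ResourceGroupName -CustomRdpProperty $merged | Out-Null

    # Return the property as stored, which is what newly issued RDP files will carry.
    (Get-AzWvdHostPool -Name $HostPoolName -ResourceGroupName $ResourceGroupName).CustomRdpProperty
}

# Offline check of the merge logic on a constructed property string:
# existing entries survive and an old kdcproxyname value is replaced, not duplicated.
$sample = 'audiomode:i:0;kdcproxyname:s:old.contoso.com;'
Merge-CustomRdpProperty -Existing $sample -Entry 'kdcproxyname:s:kdcproxy.contoso.com'
# -> audiomode:i:0;kdcproxyname:s:kdcproxy.contoso.com;

# Live call with placeholders:
# Set-AvdKdcProxy -HostPoolName '<Host Pool Name>' -ResourceGroupName '<Resource Group Name>' -KdcProxyFqdn 'kdcproxy.contoso.com'
```

The FQDN you set here must be the name clients can reach for the RD Gateway's KDC proxy endpoint and must match the certificate it presents; clients only trust it over HTTPS, so a typo surfaces as failed Kerberos sign-in to the session host rather than as a portal error.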
Next steps
To learn how to manage the Remote Desktop Services side of the KDC proxy and assign
the RD Gateway role, see Deploy the RD Gateway role.
If you're interested in scaling your KDC proxy servers, learn how to set up high
availability for KDC proxy at Add high availability to the RD Web and Gateway web front.
Enforce Microsoft Entra multifactor
authentication for Azure Virtual
Desktop using Conditional Access
Article • 08/02/2024
Important
If you're visiting this page from the Azure Virtual Desktop (classic) documentation,
make sure to return to the Azure Virtual Desktop (classic) documentation once
you're finished.
Users can sign into Azure Virtual Desktop from anywhere using different devices and
clients. However, there are certain measures you should take to help keep your
environment and your users safe. Using Microsoft Entra multifactor authentication (MFA)
with Azure Virtual Desktop prompts users during the sign-in process for another form of
identification in addition to their username and password. You can enforce MFA for
Azure Virtual Desktop using Conditional Access, and can also configure whether it
applies to the web client, mobile apps, desktop clients, or all clients.
When a user connects to a remote session, they need to authenticate to the Azure
Virtual Desktop service and the session host. If MFA is enabled, it's used when
connecting to the Azure Virtual Desktop service and the user is prompted for their user
account and a second form of authentication, in the same way as accessing other
services. When a user starts a remote session, a username and password is required for
the session host, but this is seamless to the user if single sign-on (SSO) is enabled. For
more information, see Authentication methods.
Prerequisites
Here's what you need to get started:
6. Under the Include tab, select Select users and groups and check Users and
groups, then under Select, select 0 users and groups selected.
7. On the new pane that opens, search for and choose the group that contains your
Azure Virtual Desktop users as group members, then select Select.
9. Under the Include tab, select Select apps, then under Select, select None.
10. On the new pane that opens, search for and select the necessary apps based on
the resources you're trying to protect. Select the relevant tab for your scenario.
When searching for an application name on Azure, use search terms that begin
with the application name in order instead of keywords the application name
contains out of order. For example, when you want to use Azure Virtual Desktop,
you need to enter 'Azure Virtual', in that order. If you enter 'virtual' by itself, the
search doesn't return the desired application.
For Azure Virtual Desktop (based on Azure Resource Manager), you can
configure MFA on these different apps:
Tip
Important
The clients used to access Azure Virtual Desktop use the Microsoft
Remote Desktop Entra ID app to authenticate to the session host
today. An upcoming change will transition the authentication to the
Windows Cloud Login Entra ID app. To ensure a smooth transition,
you need to add both Entra ID apps to your CA policies.
Important
Don't select the app called Azure Virtual Desktop Azure Resource
Manager Provider (app ID 50e95039-b200-4007-bc97-8d5790743a63).
This app is only used for retrieving the user feed and shouldn't have
multifactor authentication.
14. On the new pane that opens, for Configure, select Yes.
Select Browser if you want the policy to apply to the web client.
Select Mobile apps and desktop clients if you want to apply the policy to
other clients.
Select both check boxes if you want to apply the policy to all clients.
Deselect values for legacy authentication clients.
16. Once you selected the client apps this policy applies to, select Done.
20. At the bottom of the page, set Enable policy to On and select Create.
Note
When you use the web client to sign in to Azure Virtual Desktop through your
browser, the log will list the client app ID as a85cf173-4192-42f8-81fa-
777a763e6e2c (Azure Virtual Desktop client). This is because the client app is
internally linked to the server app ID where the conditional access policy was set.
Tip
Some users may see a prompt titled Stay signed in to all your apps if the Windows
device they're using is not already registered with Microsoft Entra ID. If they
deselect Allow my organization to manage my device and select No, sign in to
this app only, they may be prompted for authentication more frequently.
Sign-in frequency policies result in different behavior based on the Microsoft Entra app
selected:
To configure the time period after which a user is asked to sign-in again:
If you select Periodic reauthentication, set the value for the time period after
which a user is asked to sign-in again when performing an action that
requires a new access token, and then select Select. For example, setting the
value to 1 and the unit to Hours, requires multifactor authentication if a
connection is launched more than an hour after the last user authentication.
The Every time option is currently available in preview and is only supported
when applied to the Microsoft Remote Desktop and Windows Cloud Login
apps when single sign-on is enabled for your host pool. If you select Every
time, users are prompted to reauthenticate when launching a new
connection after a period of 5 to 10 minutes since their last authentication.
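The policy described in the steps above, built as data and created with the Microsoft Graph PowerShell SDK rather than the portal. This is an added example, not code from the documentation. The group object ID and the app IDs of the Microsoft Remote Desktop and Windows Cloud Login apps are placeholders to look up in your own tenant; the only app ID taken from this page is the one the Important box says to exclude.

```powershell
# Added example (not from the documentation). Requires the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$avdUsersGroupId = '<object ID of the group containing your Azure Virtual Desktop users>'
$targetApps = @(
    '<app ID of Microsoft Remote Desktop>',   # what clients use to authenticate to the session host today
    '<app ID of Windows Cloud Login>'         # what authentication is transitioning to; add both
)

# Guard against the mistake the Important box above calls out: the ARM provider app
# only retrieves the user feed and must not be put behind MFA.
$feedProviderAppId = '50e95039-b200-4007-bc97-8d5790743a63'
if ($targetApps -contains $feedProviderAppId) {
    throw 'Do not include the Azure Virtual Desktop Azure Resource Manager Provider app.'
}

$policy = @{
    displayName = 'Require MFA for Azure Virtual Desktop'
    state       = 'enabled'   # 'enabledForReportingButNotEnforced' lets you review sign-in logs first
    conditions  = @{
        users        = @{ includeGroups = @($avdUsersGroupId) }
        applications = @{ includeApplications = $targetApps }
        # browser = the web client; mobileAppsAndDesktopClients = all other clients.
        # Legacy authentication client types are deliberately left out, as in step 14.
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        # Periodic reauthentication after 1 hour, matching the example in the text.
        # 'everyTime' is the preview option and needs single sign-on on the host pool.
        signInFrequency = @{
            isEnabled         = $true
            frequencyInterval = 'timeBased'
            type              = 'hours'
            value             = 1
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Creating the policy in report-only state first and reading the sign-in logs for a day is the cheap way to confirm it targets the apps you meant: as the note above says, web client sign-ins appear under client app ID a85cf173-4192-42f8-81fa-777a763e6e2c even though the policy was set on the server app.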
Next steps
Learn more about Conditional Access policies
Learn more about user sign in frequency
Important
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.
Azure Virtual Desktop has a delegated access model that lets you define the amount of
access a particular user is allowed to have by assigning them a role. A role assignment
has three components: security principal, role definition, and scope. The Azure Virtual
Desktop delegated access model is based on the Azure RBAC model. To learn more
about specific role assignments and their components, see the Azure role-based access
control overview.
Azure Virtual Desktop delegated access supports the following values for each element
of the role assignment:
Security principal
Users
User groups
Service principals
Role definition
Built-in roles
Custom roles
Scope
Host pools
Application groups
Workspaces
Azure Virtual Desktop uses Azure role-based access control (Azure RBAC) while
publishing application groups to users or user groups. The Desktop Virtualization User
role is assigned to the user or user group and the scope is the application group. This
role gives the user special data access on the application group.
Run the following cmdlet to add Microsoft Entra users to an application group:
Run the following cmdlet to add Microsoft Entra user group to an application group:
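Both assignments are ordinary Azure RBAC role assignments scoped to the application group, so they can be made with New-AzRoleAssignment. This is an added example, not the documentation's own cmdlets; the user UPN, group name, application group and resource group are placeholders.

```powershell
# Added example (not from the documentation). Requires Az.Resources and a
# Connect-AzAccount session with permission to assign roles at the application group.
$appGroup = @{
    ResourceName      = '<Application Group Name>'
    ResourceGroupName = '<Resource Group Name>'
    ResourceType      = 'Microsoft.DesktopVirtualization/applicationGroups'
}
$roleName = 'Desktop Virtualization User'

# User: the scope is the application group itself, not the resource group or the
# subscription, so the principal gets data access to exactly these published
# resources and nothing else.
New-AzRoleAssignment -SignInName '<user UPN>' -RoleDefinitionName $roleName @appGroup

# Group: resolve the Microsoft Entra group to its object ID first.
$group = Get-AzADGroup -DisplayName '<Entra group display name>'
if (-not $group) { throw 'Group not found; check the display name.' }
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName @appGroup

# Review what is now effective at this scope. Assignments inherited from the resource
# group or subscription show up here too, with a broader Scope value, which is the
# quickest way to spot access that was granted wider than intended.
Get-AzRoleAssignment -RoleDefinitionName $roleName @appGroup |
    Select-Object DisplayName, ObjectType, Scope
```

Prefer the group assignment for day-to-day administration: membership changes in Entra ID then control access without touching role assignments, and the assignment list stays short enough to audit.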
Next steps
For a more complete list of PowerShell cmdlets each role can use, see the PowerShell
reference.
For a complete list of roles supported in Azure RBAC, see Azure built-in roles.
For guidelines on how to set up an Azure Virtual Desktop environment, see Azure Virtual
Desktop environment.
Required FQDNs and endpoints for Azure
Virtual Desktop
Article • 11/21/2024
In order to deploy Azure Virtual Desktop and for your users to connect, you must allow specific
FQDNs and endpoints. Users also need to be able to connect to certain FQDNs and endpoints to
access their Azure Virtual Desktop resources. This article lists the required FQDNs and endpoints you
need to allow for your session hosts and users.
These FQDNs and endpoints could be blocked if you're using a firewall, such as Azure Firewall, or
proxy service. For guidance on using a proxy service with Azure Virtual Desktop, see Proxy service
guidelines for Azure Virtual Desktop.
You can check that your session host VMs can connect to these FQDNs and endpoints by following
the steps to run the Azure Virtual Desktop Agent URL Tool in Check access to required FQDNs and
endpoints for Azure Virtual Desktop. The Azure Virtual Desktop Agent URL Tool validates each FQDN
and endpoint and shows whether your session hosts can access them.
Important
Microsoft doesn't support Azure Virtual Desktop deployments where the FQDNs and
endpoints listed in this article are blocked.
This article doesn't include FQDNs and endpoints for other services such as Microsoft Entra
ID, Office 365, custom DNS providers or time services. Microsoft Entra FQDNs and
endpoints can be found under ID 56, 59 and 125 in Office 365 URLs and IP address ranges.
Azure Firewall also supports FQDN tags, which represent a group of fully qualified domain names
(FQDNs) associated with well known Azure and other Microsoft services. Azure Virtual Desktop
doesn't have a list of IP address ranges that you can unblock instead of FQDNs to allow network
traffic. If you're using a Next Generation Firewall (NGFW), you need to use a dynamic list made for
Azure IP addresses to make sure you can connect. For more information, see Use Azure Firewall to
protect Azure Virtual Desktop deployments.
Azure Virtual Desktop has both a service tag and FQDN tag entry available. We recommend you use
service tags and FQDN tags to simplify your Azure network configuration.
The following table lists optional FQDNs and endpoints that your session host virtual machines
might also need to access for other services:
Tip
You must use the wildcard character (*) for FQDNs involving service traffic.
For agent traffic, if you prefer not to use a wildcard, here's how to find specific FQDNs to allow:
If you're on a closed network with restricted internet access, you might also need to allow the FQDNs
listed here for certificate checks: Azure Certificate Authority details | Microsoft Learn.
Next steps
Check access to required FQDNs and endpoints for Azure Virtual Desktop.
To learn how to unblock these FQDNs and endpoints in Azure Firewall, see Use Azure Firewall to
protect Azure Virtual Desktop.
For more information about network connectivity, see Understanding Azure Virtual Desktop
network connectivity
In order to deploy Azure Virtual Desktop, you must allow specific FQDNs and endpoints.
You can find the list of FQDNs and endpoints in Required FQDNs and endpoints.
Available as part of the Azure Virtual Desktop Agent (RDAgent) on each session host, the
Azure Virtual Desktop Agent URL Tool enables you to quickly and easily validate whether
your session hosts can access each FQDN and endpoint. If it can't, the tool lists the
required FQDNs and endpoints it can't access so you can unblock them and retest, if
needed.
Note
The Azure Virtual Desktop Agent URL Tool doesn't verify that you've allowed access
to wildcard entries we specify for FQDNs, only specific entries within those
wildcards that depend on the session host location, so make sure the wildcard
entries are allowed before you run the tool.
Prerequisites
You need the following things to use the Azure Virtual Desktop Agent URL Tool:
RDAgent version 1.0.2944.400 or higher on your session host. The executable for
the Azure Virtual Desktop Agent URL Tool is WVDAgentUrlTool.exe and is included
in the same installation folder as the RDAgent, for example C:\Program
Files\Microsoft RDInfra\RDAgent_1.0.2944.1200.
2. Run the following commands to change the directory to the same folder as the
latest RDAgent installed on your session host:
PowerShell
$path = (Get-ChildItem -Path 'C:\Program Files\Microsoft RDInfra' -Filter 'RDAgent_*' -Directory | Sort-Object LastWriteTime -Descending | Select-Object -First 1).FullName
cd $path
3. Run the following command to run the Azure Virtual Desktop Agent URL Tool:
PowerShell
.\WVDAgentUrlTool.exe
4. Once you run the file, you see a list of accessible and inaccessible FQDNs and
endpoints.
For example, the following screenshot shows a scenario where you'd need to
unblock two required FQDNs:
Here's what the output should look like when all required FQDNs and endpoints
are accessible. The Azure Virtual Desktop Agent URL Tool doesn't verify that you
allowed access to wildcard entries we specify for FQDNs.
5. You can repeat these steps on your other session host, particularly if they are in a
different Azure region or use a different virtual network.
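When the tool isn't available (an older RDAgent, or a host built before the agent is installed), a small check in the same spirit can be run from any Windows machine on the session host's network. This is an added example, not the Agent URL Tool or any other documentation code. The endpoint list below is a constructed placeholder; fill it from the required FQDNs table, and probe concrete hostnames rather than wildcard entries, which, as the note above says, can't be tested directly.

```powershell
# Added example (not from the documentation). Uses the DnsClient and NetTCPIP modules
# that ship with Windows; run it on the session host or in its virtual network.
function Test-AvdEndpoint {
    param([Parameter(Mandatory)] [string[]] $Endpoint)   # each entry is 'fqdn:port'

    foreach ($e in $Endpoint) {
        $fqdn, $portText = $e -split ':', 2
        $port = [int]$portText

        # DNS first: a blocked or missing resolver looks like a firewall problem otherwise.
        $resolved = $null
        try {
            $resolved = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
                Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress
        } catch { }

        # Then a TCP handshake to the port. This proves the path is open, not that a
        # TLS-inspecting proxy will pass the traffic; see the proxy guidelines for that.
        $tcp = $false
        if ($resolved) {
            $tcp = (Test-NetConnection -ComputerName $fqdn -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        }

        [pscustomobject]@{
            Fqdn         = $fqdn
            Port         = $port
            ResolvedTo   = $resolved
            TcpReachable = $tcp
            Status       = if (-not $resolved) { 'DNS failed' } elseif ($tcp) { 'OK' } else { 'Blocked' }
        }
    }
}

# Constructed placeholders; replace with entries from the required FQDNs table.
$endpoints = @('<required-fqdn-1>:443', '<required-fqdn-2>:443')

$results = Test-AvdEndpoint -Endpoint $endpoints
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { $_.Status -ne 'OK' })
if ($blocked.Count -gt 0) {
    $list = ($blocked | ForEach-Object { "$($_.Fqdn):$($_.Port)" }) -join ', '
    Write-Warning "Unblock these before deploying: $list"
}
```

Run it once per virtual network and region, as step 5 suggests for the tool itself: some required hostnames depend on the session host's location, and a rule set that passes in one region can still block another.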
Next steps
Review the list of the Required FQDNs and endpoints for Azure Virtual Desktop.
To learn how to unblock these FQDNs and endpoints in Azure Firewall, see Use
Azure Firewall to protect Azure Virtual Desktop.
For more information about network connectivity, see Understanding Azure Virtual
Desktop network connectivity
RDP Shortpath for Azure Virtual
Desktop
Article • 10/11/2024
RDP Shortpath establishes a UDP-based transport between a local device Windows App
or the Remote Desktop app on supported platforms and session host in Azure Virtual
Desktop. By default, the Remote Desktop Protocol (RDP) begins a TCP-based reverse
connect transport, then tries to establish a remote session using UDP. If the UDP
connection succeeds the TCP connection drops, otherwise the TCP connection is used as
a fallback connection mechanism.
UDP-based transport offers better connection reliability and more consistent latency.
TCP-based reverse connect transport provides the best compatibility with various
networking configurations and has a high success rate for establishing RDP connections.
a. A direct UDP connection between the client device and session host, where you
need to enable the RDP Shortpath listener and allow an inbound port on each
session host to accept connections.
b. A direct UDP connection between the client device and session host, using the
Simple Traversal Underneath NAT (STUN) protocol between a client and session
host. Inbound ports on the session host aren't required to be allowed.
2. Public networks, where direct connectivity is established between the client and
the session host when using a public connection. There are two connection types
when using a public connection, which are listed here in order of preference:
a. A direct UDP connection using the Simple Traversal Underneath NAT (STUN)
protocol between a client and session host.
b. A relayed UDP connection using the Traversal Using Relay NAT (TURN)
protocol between a client and session host.
The transport used for RDP Shortpath is based on the Universal Rate Control Protocol
(URCP) . URCP enhances UDP with active monitoring of the network conditions and
provides fair and full link utilization. URCP operates at low delay and loss levels as
needed.
Important
RDP Shortpath for public networks via STUN for Azure Virtual Desktop is
available in the Azure public cloud and Azure Government cloud.
RDP Shortpath for public networks via TURN for Azure Virtual Desktop is only
available in the Azure public cloud.
Key benefits
Using RDP Shortpath has the following key benefits:
Higher throughput.
When using STUN, the removal of extra relay points reduces round-trip time, which
improves connection reliability and the user experience with latency-sensitive
applications and input methods.
RDP Shortpath brings support for configuring Quality of Service (QoS) priority
for RDP connections through Differentiated Services Code Point (DSCP) marks.
Managed networks
You can achieve the direct line of sight connectivity required to use RDP Shortpath
with managed networks using the following methods.
ExpressRoute private peering
Having direct line of sight connectivity means that the client can connect directly to
the session host without being blocked by firewalls.
Note
To use RDP Shortpath for managed networks, you must enable a UDP listener on
your session hosts. By default, port 3390 is used, although you can use a different
port.
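Enabling that UDP listener is a per-session-host change: a registry setting for the Remote Desktop listener plus an inbound firewall rule for the one port. This is an added example, not code from this page; the registry value names and the firewall rule shape follow the Configure RDP Shortpath guidance and should be treated as assumptions to verify against that article. Run it elevated on a session host.

```powershell
# Added example (not from this page): enable the RDP Shortpath for managed networks
# listener on a session host and open only the UDP port it needs.
param([int] $UdpPort = 3390)   # default port named in the note above

$winStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'

# Turn on the UDP listener and pin its port (value names assumed from the
# Configure RDP Shortpath guidance).
New-ItemProperty -Path $winStations -Name 'fUseUdpPortRedirector' -PropertyType DWORD -Value 1        -Force | Out-Null
New-ItemProperty -Path $winStations -Name 'UdpPortNumber'         -PropertyType DWORD -Value $UdpPort -Force | Out-Null

# Inbound rule scoped three ways: the Remote Desktop service binary only, this one UDP
# port only, and the Domain and Private profiles only. Managed networks are private by
# definition, so the listener is not exposed on the Public profile.
$ruleName = 'Remote Desktop - RDP Shortpath (UDP-In)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow -Enabled True `
        -Profile Domain,Private -Protocol UDP -LocalPort $UdpPort `
        -Program '%SystemRoot%\system32\svchost.exe' -Service TermService | Out-Null
}

# Verify: the registry values are set, and once the listener is active the port shows
# up as a listening UDP endpoint owned by the Remote Desktop Services process.
Get-ItemProperty -Path $winStations | Select-Object fUseUdpPortRedirector, UdpPortNumber
Get-NetUDPEndpoint -LocalPort $UdpPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Opening the port does not by itself accept sessions: as the Connection security section below explains, the session host ignores any Shortpath attempt that doesn't match a reverse connect session brokered through the service first, so the listener is only reachable in a useful way by a client that has already authenticated.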
Connection sequence
All connections begin by establishing a TCP-based reverse connect transport over
the Azure Virtual Desktop Gateway. Then, the client and session host establish the
initial RDP transport, and start exchanging their capabilities. These capabilities are
negotiated using the following process:
1. The session host sends the list of its IPv4 and IPv6 addresses to the client.
4. If the client has a direct connection to the session host, the client establishes a
secure connection using TLS over reliable UDP.
5. After establishing the RDP Shortpath transport, all Dynamic Virtual Channels
(DVCs), including remote graphics, input, and device redirection, are moved to
the new transport. However, if a firewall or network topology prevents the
client from establishing direct UDP connectivity, RDP continues with a reverse
connect transport.
If your users have both RDP Shortpath for managed network and public networks
available to them, then the first-found algorithm will be used. The user will use
whichever connection gets established first for that session.
Connection security
RDP Shortpath extends RDP multi-transport capabilities. It doesn't replace the reverse
connect transport but complements it. Initial session brokering is managed through the
Azure Virtual Desktop service and the reverse connect transport. All connection
attempts are ignored unless they match the reverse connect session first. RDP Shortpath
is established after authentication, and if successfully established, the reverse connect
transport is dropped and all traffic flows over the RDP Shortpath.
RDP Shortpath uses a secure connection using TLS over reliable UDP between the client
and the session host using the session host's certificates. By default, the certificate used
for RDP encryption is self-generated by the operating system during the deployment.
You can also deploy centrally managed certificates issued by an enterprise certification
authority. For more information about certificate configurations, see Remote Desktop
listener certificate configurations.
Note
The security offered by RDP Shortpath is the same as that offered by TCP reverse
connect transport.
Example scenarios
Here are some example scenarios to show how connections are evaluated to decide
whether RDP Shortpath is used across different network topologies.
Scenario 1
A UDP connection can only be established between the client device and the session
host over a public network (internet). A direct connection, such as a VPN, isn't available.
UDP is allowed through firewall or NAT device.
Scenario 2
A firewall or NAT device is blocking a direct UDP connection, but a relayed UDP
connection can be established using TURN between the client device and the session host
over a public network (internet). Another direct connection, such as a VPN, isn't
available.
Scenario 3
A UDP connection can be established between the client device and the session host
over a public network or over a direct VPN connection, but RDP Shortpath for managed
networks isn't enabled. When the client initiates the connection, the ICE/STUN protocol
can see multiple routes and will evaluate each route and choose the one with the lowest
latency.
In this example, a UDP connection using RDP Shortpath for public networks over the
direct VPN connection will be made as it has the lowest latency, as shown by the green
line.
Scenario 4
Both RDP Shortpath for public networks and managed networks are enabled. A UDP
connection can be established between the client device and the session host over a
public network or over a direct VPN connection. When the client initiates the
connection, there are simultaneous attempts to connect using RDP Shortpath for
managed networks through port 3390 (by default) and RDP Shortpath for public
networks through the ICE/STUN protocol. The first-found algorithm will be used and the
user will use whichever connection gets established first for that session.
Since going over a public network has more steps, for example a NAT device, a load
balancer, or a STUN server, it's likely that the first-found algorithm will select the
connection using RDP Shortpath for managed networks and be established first.
Scenario 5
A UDP connection can be established between the client device and the session host
over a public network or over a direct VPN connection, but RDP Shortpath for managed
networks isn't enabled. To prevent ICE/STUN from using a particular route, an admin can
block one of the routes for UDP traffic. Blocking a route would ensure the remaining
path is always used.
In this example, UDP is blocked on the direct VPN connection and the ICE/STUN
protocol establishes a connection over the public network.
Scenario 6
Both RDP Shortpath for public networks and managed networks are configured,
however a UDP connection couldn't be established using the direct VPN connection. A
firewall or NAT device is also blocking a direct UDP connection using the public network
(internet), but a relayed UDP connection can be established using TURN between the client
device and the session host over a public network (internet).
Scenario 7
Both RDP Shortpath for public networks and managed networks are configured,
however a UDP connection couldn't be established. In this instance, RDP Shortpath will
fail and the connection will fall back to TCP-based reverse connect transport.
Next steps
Learn how to Configure RDP Shortpath.
Learn more about Azure Virtual Desktop network connectivity at Understanding
Azure Virtual Desktop network connectivity.
Understand Azure egress network charges .
To understand how to estimate the bandwidth used by RDP, see RDP bandwidth
requirements.
Important
RDP Shortpath for public networks via TURN for Azure Virtual Desktop is only
available in the Azure public cloud.
Users can connect to a remote session from Azure Virtual Desktop using the Remote
Desktop Protocol (RDP) with a UDP or TCP-based transport. RDP Shortpath establishes a
UDP-based transport between a local device Windows App or the Remote Desktop app
on supported platforms and session host.
UDP-based transport offers better connection reliability and more consistent latency.
TCP-based reverse connect transport provides the best compatibility with various
networking configurations and has a high success rate for establishing RDP connections.
If a UDP connection can't be established, a TCP-based reverse connect transport is used
as a fallback connection method.
There are four options for RDP Shortpath that provide flexibility for how you want client
devices to connect to a remote session using UDP:
RDP Shortpath for managed networks: A direct UDP connection between a client
device and session host using a private connection, such as ExpressRoute private
peering or a virtual private network (VPN). You enable the RDP Shortpath listener
on session hosts and allow an inbound port to accept connections.
RDP Shortpath for managed networks with ICE/STUN: A direct UDP connection
between a client device and session host using a private connection, such as
ExpressRoute private peering or a virtual private network (VPN). When the RDP
Shortpath listener isn't enabled on session hosts and an inbound port isn't allowed,
ICE/STUN is used to discover available IP addresses and a dynamic port that can be
used for a connection. The port range is configurable.
RDP Shortpath for public networks with ICE/STUN: A direct UDP connection
between a client device and session host using a public connection. ICE/STUN is
used to discover available IP addresses and a dynamic port that can be used for a
connection. The RDP Shortpath listener and an inbound port aren't required. The
port range is configurable.
RDP Shortpath for public networks via TURN: A relayed UDP connection between
a client device and session host using a public connection, where TURN relays
traffic through an intermediate server between the client and session host. An
example of when you use this option is if a connection uses Symmetric NAT. A
dynamic port is used for a connection; the port range is configurable. For a list of
Azure regions in which TURN is available, see supported Azure regions with TURN
availability. The connection from the client device must also be within a supported
location. The RDP Shortpath listener and an inbound port aren't required.
Which of the four options your client devices can use is also dependent on their network
configuration. To learn more about how RDP Shortpath works, together with some
example scenarios, see RDP Shortpath.
This article lists the default configuration for each of the four options and how to
configure them. It also provides steps to verify that RDP Shortpath is working and how
to disable it if needed.
Tip
RDP Shortpath for public networks with STUN or TURN will work automatically
without any additional configuration, if networks and firewalls allow the traffic
through and RDP transport settings in the Windows operating system for session
hosts and clients are using their default values.
Default configuration
Your session hosts, the networking settings of the related host pool, and client devices
need to be configured for RDP Shortpath. What you need to configure depends on
which of the four RDP Shortpath options you want to use and also the network
topology and configuration of client devices.
Here are the default behaviors for each option and what you need to configure:
RDP Shortpath for managed networks
  Session host settings: UDP and TCP are enabled in Windows by default.
  Host pool networking settings: Default (enabled).
  Client device settings: UDP and TCP are enabled in Windows by default.

RDP Shortpath for managed networks with ICE/STUN
  Session host settings: UDP and TCP are enabled in Windows by default. You don't need
  any extra configuration, but you can limit the port range used.
  Host pool networking settings: Default (enabled).
  Client device settings: UDP and TCP are enabled in Windows by default.

RDP Shortpath for public networks with ICE/STUN
  Session host settings: UDP and TCP are enabled in Windows by default. You don't need
  any extra configuration, but you can limit the port range used.
  Host pool networking settings: Default (enabled).
  Client device settings: UDP and TCP are enabled in Windows by default.

RDP Shortpath for public networks via TURN
  Session host settings: UDP and TCP are enabled in Windows by default. You don't need
  any extra configuration, but you can limit the port range used.
  Host pool networking settings: Default (enabled).
  Client device settings: UDP and TCP are enabled in Windows by default.
Prerequisites
Before you enable RDP Shortpath, you need:
Internet access for both clients and session hosts. Session hosts require
outbound UDP connectivity to the internet, or at least to the STUN and TURN
servers. To reduce the number of ports required, you can limit the port range
used with STUN and TURN.
Make sure session hosts and clients can connect to the STUN and TURN servers.
You can find details of the IP subnets, ports, and protocols used by the STUN
and TURN servers at Network configuration.
If you want to use Azure PowerShell locally, see Use Azure CLI and Azure
PowerShell with Azure Virtual Desktop to make sure you have the
Az.DesktopVirtualization PowerShell module installed. Alternatively, use the Azure
Cloud Shell.
Important
You don't need to enable the RDP Shortpath listener for the other three RDP
Shortpath options, as they use ICE/STUN or TURN to discover available IP
addresses and a dynamic port that is used for a connection.
Select the relevant tab for your scenario.
Microsoft Intune
To enable the RDP Shortpath listener on your session hosts using Microsoft Intune:
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Enable RDP Shortpath for managed networks, then close
the settings picker.
5. Expand the Administrative templates category, then toggle the switch for
Enable RDP Shortpath for managed networks to Enabled.
6. Select Next.
7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
9. On the Review + create tab, review the settings, then select Create.
10. Make sure Windows Firewall and any other firewalls you have allows the port
you configured inbound to your session hosts. Follow the steps in Firewall
policy for endpoint security in Intune.
11. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
2. Run the following commands, which check the registry and outputs the current
RDP transport protocols setting:
PowerShell
Output
The RDP transport protocols setting hasn't been changed from its
default value.
If the output states that the value is Use only TCP it's likely that the value has been
changed by Microsoft Intune or Group Policy in an Active Directory domain. You
need to enable UDP in one of the following ways:
a. Edit the existing Microsoft Intune policy or Active Directory Group Policy that
targets your session hosts. The policy setting is at one of these locations:
b. Either set the setting to Not configured, or set it to Enabled, then for Select
Transport Type, select Use both UDP and TCP.
c. Update the policy on the session hosts, then restart them for the settings to
take effect.
Where there's a conflict between the host pool and session host configuration, the most
restrictive setting is used. For example, if RDP Shortpath for managed networks is
configured with the listener enabled on the session host but the host pool setting is
disabled, RDP Shortpath for managed networks won't work.
Azure portal
Here's how to configure RDP Shortpath in the host pool networking settings using
the Azure portal:
3. Select Host pools, then select the host pool you want to configure.
5. For each option, select a value from the drop-down list based on your
requirements. Default corresponds to Enabled for each option.
6. Select Save.
2. Run the following commands, which check the registry and outputs the current
setting:
PowerShell
Output
The default setting hasn't been changed from its default value. UDP is
enabled.
If the output states that UDP is disabled, it's likely that the value has been changed
by Microsoft Intune or Group Policy in an Active Directory domain. You need to
enable UDP in one of the following ways:
a. Edit the existing Microsoft Intune policy or Active Directory Group Policy that
targets your session hosts. The policy setting is at one of these locations:
c. Update the policy on the client devices, then restart them for the settings to
take effect.
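The two registry checks above (the session host "RDP transport protocols" check and the client "UDP" check) are missing their code in this copy of the article. The following script is an added example, not the article's own code, that performs both checks in one place and reports whether a UDP-based transport is still possible. It assumes the policy registry paths and value names shown (SelectTransport for "Select Transport Type", fClientDisableUDP for "Turn Off UDP On Client") are the ones Intune and Group Policy write; confirm them against your own policy before relying on the result.

```powershell
# Added example, not code from the original article.
# ASSUMPTION: these paths and value names are what the Intune / Group Policy
# settings named in the article write to the registry.
$SessionHostKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ClientKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'

function Get-PolicyDword {
    # Returns the DWORD value, or $null when the policy was never set (Windows default).
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-RdpTransportState {
    $transport     = Get-PolicyDword -Path $SessionHostKey -Name 'SelectTransport'
    $clientDisable = Get-PolicyDword -Path $ClientKey      -Name 'fClientDisableUDP'

    # Session host side: value 1 means "Use only TCP"; unset, 0 or 2 allow UDP and TCP.
    if ($null -eq $transport)  { $hostState = 'Default (UDP and TCP)' }
    elseif ($transport -eq 1)  { $hostState = 'Use only TCP (set by policy)' }
    else                       { $hostState = 'Use both UDP and TCP (set by policy)' }

    # Client side: value 1 turns UDP off on the client; unset or 0 leaves it enabled.
    if ($null -eq $clientDisable)  { $clientState = 'Default (UDP enabled)' }
    elseif ($clientDisable -eq 1)  { $clientState = 'UDP disabled by policy' }
    else                           { $clientState = 'UDP enabled by policy' }

    [pscustomobject]@{
        SessionHostTransport = $hostState
        ClientUdp            = $clientState
        # RDP Shortpath needs UDP allowed on both sides; otherwise the TCP
        # reverse connect transport is used as the fallback.
        UdpTransportPossible = ($transport -ne 1) -and ($clientDisable -ne 1)
    }
}

Get-RdpTransportState | Format-List
```

Run it in an elevated PowerShell session on a session host and on a client device. A value of `Use only TCP (set by policy)` or `UDP disabled by policy` points to the Intune or Group Policy setting described in steps a to c above, which you then set to Not configured or to Enabled with Use both UDP and TCP.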
You can run avdnettest.exe by double-clicking the file, or running it from the command
line. The output looks similar to this output if connectivity is successful:
You have access to TURN servers and your NAT type appears to be 'cone
shaped'.
Shortpath for public networks is very likely to work on this host.
If your environment uses Symmetric NAT, then you can use a relayed connection with
TURN. For more information you can use to configure firewalls and Network Security
Groups, see Network configurations for RDP Shortpath.
PowerShell
3. Restart the session hosts and client devices for the settings to take effect.
When choosing the base and pool size, consider the number of ports you need. The
range must be between 1024 and 49151, after which the ephemeral port range begins.
You can limit the port range using Microsoft Intune or Group Policy in an Active
Directory domain. Select the relevant tab for your scenario.
Microsoft Intune
To limit the port range used with STUN and TURN using Microsoft Intune:
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Use port range for RDP Shortpath for unmanaged
networks, then close the settings picker.
5. Expand the Administrative templates category, then toggle the switch for Use
port range for RDP Shortpath for unmanaged networks to Enabled.
6. Enter values for Port pool size (Device) and UDP base port (Device). The
default values are 1000 and 38300 respectively.
7. Select Next.
8. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
9. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
10. On the Review + create tab, review the settings, then select Create.
11. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
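As an added example that is not part of the original article, the following script applies the same port-range limit locally and validates the range against the 1024 to 49151 constraint stated above before writing anything. It assumes that the registry values ICEEnableClientPortRange, ICEClientPortBase and ICEClientPortRange are what the "Use port range for RDP Shortpath for unmanaged networks" policy writes; check your ADMX template before using these names in production.

```powershell
# Added example, not code from the original article.
# ASSUMPTION: the three ICE* value names are what the policy setting writes.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Test-ShortpathPortRange {
    # The article's constraint: the whole range must sit inside 1024..49151,
    # below the ephemeral port range.
    param([int]$BasePort, [int]$PoolSize)
    if ($PoolSize -lt 1)  { return $false }
    if ($BasePort -lt 1024) { return $false }
    if (($BasePort + $PoolSize - 1) -gt 49151) { return $false }
    return $true
}

function Set-ShortpathPortRange {
    # Defaults are the article's own defaults: base port 38300, pool size 1000.
    param([int]$BasePort = 38300, [int]$PoolSize = 1000)

    $last = $BasePort + $PoolSize - 1
    if (-not (Test-ShortpathPortRange -BasePort $BasePort -PoolSize $PoolSize)) {
        throw "UDP range $BasePort-$last is outside the allowed 1024-49151 range."
    }
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name 'ICEEnableClientPortRange' -Value 1         -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'ICEClientPortBase'        -Value $BasePort -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'ICEClientPortRange'       -Value $PoolSize -Type DWord

    # The firewall rule and the restart the article asks for are left to the operator.
    "Configured UDP $BasePort-$last for STUN/TURN. Allow this range outbound and restart to apply."
}

# Example: a smaller pool for a host with few concurrent sessions.
Set-ShortpathPortRange -BasePort 38300 -PoolSize 200
```

Test-ShortpathPortRange rejects ranges such as base 49000 with pool 1000, which would spill past 49151, so the script refuses rather than writing a partly invalid range that the session host would silently ignore or truncate.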
Connection information
To make sure connections are using RDP Shortpath, you can check the connection
information on the client:
2. Open the Connection Information dialog by going to the Connection tool bar
on the top of the screen and select the signal strength icon, as shown in the
following screenshot:
3. You can verify in the output that UDP is enabled, as shown in the following
screenshots:
If a direct connection with RDP Shortpath for managed networks is used,
the transport protocol has the value UDP (Private Network):
Related content
If you're having trouble establishing a connection using the RDP Shortpath transport for
public networks, see Troubleshoot RDP Shortpath.
RDP Shortpath for managed networks provides a direct UDP-based transport between
the Remote Desktop client and session host. RDP Shortpath for managed networks enables
configuration of Quality of Service (QoS) policies for the RDP data. QoS in Azure Virtual
Desktop allows real-time RDP traffic that's sensitive to network delays to "cut in line" in
front of traffic that's less sensitive. An example of such less sensitive traffic is
downloading a new app, where an extra second to download isn't a big deal. QoS uses
Windows Group Policy Objects to identify and mark all packets in real-time streams and
help your network give RDP traffic a dedicated portion of bandwidth.
If you support a large group of users experiencing any of the problems described in this
article, you probably need to implement QoS. A small business with few users might not
need QoS, but it should be helpful even there.
Without some form of QoS, you might see the following issues:
Jitter – RDP packets arriving at different rates, which can result in visual and audio
glitches
Packet loss – packets dropped, which results in retransmission that requires
additional time
Delayed round-trip time (RTT) – RDP packets taking a long time to reach their
destinations, which result in noticeable delays between input and reaction from the
remote application.
The least complicated way to address these issues is to increase the size of the data
connections, both internally and out to the internet. Since that is often cost-prohibitive,
QoS provides a way to manage the resources you already have more effectively instead of
adding bandwidth. To address quality issues, we recommend that you first use QoS, then add
bandwidth only where necessary.
For QoS to be effective, you must apply consistent QoS settings throughout your
organization. Any part of the path that fails to support your QoS priorities can degrade
the quality of the RDP session.
When network traffic enters a router, the traffic is placed into a queue. If a QoS policy
isn't configured, there is only one queue, and all data is treated as first-in, first-out with
the same priority. That means RDP traffic might get stuck behind traffic where a few
extra milliseconds delay wouldn't be a problem.
When you implement QoS, you define multiple queues using one of several congestion
management features, such as Cisco's priority queuing and Class-Based Weighted Fair
Queueing (CBWFQ), and congestion avoidance features, such as weighted random
early detection (WRED).
A simple analogy is that QoS creates virtual "carpool lanes" in your data network. So
some types of data never or rarely encounter a delay. Once you create those lanes, you
can adjust their relative size and much more effectively manage the connection
bandwidth you have while still delivering business-grade experiences for your
organization's users.
Traffic congestion across a network will significantly impact media quality. A lack of
bandwidth leads to performance degradation and a poor user experience. As Azure
Virtual Desktop adoption and usage grows, use Log Analytics to identify problems and
then make adjustments using QoS and selective bandwidth additions.
VPN considerations
QoS only works as expected when implemented on all links between clients and session
hosts. If you use QoS on an internal network and a user signs in from a remote location,
you can only prioritize within your internal, managed network. Although remote
locations can receive a managed connection by implementing a virtual private network
(VPN), a VPN inherently adds packet overhead and creates delays in real-time traffic.
You can compare DSCP markings to postage stamps that indicate to postal workers how
urgent the delivery is and how best to sort it for speedy delivery. Once you've
configured your network to give priority to RDP streams, lost packets and late packets
should diminish significantly.
Once all network devices are using the same classifications, markings, and priorities, it's
possible to reduce or eliminate delays, dropped packets, and jitter. From the RDP
perspective, the essential configuration step is the classification and marking of packets.
However, for end-to-end QoS to be successful, you also need to align the RDP
configuration with the underlying network configuration carefully. The DSCP value tells a
correspondingly configured network what priority to give a packet or stream.
We recommend using DSCP value 46 that maps to Expedited Forwarding (EF) DSCP
class.
1. In Group Policy Management, locate the container where the new policy should be
created. For example, if all your session hosts computers are located in an OU
named "session hosts", the new policy should be created in the Session Hosts OU.
2. Right-click the appropriate container, and then select Create a GPO in this
domain, and Link it here.
3. In the New GPO dialog box, type a name for the new Group Policy object in the
Name box, and then select OK.
6. In the Policy-based QoS dialog box, on the opening page, type a name for the
new policy in the Name box. Select Specify DSCP Value and set the value to 46.
Leave Specify Outbound Throttle Rate unselected, and then select Next.
7. On the next page, select Only applications with this executable name and enter
the name svchost.exe, and then select Next. This setting instructs the policy to
only prioritize matching traffic from the Remote Desktop Service.
8. On the third page, make sure that both Any source IP address and Any
destination IP address are selected, and then select Next. These two settings
ensure that packets will be managed regardless of which computer (IP address)
sent the packets and which computer (IP address) will receive the packets.
9. On page four, select UDP from the Select the protocol this QoS policy applies to
drop-down list.
10. Under the heading Specify the source port number, select From this source port
or range. In the accompanying text box, type 3390. Select Finish.
The new policies you've created won't take effect until Group Policy has been refreshed
on your session host computers. Although Group Policy periodically refreshes on its
own, you can force an immediate refresh by following these steps:
1. On each session host for which you want to refresh Group Policy, open a
Command Prompt as administrator (Run as administrator).
Console
gpupdate /force
PowerShell
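The Group Policy procedure above marks outbound UDP traffic from svchost.exe with source port 3390 as DSCP 46. As an added example, not the article's own code, the following PowerShell creates an equivalent local QoS policy with the NetQos cmdlets, which is useful on a session host that isn't domain-joined or for testing a marking before rolling it out through Group Policy. The policy name is a constructed value.

```powershell
# Added example, not code from the original article. Requires the NetQos
# module (Windows Server and Windows 10/11) and an elevated session.

function New-RdpShortpathQosPolicy {
    param(
        [string]$Name       = 'RDP Shortpath for managed networks',  # constructed name
        [int]   $SourcePort = 3390,  # RDP Shortpath listener port from the article
        [int]   $Dscp       = 46     # Expedited Forwarding (EF), as the article recommends
    )
    # Re-create the policy idempotently so re-running the script doesn't fail.
    if (Get-NetQosPolicy -Name $Name -ErrorAction SilentlyContinue) {
        Remove-NetQosPolicy -Name $Name -Confirm:$false
    }
    # Mirrors the Group Policy wizard: svchost.exe, UDP only, source port 3390,
    # any source/destination address (the default when no address condition is given),
    # no outbound throttle.
    New-NetQosPolicy -Name $Name `
        -AppPathNameMatchCondition 'svchost.exe' `
        -IPProtocolMatchCondition UDP `
        -IPSrcPortMatchCondition $SourcePort `
        -DSCPAction $Dscp `
        -NetworkProfile All
}

function Test-RdpShortpathQosPolicy {
    # Returns $true when the policy exists; inspect the full object to confirm
    # the protocol, port and DSCP value before trusting it.
    param([string]$Name = 'RDP Shortpath for managed networks')
    $policy = Get-NetQosPolicy -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $policy)
}

New-RdpShortpathQosPolicy | Out-Null
Get-NetQosPolicy -Name 'RDP Shortpath for managed networks' | Format-List *
Test-RdpShortpathQosPolicy
```

A local policy created this way is stored on the machine itself, so a domain policy with the same match conditions can still override or duplicate it; when you later deploy the Group Policy version, remove the local one to keep a single source of truth for the marking. Marking is only half of the work: the DSCP 46 value has no effect until switches, routers and any VPN concentrator on the path are configured to honour it, as the article notes.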
Related articles
Quality of Service (QoS) Policy
Next steps
To learn about bandwidth requirements for Azure Virtual Desktop, see
Understanding Remote Desktop Protocol (RDP) Bandwidth Requirements for Azure
Virtual Desktop.
To learn about Azure Virtual Desktop network connectivity, see Understanding
Azure Virtual Desktop network connectivity.
Azure Private Link with Azure Virtual Desktop
Article • 06/24/2024
You can use Azure Private Link with Azure Virtual Desktop to privately connect to your
remote resources. By creating a private endpoint, traffic between your virtual network
and the service remains on the Microsoft network, so you no longer need to expose
your service to the public internet. Your users also need a VPN or ExpressRoute
connection to the virtual network so that the Remote Desktop client can reach the
private endpoint. Keeping traffic within the Microsoft network improves security and
keeps your data safe. This article describes how Private Link can help you secure your
Azure Virtual Desktop environment.
1. Initial feed discovery: lets the client discover all workspaces assigned to a user. To
enable this process, you create a single private endpoint to the global sub-resource
of any workspace. You can only create one such private endpoint in your entire
Azure Virtual Desktop deployment. This endpoint creates Domain Name System (DNS)
entries and private IP routes for the global fully qualified domain name (FQDN)
needed for initial feed discovery. This connection becomes a single, shared route
for all clients to use.
2. Feed download: the client downloads all connection details for a specific user for
the workspaces that host their application groups. You create a private endpoint
for the feed sub-resource for each workspace you want to use with Private Link.
3. Connections to host pools: every connection to a host pool has two sides - clients
and session hosts. You need to create a private endpoint for the connection sub-
resource for each host pool you want to use with Private Link.
The following high-level diagram shows how Private Link securely connects a local client
to the Azure Virtual Desktop service. For more detailed information about client
connections, see Client connection sequence.
Supported scenarios
When adding Private Link with Azure Virtual Desktop, you have the following supported
scenarios to connect to Azure Virtual Desktop. Which scenario you choose depends on
your requirements. You can either share these private endpoints across your network
topology or you can isolate your virtual networks so that each has their own private
endpoint to the host pool or workspace.
1. All parts of the connection - initial feed discovery, feed download, and remote
session connections for clients and session hosts - use private routes. You need the
following private endpoints:
2. Feed download and remote session connections for clients and session hosts use
private routes, but initial feed discovery uses public routes. You need the following
private endpoints. The endpoint for initial feed discovery isn't required.
3. Only remote session connections for clients and session hosts use private routes,
but initial feed discovery and feed download use public routes. You need the
following private endpoint(s). Endpoints to workspaces aren't required.
4. Both clients and session host VMs use public routes. Private Link isn't used in this
scenario.
Important
If you create a private endpoint for initial feed discovery, the workspace used
for the global sub-resource governs the shared Fully Qualified Domain Name
(FQDN), facilitating the initial discovery of feeds across all workspaces. You
should create a separate workspace that is only used for this purpose and
doesn't have any application groups registered to it. Deleting this workspace
will cause all feed discovery processes to stop working.
You can't control access to the workspace used for the initial feed discovery
(global sub-resource). If you configure this workspace to only allow private
access, the setting is ignored. This workspace is always accessible from public
routes.
Configuration outcomes
You configure settings on the relevant Azure Virtual Desktop workspaces and host pools
to set public or private access. For connections to a workspace, except the workspace
used for initial feed discovery (global sub-resource), the following table details the
outcome of each scenario:
Public access enabled from all networks: Workspace feed requests are allowed from
public routes.
Public access disabled from all networks: Workspace feed requests are denied from
public routes. Workspace feed requests are allowed from private routes.
With the reverse connect transport, there are two network connections for connections
to host pools: the client to the gateway, and the session host to the gateway. In addition
to enabling or disabling public access for both connections, you can also choose to
enable public access for clients connecting to the gateway and only allow private access
for session hosts connecting to the gateway. The following table details the outcome of
each scenario:
Public access enabled from all networks: Remote sessions are allowed when either the
client or session host is using a public route.
Public access disabled from all networks: Remote sessions are denied when either the
client or session host is using a public route.
Public access enabled for client networks, but disabled for session host networks:
Remote sessions are denied if the session host is using a public route, regardless of
the route the client is using.
3. For each workspace in the feed, a DNS query is made for the address
<workspaceId>.privatelink.wvd.microsoft.com .
5. When connecting to a remote session, the .rdp file that comes from the
workspace feed download contains the address for the Azure Virtual Desktop
gateway service with the lowest latency for the user's device. A DNS query is made
to an address in the format <hostpoolId>.afdfp-rdgateway.wvd.microsoft.com .
7. Following orchestration, the network traffic between the client, Azure Virtual
Desktop gateway service, and session host is transferred over to a port in the TCP
dynamic port range of 1 - 65535.
Important
If you intend to restrict network ports from either the user client devices or your
session host VMs to the private endpoints, you will need to allow traffic across the
entire TCP dynamic port range of 1 - 65535 to the private endpoint for the host
pool resource using the connection sub-resource. The entire TCP dynamic port
range is needed because Azure private networking internally maps these ports to
the appropriate gateway that was selected during client orchestration. If you
restrict ports to the private endpoint, your users may not be able to connect to
Azure Virtual Desktop.
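The connection sequence above names the two DNS lookups a client makes, for the workspace feed and for the gateway. A quick way to confirm that Private Link is actually in the path is to check that those names resolve to private addresses from the client's network. The following script is an added example, not the article's own code; `<workspaceId>` and `<hostpoolId>` are the article's placeholders and you substitute your own resource IDs. Whether a name resolves through the private DNS zone depends on the DNS integration described later in this article, so a `public route` result is a prompt to check that integration rather than proof of a fault.

```powershell
# Added example, not code from the original article. Run from a client device
# (or a session host) on the network that should be using the private endpoints.

function Test-IsRfc1918 {
    # True for 10/8, 172.16/12 and 192.168/16, the ranges a private endpoint
    # NIC in a virtual network normally receives.
    param([string]$IPv4)
    $octets = $IPv4.Split('.') | ForEach-Object { [int]$_ }
    if ($octets.Count -ne 4) { return $false }
    return ($octets[0] -eq 10) -or
           ($octets[0] -eq 172 -and $octets[1] -ge 16 -and $octets[1] -le 31) -or
           ($octets[0] -eq 192 -and $octets[1] -eq 168)
}

function Test-AvdPrivateLinkDns {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,   # placeholder: your workspace ID
        [Parameter(Mandatory)][string]$HostPoolId     # placeholder: your host pool ID
    )
    # The two FQDN formats from the article's client connection sequence.
    $names = @(
        "$WorkspaceId.privatelink.wvd.microsoft.com",
        "$HostPoolId.afdfp-rdgateway.wvd.microsoft.com"
    )
    foreach ($name in $names) {
        try {
            # Resolve-DnsName also returns the CNAME hops; keep only the A records.
            $records = Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
                       Where-Object { $_.QueryType -eq 'A' }
        } catch {
            [pscustomobject]@{ Name = $name; Address = $null; Private = $false; Note = $_.Exception.Message }
            continue
        }
        foreach ($record in $records) {
            $isPrivate = Test-IsRfc1918 -IPv4 $record.IPAddress
            [pscustomobject]@{
                Name    = $name
                Address = $record.IPAddress
                Private = $isPrivate
                Note    = if ($isPrivate) { 'private endpoint' } else { 'public route' }
            }
        }
    }
}

# Usage (placeholders, not real IDs):
Test-AvdPrivateLinkDns -WorkspaceId '<workspaceId>' -HostPoolId '<hostpoolId>' | Format-Table -AutoSize
```

Pair this with the port note above: a private address for the host pool name is only useful if the TCP dynamic port range 1 to 65535 is allowed to that private endpoint, because the gateway chosen during orchestration is reached through those ports.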
Before you use Private Link for Azure Virtual Desktop, you need to enable Private
Link with Azure Virtual Desktop on each Azure subscription in which you want to
use it.
All Remote Desktop clients that connect to Azure Virtual Desktop can be used with
Private Link. If you're using the Remote Desktop client for Windows on a private
network without internet access and you're subscribed to both public and private
feeds, you aren't able to access your feed.
After you've changed a private endpoint to a host pool, you must restart the
Remote Desktop Agent Loader (RDAgentBootLoader) service on each session host in
the host pool. You also need to restart this service whenever you change a host
pool's network configuration. Instead of restarting the service, you can restart each
session host.
Using both Private Link and RDP Shortpath for managed networks isn't supported,
but they can work together. You can use Private Link and RDP Shortpath for
managed networks at your own risk. All other RDP Shortpath options using STUN
or TURN aren't supported with Private Link.
Early in the preview of Private Link with Azure Virtual Desktop, the private endpoint
for the initial feed discovery (for the global sub-resource) shared the private DNS
zone name of privatelink.wvd.microsoft.com with other private endpoints for
workspaces and host pools. In this configuration, users are unable to establish
private endpoints exclusively for host pools and workspaces. Starting September 1,
2023, sharing the private DNS zone in this configuration will no longer be
supported. You need to create a new private endpoint for the global sub-resource
to use the private DNS zone name of privatelink-global.wvd.microsoft.com . For
the steps to do this, see Initial feed discovery.
Next steps
Learn how to Set up Private Link with Azure Virtual Desktop.
Learn how to configure Azure Private Endpoint DNS at Private Link DNS
integration.
For general troubleshooting guides for Private Link, see Troubleshoot Azure Private
Endpoint connectivity problems.
Understand Azure Virtual Desktop network connectivity.
See the Required URL list for the list of URLs you need to unblock to ensure
network access to the Azure Virtual Desktop service.
This article shows you how to set up Private Link with Azure Virtual Desktop to privately
connect to your remote resources. For more information about using Private Link with
Azure Virtual Desktop, including limitations, see Azure Private Link with Azure Virtual
Desktop.
Prerequisites
In order to use Private Link with Azure Virtual Desktop, you need the following things:
An existing host pool with session hosts, an application group, and workspace.
An existing virtual network and subnet you want to use for private endpoints.
If you're using the Remote Desktop client for Windows, you must use version
1.2.4066 or later to connect using a private endpoint.
If you want to use Azure CLI or Azure PowerShell locally, see Use Azure CLI and
Azure PowerShell with Azure Virtual Desktop to make sure you have the
desktopvirtualization Azure CLI extension or the Az.DesktopVirtualization
PowerShell module installed. Alternatively, use the Azure Cloud Shell.
Azure PowerShell cmdlets for Azure Virtual Desktop that support Private Link are in
preview. You'll need to download and install the preview version of the
Az.DesktopVirtualization module to use these cmdlets, which have been added in
version 5.0.0.
For Azure for US Government and Azure operated by 21Vianet, you also need to
register the feature for each subscription.
2. In the search bar, enter Subscriptions and select the matching service entry.
3. Select the name of your subscription, then in the Settings section, select Preview
features.
4. Select the drop-down list for the filter Type and set it to
Microsoft.DesktopVirtualization.
2. In the search bar, enter Subscriptions and select the matching service entry.
3. Select the name of your subscription, then in the section Settings, select Resource
providers.
2. Clients use public routes while session host VMs use private routes. You need the
following private endpoints. Endpoints to workspaces aren't required.
Important
Portal
Here's how to create a private endpoint for the connection sub-resource for
connections to a host pool using the Azure portal.
2. In the search bar, type Azure Virtual Desktop and select the matching service
entry to go to the Azure Virtual Desktop overview.
3. Select Host pools, then select the name of the host pool for which you want to
create a connection sub-resource.
4. From the host pool overview, select Networking, then Private endpoint
connections, and finally New private endpoint.
Subscription: Select the subscription you want to create the private endpoint in from
the drop-down list.
Network interface name: The network interface name fills in automatically based on the
name you gave the private endpoint, but you can also specify a different name.
Virtual network: Select the virtual network you want to create the private endpoint in
from the drop-down list.
Subnet: Select the subnet of the virtual network you want to create the private endpoint
in from the drop-down list.
Network policy for private endpoints: Select edit if you want to choose a subnet network
policy. For more information, see Manage network policies for private endpoints.
Application security group: Optional: select an existing application security group for
the private endpoint from the drop-down list, or create a new one. You can also add one
later.
8. On the DNS tab, choose whether you want to use Azure Private DNS Zone by
selecting Yes or No for Integrate with private DNS zone. If you select Yes,
select the subscription and resource group in which to create the private DNS
zone privatelink.wvd.microsoft.com . For more information, see Azure Private
Endpoint DNS configuration.
9. Optional: On the Tags tab, you can enter any name/value pairs you need, then
select Next: Review + create.
10. On the Review + create tab, ensure validation passes and review the
information that is used during deployment.
11. Select Create to create the private endpoint for the connection sub-resource.
Important
You need to create a private endpoint for the connection sub-resource for each
host pool you want to use with Private Link.
Feed download
To create a private endpoint for the feed sub-resource for a workspace, select the
relevant tab for your scenario and follow the steps.
Portal
1. From the Azure Virtual Desktop overview, select Workspaces, then select the
name of the workspace for which you want to create a feed sub-resource.
Subscription: Select the subscription you want to create the private endpoint in from
the drop-down list.
Network interface name: The network interface name fills in automatically based on the
name you gave the private endpoint, but you can also specify a different name.
Virtual network: Select the virtual network you want to create the private endpoint in
from the drop-down list.
Subnet: Select the subnet of the virtual network you want to create the private endpoint
in from the drop-down list.
Network policy for private endpoints: Select edit if you want to choose a subnet network
policy. For more information, see Manage network policies for private endpoints.
Application security group: Optional: select an existing application security group for
the private endpoint from the drop-down list, or create a new one. You can also add one
later.
6. On the DNS tab, choose whether you want to use Azure Private DNS Zone by
selecting Yes or No for Integrate with private DNS zone. If you select Yes,
select the subscription and resource group in which to create the private DNS
zone privatelink.wvd.microsoft.com . For more information, see Azure Private
Endpoint DNS configuration.
7. Optional: On the Tags tab, you can enter any name/value pairs you need, then
select Next: Review + create.
8. On the Review + create tab, ensure validation passes and review the
information that is used during deployment.
9. Select Create to create the private endpoint for the feed sub-resource.
Important
You need to create a private endpoint for the feed sub-resource for each workspace
you want to use with Private Link.
Important
Only create one private endpoint for the global sub-resource for all your Azure
Virtual Desktop deployments.
Portal
1. From the Azure Virtual Desktop overview, select Workspaces, then select the
name of a workspace you want to use for the global sub-resource.
a. Optional: Instead, create a placeholder workspace to terminate the global
endpoint by following the instructions to Create a workspace.
Parameter: Value/Description
Subscription: Select the subscription you want to create the private endpoint in from the drop-down list.
Network interface name: The network interface name fills in automatically based on the name you gave the private endpoint, but you can also specify a different name.
4. On the Resource tab, validate the values for Subscription, Resource type, and
Resource, then for Target sub-resource, select global. Once you've completed
this tab, select Next: Virtual Network.
Parameter: Value/Description
Virtual network: Select the virtual network you want to create the private endpoint in from the drop-down list.
Subnet: Select the subnet of the virtual network you want to create the private endpoint in from the drop-down list.
Network policy for private endpoints: Select edit if you want to choose a subnet network policy. For more information, see Manage network policies for private endpoints.
Application security group: Optional: select an existing application security group for the private endpoint from the drop-down list, or create a new one.
6. On the DNS tab, choose whether you want to use Azure Private DNS Zone by selecting Yes or No for Integrate with private DNS zone. If you select Yes, select the subscription and resource group in which to create the private DNS zone privatelink-global.wvd.microsoft.com. For more information, see Azure Private Endpoint DNS configuration.
7. Optional: On the Tags tab, you can enter any name/value pairs you need, then
select Next: Review + create.
8. On the Review + create tab, ensure validation passes and review the
information that is used during deployment.
9. Select Create to create the private endpoint for the global sub-resource.
Portal
Workspaces
1. From the Azure Virtual Desktop overview, select Workspaces, then select the
name of the workspace to control public traffic.
2. From the host pool overview, select Networking, then select the Public access
tab.
Setting: Description
Enable public access from all networks: End users can access the feed over the public internet or the private endpoints.
Disable public access and use private access: End users can only access the feed over the private endpoints.
4. Select Save.
Host pools
1. From the Azure Virtual Desktop overview, select Host pools, then select the
name of the host pool to control public traffic.
2. From the host pool overview, select Networking, then select the Public access
tab.
Setting: Description
Enable public access from all networks: End users can access the feed and session hosts securely over the public internet or the private endpoints.
Enable public access for end users, use private access for session hosts: End users can access the feed securely over the public internet but must use private endpoints to access session hosts.
Disable public access and use private access: End users can only access the feed and session hosts over the private endpoints.
4. Select Save.
Important
Changing access for session hosts won't affect existing sessions. After you've
changed a private endpoint to a host pool, you must restart the Remote Desktop
Agent Loader (RDAgentBootLoader) service on each session host in the host pool.
You also need to restart this service whenever you change a host pool's network
configuration. Instead of restarting the service, you can restart each session host.
Caution
Make sure you don't block traffic between your private endpoints and the
addresses in the required URL list.
Don't block certain ports from either the user client devices or your session
hosts to the private endpoint for a host pool resource using the connection
sub-resource. The entire TCP dynamic port range of 1 - 65535 to the private
endpoint is needed because port mapping is used to all global gateways
through the single private endpoint IP address corresponding to the
connection sub-resource. If you restrict ports to the private endpoint, your
users may not be able to connect successfully to Azure Virtual Desktop.
Portal
Workspaces
1. From the Azure Virtual Desktop overview, select Workspaces, then select the
name of the workspace for which you want to check the connection state.
3. For the private endpoint listed, check the Connection state is Approved.
Host pools
1. From the Azure Virtual Desktop overview, select Host pools, then select the
name of the host pool for which you want to check the connection state.
2. From the host pool overview, select Networking, then Private endpoint
connections.
3. For the private endpoint listed, check the Connection state is Approved.
a. From the Azure Virtual Desktop overview, select Host pools, then select the
name of the host pool.
c. Review the list of session hosts and check their status is Available.
1. Use the Remote Desktop client and make sure you can subscribe to and refresh
workspaces.
2. Finally, make sure your users can connect to a remote session.
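The portal procedure above (feed sub-resource endpoint, private DNS zone integration, and the Approved connection-state check) as an added PowerShell example; it is not part of the Microsoft article. It assumes an existing Connect-AzAccount session with the Az.Network, Az.PrivateDns and Az.DesktopVirtualization modules, and all resource names are placeholders.

```powershell
# Added example, not from the Microsoft article: creates the feed-sub-resource
# private endpoint for one workspace, integrates the privatelink.wvd.microsoft.com
# zone with it, and then checks that the connection state is Approved.
# Requires Az.Network, Az.PrivateDns and Az.DesktopVirtualization.
# All names below are placeholders; replace them with your own.
$ResourceGroup = 'rg-avd-placeholder'
$WorkspaceName = 'ws-avd-placeholder'
$VnetName      = 'vnet-avd-placeholder'
$SubnetName    = 'snet-privatelink-placeholder'
$EndpointName  = "pe-$WorkspaceName-feed"
$Location      = 'westeurope'

# The workspace is the Private Link resource and 'feed' is the target sub-resource
# chosen in step 4. Each workspace needs its own feed endpoint; the 'global'
# sub-resource gets exactly one endpoint for all deployments.
$workspace  = Get-AzWvdWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$connection = New-AzPrivateLinkServiceConnection -Name "$EndpointName-conn" `
    -PrivateLinkServiceId $workspace.Id -GroupId 'feed'

$vnet   = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet

$endpoint = New-AzPrivateEndpoint -ResourceGroupName $ResourceGroup -Name $EndpointName `
    -Location $Location -Subnet $subnet -PrivateLinkServiceConnection $connection

# DNS tab: integrate with the private DNS zone so clients on the virtual network
# resolve the feed hostname to the endpoint's private IP, not the public address.
$zoneName = 'privatelink.wvd.microsoft.com'
$zone = Get-AzPrivateDnsZone -ResourceGroupName $ResourceGroup -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    $zone = New-AzPrivateDnsZone -ResourceGroupName $ResourceGroup -Name $zoneName
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $ResourceGroup -ZoneName $zoneName `
        -Name "link-$VnetName" -VirtualNetworkId $vnet.Id | Out-Null
}
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'feed-zone' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $ResourceGroup -PrivateEndpointName $EndpointName `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# Verification step from the article: the listed connection must be Approved.
# Any other state means clients cannot yet use the endpoint.
$state = (Get-AzPrivateEndpointConnection -PrivateLinkResourceId $workspace.Id |
    Where-Object { $_.PrivateEndpoint.Id -eq $endpoint.Id }).PrivateLinkServiceConnectionState.Status
if ($state -ne 'Approved') {
    Write-Warning "Private endpoint $EndpointName is in state '$state', not Approved."
} else {
    Write-Output "Private endpoint $EndpointName is Approved."
}
```

For the global sub-resource, run the same steps once with -GroupId 'global' and the zone privatelink-global.wvd.microsoft.com.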
Next steps
Learn more about how Private Link for Azure Virtual Desktop works at Use Private Link with Azure Virtual Desktop.
Learn how to configure Azure Private Endpoint DNS at Private Link DNS integration.
For general troubleshooting guides for Private Link, see Troubleshoot Azure Private Endpoint connectivity problems.
Understand how connectivity for the Azure Virtual Desktop service works at Azure Virtual Desktop network connectivity.
See the Required URL list for the list of URLs you need to unblock to ensure network access to the Azure Virtual Desktop service.
Proxy server guidelines for Azure Virtual
Desktop
Article • 06/29/2023
This article will show you how to use a proxy server with Azure Virtual Desktop. The
recommendations in this article only apply to connections between Azure Virtual
Desktop infrastructure, client, and session host agents. This article doesn't cover network
connectivity for Office, Windows 10, FSLogix, or other Microsoft applications.
Most proxy servers aren't designed for supporting long running WebSocket connections
and may affect connection stability. Proxy server scalability also causes issues because
Azure Virtual Desktop uses multiple long-term connections. If you do use proxy servers,
they must be the right size to run these connections.
If the proxy server's geography is far from the host, then this distance will cause more
latency in your user connections. More latency means slower connection time and worse
user experience, especially in scenarios that need graphics, audio, or low-latency
interactions with input devices. If you must use a proxy server, keep in mind that you
need to place the server in the same geography as the Azure Virtual Desktop Agent and
client.
If you configure your proxy server as the only path for Azure Virtual Desktop traffic to
take, the Remote Desktop Protocol (RDP) data will be forced over Transmission Control
Protocol (TCP) instead of User Datagram Protocol (UDP). This move lowers the visual
quality and responsiveness of the remote connection.
In summary, we don't recommend using proxy servers on Azure Virtual Desktop because
they cause performance-related issues from latency degradation and packet loss.
If you configure your proxy server to use SSL inspection, remember that you can't revert
your server to its original state after the SSL inspection makes changes. If something in
your Azure Virtual Desktop environment stops working while you have SSL inspection
enabled, you must disable SSL inspection and try again before you open a support case.
SSL inspection can also cause the Azure Virtual Desktop agent to stop working because
it interferes with trusted connections between the agent and the service.
To configure your network to use DNS resolution for WPAD, follow the instructions in Auto detect settings Internet Explorer 11. Make sure the DNS server global query blocklist allows the WPAD resolution by following the directions in Set-DnsServerGlobalQueryBlockList.
The following example configures the Local System and Network Service accounts to use a proxy .pac file. You'll need to run these commands from an elevated command prompt, changing the placeholder value for <server> with your own address:
For a full reference and other examples, see bitsadmin util and setieproxy.
You can also set a device-wide proxy or Proxy Auto Configuration (.PAC) file that applies to all interactive, Local System, and Network Service users. If your session hosts are enrolled with Intune, you can set a proxy with the Network Proxy CSP; however, Windows multi-session client operating systems don't support Policy CSP as they only support the settings catalog. Alternatively, you can configure a device-wide proxy using the netsh winhttp command. For a full reference and examples, see Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP).
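The two configurations described above (per-account .pac file via bitsadmin, then a device-wide WinHTTP proxy with a bypass list) as an added example; it is not the article's own command listing. Run it from an elevated PowerShell prompt on a session host; the server names, port and .pac URL are placeholders, and only one entry of the bypass list is shown, the rest come from the Required URL list.

```powershell
# Added example, not from the Microsoft article: points the Local System and
# Network Service accounts (the accounts the agent and bootloader run under) at a
# proxy auto-configuration file with bitsadmin, then sets a device-wide WinHTTP
# proxy with a bypass list and prints both back for verification.
# Placeholders: replace the host names and port with your own.
$PacUrl       = 'http://proxy.contoso.example/proxy.pac'   # placeholder
$WinHttpProxy = 'proxy.contoso.example:8080'              # placeholder
# Hosts that go direct instead of through the proxy. '*.wvd.microsoft.com' is one
# entry from the Required URL list; add the remaining entries from that list.
$Bypass       = '<local>;*.wvd.microsoft.com'

foreach ($account in 'LOCALSYSTEM', 'NETWORKSERVICE') {
    # AUTOSCRIPT tells the account to select its proxy from the .pac file.
    bitsadmin /util /setieproxy $account AUTOSCRIPT $PacUrl | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "bitsadmin /setieproxy failed for $account (exit code $LASTEXITCODE)"
    }
    # Read the stored setting back so the change is visible in the transcript.
    bitsadmin /util /getieproxy $account
}

# Device-wide WinHTTP proxy for services that do not read per-user settings.
# The bypass list keeps service traffic off the proxy, which is the proxy-bypass
# configuration support asks for when connectivity problems are reported.
netsh winhttp set proxy proxy-server="$WinHttpProxy" bypass-list="$Bypass"
netsh winhttp show proxy
```

To remove the device-wide setting again, `netsh winhttp reset proxy` returns WinHTTP to direct access.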
Android: No
iOS: Yes
macOS: Yes
For more information about proxy support on Linux based thin clients, see Thin client
support.
Support limitations
There are many third-party services and applications that act as a proxy server. These
third-party services include distributed next-gen firewalls, web security systems, and
basic proxy servers. We can't guarantee that every configuration is compatible with
Azure Virtual Desktop. Microsoft only provides limited support for connections
established over a proxy server. If you're experiencing connectivity issues while using a
proxy server, Microsoft support recommends you configure a proxy bypass and then try
to reproduce the issue.
Next steps
For more information about keeping your Azure Virtual Desktop deployment secure,
check out our security guide.
Use Azure Firewall to protect Azure
Virtual Desktop deployments
Article • 04/23/2024
Azure Virtual Desktop is a cloud virtual desktop infrastructure (VDI) service that runs on
Azure. When an end user connects to Azure Virtual Desktop, their session comes from a
session host in a host pool. A host pool is a collection of Azure virtual machines that
register to Azure Virtual Desktop as session hosts. These virtual machines run in your
virtual network and are subject to the virtual network security controls. They need
outbound internet access to the Azure Virtual Desktop service to operate properly and
might also need outbound internet access for end users. Azure Firewall can help you
lock down your environment and filter outbound traffic.
Follow the guidelines in this article to provide extra protection for your Azure Virtual
Desktop host pool using Azure Firewall.
Prerequisites
A deployed Azure Virtual Desktop environment and host pool. For more
information, see Deploy Azure Virtual Desktop.
An Azure Firewall deployed with at least one Firewall Manager Policy.
DNS and DNS Proxy enabled in the Firewall Policy to use FQDN in Network Rules.
To learn more about Azure Virtual Desktop terminology, see Azure Virtual Desktop
terminology.
Host pool outbound access to Azure Virtual
Desktop
The Azure virtual machines you create for Azure Virtual Desktop must have access to
several Fully Qualified Domain Names (FQDNs) to function properly. Azure Firewall uses
the Azure Virtual Desktop FQDN tag WindowsVirtualDesktop to simplify this
configuration. You'll need to create an Azure Firewall Policy and create Rule Collections
for Network Rules and Applications Rules. Give the Rule Collection a priority and an
allow or deny action.
You need to create rules for each of the required FQDNs and endpoints. The list is
available at Required FQDNs and endpoints for Azure Virtual Desktop. In order to
identify a specific host pool as Source, you can create an IP Group with each session host
to represent it.
Important
We recommend that you don't use TLS inspection with Azure Virtual Desktop. For
more information, see the proxy server guidelines.
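The rule setup described in this article (DNS proxy on the policy, an IP Group holding one host pool's session hosts as the Source, and an application rule on the WindowsVirtualDesktop FQDN tag) as an added PowerShell example; it is not the article's own code. It assumes Az.Network and Az.DesktopVirtualization, an existing Firewall Policy as stated in the prerequisites, and placeholder resource names; cmdlet and property names are those of the Az.Network module as the author understands them.

```powershell
# Added example, not from the Microsoft article: on an existing Firewall Policy,
# enables DNS proxy (required for FQDN-based network rules), builds an IP Group
# from the private IPs of one host pool's session hosts, and adds an Allow
# application rule collection for the WindowsVirtualDesktop FQDN tag.
# Requires Az.Network and Az.DesktopVirtualization. Names are placeholders.
$ResourceGroup = 'rg-avd-placeholder'
$PolicyName    = 'afwp-avd-placeholder'
$HostPoolName  = 'hp-avd-placeholder'
$Location      = 'westeurope'

$policy = Get-AzFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroup

# Prerequisite from the article: DNS and DNS proxy enabled on the policy.
if (-not $policy.DnsSettings -or -not $policy.DnsSettings.EnableProxy) {
    $policy.DnsSettings = New-AzFirewallPolicyDnsSetting -EnableProxy
    $policy = Set-AzFirewallPolicy -InputObject $policy
}

# Collect the session hosts' private IPs so the rule Source is exactly this host
# pool rather than the whole virtual network (least privilege on the source side).
$hostIps = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPoolName |
    ForEach-Object {
        # Session host ResourceId is the VM resource ID: .../resourceGroups/<rg>/.../virtualMachines/<name>
        $parts = $_.ResourceId -split '/'
        $vm  = Get-AzVM -ResourceGroupName $parts[4] -Name $parts[-1]
        $nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
        $nic.IpConfigurations[0].PrivateIpAddress
    }
if (-not $hostIps) { throw "No session hosts found in host pool $HostPoolName" }

$ipGroup = New-AzIpGroup -Name "ipg-$HostPoolName" -ResourceGroupName $ResourceGroup `
    -Location $Location -IpAddress @($hostIps)

# Application rule: the WindowsVirtualDesktop FQDN tag covers the service
# endpoints the session hosts reach over HTTPS. Network rules for the remaining
# required FQDNs and endpoints belong in a second collection, taken from the
# Required FQDNs and endpoints list; they are not invented here.
$appRule = New-AzFirewallPolicyApplicationRule -Name 'allow-avd-service' `
    -SourceIpGroup $ipGroup.Id -FqdnTag 'WindowsVirtualDesktop' -Protocol 'https:443'
$appCollection = New-AzFirewallPolicyFilterRuleCollection -Name 'avd-app-rules' `
    -Priority 200 -Rule $appRule -ActionType Allow

# The collection group carries the priority; keep Allow collections for the
# required endpoints above any broad Deny collection added later.
New-AzFirewallPolicyRuleCollectionGroup -Name 'avd-outbound' -Priority 200 `
    -RuleCollection $appCollection -FirewallPolicyObject $policy | Out-Null

Write-Output "Allowed $($hostIps.Count) session host(s) in $HostPoolName to the WindowsVirtualDesktop FQDN tag."
```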
Next step
Learn more about Azure Virtual Desktop: What is Azure Virtual Desktop?
Get started with the Azure Virtual
Desktop Agent
Article • 05/15/2023
In the Azure Virtual Desktop Service framework, there are three main components: the
Remote Desktop client, the service, and the virtual machines. These virtual machines live
in the customer subscription where the Azure Virtual Desktop agent and agent
bootloader are installed. The agent acts as the intermediate communicator between the
service and the virtual machines, enabling connectivity. Therefore, if you're experiencing
any issues with the agent installation, update, or configuration, your virtual machines
won't be able to connect to the service. The agent bootloader is the executable that
loads the agent.
This article will give you a brief overview of the agent installation and update processes.
Note
This documentation is not for the FSLogix agent or the Remote Desktop Client
agent.
Important
To successfully install the Azure Virtual Desktop agent, side-by-side stack, and
Geneva Monitoring agent, you must unblock all the URLs listed in the Required
URL list. Unblocking these URLs is required to use the Azure Virtual Desktop
service.
Agent update process
The Azure Virtual Desktop service updates the agent whenever an update becomes
available. Agent updates can include new functionality or fixes for previous issues. You
must always have the latest stable version of the agent installed so your VMs don't lose
connectivity or security. After you've installed the initial version of the Azure Virtual
Desktop agent, the agent will regularly query the Azure Virtual Desktop service to
determine if there’s a newer version of the agent, stack, or monitoring agent available. If
a newer version exists, the updated component is automatically installed by the flighting
system, unless you've configured the Scheduled Agent Updates feature. If you've
already configured the Scheduled Agent Updates feature, the agent will only install the
updated components during the maintenance window that you specify. For more
information, see Scheduled Agent Updates.
New versions of the agent are deployed at regular intervals in five-day periods to all
Azure subscriptions. These update periods are called "flights". It takes 24 hours for all
VMs in a single broker region to receive the agent update in a flight. Because of this,
when a flight happens, you may see VMs in your host pool receive the agent update at
different times. Also, if the VMs are in different regions, they might update on different
days in the five-day period. The flight will update all VM agents in all subscriptions by
the end of the deployment period. The Azure Virtual Desktop flighting system enhances
service reliability by ensuring the stability and quality of the agent update.
The agent update isn't connected to Azure Virtual Desktop infrastructure build
updates. When the Azure Virtual Desktop infrastructure updates, that doesn't
mean that the agent has updated along with it.
Because VMs in your host pool may receive agent updates at different times, you'll
need to be able to tell the difference between flighting issues and failed agent
updates. If you go to the event logs for your VM at Event Viewer > Windows Logs
> Application and see an event labeled "ID 3277," that means the Agent update
didn't work. If you don't see that event, then the VM is in a different flight and will
be updated later. See Set up diagnostics to monitor agent updates for more
information about how to set up diagnostic logs to track updates and make sure
they've been installed correctly.
When the Geneva Monitoring agent updates to the latest version, the old
GenevaTask task is located and disabled before creating a new task for the new
monitoring agent. The earlier version of the monitoring agent isn't deleted in case
that the most recent version of the monitoring agent has a problem that requires
reverting to the earlier version to fix. If the latest version has a problem, the old
monitoring agent will be re-enabled to continue delivering monitoring data. All
versions of the monitor that are earlier than the last one you installed before the
update will be deleted from your VM.
Your VM keeps three versions of the agent and of the side-by-side stack at a time.
This allows for quick recovery if something goes wrong with the update. The
earliest version of the agent or stack is removed from the VM whenever the agent
or stack updates. If you delete these components prematurely and the agent or
stack has a failure, the agent or stack won't be able to roll back to an earlier
version, which will put your VM in an unavailable state.
The agent update normally lasts 2-3 minutes on a new VM and shouldn't cause your VM
to lose connection or shut down. This update process applies to both Azure Virtual
Desktop (classic) and the latest version of Azure Virtual Desktop with Azure Resource
Manager.
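The distinction the text draws between a failed agent update (event ID 3277 in the Application log) and a VM that is simply in a later flight, as an added check script that is not part of the Microsoft article. Run it on a session host; the function name and the seven-day window are the author's choices.

```powershell
# Added example, not from the Microsoft article: run on a session host to tell a
# failed agent update from a VM that is still waiting for its flight. Event ID
# 3277 in the Application log is the failure signal the article describes; the
# RDAgentBootLoader service state is reported alongside it.
function Get-AvdAgentUpdateStatus {
    param([int]$Days = 7)   # look-back window; 7 days covers a full five-day flight
    $since = (Get-Date).AddDays(-$Days)

    # FilterHashtable lets the event log service do the filtering; with no match
    # Get-WinEvent writes a non-terminating error, which is silenced here.
    $failures = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 3277; StartTime = $since } `
        -ErrorAction SilentlyContinue)
    $service  = Get-Service -Name 'RDAgentBootLoader' -ErrorAction SilentlyContinue

    $verdict = if ($failures.Count -gt 0) {
        'Agent update failed (event 3277 present): investigate before the next flight'
    } elseif (-not $service) {
        'RDAgentBootLoader service not found: agent is not installed on this VM'
    } elseif ($service.Status -ne 'Running') {
        'No failure recorded, but RDAgentBootLoader is not running: restart it or the VM'
    } else {
        'No failure recorded and loader running: VM is healthy or in a later flight'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        LoaderState      = $(if ($service) { $service.Status.ToString() } else { 'NotInstalled' })
        FailedUpdates    = $failures.Count
        LastFailure      = $(if ($failures.Count -gt 0) {
                               ($failures | Sort-Object TimeCreated -Descending)[0].TimeCreated })
        Verdict          = $verdict
    }
}

Get-AvdAgentUpdateStatus -Days 7 | Format-List
```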
Next steps
Now that you have a better understanding of the Azure Virtual Desktop agent, here are
some resources that might help you:
This article will walk you through the process of deploying and accessing Microsoft
Entra joined virtual machines in Azure Virtual Desktop. Microsoft Entra joined VMs
remove the need to have line-of-sight from the VM to an on-premises or virtualized
Active Directory Domain Controller (DC) or to deploy Microsoft Entra Domain Services.
In some cases, it can remove the need for a DC entirely, simplifying the deployment and
management of the environment. These VMs can also be automatically enrolled in
Intune for ease of management.
Known limitations
The following known limitations may affect access to your on-premises or Active
Directory domain-joined resources and you should consider them when deciding
whether Microsoft Entra joined VMs are right for your environment.
Azure Virtual Desktop (classic) doesn't support Microsoft Entra joined VMs.
Microsoft Entra joined VMs don't currently support external identities, such as
Microsoft Entra Business-to-Business (B2B) and Microsoft Entra Business-to-
Consumer (B2C).
Microsoft Entra joined VMs can only access Azure Files shares or Azure NetApp
Files shares for hybrid users using Microsoft Entra Kerberos for FSLogix user
profiles.
The Remote Desktop Store app for Windows doesn't support Microsoft Entra
joined VMs.
Host pools should only contain VMs of the same domain join type. For
example, Microsoft Entra joined VMs should only be with other Microsoft
Entra joined VMs, and vice-versa.
The VMs in the host pool must be Windows 11 or Windows 10 single-session
or multi-session, version 2004 or later, or Windows Server 2022 or Windows
Server 2019.
For Microsoft Entra joined VMs, you'll need to do two extra things on top of the
requirements for Active Directory or Microsoft Entra Domain Services-based
deployments:
Assign your users the Virtual Machine User Login role so they can sign in to the
VMs.
Assign administrators who need local administrative privileges the Virtual Machine
Administrator Login role.
To grant users access to Microsoft Entra joined VMs, you must configure role
assignments for the VM. You can assign the Virtual Machine User Login or Virtual
Machine Administrator Login role either on the VMs, the resource group containing the
VMs, or the subscription. We recommend assigning the Virtual Machine User Login role
to the same user group you used for the application group at the resource group level
to make it apply to all the VMs in the host pool.
Single sign-on
For the best experience across all platforms, you should enable a single sign-on
experience using Microsoft Entra authentication when accessing Microsoft Entra joined
VMs. Follow the steps to Configure single sign-on to provide a seamless connection
experience.
The local PC is Microsoft Entra joined to the same Microsoft Entra tenant as the
session host
The local PC is Microsoft Entra hybrid joined to the same Microsoft Entra tenant as
the session host
The local PC is running Windows 11 or Windows 10, version 2004 or later, and is
Microsoft Entra registered to the same Microsoft Entra tenant as the session host
To access Microsoft Entra joined VMs using the web, Android, macOS and iOS clients,
you must add targetisaadjoined:i:1 as a custom RDP property to the host pool. These
connections are restricted to entering user name and password credentials when
signing in to the session host.
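The two configuration steps described above (assigning Virtual Machine User Login at resource-group scope and adding the targetisaadjoined:i:1 custom RDP property) as an added PowerShell example; it is not the article's own code. It assumes Az.Resources and Az.DesktopVirtualization and placeholder names for the resource group, host pool and user group.

```powershell
# Added example, not from the Microsoft article: grants a user group the
# Virtual Machine User Login role at resource-group scope (so it covers every
# session host in the host pool) and appends targetisaadjoined:i:1 to the host
# pool's custom RDP properties without discarding the ones already set.
# Requires Az.Resources and Az.DesktopVirtualization. Names are placeholders.
$ResourceGroup = 'rg-avd-placeholder'
$HostPoolName  = 'hp-avd-placeholder'
$UserGroupName = 'AVD-Users'   # the same group assigned to the application group

$group = Get-AzADGroup -DisplayName $UserGroupName
if (-not $group) { throw "Group '$UserGroupName' not found in Microsoft Entra ID" }

# Users get sign-in rights only. 'Virtual Machine Administrator Login' grants
# local admin and should go to a separate, smaller group, not to this one.
$roleName = 'Virtual Machine User Login'
$existing = Get-AzRoleAssignment -ObjectId $group.Id -ResourceGroupName $ResourceGroup `
    -RoleDefinitionName $roleName
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName `
        -ResourceGroupName $ResourceGroup | Out-Null
    Write-Output "Assigned '$roleName' to $UserGroupName on resource group $ResourceGroup."
}

# Update-AzWvdHostPool replaces the whole CustomRdpProperty string, so read the
# current value first and only append the property if it is not there yet.
$hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName
$props    = @($hostPool.CustomRdpProperty -split ';' | Where-Object { $_ })
if ($props -notcontains 'targetisaadjoined:i:1') {
    $props += 'targetisaadjoined:i:1'
    # Properties are stored as a ';'-separated string with a trailing ';'.
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName `
        -CustomRdpProperty (($props -join ';') + ';') | Out-Null
}

# Show the resulting property string so the change can be confirmed.
(Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName).CustomRdpProperty
```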
If you're using Microsoft Entra multifactor authentication and you don't want to restrict
signing in to strong authentication methods like Windows Hello for Business, you'll need
to exclude the Azure Windows VM Sign-In app from your Conditional Access policy.
User profiles
You can use FSLogix profile containers with Microsoft Entra joined VMs when you store
them on Azure Files or Azure NetApp Files while using hybrid user accounts. For more
information, see Create a profile container with Azure Files and Microsoft Entra ID.
Next steps
Now that you've deployed some Microsoft Entra joined VMs, we recommend enabling
single sign-on before connecting with a supported Azure Virtual Desktop client to test it
as part of a user session. To learn more, check out these articles:
Custom image templates in Azure Virtual Desktop enable you to easily create a custom
image that you can use when deploying session host virtual machines (VMs). Using
custom images helps you to standardize the configuration of your session host VMs for
your organization. Custom image templates are built on Azure Image Builder and
tailored for Azure Virtual Desktop.
Creation process
There are two parts to creating a custom image:
1. Create a custom image template that defines what should be in the resulting
image.
2. Build the image from that custom image template, by submitting the template to
Azure Image Builder.
A custom image template is a JSON file that contains your choices of source image,
distribution targets, build properties, and customizations. Azure Image Builder uses this
template to create a custom image, which you can use as the source image for your
session hosts when creating or updating a host pool. When creating the image, Azure
Image Builder also takes care of generalizing the image with sysprep.
The source image must be supported for Azure Virtual Desktop and can be from:
Azure Marketplace.
An existing Azure Compute Gallery shared image.
An existing managed image.
An existing custom image template.
We've added several built-in scripts that you can use to configure some of the most popular features and settings when using Azure Virtual Desktop. You can also add your own custom scripts to the template, as long as they're hosted at a publicly available location, such as GitHub or a web service. You need to specify a duration for the build, so make sure you allow enough time for your scripts to complete. Built-in scripts include restarts where needed.
Here are some examples of the built-in scripts you can add to a custom image template:
When the custom image is being created and distributed, Azure Image Builder uses a user-assigned managed identity. Azure Image Builder uses this managed identity to create several resources in your subscription, such as a resource group, a VM used to build the image, Key Vault, and a storage account. The VM needs internet access to download the built-in scripts or your own scripts that you added. The built-in scripts are stored in the RDS-templates GitHub repository at https://github.com/Azure/RDS-Templates.
You can choose whether you want the VM to connect to an existing virtual network and
subnet, which will enable the VM to have access to other resources you may have
available to that virtual network. If you don't specify an existing virtual network, a
temporary virtual network, subnet, and public IP address are created for use by the VM.
For more information on networking options, see Azure VM Image Builder networking
options.
Resources
A resource group is created when the custom image template is created. The default
name is in the format IT_<ResourceGroupName>_<TemplateName>_<GUID> and stores the
resources required during the build. Most of these resources are temporary and are
deleted after the build is complete, except the storage account.
In the storage account, up to three containers are created:
shell is where customization scripts are stored, if you include any customization
scripts in your custom image template.
packerlogs has one or more folders named with a GUID, which contain a file called
customization.log. This file contains all the outputs from the Hashicorp Packer
service that Azure Image Builder uses. These outputs can be downloaded at any
time to review the progress, errors and completion status.
vhds temporarily stores the resulting virtual hard disk (VHD) file before being
stored as a managed image or in Azure Compute Gallery.
Next steps
Learn how to Create Custom image templates and custom images in Azure Virtual
Desktop.
Custom image templates in Azure Virtual Desktop enable you to easily create a custom
image that you can use when deploying session host virtual machines (VMs). Using
custom images helps you to standardize the configuration of your session host VMs for
your organization. Custom image templates are built on Azure Image Builder and
tailored for Azure Virtual Desktop.
This article shows you how to create a custom image template, then create a custom
image using that template. For more information, see Custom image templates.
Prerequisites
Before you can create a custom image template, you need to meet the following
prerequisites:
A resource group to store custom image templates, and images. If you specify your
own resource group for Azure Image Builder to use, then it needs to be empty
before the image build starts.
Create a custom role in Azure role-based access control (RBAC) with the following
permissions as actions:
JSON
"Microsoft.Compute/galleries/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/galleries/images/versions/read",
"Microsoft.Compute/galleries/images/versions/write",
"Microsoft.Compute/images/write",
"Microsoft.Compute/images/read",
"Microsoft.Compute/images/delete"
Assign the custom role to the managed identity. This should be scoped appropriately for your deployment, ideally to the resource group you use to store custom image templates.
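The custom role and its assignment from the two prerequisites above, as an added PowerShell example that is not part of the Microsoft article. It uses exactly the actions listed above, scopes the role to a single resource group, and assumes Az.Resources and Az.ManagedServiceIdentity; the role name, resource group and identity name are placeholders.

```powershell
# Added example, not from the Microsoft article: defines a custom RBAC role with
# the seven actions the prerequisites list, assignable only to the resource
# group that holds the templates and images, and assigns it to the user-assigned
# managed identity Azure Image Builder will run as. Names are placeholders.
$SubscriptionId = (Get-AzContext).Subscription.Id
$ResourceGroup  = 'rg-avd-images-placeholder'
$IdentityName   = 'id-aib-placeholder'
$RoleName       = 'AVD Custom Image Template Builder'   # placeholder role name
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

$role = Get-AzRoleDefinition -Name $RoleName
if (-not $role) {
    # Start from a built-in definition so the object has the right shape, then
    # replace its actions and assignable scopes with the minimum the build needs.
    $role = Get-AzRoleDefinition -Name 'Reader'
    $role.Id          = $null
    $role.IsCustom    = $true
    $role.Name        = $RoleName
    $role.Description = 'Lets Azure Image Builder read and write managed images and gallery image versions'
    $role.Actions.Clear()
    foreach ($action in @(
        'Microsoft.Compute/galleries/read',
        'Microsoft.Compute/galleries/images/read',
        'Microsoft.Compute/galleries/images/versions/read',
        'Microsoft.Compute/galleries/images/versions/write',
        'Microsoft.Compute/images/write',
        'Microsoft.Compute/images/read',
        'Microsoft.Compute/images/delete')) { $role.Actions.Add($action) }
    $role.NotActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($scope)   # cannot be assigned outside this resource group
    $role = New-AzRoleDefinition -Role $role
}

$identity = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroup -Name $IdentityName

# New role definitions replicate asynchronously, so an immediate assignment can
# fail with "role not found"; retry a few times instead of giving up.
$assignment = $null
for ($i = 0; $i -lt 6 -and -not $assignment; $i++) {
    try {
        $assignment = New-AzRoleAssignment -ObjectId $identity.PrincipalId `
            -RoleDefinitionId $role.Id -Scope $scope -ErrorAction Stop
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $assignment) { throw "Could not assign '$RoleName' to $IdentityName at $scope" }
$assignment | Select-Object DisplayName, RoleDefinitionName, Scope
```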
Optional: If you want to distribute your image to Azure Compute Gallery, create an
Azure Compute Gallery, then create a VM image definition. When you create a VM
image definition in the gallery you need to specify the generation of the image you
intend to create, either generation 1 or generation 2. The generation of the image
you want to use as the source image needs to match the generation specified in
the VM image definition. Don't create a VM image version at this stage. This will be
done by Azure Virtual Desktop.
Optional: You can use an existing virtual network when building an image. If you
do, the managed identity you're using needs access to the virtual network, or the
resource group it's contained within. For more information, see Permission to
customize images on your virtual networks.
If this virtual network is using a private service policy, it needs to be disabled for
Azure Image Builder to work correctly. For more information, see Disable private
service policy on the subnet.
2. In the search bar, enter Azure Virtual Desktop and select the matching service
entry.
3. Select Custom image templates, then select +Add custom image template.
Parameter: Value/Description
Import from existing template: Select Yes if you have an existing custom image template that you want to use as the basis of the new template.
Subscription: Select the subscription you want to use from the list.
Location: Select a region from the list where the custom image template will be created.
Managed identity: Select the managed identity to use for creating the custom image template.
5. On the Source image tab, for Source type select the source of your template from
one of the options, then complete the other fields for that source type.
Confidential VM and Trusted Launch support is inherited from Azure VM Image
Builder. For more information, see Confidential VM and Trusted Launch support.
Parameter: Value/Description
Select image: Select the image you want to use from the list. The generation of the image will be shown.
Managed image provides a list of managed images you have in the same subscription and location you selected on the Basics tab.
Parameter: Value/Description
Image ID: Select the image ID you want to use from the list. The generation of the image will be shown.
Parameter: Value/Description
Gallery name: Select the Azure Compute Gallery that contains the source image you want to use from the list.
Gallery image definition: Select the Gallery image definition you want to use from the list.
Gallery version: Select the Gallery version you want to use from the list. The generation of the image will be shown.
6. On the Distribution targets tab, check the relevant box whether you want to create a managed image, an Azure Compute Gallery image, or both:
Parameter: Value/Description
Resource group: Select an existing resource group from the list for the managed image.
Image name: Select an existing managed image from the list or select Create a managed image.
Location: Select the Azure region from the list for the managed image.
Run output name: Enter a run output name for the image. This is a free text field.
Parameter: Value/Description
Gallery name: Select the Azure Compute Gallery you want to distribute the image to from the list.
Gallery image definition: Select the Gallery image definition you want to use from the list.
Gallery image version: Optional. Enter a version number for the image. If you don't enter a value, one is generated automatically.
Run output name: Enter a run output name for the image. This is a free text field.
Replicated regions: Select which Azure regions to store and replicate the image. The region you selected for the custom image template is automatically selected.
Excluded from latest: Select Yes to prevent this image version from being used where you specify latest as the version of the ImageReference element when you create a VM. Otherwise, select No. To change this later, see List, update, and delete gallery resources.
Storage account type: Select the storage account type and redundancy from the list.
Parameter: Value/Description
Build timeout (minutes): Enter the maximum duration to wait while building the image template (includes all customizations, validations, and distributions).
Build VM size: Select a size for the temporary VM created and used to build the template. You need to select a VM size that matches the generation of your source image.
OS disk size (GB): Select the resource group you assigned the managed identity to. Alternatively, if you assigned the managed identity to the subscription, you can create a new resource group here.
Staging group: Enter a name for a new resource group you want Azure Image Builder to use to create the Azure resources it needs to create the image. If you leave this blank, Azure Image Builder creates its own default resource group.
Virtual network: Select an existing virtual network for the VM used to build the template. If you don't select an existing virtual network, a temporary one is created, along with a public IP address for the temporary VM.
Subnet: If you selected an existing virtual network, select a subnet from the list.
8. On the Customizations tab, you can add built-in scripts or your own scripts that run when building the image.
To add built-in scripts, select the scripts you want to use from the list, complete any required information, then select Save. Built-in scripts include restarts where needed.
To add your own scripts, enter a name for your script and the Uniform Resource Identifier (URI) of the script, then select Save. The URI needs to be reachable from the build VM without an interactive sign-in, such as GitHub, a web service, or your own storage account. To use a storage account, you need to assign the managed identity an appropriate RBAC role, such as Storage Blob Data Reader. Repeat these steps for each of your own scripts you want to add.
Whatever is at that URI runs on the build VM during the build, and its effects are baked into every session host created from the image, so treat the script location as part of your software supply chain: a storage account you control, read through the managed identity, is preferable to a public URL whose content anyone with write access can change.
You can change the order the scripts run by selecting Move up, Move down, Move to top, or Move to bottom. Once you've completed this tab, select Next.
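The following Az PowerShell script is an added example, not code from this page or from Microsoft. It shows the storage-account route described above done with least privilege: the customization script is uploaded to a private blob container, the template's user-assigned managed identity gets Storage Blob Data Reader scoped to that container only, and the script prints the URI to paste into the template together with the SHA-256 of what was uploaded. Resource group, storage account, container, identity and script file names are assumptions; it needs the Az.Accounts, Az.Storage, Az.Resources and Az.ManagedServiceIdentity modules and an existing Connect-AzAccount session.

```powershell
# Added example (not from the Azure Virtual Desktop docs). Requires Az.Accounts, Az.Storage,
# Az.Resources and Az.ManagedServiceIdentity, and an existing Connect-AzAccount session.
# Every name below is an assumption; change them to match your environment.
$ResourceGroup  = 'rg-avd-images'
$StorageAccount = 'stavdimagescripts'
$Container      = 'scripts'
$IdentityName   = 'id-avd-image-builder'   # the user-assigned identity attached to the template
$ScriptPath     = '.\Install-LobApp.ps1'   # your customization script

$sa  = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$ctx = $sa.Context

# Private container (-Permission Off): no anonymous reads, so the URI only works with Azure RBAC.
if (-not (Get-AzStorageContainer -Name $Container -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzStorageContainer -Name $Container -Context $ctx -Permission Off | Out-Null
}
Set-AzStorageBlobContent -File $ScriptPath -Container $Container -Context $ctx -Force | Out-Null

# Grant Storage Blob Data Reader at container scope only, and only once.
$mi    = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroup -Name $IdentityName
$scope = "$($sa.Id)/blobServices/default/containers/$Container"
$role  = 'Storage Blob Data Reader'
if (-not (Get-AzRoleAssignment -ObjectId $mi.PrincipalId -RoleDefinitionName $role -Scope $scope)) {
    New-AzRoleAssignment -ObjectId $mi.PrincipalId -RoleDefinitionName $role -Scope $scope | Out-Null
}

# The URI to paste into the template, plus the hash of what you uploaded so a later build
# can be compared against it (a script pulled from a mutable public URL has no such anchor).
$blobName = Split-Path -Path $ScriptPath -Leaf
$uri      = "$($ctx.BlobEndPoint)$Container/$blobName"
$sha256   = (Get-FileHash -Path $ScriptPath -Algorithm SHA256).Hash
[pscustomobject]@{ ScriptUri = $uri; Sha256 = $sha256 }
```

Role assignments can take a few minutes to propagate; if the first build fails to fetch the script, retry before widening the scope. Scoping the role to the container rather than the storage account means a compromised build VM can read only the scripts, not every blob in the account.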
9. On the Tags tab, enter any name and value pairs you can use to help organize your
resources, then select Next. A default tag of AVD_IMAGE_TEMPLATE :
AVD_IMAGE_TEMPLATE is automatically created. For more information, see Resource
10. On the Review and create tab, review the information that is used during
deployment, then select Create.
Tip
The new template may take about 20 seconds to appear. From Custom
images templates, select Refresh to check the status.
Removing or uninstalling the Microsoft Store app isn't supported. Learn how
to Configure access to the Microsoft Store.
1. From Custom images templates, check the box for the custom image template
you want to build.
2. Select Start build. The image starts to be built. The time it takes to complete
depends on how long it takes any built-in scripts and your own scripts to
complete.
3. Select Refresh to check the status. You can see more information on the build
status by selecting the name of the custom image template where you can see the
Build run state.
2. Select My Items.
3. Select My Images to see a list of managed images, or select Shared Images to see
a list of images in Azure Compute Gallery.
Important
When selecting a virtual machine size, you will need to select a size that matches the generation of your source image.
4. Complete the steps to create a host pool and session hosts from your custom
image.
Next steps
Connect to Azure Virtual Desktop
This article will walk you through how to use the Azure portal to create a custom image
to use for your Azure Virtual Desktop session hosts. This custom image, which we'll call a
"golden image," contains all apps and configuration settings you want to apply to your
deployment. There are other approaches to customizing your session hosts, such as
using device management tools like Microsoft Intune or automating your image build
using tools like Azure Image Builder with Azure DevOps. Which strategy works best
depends on the complexity and size of your planned Azure Virtual Desktop environment
and your current application deployment processes.
Important
The VM used for taking the image must be deployed without the "Login with Azure AD" flag. When you later deploy session hosts in Azure Virtual Desktop, you can choose to join the VMs to Azure Active Directory, which lets users sign in with Azure AD credentials as well.
Customize your VM
Sign in to the VM and start customizing it with apps, updates, and other things you'll
need for your image. If the VM needs to be domain-joined during customization,
remove it from the domain before running sysprep. If you need to install many apps, we
recommend you take multiple snapshots to revert your VM if a problem happens. Make
sure you've done the following things before taking the final snapshot:
Note
1. If your machine will include an antivirus app, it may cause issues when you
start sysprep. To avoid this, disable all antivirus programs before running
sysprep.
2. Unified Write Filter (UWF) is not supported for session hosts. Please ensure it
is not enabled in your image.
3. Do not join your golden image VM to a host pool, by deploying the Azure
Virtual Desktop Agent. If you do this when you create additional session hosts
from this image at a later time, they will fail to join the host pool as the
Registration token will have expired. The host pool deployment process will
automatically join the session hosts to the required host pool during the
provisioning process.
Run sysprep
Some optional things you can do before running Sysprep:
Reboot once
Clean up temp files in system storage
Optimize drivers (defrag)
Remove any user profiles
Generalize the VM by running sysprep
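The following is an added example, not the page's own procedure, that turns the notes above into checks before sysprep runs: it refuses to generalize if Azure Virtual Desktop Agent components are still installed, if Unified Write Filter is enabled, if the VM is still domain-joined, or if a reboot is pending; it then removes stale user profiles, clears temp files, and runs sysprep with the usual generalize and shutdown switches. The uninstall-entry display names it matches on and the sysprep arguments are assumptions from general Windows practice, not from this page. Disabling antivirus is deliberately not scripted because it is product-specific (and Defender with tamper protection can't be switched off from a script).

```powershell
# Added example (not from the Azure Virtual Desktop docs). Run in an elevated PowerShell session
# on the golden-image VM immediately before generalizing. The display-name patterns and the
# sysprep switches are assumptions from general Windows practice.
$ErrorActionPreference = 'Stop'
$problems = @()

# 1. No Azure Virtual Desktop Agent / boot loader / stack components may be baked into the image:
#    their registration token expires, so clones built from the image never join the host pool.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$avdBits = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Remote Desktop Services*' -or $_.DisplayName -like 'Remote Desktop Agent*' }
if ($avdBits) { $problems += "Azure Virtual Desktop components installed: $($avdBits.DisplayName -join ', ')" }

# 2. Unified Write Filter is unsupported on session hosts.
$uwf = Get-WindowsOptionalFeature -Online -FeatureName 'Client-UnifiedWriteFilter' -ErrorAction SilentlyContinue
if ($uwf -and $uwf.State -eq 'Enabled') { $problems += 'Unified Write Filter is enabled' }

# 3. Sysprep must run on a workgroup machine; leave the domain first.
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) { $problems += 'VM is still domain-joined' }

# 4. A pending reboot (for example from Windows Update) makes sysprep fail; reboot once first.
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
    $problems += 'A reboot is pending; restart the VM and run this again'
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Image is not ready for sysprep.'
}

# 5. Remove every non-special, unloaded user profile except the one running this script.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and -not $_.Loaded -and $_.SID -ne $me } |
    Remove-CimInstance

# 6. Clear temp files, then generalize and shut down so the VM can be captured.
Remove-Item -Path "$env:windir\Temp\*", "$env:TEMP\*" -Recurse -Force -ErrorAction SilentlyContinue
& "$env:windir\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown
```

Take the snapshot the section recommends before running this: once sysprep has generalized the VM, the only way back is that snapshot.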
Capture the VM
After you've completed sysprep and shut down your machine in the Azure portal, open
the VM tab and select the Capture button to save the image for later use. When you
capture a VM, you can either add the image to a shared image gallery or capture it as a
managed image. The Shared Image Gallery lets you add features and use existing
images in other deployments. Images from a Shared Image Gallery are highly-available,
ensure easy versioning, and you can deploy them at scale. However, if you have a
simpler deployment, you may want to use a standalone managed image instead.
Other recommendations
Here are some extra things you should keep in mind when creating a golden image:
Don't capture a VM that already exists in your host pools. The image will conflict
with the existing VM's configuration, and the new VM won't work.
Make sure to remove the VM from the domain before running sysprep.
Delete the base VM once you've captured the image from it.
After you've captured your image, don't use the same VM you captured again.
Instead, create a new base VM from the last snapshot you created. You'll need to
periodically update and patch this new VM on a regular basis.
Don't create a new base VM from an existing custom image.
Next steps
If you want to add a language pack to your image, see Language packs.
Prepare and customize a VHD image for
Azure Virtual Desktop
Article • 03/04/2024
This article tells you how to prepare a master virtual hard disk (VHD) image for upload
to Azure, including how to create virtual machines (VMs) and install software on them.
These instructions are for an Azure Virtual Desktop-specific configuration that can be
used with your organization's existing processes.
Important
We recommend you use an image from the Azure Compute Gallery or the Azure portal. If you do need to use a customized image, make sure the Azure Virtual Desktop Agent isn't already installed on the VM. If it is, either follow the instructions in Step 1: Uninstall all agent, boot loader, and stack component programs to remove the Agent and all related components from the VM, or create a new image from a VM that never had the Agent installed. An image that carries the Agent also carries a host pool registration token that has long since expired, so session hosts built from it fail to register with the host pool and users can't connect.
Create a VM
Windows 10 Enterprise multi-session is available in the Azure Compute Gallery or the
Azure portal. There are two options for customizing this image.
The first option is to provision a virtual machine (VM) in Azure by following the
instructions in Create a VM from a managed image, and then skip ahead to Software
preparation and installation.
The second option is to create the image locally by downloading the image,
provisioning a Hyper-V VM, and customizing it to suit your needs, which we cover in the
following section.
You can also run the following cmdlet in PowerShell to disable checkpoints.
PowerShell
Fixed disk
If you create a VM from an existing VHD, it creates a dynamic disk by default. It can be
changed to a fixed disk by selecting Edit Disk... as shown in the following image. For
more detailed instructions, see Prepare a Windows VHD or VHDX to upload to Azure.
You can also run the following PowerShell command to change the disk to a fixed disk.
PowerShell
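As an added example, not code from this page or from Microsoft's tooling, the script below prepares the local Hyper-V build VM the way this section describes: it converts the downloaded VHD to a fixed-size disk, verifies the result and its MiB alignment, creates the VM from that disk with checkpoints disabled, and reports the settings. File paths, VM name, switch name and sizing are assumptions; it needs the Hyper-V PowerShell module.

```powershell
# Added example (not from the Azure Virtual Desktop docs): build the local Hyper-V VM from the
# downloaded VHD with checkpoints disabled, and convert the disk to fixed size before upload.
# Paths, VM name, switch name and sizing are assumptions. Requires the Hyper-V module.
$SourceVhd = 'C:\Images\W10-multisession.vhd'        # the downloaded (dynamic) image
$FixedVhd  = 'C:\Images\W10-multisession-fixed.vhd'  # what will be customized and uploaded
$VmName    = 'avd-golden-build'
$Switch    = 'Default Switch'

# Azure only accepts fixed-size VHDs; Convert-VHD writes a new file and leaves the source intact.
Convert-VHD -Path $SourceVhd -DestinationPath $FixedVhd -VHDType Fixed
$disk = Get-VHD -Path $FixedVhd
if ($disk.VhdType -ne 'Fixed') { throw "$FixedVhd is $($disk.VhdType), expected Fixed" }

# Azure also requires the virtual size to be a whole number of MiB; check rather than assume.
if ($disk.Size % 1MB -ne 0) { throw "Virtual size $($disk.Size) bytes is not MiB-aligned; use Resize-VHD" }

# Generation 1 because the disk is a .vhd (Generation 2 Hyper-V VMs require .vhdx).
$vm = New-VM -Name $VmName -MemoryStartupBytes 8GB -Generation 1 -VHDPath $FixedVhd -SwitchName $Switch
Set-VMProcessor -VM $vm -Count 4

# No checkpoints: a checkpoint would turn the disk into a differencing chain, which can't be uploaded.
Set-VM -VM $vm -CheckpointType Disabled -AutomaticCheckpointsEnabled $false

# Confirm before customizing.
$vm = Get-VM -Name $VmName
[pscustomobject]@{
    Name        = $vm.Name
    Checkpoints = $vm.CheckpointType
    Disk        = (Get-VMHardDiskDrive -VM $vm).Path
    VhdType     = (Get-VHD -Path $FixedVhd).VhdType
}
```

Converting before customizing means every later write lands on the disk you will upload; if you customize a dynamic disk first, remember that Convert-VHD produces a second file and the upload step needs that one.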
If you're installing Microsoft 365 Apps for enterprise and OneDrive on your VM, go to
Install Office on a master VHD image and follow the instructions there to install the
apps. After you're done, return to this article.
If your users need to access certain LOB applications, we recommend you install them
after completing this section's instructions.
This configuration only removes scanning of VHD and VHDX files during attachment,
but won't affect real-time scanning.
If you're using Windows Defender, you can learn more about how to configure Windows
Defender to exclude certain files from scanning at Configure and validate exclusions
based on file extension and folder location.
You can also run the following command from an elevated PowerShell prompt to disable
Automatic Updates.
PowerShell
# The AU policy key usually doesn't exist on a fresh image; create it first or New-ItemProperty fails.
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name NoAutoUpdate -PropertyType DWORD -Value 1 -Force
PowerShell
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" -Name SpecialRoamingOverrideAllowed -PropertyType DWORD -Value 1 -Force
1. On the Active Directory server, open the Group Policy Management Console.
2. Expand your domain and Group Policy Objects.
3. Right-click the Group Policy Object that you created for the group policy settings
and select Edit.
4. In the Group Policy Management Editor, navigate to Computer Configuration >
Policies > Administrative Templates > Windows Components > Remote Desktop
Services > Remote Desktop Session Host > Device and Resource Redirection.
5. Enable the Allow time zone redirection setting.
You can also run the following command from an elevated PowerShell prompt to
redirect time zones:
PowerShell
For the registry, you can run the following command from an elevated PowerShell
prompt to disable Storage Sense:
PowerShell
# Quote the value name: an unquoted 01 is parsed as the number 1 and the wrong value name gets written.
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy" -Name "01" -PropertyType DWORD -Value 0 -Force
For Group Policy, configure a Group Policy Object with the setting Computer
Configuration > Administrative Templates > System > Storage Sense > Allow
Storage Sense set to Disabled.
For Intune, configure a configuration profile using the settings catalog with the
setting Storage > Allow Storage Sense Global set to Block.
PowerShell
# AllowTelemetry 3 = Full diagnostic data. The DataCollection policy key may not exist yet.
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name AllowTelemetry -PropertyType DWORD -Value 3 -Force
To prevent Watson crashes, run the following command from an elevated PowerShell
prompt:
PowerShell
PowerShell
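The registry commands in this section are one-offs with no verification, and several of them target policy keys that don't exist on a fresh image. The script below is an added example, not from the page, that applies the same values idempotently and audits them so the image can be checked before capture. It also includes fEnableTimeZoneRedirection, the registry form of the Allow time zone redirection policy configured through Group Policy above; that mapping is stated here on the editor's knowledge, not by the page.

```powershell
# Added example (not from the Azure Virtual Desktop docs): apply and audit the image's registry
# baseline. The values are the ones this section sets; fEnableTimeZoneRedirection is the registry
# form of the "Allow time zone redirection" policy. Run from an elevated PowerShell prompt.
$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';                            Name = 'NoAutoUpdate';                  Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';                        Name = 'fEnableTimeZoneRedirection';    Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy'; Name = '01';                            Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer';                              Name = 'SpecialRoamingOverrideAllowed'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';                              Name = 'AllowTelemetry';                Value = 3 }
)

function Set-BaselineValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Policy keys are usually absent on a fresh image; New-ItemProperty fails without the parent key.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWORD -Value $Value -Force | Out-Null
}

function Test-Baseline {
    param([array]$Entries)
    foreach ($e in $Entries) {
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Setting  = "$($e.Path)\$($e.Name)"
            Expected = $e.Value
            Actual   = $actual
            Ok       = ($actual -eq $e.Value)
        }
    }
}

foreach ($e in $Baseline) { Set-BaselineValue @e }
$report = Test-Baseline -Entries $Baseline
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) { throw 'Registry baseline drift detected; do not capture this image.' }
```

Run the audit half alone (Test-Baseline) on a session host later to confirm the values survived sysprep and any Group Policy that applies after domain join; a policy-backed key such as the AU key is overwritten by whatever GPO the host receives.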
After preparing the image for upload, make sure the VM remains in the off or
deallocated state.
The following instructions will tell you how to upload your master image into an Azure
storage account. If you don't already have an Azure storage account, follow the
instructions in this article to create one.
1. Convert the VM image (VHD) to Fixed if you haven't already. If you don't convert
the image to Fixed, you can't successfully create the image.
2. Upload the VHD to a blob container in your storage account. You can upload
quickly with the Storage Explorer tool . To learn more about the Storage Explorer
tool, see this article.
3. Next, go to the Azure portal in your browser and search for "Images." Your search
should lead you to the Create image page, as shown in the following screenshot:
4. Once you've created the image, you should see a notification like the one in the
following screenshot:
Next steps
Now that you have an image, you can create or update host pools. To learn more about
how to create and update host pools, see the following articles:
This article tells you how to install Microsoft 365 Apps for enterprise, OneDrive, and
other common applications on a custom virtual hard disk (VHD) image for upload to
Azure. If your users need to access certain line of business (LOB) applications, we
recommend you install them after completing the instructions in this article.
This article assumes you've already created a virtual machine (VM). If not, see Prepare and customize a custom VHD image.
This article also assumes you have elevated access on the VM, whether it's provisioned
in Azure or Hyper-V Manager. If not, see Elevate access to manage all Azure
subscription and management groups.
Note
These instructions are for an Azure Virtual Desktop-specific configuration that can
be used with your organization's existing processes. Consider using our Windows
Enterprise multi-session images with Microsoft 365 Apps pre-installed, which are
available to select when deploying a host pool, or find them in the Azure
Marketplace .
Use the Office Deployment Tool to install Office. Windows 10 Enterprise multi-session and Windows 11 Enterprise multi-session only support the following versions of Office:
The Office Deployment Tool requires a configuration XML file. To customize the
following sample, see the Configuration Options for the Office Deployment Tool.
This sample configuration XML we've provided will do the following things:
Install Office from the Monthly Enterprise Channel and deliver updates from the
Monthly Enterprise Channel.
Use the x64 architecture.
Disable automatic updates. Updates should be added to a custom image for your
session hosts and redeployed regularly, or installed manually when no end users
are signed in to a session host to avoid Office applications being in use.
Remove any existing installations of Office and migrate their settings.
Enable shared computer activation.
Note
Visio's stencil search feature may not work as expected in Azure Virtual Desktop.
This sample configuration XML won't install OneDrive in per-user mode. To learn more,
see Install OneDrive in per-machine mode.
Note
Shared Computer Activation can be set up through Group Policy Objects (GPOs) or
registry settings. The GPO is located at Computer
Configuration\Policies\Administrative Templates\Microsoft Office 2016
(Machine)\Licensing Settings
The Office Deployment Tool contains setup.exe. To install Office, run the following
command in a command line:
Sample configuration.xml
The following XML sample will install the Monthly Enterprise Channel release.
XML
<Configuration>
<Add OfficeClientEdition="64" Channel="MonthlyEnterprise">
<Product ID="O365ProPlusRetail">
<Language ID="en-US" />
<Language ID="MatchOS" />
<ExcludeApp ID="Groove" />
<ExcludeApp ID="Lync" />
<ExcludeApp ID="OneDrive" />
<ExcludeApp ID="Teams" />
</Product>
</Add>
<RemoveMSI/>
<Updates Enabled="FALSE"/>
<Display Level="None" AcceptEULA="TRUE" />
<Logging Level="Standard" Path="%temp%\WVDOfficeInstall" />
<Property Name="FORCEAPPSHUTDOWN" Value="TRUE"/>
<Property Name="SharedComputerLicensing" Value="1"/>
</Configuration>
Note
The Office team recommends using 64-bit install for the OfficeClientEdition
parameter.
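The sample XML above encodes several settings that matter specifically on multi-session hosts (no self-updating Office, shared computer activation, OneDrive and Teams excluded so they can be installed per-machine). The following is an added example, not the page's own code, that checks a configuration file for those settings before handing it to the Office Deployment Tool, so a copied-and-edited file can't silently drop one of them. The setup.exe /configure invocation is the Deployment Tool's documented syntax; the file paths are assumptions.

```powershell
# Added example (not from the Azure Virtual Desktop docs): lint an Office Deployment Tool
# configuration for the multi-session requirements described on this page, then run the install.
# Paths are assumptions: setup.exe from the ODT download and the configuration.xml shown above.
param(
    [string]$ConfigPath = '.\configuration.xml',
    [string]$SetupPath  = '.\setup.exe'
)

function Test-OdtConfig {
    param([xml]$Config)
    $cfg   = $Config.Configuration
    $props = @{}
    foreach ($p in $cfg.Property) { $props[$p.Name] = $p.Value }
    $excluded = @($cfg.Add.Product.ExcludeApp | ForEach-Object { $_.ID })
    [ordered]@{
        'OfficeClientEdition is 64'                          = ($cfg.Add.OfficeClientEdition -eq '64')
        'Updates disabled (image is patched, not Office)'    = ($cfg.Updates.Enabled -eq 'FALSE')
        'SharedComputerLicensing = 1'                        = ($props['SharedComputerLicensing'] -eq '1')
        'FORCEAPPSHUTDOWN = TRUE'                            = ($props['FORCEAPPSHUTDOWN'] -eq 'TRUE')
        'OneDrive excluded (install per-machine separately)' = ($excluded -contains 'OneDrive')
        'Teams excluded (install separately)'                = ($excluded -contains 'Teams')
        'Existing MSI Office removed'                        = ($null -ne $cfg.SelectSingleNode('RemoveMSI'))
    }
}

$config  = [xml](Get-Content -Path $ConfigPath -Raw)
$results = Test-OdtConfig -Config $config
foreach ($r in $results.GetEnumerator()) {
    '{0,-55} {1}' -f $r.Key, $(if ($r.Value) { 'OK' } else { 'FAIL' })
}
if ($results.Values -contains $false) { throw "Fix $ConfigPath before installing Office." }

# Office Deployment Tool install; the log path comes from the <Logging> element in the XML.
& $SetupPath /configure $ConfigPath
if ($LASTEXITCODE -ne 0) { throw "setup.exe returned $LASTEXITCODE; check the log under %temp%\WVDOfficeInstall" }
```

Run it from an elevated prompt in the folder that holds setup.exe; the checks are string comparisons against the attribute values the sample uses, so a file that spells FALSE as false is reported as a failure and should be corrected rather than accepted.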
After installing Office, you can update the default Office behavior. Run the following
commands individually or in a batch file to update the behavior.
1. First, create a location to stage the OneDrive installer. A local disk folder or UNC
path is fine.
4. Run this command from an elevated command prompt to set the AllUsersInstall
registry value:
6. Run this command to configure OneDrive to start at sign in for all users:
8. Redirect and move Windows known folders to OneDrive by running the following
command.
Tip
You can configure OneDrive so that it will attempt to automatically sign-in when a
user connects to a session. For more information, see Silently configure user
accounts.
Microsoft Teams
To learn how to install Microsoft Teams, see Use Microsoft Teams on Azure Virtual
desktop. Azure Virtual Desktop doesn't support Skype for Business.
Next steps
Now that you've added Office to the image, you can continue to customize your custom
VHD image. See Prepare and customize a custom VHD image.
Add language packs to a Windows 10
multi-session image
Article • 04/24/2023
Azure Virtual Desktop is a service that your users can deploy anytime, anywhere. That's
why it's important that your users be able to customize which language their Windows
10 Enterprise multi-session image displays.
There are two ways you can accommodate the language needs of your users:
Build dedicated host pools with a customized image for each language.
Have users with different language and localization requirements in the same host
pool, but customize their images to ensure they can select whichever language
they need.
The latter method is a lot more efficient and cost-effective. However, it's up to you to
decide which method best suits your needs. This article will show you how to customize
languages for your images.
Prerequisites
You need the following things to customize your Windows 10 Enterprise multi-session
images to add multiple languages:
The Language ISO, Feature on Demand (FOD) Disk 1, and Inbox Apps ISO of the
OS version the image uses. You can download them here:
Language ISO:
Windows 10 Language Pack ISO (version 2004 or later)
If you use Local Experience Pack (LXP) ISO files to localize your images, you'll
also need to download the appropriate LXP ISO for the best language
experience. Use the information in Adding languages in Windows 10: Known
issues to figure out which of the following LXP ISOs is right for you:
Windows 10, version 2004 or later 01C 2021 LXP ISO
Windows 10, version 2004 or later 02C 2021 LXP ISO
Windows 10, version 2004 or later 04B 2021 LXP ISO
Windows 10, version 2004 or later 05C 2021 LXP ISO
Windows 10, version 2004 or later 07C 2021 LXP ISO
Windows 10, version 2004 or later 09C 2021 LXP ISO
Windows 10, version 2004 or later 10C 2021 LXP ISO
Windows 10, version 2004 or later 11C 2021 LXP ISO
Windows 10, version 2004 or later 01C 2022 LXP ISO
Windows 10, version 2004 or later 02C 2022 LXP ISO
Windows 10, version 2004 or later 04C 2022 LXP ISO
Windows 10, version 2004 or later 06C 2022 LXP ISO
An Azure Files Share or a file share on a Windows File Server Virtual Machine
Note
The file share (repository) must be accessible from the Azure VM you plan to use to
create the custom image.
1. On an Azure VM, download the Windows 10 Multi-Language ISO, FODs, and Inbox
Apps for Windows 10 Enterprise multi-session, version 1903/1909, and 2004
images from the links in Prerequisites.
3. Go to the language pack ISO and copy the content from the LocalExperiencePacks
and x64\langpacks folders, then paste the content into the file share.
4. Go to the FOD ISO file, copy all of its content, then paste it into the file share.
5. Go to the amd64fre folder on the Inbox Apps ISO and copy the content in the
repository for the inbox apps that you've prepared.
Note
If you're working with limited storage, only copy the files for the languages
you know your users need. You can tell the files apart by looking at the
language codes in their file names. For example, the French file has the code
"fr-FR" in its name. For a complete list of language codes for all available
languages, see Available language packs for Windows.
6. Set the permissions on the language content repository share so that you have
read access from the VM you'll use to build the custom image.
Create a custom Windows 10 Enterprise multi-
session image manually
To create a custom Windows 10 Enterprise multi-session image manually:
1. Deploy an Azure VM, then go to the Azure Gallery and select the current version of
Windows 10 Enterprise multi-session you're using.
2. After you've deployed the VM, connect to it using RDP as a local admin.
3. Make sure your VM has all the latest Windows Updates. Download the updates
and restart the VM, if necessary.
Important
After you install a language pack, you have to reinstall the latest cumulative
update that is installed on your image. If you do not reinstall the latest
cumulative update, you may encounter errors. If the latest cumulative update
is already installed, Windows Update does not offer it again; you have to
manually reinstall it. For more information, see Languages overview.
4. Connect to the language package, FOD, and Inbox Apps file share repository and
mount it to a letter drive (for example, drive E).
PowerShell
########################################################
## Add Languages to running Windows Image for Capture ##
########################################################
## Language pack content store: the repository share mounted in step 4 (the drive letter is an assumption) ##
[string] $LIPContent = "E:\"

## Languages to add, with any extra package a language needs. Chinese (PRC) also needs the Simplified Chinese font pack. ##
$Languages = [ordered]@{
    "es-es" = @()
    "fr-fr" = @()
    "zh-cn" = @("Microsoft-Windows-LanguageFeatures-Fonts-Hans-Package~31bf3856ad364e35~amd64~~.cab")
}
## Per-language feature packages, and the features on demand that ship a language-specific satellite package ##
$LanguageFeatures = @("Basic", "Handwriting", "OCR", "Speech", "TextToSpeech")
$FodNames = @("NetFx3-OnDemand", "InternetExplorer-Optional", "MSPaint-FoD", "Notepad-FoD",
              "PowerShell-ISE-FOD", "Printing-WFS-FoD", "StepsRecorder", "WordPad-FoD")

foreach ($lang in $Languages.Keys) {
    ## Local Experience Pack (display language). Add-AppProvisionedPackage is the Dism module's alias for this cmdlet. ##
    Add-AppxProvisionedPackage -Online -PackagePath "$LIPContent\${lang}\LanguageExperiencePack.${lang}.Neutral.appx" -LicensePath "$LIPContent\${lang}\License.xml"
    ## Language pack ##
    Add-WindowsPackage -Online -PackagePath "$LIPContent\Microsoft-Windows-Client-Language-Pack_x64_${lang}.cab"
    ## Language features: basic typing, handwriting, OCR, speech recognition, text-to-speech ##
    foreach ($feature in $LanguageFeatures) {
        Add-WindowsPackage -Online -PackagePath "$LIPContent\Microsoft-Windows-LanguageFeatures-${feature}-${lang}-Package~31bf3856ad364e35~amd64~~.cab"
    }
    foreach ($extra in $Languages[$lang]) {
        Add-WindowsPackage -Online -PackagePath "$LIPContent\${extra}"
    }
    ## Language-specific satellite packages for the features on demand already in the image ##
    foreach ($fod in $FodNames) {
        Add-WindowsPackage -Online -PackagePath "$LIPContent\Microsoft-Windows-${fod}-Package~31bf3856ad364e35~amd64~${lang}~.cab"
    }
    ## Register the language for the account building the image ##
    $LanguageList = Get-WinUserLanguageList
    $LanguageList.Add($lang)
    Set-WinUserLanguageList $LanguageList -Force
}
The script might take a while depending on the number of languages you need to
install.
Once the script is finished running, check to make sure the language packs installed
correctly by going to Start > Settings > Time & Language > Language. If the language
files are there, you're all set.
After you've added additional languages to the Windows image, the inbox apps are also
required to be updated to support the added languages. This can be done by refreshing
the pre-installed apps with the content from the inbox apps ISO. To perform this refresh
in an environment where the VM doesn't have internet access, you can use the following
PowerShell script template to automate the process and update only installed versions
of inbox apps.
PowerShell
#########################################
## Update Inbox Apps for Multi Language##
#########################################
##Set Inbox App Package Content Stores##
[string] $AppsContent = "F:\"
Important
The inbox apps included in the ISO aren't the latest versions of the pre-installed
Windows apps. To get the latest version of all apps, you need to update the apps
using the Windows Store App and perform an manual search for updates after
you've installed the additional languages.
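The script template above stops after naming the content store. The following is an added example, not the page's own script, of the refresh it describes: for every app already provisioned in the image it looks for the matching package and license in the Inbox Apps repository and re-adds it, so the app picks up the newly added languages without touching the internet. It assumes the repository copied from the amd64fre folder, and that each app ships as <DisplayName>_<PublisherId>*.appxbundle (or .appx) with an optional matching .xml license file; check that naming against your ISO.

```powershell
# Added example (not the page's own script template): refresh the provisioned inbox apps from the
# Inbox Apps ISO content so they carry the newly added languages. Assumes the repository copied in
# the earlier steps, with each app shipped as <DisplayName>_<PublisherId>*.appxbundle (or .appx)
# plus an optional matching .xml license file; that naming is an assumption, verify it on your ISO.
[string] $AppsContent = "F:\"

function Update-InboxApp {
    param([string]$ContentRoot, $App)
    $prefix  = Join-Path -Path $ContentRoot -ChildPath ($App.DisplayName + '_' + $App.PublisherId)
    $package = Get-Item -Path "$prefix*.appx*" -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $package) {
        return [pscustomobject]@{ App = $App.DisplayName; Result = 'no package in repository' }
    }
    $license = Get-Item -Path "$prefix*.xml" -ErrorAction SilentlyContinue | Select-Object -First 1
    try {
        if ($license) {
            Add-AppxProvisionedPackage -Online -PackagePath $package.FullName -LicensePath $license.FullName | Out-Null
        } else {
            Add-AppxProvisionedPackage -Online -PackagePath $package.FullName -SkipLicense | Out-Null
        }
        [pscustomobject]@{ App = $App.DisplayName; Result = "updated from $($package.Name)" }
    } catch {
        [pscustomobject]@{ App = $App.DisplayName; Result = "failed: $($_.Exception.Message)" }
    }
}

# Only apps already provisioned in the image are refreshed; nothing new is added to the image.
$report = Get-AppxProvisionedPackage -Online | ForEach-Object { Update-InboxApp -ContentRoot $AppsContent -App $_ }
$report | Format-Table -AutoSize
```

Review the "no package in repository" rows: an app that is provisioned but absent from the ISO keeps its old language set, which is usually harmless but worth knowing before you generalize.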
Once you're finished customizing your image, you'll need to run the system preparation
tool (sysprep).
To run sysprep:
1. Open an elevated command prompt and run the following command to generalize
the image:
2. Stop the VM, then capture it in a managed image by following the instructions in
Create a managed image of a generalized VM in Azure.
3. You can now use the customized image to deploy an Azure Virtual Desktop host
pool. To learn how to deploy a host pool, see Tutorial: Create a host pool with the
Azure portal.
PowerShell
$LanguageList = Get-WinUserLanguageList
$LanguageList.Add("es-es")
$LanguageList.Add("fr-fr")
$LanguageList.Add("zh-cn")
Set-WinUserLanguageList $LanguageList -force
After a user changes their language settings, they'll need to sign out of their Azure
Virtual Desktop session and sign in again for the changes to take effect.
Next steps
If you're curious about known issues for language packs, see Adding language packs in
Windows 10, version 1803 and later versions: Known issues.
If you have any other questions about Windows 10 Enterprise multi-session, check out
our FAQ.
Add languages to a Windows 11
Enterprise image
Article • 09/20/2024
It's important to make sure users within your organization from all over the world can
use your Azure Virtual Desktop deployment. That's why you can customize the Windows
11 Enterprise image you use for your virtual machines (VMs) to have different language
packs. Starting with Windows 11, non-administrator user accounts can now add both
the display language and its corresponding language features. This feature means you
won't need to pre-install language packs for users in a personal host pool. For pooled
host pools, we still recommend you add the languages you plan to add to a custom
image. You can use the instructions in this article for both single-session and multi-
session versions of Windows 11 Enterprise.
When your organization includes users with multiple different languages, you have two
options:
Create one dedicated host pool with a customized image per language.
Have multiple users with different languages in the same host pool.
The second option is more efficient in terms of resources and cost, but requires a few
extra steps. Fortunately, this article will help walk you through how to build an image
that can accommodate users of all languages and localization needs.
Prerequisites
Before you can add languages to a Windows 11 Enterprise VM, you'll need to have the
following things ready:
Note
The file share repository must be accessible from the Azure VM that you're going
to use to create the custom image.
2. Open and mount the ISO file you downloaded in the Prerequisites section above
on the VM.
4. Copy all content from the LanguagesAndOptionalFeatures folder in the ISO to the
folder you created.
Note
If you're working with limited storage, you can use the mounted "Languages
and Optional Features" ISO as a repository. To learn how to create a
repository, see Build a custom FOD and language pack repository.
1. Deploy an Azure VM, then go to the Azure Gallery and select the current version of
Windows 11 Enterprise you're using.
2. After you've deployed the VM, connect to it using RDP as a local admin.
3. Connect to the file share repository you created in Create a content repository for
language packages and features on demand and mount it to a letter drive (for
example, drive E).
4. Run the following PowerShell script from an elevated PowerShell session to install
language packs and satellite packages on Windows 11 Enterprise:
PowerShell
########################################################
## Add Languages to running Windows Image for Capture ##
########################################################
## Disable Language Pack Cleanup: otherwise scheduled maintenance removes language packs no user has selected yet ##
Disable-ScheduledTask -TaskPath "\Microsoft\Windows\AppxDeploymentClient\" -TaskName "Pre-staged app cleanup"
Disable-ScheduledTask -TaskPath "\Microsoft\Windows\MUI\" -TaskName "LPRemove"
Disable-ScheduledTask -TaskPath "\Microsoft\Windows\LanguageComponentsInstaller" -TaskName "Uninstallation"
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International" /v "BlockCleanupOfUnusedPreinstalledLangPacks" /t REG_DWORD /d 1 /f

## The portion of the script that reads the languages and features CSV (step 5) and derives
## $additionalFODList and $langGroup from $targetLanguage is not reproduced on this page. ##
foreach ($feature in $additionalFODList) {
    Dism /Online /Add-Package /PackagePath:$feature
}
if ($langGroup) {
    Dism /Online /Add-Capability /CapabilityName:Language.Fonts.$langGroup~~~und-$langGroup~0.0.1.0
}
Note
This example script uses the Spanish (es-es) language code. To automatically
install the appropriate files for a different language change the
$targetLanguage parameter to the correct language code. For a list of
language codes, see Available language packs for Windows.
The script might take a while to finish depending on the number of languages you
need to install. You can also install additional languages after initial setup by
running the script again with a different $targetLanguage parameter.
5. To automatically select the appropriate installation files, download and save the
Available Windows 10 1809 Languages and Features on Demand table as a CSV
file, then save it in the same folder as your PowerShell script.
6. Once the script is finished running, check to make sure the language packs
installed correctly by going to Start > Settings > Time & Language > Language. If
the language files are there, you're all set.
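The following function is an added example, not part of the article or its script: it performs the same check from PowerShell so it can run in an image pipeline before sysprep, verifying the language capability, the three cleanup tasks the script disables and the policy value it sets. It assumes the task paths and registry value from the script above and uses the article's es-es example language.

```powershell
# Added example, not from the article. Verifies the state the language pack script
# leaves behind, so the check does not depend on opening Settings by hand.

function Test-AvdLanguageImage {
    [CmdletBinding()]
    param(
        # Language code in the same form as the script's $targetLanguage (for example es-es).
        [string] $TargetLanguage = 'es-es'
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # 1. The base language pack must be installed. Capability names use the form
    #    Language.Basic~~~<lang>~0.0.1.0; the name match is case-insensitive.
    $basic = Get-WindowsCapability -Online -Name "Language.Basic~~~$TargetLanguage~0.0.1.0" -ErrorAction SilentlyContinue
    if (-not $basic) {
        $problems.Add("No Language.Basic capability found for $TargetLanguage")
    } elseif ($basic.State -ne 'Installed') {
        $problems.Add("Language.Basic for $TargetLanguage is $($basic.State), expected Installed")
    }

    # 2. The cleanup tasks the script disables must still be disabled; if one of them
    #    runs before capture, Windows removes language packs it considers unused.
    $tasks = @(
        @{ Path = '\Microsoft\Windows\AppxDeploymentClient\';        Name = 'Pre-staged app cleanup' }
        @{ Path = '\Microsoft\Windows\MUI\';                         Name = 'LPRemove' }
        @{ Path = '\Microsoft\Windows\LanguageComponentsInstaller\'; Name = 'Uninstallation' }
    )
    foreach ($t in $tasks) {
        $task = Get-ScheduledTask -TaskPath $t.Path -TaskName $t.Name -ErrorAction SilentlyContinue
        if (-not $task) {
            $problems.Add("Scheduled task $($t.Path)$($t.Name) not found")
        } elseif ($task.State -ne 'Disabled') {
            $problems.Add("Scheduled task $($t.Name) is $($task.State), expected Disabled")
        }
    }

    # 3. The policy value the script sets with reg add must be 1.
    $regPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International'
    $valueName = 'BlockCleanupOfUnusedPreinstalledLangPacks'
    $value = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($value -ne 1) {
        $problems.Add("$valueName is '$value', expected 1")
    }

    [pscustomobject]@{
        Language = $TargetLanguage
        Ready    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Run from an elevated PowerShell session on the VM before you run sysprep.
$result = Test-AvdLanguageImage -TargetLanguage 'es-es'
$result | Format-List
if (-not $result.Ready) { Write-Warning 'Image is not ready for capture; fix the listed problems first.' }
```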
PowerShell
Remove-AppxPackage -Package Microsoft.OneDriveSync_22000.8.13.0_neutral__8wekyb3d8bbwe
Once you're finished customizing your image, you'll need to run the system preparation
tool (sysprep).
To run sysprep:
1. Open an elevated command prompt and run the following command to generalize
the image:
2. If you run into any issues, check the SetupErr.log file in your C drive at Windows >
System32 > Sysprep > Panther. After that, follow the instructions in Sysprep fails
with Microsoft Store apps to troubleshoot your setup.
4. You can now use the customized image to deploy an Azure Virtual Desktop host
pool. To learn how to deploy a host pool, see Tutorial: Create a host pool with the
Azure portal.
Note
When a user changes their display language, they'll need to sign out of their Azure
Virtual Desktop session, then sign back in. They must sign out from the Start menu.
Next steps
Learn how to install language packages for Windows 10 multi-session VMs at Add
language packs to a Windows 10 multi-session image.
For a list of known issues, see Adding languages in Windows 10: Known issues.
Important
Azure Virtual Desktop on Azure Stack HCI for Azure Government and for
Azure operated by 21Vianet (Azure in China).
For legal terms that apply to Azure features that are in beta, in preview, or
otherwise not yet released into general availability, see Supplemental Terms of Use
for Microsoft Azure Previews.
After you create a host pool, a workspace, and an application group, you need to add
session hosts to the host pool for your users to connect to. You might also need to add
more session hosts for extra capacity.
When you add session hosts to a host pool, the method you use depends on your host
pool's management approach:
For a host pool using a session host configuration (preview), you use the Azure
portal to specify the number of session hosts you want to add, then Azure Virtual
Desktop automatically creates them based on the session host configuration.
For a host pool using standard management, you can create new virtual machines
(VMs) to use as session hosts and add them to a host pool natively by using the
Azure Virtual Desktop service in the Azure portal. Alternatively, you can create VMs
outside the Azure Virtual Desktop service, such as using an automated pipeline,
the Azure CLI, or Azure PowerShell, and then add them as session hosts to a host
pool separately.
For Azure Stack HCI, you can create new VMs to use as session hosts and add them
to a host pool natively by using the Azure Virtual Desktop service in the Azure
portal. If you want to create the VMs outside the Azure Virtual Desktop service,
follow the steps in Create Azure Arc virtual machines on Azure Stack HCI, and then
add the VMs as session hosts to a host pool separately.
Tip
Select a button at the top of this article to choose between host pools using
standard management or host pools using session host configuration to see the
relevant documentation.
This article shows you how to generate a registration key by using the Azure portal, the
Azure CLI, or Azure PowerShell. It also shows you how to add session hosts to a host
pool by using the Azure Virtual Desktop service or add them to a host pool separately.
Prerequisites
For a general idea of what's required, such as supported operating systems, virtual
networks, and identity providers, review the prerequisites for Azure Virtual Desktop. In
addition:
You need an existing host pool with standard management. Each host pool must
only contain session hosts on Azure or on Azure Stack HCI. You can't mix session
hosts on Azure and on Azure Stack HCI in the same host pool.
If you have existing session hosts in the host pool, make a note of the virtual
machine size, the image, and name prefix that you used. All session hosts in a host
pool should have the same configuration, including the same identity provider. For
example, a host pool shouldn't contain some session hosts joined to Microsoft
Entra ID and some session hosts joined to an Active Directory domain.
The Azure account you use must have the following built-in role-based access
control (RBAC) roles or equivalent as a minimum on the resource group:
Action | RBAC role or roles
Generate a registration key for the host pool | Desktop Virtualization Host Pool Contributor
Create and add session hosts by using the Azure portal (Azure and Azure Extended Zones) | Desktop Virtualization Host Pool Contributor; Virtual Machine Contributor
Create and add session hosts by using the Azure portal (Azure Stack HCI) | Desktop Virtualization Host Pool Contributor; Azure Stack HCI VM Contributor
Don't disable Windows Remote Management (WinRM) when you're creating and
adding session hosts by using the Azure portal. PowerShell DSC requires it.
An Azure Stack HCI cluster registered with Azure. Your Azure Stack HCI clusters
need to be running a minimum of version 23H2. For more information, see
About Azure Stack HCI, version 23H2 deployment. Azure Arc VM management
is installed automatically.
At least one Windows OS image available on the cluster. For more information,
see how to create VM images by using Azure Marketplace images, use images
in an Azure Storage account, and use images in a local share.
The Azure Connected Machine agent on Azure Stack HCI VMs created outside
the Azure Virtual Desktop service, such as with an automated pipeline. The
virtual machines use the agent to communicate with Azure Instance Metadata
Service, which is a required endpoint for Azure Virtual Desktop.
A logical network that you created on your Azure Stack HCI cluster. DHCP
logical networks or static logical networks with automatic IP allocation are
supported. For more information, see Create logical networks for Azure Stack
HCI.
Your Azure subscription registered with the respective Azure Extended Zone. For
more information, see Request access to an Azure Extended Zone.
An Azure load balancer with an outbound rule on the virtual network to which
you're deploying session hosts. You can use an existing load balancer or you can
create a new one when adding session hosts.
If you want to use the Azure CLI or Azure PowerShell locally, see Use the Azure CLI
and Azure PowerShell with Azure Virtual Desktop to make sure you have the
desktopvirtualization Azure CLI extension or the Az.DesktopVirtualization Azure
PowerShell module installed. Alternatively, use Azure Cloud Shell.
Important
If you want to create Microsoft Entra joined session hosts, we only support this
using the AADLoginForWindows VM extension, which is added and configured
automatically when using the Azure portal or ARM template with the Azure Virtual
Desktop service.
To generate a registration key, select the relevant tab for your scenario and follow the
steps.
Azure portal
2. On the search bar, enter Azure Virtual Desktop and select the matching
service entry.
3. Select Host pools, and then select the name of the host pool for which you
want to generate a registration key.
5. Select Generate new key, enter an expiration date and time, and then select
OK. The registration key is created.
6. Select Download to download a text file that contains the newly created
registration key, or copy the registration key to your clipboard to use it later.
You can also retrieve the registration key later by returning to the host pool
overview.
Create and register session hosts with the
Azure Virtual Desktop service
You can create session hosts and register them to a host pool in a single end-to-end
process with the Azure Virtual Desktop service by using the Azure portal or an Azure
Resource Manager template (ARM template). You can find some example ARM
templates in this GitHub repo.
Important
If you want to create virtual machines by using an alternative method outside Azure
Virtual Desktop, such as an automated pipeline, you need to register them
separately as session hosts to a host pool. Skip to the section Register session
hosts to a host pool.
Here's how to create session hosts and register them to a host pool by using the Azure
Virtual Desktop service in the Azure portal. Make sure that you generated a registration
key first.
2. On the search bar, enter Azure Virtual Desktop and select the matching service
entry.
3. Select Host pools, and then select the name of the host pool to which you want to
add session hosts.
4. On the host pool overview, select Session hosts, and then select + Add.
5. The Basics tab is unavailable because you're using the existing host pool. Select
Next: Virtual Machines.
6. On the Virtual machines tab, expand one of the following sections and complete
the information, depending on whether you want to create session hosts on Azure
or on Azure Stack HCI. For guidance on sizing session host virtual machines, see
Session host virtual machine sizing guidelines.
Parameter | Value/Description
Resource group | This value defaults to the same resource group as your host pool, but you can select a different one from the dropdown list.
Name prefix | Enter a name prefix for your session hosts, such as hp01-sh.
Virtual machine location | Select the Azure region where you want to deploy your session hosts. It must be the same region that contains your virtual network.
Image | Select the OS image that you want to use from the list, or select See all images to see more. The full list includes any images that you created and stored as an Azure Compute Gallery shared image or a managed image.
Virtual machine size | Select a size. If you want to use a different size, select Change size, and then select from the list.
Number of VMs | Enter the number of virtual machines that you want to deploy. You can deploy up to 400 session hosts at this point if you want (depending on your subscription quota), or you can add more later. For more information, see Azure Virtual Desktop service limits and Virtual Machines limits.
OS disk type | Select the disk type to use for your session hosts. We recommend that you use only Premium SSD for production workloads.
Confidential computing encryption | If you're using a confidential VM, you must select the Confidential compute encryption checkbox to enable OS disk encryption. This checkbox appears only if you selected Confidential virtual machines as your security type.
Network and security
Virtual network | Select your virtual network. An option to select a subnet appears.
Network security group | Select whether you want to use a network security group (NSG). - None doesn't create a new NSG.
Public inbound ports | You can select a port to allow from the list. Azure Virtual Desktop doesn't require public inbound ports, so we recommend that you select No.
Domain to join
Select which directory you would like to join | Select from Microsoft Entra ID or Active Directory and complete the relevant parameters for the selected option. To learn more about joining session hosts to Microsoft Entra ID, see Microsoft Entra joined session hosts.
Virtual Machine Administrator account
Username | Enter a name to use as the local administrator account for the new session hosts.
Custom configuration
Custom configuration script URL | If you want to run a PowerShell script during deployment, you can enter the URL here.
Parameter | Value/Description
Resource group | This value defaults to the resource group that you chose to contain your host pool on the Basics tab, but you can select an alternative.
Name prefix | Enter a name prefix for your session hosts, such as hp01-sh.
Custom location | In the dropdown list, select the Azure Stack HCI cluster where you want to deploy your session hosts.
Images | Select the OS image that you want to use from the list, or select Manage VM images to manage the images available on the cluster that you selected.
Number of VMs | Enter the number of virtual machines that you want to deploy. You can add more later.
Virtual processor count | Enter the number of virtual processors that you want to assign to each session host. This value isn't validated against the resources available in the cluster.
Memory type | Select Static for a fixed memory allocation, or select Dynamic for a dynamic memory allocation.
Memory (GB) | Enter a number for the amount of memory, in gigabytes, that you want to assign to each session host. This value isn't validated against the resources available in the cluster.
Network and security
Domain to join
AD domain join UPN | Enter the user principal name (UPN) of an Active Directory user who has permission to join the session hosts to your domain.
Specify domain or unit | Select yes if you want to join session hosts to a specific domain or be placed in a specific organizational unit (OU). If you select no, the suffix of the UPN is used as the domain.
Virtual Machine Administrator account
Username | Enter a name to use as the local administrator account for the new session hosts.
Parameter | Value/Description
Resource group | This value defaults to the resource group that you chose to contain your host pool on the Basics tab, but you can select an alternative.
Name prefix | Enter a name prefix for your session hosts, such as hp01-sh. Each session host has a suffix of a hyphen and then a sequential number added to the end, such as hp01-sh-0.
Network and security
Select a load balancer | Select an existing Azure load balancer on the same virtual network you want to use for your session hosts, or select Create a load balancer to create a new load balancer.
Select a backend pool | Select a backend pool on the load balancer you want to use for your session hosts. If you're creating a new load balancer, select Create new to create a new backend pool for the new load balancer.
Add outbound rule | If you're creating a new load balancer, select Create new to create a new outbound rule for it.
7. On the Tags tab, you can optionally enter any name/value pairs that you need, and
then select Next: Review + create.
8. On the Review + create tab, ensure that validation passes and review the
information that will be used during deployment. If validation doesn't pass, review
the error message and check what you entered on each tab.
9. Select Create. After your deployment is complete, the session hosts should appear
in the host pool.
Important
After you add session hosts by using the Azure Virtual Desktop service, skip to the
section Post-deployment tasks for some extra configuration that you might need
to do.
To register session hosts to a host pool, you need to install the Azure Virtual Desktop
Agent and the Azure Virtual Desktop Agent Boot Loader on each virtual machine and
use the registration key that you generated. You can register session hosts to a host
pool by using the agent installers' graphical user interface (GUI) or by using msiexec
from a command line.
Select the relevant tab for your scenario and follow the steps.
GUI
1. Make sure the virtual machines that you want to use as session hosts are
joined to Microsoft Entra ID or an Active Directory domain (Active Directory
Domain Services or Microsoft Entra Domain Services).
2. If your virtual machines are running a Windows Server OS, you need to install
the Remote Desktop Session Host role and then restart the virtual machine. For
more information, see Install roles, role services, and features by using the
Add Roles and Features Wizard.
3. Sign in to your virtual machine as an administrator.
4. Download the installation files for the Agent and the Agent Boot Loader by
using the following links. If you need to unblock them, right-click each file,
select Properties, select Unblock, and finally select OK.
Tip
The Azure Virtual Desktop Agent download link is for the latest
production version in non-validation environments. This download link is
updated after the automatic production rollout is complete, so you might
see a delay between the release of a production version and the update
of the download link. After you install the Azure Virtual Desktop Agent,
it's updated automatically. For more information about the rollout of new
versions of the agent, see What's new in the Azure Virtual Desktop
Agent?.
6. Follow the prompts. When the installer prompts you for the registration token,
paste it into the text box, which appears on a single line. Select Next, and then
complete the installation.
9. After a short time, the virtual machines are listed as session hosts in the host
pool. The status of the session hosts might initially appear as Unavailable. If a
newer agent version is available, it's upgraded automatically.
10. After the status of the session hosts is Available, restart the virtual machines.
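The key generation described earlier and the agent registration above can also be scripted, as in this added example, which is not part of the article: the first function runs on a management workstation with the Az.DesktopVirtualization module and creates a short-lived key with New-AzWvdRegistrationInfo; the second runs elevated on the VM and installs the Agent and the Agent Boot Loader silently with msiexec, passing the key as the agent installer's REGISTRATIONTOKEN property instead of leaving it in a downloaded text file; the third polls Get-AzWvdSessionHost until the host reports Available. Installer paths, the session host name and the timeouts are placeholders.

```powershell
# Added example, not the article's own steps. New-AvdRegistrationToken and
# Wait-AvdSessionHostAvailable need Az.DesktopVirtualization and a signed-in session
# (Connect-AzAccount); Install-AvdAgent runs in an elevated session on the VM.

function New-AvdRegistrationToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        # Any machine that presents this key can join the host pool, so keep the expiry
        # as short as the rollout allows rather than the maximum the portal offers.
        [int] $ValidHours = 2
    )
    $expiry = (Get-Date).ToUniversalTime().AddHours($ValidHours)
    $info = New-AzWvdRegistrationInfo -ResourceGroupName $ResourceGroupName `
        -HostPoolName $HostPoolName -ExpirationTime $expiry
    return $info.Token
}

function Install-AvdAgent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AgentMsi,        # path to the downloaded Agent .msi (placeholder)
        [Parameter(Mandatory)] [string] $BootLoaderMsi,   # path to the downloaded Agent Boot Loader .msi (placeholder)
        [Parameter(Mandatory)] [string] $RegistrationToken
    )
    foreach ($msi in $AgentMsi, $BootLoaderMsi) {
        if (-not (Test-Path -LiteralPath $msi)) { throw "Installer not found: $msi" }
        Unblock-File -LiteralPath $msi    # same effect as Properties > Unblock in the GUI steps
    }
    # Agent first: it takes the key through the REGISTRATIONTOKEN property. No verbose
    # MSI log is requested because it would record the token on disk.
    $agentArgs = @('/i', "`"$AgentMsi`"", '/quiet', '/norestart', "REGISTRATIONTOKEN=$RegistrationToken")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $agentArgs -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) { throw "Agent install failed, exit code $($proc.ExitCode)" }

    # Boot Loader second; it has no registration parameter.
    $bootArgs = @('/i', "`"$BootLoaderMsi`"", '/quiet', '/norestart')
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $bootArgs -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) { throw "Boot Loader install failed, exit code $($proc.ExitCode)" }
}

function Wait-AvdSessionHostAvailable {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        [Parameter(Mandatory)] [string] $SessionHostName,   # FQDN of the VM, e.g. hp01-sh-0.contoso.com (placeholder)
        [int] $TimeoutMinutes = 15
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $sh = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName `
            -HostPoolName $HostPoolName -Name $SessionHostName -ErrorAction SilentlyContinue
        # The host is listed as Unavailable until the agent has registered and updated itself.
        if ($sh -and $sh.Status -eq 'Available') { return $sh }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "$SessionHostName did not become Available within $TimeoutMinutes minutes"
}

# Usage (placeholders): on the workstation
# $token = New-AvdRegistrationToken -ResourceGroupName 'rg-avd' -HostPoolName 'hp01'
# on the VM, passing $token in through your deployment tooling
# Install-AvdAgent -AgentMsi 'C:\Setup\RDAgent.msi' -BootLoaderMsi 'C:\Setup\RDAgentBootLoader.msi' -RegistrationToken $token
# back on the workstation, then restart the VM once it is Available
# Wait-AvdSessionHostAvailable -ResourceGroupName 'rg-avd' -HostPoolName 'hp01' -SessionHostName 'hp01-sh-0.contoso.com'
```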
Post-deployment tasks
After you add session hosts to your host pool, you might need to do some extra
configuration, as described in the following sections.
Licensing
To ensure that your session hosts have licenses applied correctly, you need to do the
following tasks:
If you have the correct licenses to run Azure Virtual Desktop workloads, you can
apply a Windows or Windows Server license to your session hosts as part of Azure
Virtual Desktop and run them without paying for a separate license. This license is
automatically applied when you create session hosts by using the Azure Virtual
Desktop service, but you might have to apply the license separately if you create
session hosts outside Azure Virtual Desktop. For more information, see Apply a
Windows license to session host virtual machines.
If your session hosts are running a Windows Server OS, you also need to issue
them a Remote Desktop Services (RDS) client access license (CAL) from an RDS
license server. For more information, see License your RDS deployment with client
access licenses.
For session hosts on Azure Stack HCI, you must license and activate the virtual
machines before you use them with Azure Virtual Desktop. For activating VMs that
use Windows 10 Enterprise multi-session, Windows 11 Enterprise multi-session,
and Windows Server 2022 Datacenter: Azure Edition, use Azure verification for
VMs. For all other OS images (such as Windows 10 Enterprise, Windows 11
Enterprise, and other editions of Windows Server), you should continue to use
existing activation methods. For more information, see Activate Windows Server
VMs on Azure Stack HCI.
For session hosts on Azure that are joined to Microsoft Entra ID, you also need to enable
single sign-on or earlier authentication protocols, assign an RBAC role to users, and
review your multifactor authentication policies so that users can sign in to the VMs. For
more information, see Microsoft Entra joined session hosts.
Related content
Now that you've expanded your existing host pool, you can sign in to an Azure Virtual
Desktop client to test the hosts as part of a user session. You can connect to a session
by using any of the following clients:
Tip
This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.
Select a product using the buttons at the top of this article to show the relevant
content.
Multimedia redirection redirects video playback and calls in a remote session from
Azure Virtual Desktop, a Windows 365 Cloud PC, or Microsoft Dev Box to your local
device for faster processing and rendering. Specifically, these two functions work in the
following ways:
Video playback redirection: optimizes video playback experience for web pages
with embedded videos like YouTube and Facebook. The browser in the remote
session fetches video content, but the bitstream of video data is sent to the local
device where it decodes and renders the video in the correct place on the screen.
Call redirection: optimizes audio calls for WebRTC-based calling apps, reducing
latency, and improving call quality. The connection happens between the local
device and the telephony app server, where WebRTC calls are offloaded from a
remote session to a local device, as shown in the following diagram. However, after
the connection is established, call quality becomes dependent on the web page or
app providers, just as it would with a non-redirected call.
There are two components you need to install for multimedia redirection:
This article shows you how to install and configure multimedia redirection in a remote session
from Azure Virtual Desktop, a Windows 365 Cloud PC, or Microsoft Dev Box with
Microsoft Edge or Google Chrome browsers, and manage settings for the browser
extension using Microsoft Intune or Group Policy. Additionally, this article shows you
how to manage settings for the browser extension in Microsoft Edge using the
Microsoft Edge management service.
Later in the article you can find a list of websites that work with multimedia redirection
for video playback and calls.
Prerequisites
Before you can use multimedia redirection, you need:
Local administrator privilege on your session hosts to install and update the
Remote Desktop Multimedia Redirection Service.
The latest version of Microsoft Edge or Google Chrome installed on your session
hosts.
You need to connect to a remote session from one of the following supported
apps and platforms:
Windows App on Windows, version 2.0.297.0 or later.
Remote Desktop app on Windows, version 1.2.5709 or later.
Your local Windows device must meet the hardware requirements for Teams on a
Windows PC.
Note
You install both the multimedia redirection service and browser extension from a single
.msi file, which you can run manually, use Intune Win32 app management, or your
2. Make sure Microsoft Edge or Google Chrome isn't running. Check in Task Manager
that there are no instances of msedge.exe or chrome.exe listed in the Details tab.
3. Install the .msi file using one of the following methods:
To install it manually, open the file that you downloaded to run the setup
wizard, then follow the prompts. After it's installed, select Finish.
After you install the multimedia redirection service and browser extension, next you
need to enable the browser extension.
Important
Tip
By default, users are automatically prompted to enable the extension when they
open their browser. This section is optional if you want to enable and manage the
browser extension centrally.
You can enable and manage the browser extension centrally from Microsoft Edge Add-ons
or the Chrome Web Store for all users by using Microsoft Intune or Group Policy, or
the Microsoft Edge management service (for Microsoft Edge only).
Managing the browser extension has the following benefits:
Microsoft Intune
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Configure extension management settings, then close the
settings picker.
5. Expand the Microsoft Edge category, then toggle the switch for Configure
extension management settings to Enabled.
JSON
{
  "joeclbldhdmoijbaagobkhlpfjglcihd": {
    "installation_mode": "force_installed",
    "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx"
  }
}
Note
You can specify additional parameters to allow or block specific sites for
redirection and to show or hide advanced settings. For more information,
see:
7. Select Next.
8. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
9. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
10. On the Review + create tab, review the settings, then select Create.
11. After the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
3. Follow the steps to Import custom ADMX and ADML administrative templates
into Microsoft Intune. You need to import google.admx and google.adml
first, then import chrome.admx and chrome.adml.
4. After you imported the Google Chrome administrative template, follow the
steps to Create a profile using your imported files.
6. Select Extension management settings, which opens a new pane. Scroll to the
end, then select Enabled.
7. In the box, enter the following JSON as a single line string. This example
installs the extension with the required update URL:
JSON
{
  "lfmemoeeciijgkjkgbgikoonlkabmlno": {
    "installation_mode": "force_installed",
    "update_url": "https://clients2.google.com/service/update2/crx"
  }
}
Note
You can specify additional parameters to allow or block specific sites for
redirection and to show or hide advanced settings. For more information,
see:
9. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
10. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
11. On the Review + create tab, review the settings, then select Create.
12. After the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
Note
The following examples are for Microsoft Edge. For Google Chrome:
Change joeclbldhdmoijbaagobkhlpfjglcihd to lfmemoeeciijgkjkgbgikoonlkabmlno.
The following example installs the extension and shows the extension icon on the
toolbar by default, but still allows users to hide it. Other values are force_shown and
default_hidden. For more information about configuring extensions for Microsoft Edge,
JSON
{
  "joeclbldhdmoijbaagobkhlpfjglcihd": {
    "installation_mode": "force_installed",
    "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
    "toolbar_state": "default_shown"
  }
}
Here's what the extension looks like when the advanced settings button is hidden:
This example installs the extension and hides the advanced settings button.
Alternatively, to show the advanced settings button, set HideAdvancedSettings to false.
JSON
{
  "joeclbldhdmoijbaagobkhlpfjglcihd": {
    "installation_mode": "force_installed",
    "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
    "HideAdvancedSettings": true
  }
}
Icon state | Definition
(icon) | The multimedia redirection extension is loaded, indicating that the website can be redirected.
(icon) | The multimedia redirection extension isn't loaded, indicating that content on the web page isn't redirected.
(icon) | The multimedia redirection extension failed to load correctly. You might need to uninstall and reinstall the extension or the Remote Desktop Multimedia Redirection Service, then try again.
AWS Training
BBC
Big Think
CNBC
Coursera
Daily Mail
Fidelity
Fox Sports
Fox Weather
IMDB
Infosec Institute
LinkedIn Learning
Microsoft Learn
Microsoft Stream
Pluralsight
Skillshare
The Guardian
Twitch
Udemy *
UMU
U.S. News
Vimeo
Yahoo
Yammer
Important
1. Open the web page in Microsoft Edge or Google Chrome on your remote session.
2. Select the Microsoft Multimedia Redirection extension icon in the extension bar on
the top-right corner of your browser. If you're on a web page where multimedia
redirection is available, the icon has a blue border (rather than grey), and shows
the message The extension is loaded. For web pages that support video playback
redirection, Video Playback Redirection has a green check mark.
3. On the web page, play a video. Check the status of the extension icon that
multimedia redirection is active in your browser, which should look like the
following image:
To use multimedia redirection with Teams live events, you must use the web version of
Teams. Multimedia redirection isn't supported with the native Teams app. When you
launch the live event in your browser, make sure you select Watch on the web instead.
The Teams live event should automatically start playing in your browser with multimedia
redirection enabled.
Advanced settings for video playback redirection
The following advanced settings are available for video playback redirection. You can
also hide the advanced settings button from users; for more information, see Show or
hide advanced settings button.
Enable video playback for all sites (beta): By default, video playback redirection is
limited to the sites listed in Websites for video playback redirection. You can
enable video playback redirection for all sites to test the feature with other web
pages. This setting is experimental and might not work as expected.
Video status overlay: When enabled, a short message appears at the top of the
video player that indicates the redirection status of the current video. The message
disappears after five seconds.
Note
Change joeclbldhdmoijbaagobkhlpfjglcihd to lfmemoeeciijgkjkgbgikoonlkabmlno.
This example installs the extension and allows learn.microsoft.com and youtube.com,
but blocks all other domains. You can use this example as part of the steps in Enable and
manage the browser extension centrally.
JSON
{
  "joeclbldhdmoijbaagobkhlpfjglcihd": {
    "installation_mode": "force_installed",
    "runtime_allowed_hosts": [ "*://*.learn.microsoft.com", "*://*.youtube.com" ],
    "runtime_blocked_hosts": [ "*://*" ],
    "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
    "toolbar_state": "default_shown"
  }
}
Call redirection
The following sections contain information about how to test call redirection and how
you can configure advanced settings.
1. Open the web page in Microsoft Edge or Google Chrome on your remote session.
2. Select the Microsoft Multimedia Redirection extension icon in the extension bar on
the top-right corner of your browser. If you're on a web page where multimedia
redirection is available, the icon has a blue border (rather than grey), and shows
the message The extension is loaded. For web pages that support call redirection,
Call Redirection has a green check mark.
3. On the web page, make a call. Check the status of the extension icon that
multimedia redirection is active in your browser, which should look like the
following image:
Enable call redirection for specific domains
If you configure multimedia redirection using Microsoft Intune or Group Policy, you can
enable one or more domains for call redirection. This parameter enables you to specify
extra sites in addition to the Websites for call redirection. The supported format is the
fully qualified domain name (FQDN) with up to one subdirectory. The following formats
are supported:
contoso.com
conferencing.contoso.com
contoso.com/conferencing
www.contoso.com
contoso.com/conferencing/groups
contoso.com/
Note
Change joeclbldhdmoijbaagobkhlpfjglcihd to lfmemoeeciijgkjkgbgikoonlkabmlno.
This example installs the extension and adds calling sites contoso.com,
conferencing.contoso.com, and contoso.com/conferencing, which are separated by a
semicolon (;):
JSON
{
"joeclbldhdmoijbaagobkhlpfjglcihd": {
"installation_mode": "force_installed",
"AllowedCallRedirectionSites":
"contoso.com;conferencing.contoso.com;contoso.com/conferencing",
"update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
"toolbar_state": "default_shown"
}
}
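The policy value above is a single semicolon-separated string, so a malformed entry (a scheme, a second subdirectory, a trailing slash) is easy to ship without noticing. The following is an added example, not code from the Microsoft docs or the extension: it validates each site against the format rule stated above and assembles the ExtensionSettings entry. The extension ID and update_url are the Microsoft Edge values shown on the page; the specific rejection rules (a "www." prefix, more than one subdirectory, a trailing slash, a scheme prefix) are this example's reading of the page's format rule, and the site list is the page's own sample.

```javascript
// Added example (not from the Microsoft docs): validates AllowedCallRedirectionSites
// entries against the format the page describes and assembles the ExtensionSettings
// policy value. The extension ID and update_url are the Microsoft Edge values shown
// on the page; the rejection rules for "www.", extra subdirectories and trailing
// slashes are this example's reading of the page's format rule.

const EDGE_EXTENSION_ID = 'joeclbldhdmoijbaagobkhlpfjglcihd';
const EDGE_UPDATE_URL = 'https://edge.microsoft.com/extensionwebstorebase/v1/crx';

// One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
const LABEL = '[a-z0-9](?:[a-z0-9-]*[a-z0-9])?';
// Two or more labels, then optionally a single path segment (one subdirectory).
const SITE_RE = new RegExp(`^(?:${LABEL}\\.)+${LABEL}(?:/[a-z0-9._~-]+)?$`, 'i');

// Returns null when the entry is acceptable, otherwise a short reason for rejection.
function validateCallRedirectionSite(site) {
  if (typeof site !== 'string' || site.trim() === '') return 'empty entry';
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(site)) return 'scheme prefix is not allowed';
  if (site.includes(';')) return "';' is the list separator and cannot appear in an entry";
  if (site.endsWith('/')) return 'trailing slash is not allowed';
  if ((site.match(/\//g) || []).length > 1) return 'only one subdirectory is allowed';
  if (/^www\./i.test(site)) return "'www.' prefix is not supported";
  if (!SITE_RE.test(site)) return 'not a fully qualified domain name';
  return null;
}

// Splits a list into accepted entries and [entry, reason] pairs for the rest.
function partitionSites(sites) {
  const accepted = [];
  const rejected = [];
  for (const site of sites) {
    const reason = validateCallRedirectionSite(site);
    if (reason === null) accepted.push(site); else rejected.push([site, reason]);
  }
  return { accepted, rejected };
}

// Builds the ExtensionSettings entry. Throws on any invalid site so a typo never
// reaches the deployed policy silently.
function buildMmrExtensionPolicy(sites, extensionId = EDGE_EXTENSION_ID, updateUrl = EDGE_UPDATE_URL) {
  const { accepted, rejected } = partitionSites(sites);
  if (rejected.length > 0) {
    const detail = rejected.map(([site, reason]) => `${site}: ${reason}`).join('; ');
    throw new Error(`Invalid call redirection sites (${detail})`);
  }
  return {
    [extensionId]: {
      installation_mode: 'force_installed',
      AllowedCallRedirectionSites: accepted.join(';'),
      update_url: updateUrl,
      toolbar_state: 'default_shown',
    },
  };
}

// Stand-alone run with the page's three sample sites.
const examplePolicy = buildMmrExtensionPolicy([
  'contoso.com', 'conferencing.contoso.com', 'contoso.com/conferencing',
]);
console.log(JSON.stringify(examplePolicy, null, 2));
```

For Google Chrome, pass the Chrome extension ID and update URL as the second and third arguments instead of relying on the Edge defaults.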
1. On a local Windows device, add the following registry key and value:
Key: HKEY_CURRENT_USER\Software\Microsoft\MMR
Type: REG_DWORD
Value: AllowCallRedirectionAllSites
Data: 1
2. Connect to a remote session and load a web browser, then select the extension
icon in your browser.
Multimedia redirection redirects video playback and calls in a remote session from
Azure Virtual Desktop, a Windows 365 Cloud PC, or Microsoft Dev Box to your local
device for faster processing and rendering.
Call redirection optimizes audio calls for WebRTC-based calling apps, reducing latency,
and improving call quality. The connection happens between the local device and the
telephony app server, where WebRTC calls are offloaded from a remote session to a
local device. After the connection is established, call quality becomes dependent on the
web page or app providers, just as it would with a non-redirected call.
Call redirection can work with most WebRTC-based calling apps without modifications.
However, there might be unsupported scenarios or you might want to provide a
different experience in a remote session.
This article provides information about supported API interfaces and instance methods,
and shows JavaScript code snippets that you can use with the mediaDevices property of
the Navigator interface.
The Navigator interface is part of the Media Capture and Streams API, which you use to
integrate your website with call redirection. Together with the WebRTC API, these APIs
provide support for streaming audio and video data with WebRTC-based calling apps.
Multimedia redirection replaces the implementation of the mediaDevices object in the
APIs to detect call redirection, handle disconnection and reconnection events, and
collect diagnostic information.
Tip
When you want to test your integration with multimedia redirection, you can
enable call redirection to be available for all websites. For more information, see
Enable call redirection for all sites for testing.
Here's a list of the supported interfaces and instance methods used by call redirection
from the Media Capture and Streams API and WebRTC API:
AnalyserNode
AudioContext
HTMLAudioElement
MediaDevices
enumerateDevices
getUserMedia
MediaStream
MediaStreamAudioDestinationNode
MediaStreamAudioSourceNode
MediaStreamTrack
RTCDataChannel
RTCPeerConnection
RTCRtpReceiver
RTCRtpSender
RTCRtpTransceiver
Known limitations
Call redirection has the following API limitations:
Any local playback, such as a ringtone, always plays on the default audio output of
the remote session.
JavaScript
// Set to true on the page when call redirection is active for it.
window.navigator.mediaDevices['isCallRedirectionEnabled'] = true;
The web page can detect and handle these disconnect and reconnect events by tearing
down and recreating all WebRTC objects, audio or video elements, and MediaStream or
MediaStreamTrack interfaces. This approach eliminates the need to refresh the web page.
JavaScript
// The event argument carries the new connection state in event.detail.state.
navigator.mediaDevices.addEventListener('rdpClientConnectionStateChanged', (event) => {
    console.log("state change: " + event.detail.state);
});
JavaScript
window.navigator.mediaDevices['mmrClientVersion'];
window.navigator.mediaDevices['mmrHostVersion'];
window.navigator.mediaDevices['mmrExtensionVersion'];
window.navigator.mediaDevices['activityId'];
window.navigator.mediaDevices['connectionId'];
All of this information is available to the end user in the details of the browser extension,
but this example provides a programmatic way to collect it.
JavaScript
window.navigator.mediaDevices['mmrConsoleLoggingEnabled'] = true;
You might also want to programmatically collect multimedia redirection logs to aid in
investigations. All logs for the web page are also available by registering for the
mmrExtensionLog event on the document.
Level: denotes what kind of trace the entry is and allows you to filter for specific
events. Level is one of the following values:
info
verbose
warning
error
The following example shows how to register for the mmrExtensionLog event:
JavaScript
// Each entry arrives with event.detail.level and event.detail.message.
document.addEventListener('mmrExtensionLog', (event) => {
    console.log("MMR event, level:" + event.detail.level + " : " + event.detail.message);
});
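The snippets above each cover one hook in isolation. The following is an added example, not code from the Microsoft docs or the extension: a small integration layer for a calling page that combines detection, the reconnect handling the page recommends (recreate the WebRTC objects rather than reload the page), diagnostic collection and level-filtered log capture. Because the extension only exists in a browser, the example constructs stand-in EventTarget objects for navigator.mediaDevices and document so it runs under Node. The connection state values and the severity ordering of the four log levels are assumptions; the page lists the levels but does not define their order or the state strings.

```javascript
// Added example, not code from the Microsoft docs or the extension itself:
// an integration layer for a WebRTC calling page built on the hooks the page
// lists on navigator.mediaDevices and document. The state values and the
// level ordering are assumptions; the page does not define them.

// Severity order used for filtering. The page lists the four levels but not
// their order, so this ranking is an assumption of this example.
const LOG_LEVEL_RANK = { verbose: 0, info: 1, warning: 2, error: 3 };

// Diagnostic properties the page says the extension exposes on mediaDevices.
const DIAGNOSTIC_KEYS = [
  'mmrClientVersion', 'mmrHostVersion', 'mmrExtensionVersion',
  'activityId', 'connectionId',
];

class CallRedirectionIntegration {
  // mediaDevices: navigator.mediaDevices (or an EventTarget standing in for it)
  // doc: document (or an EventTarget standing in for it)
  // rebuildMedia: callback that tears down and recreates RTCPeerConnection,
  //   audio/video elements, MediaStream and MediaStreamTrack objects.
  constructor(mediaDevices, doc, rebuildMedia) {
    this.mediaDevices = mediaDevices;
    this.rebuildMedia = rebuildMedia;
    this.stateChanges = [];
    this.logs = [];
    mediaDevices.addEventListener('rdpClientConnectionStateChanged',
      (event) => this.onConnectionStateChanged(event));
    doc.addEventListener('mmrExtensionLog', (event) => this.onExtensionLog(event));
  }

  // True only when the extension has flagged this page as redirected.
  isCallRedirected() {
    return this.mediaDevices['isCallRedirectionEnabled'] === true;
  }

  // Collects the version and correlation identifiers for a support case;
  // values that are absent (for example when not redirected) come back as null.
  diagnostics() {
    return Object.fromEntries(
      DIAGNOSTIC_KEYS.map((key) => [key, this.mediaDevices[key] ?? null]));
  }

  // The page's guidance: on disconnect and reconnect, recreate the WebRTC
  // objects instead of reloading the page. The state strings are not documented
  // on the page, so every change triggers the rebuild and the state is recorded.
  onConnectionStateChanged(event) {
    const state = event.detail.state;
    this.stateChanges.push(state);
    this.rebuildMedia(state);
  }

  onExtensionLog(event) {
    const { level, message } = event.detail;
    this.logs.push({ level, message });
  }

  // Returns the stored log entries at or above the given severity.
  logsAtOrAbove(minLevel) {
    const min = LOG_LEVEL_RANK[minLevel];
    return this.logs.filter((entry) => LOG_LEVEL_RANK[entry.level] >= min);
  }
}

// --- constructed stand-ins so the example runs under Node without a browser ---

// Minimal event carrying a `detail` payload, like the events the extension raises.
class DetailEvent extends Event {
  constructor(type, detail) { super(type); this.detail = detail; }
}

function makeFakeEnvironment() {
  const mediaDevices = new EventTarget();
  mediaDevices['isCallRedirectionEnabled'] = true;
  mediaDevices['mmrClientVersion'] = 'constructed-client-1.0';     // constructed value
  mediaDevices['mmrHostVersion'] = 'constructed-host-1.0';         // constructed value
  mediaDevices['mmrExtensionVersion'] = 'constructed-ext-1.0';     // constructed value
  mediaDevices['activityId'] = '00000000-0000-0000-0000-000000000001';   // constructed
  mediaDevices['connectionId'] = '00000000-0000-0000-0000-000000000002'; // constructed
  return { mediaDevices, doc: new EventTarget() };
}

// Drives the integration with a constructed disconnect/reconnect sequence and
// two constructed log entries, returning what a caller can inspect.
function runDemo() {
  const { mediaDevices, doc } = makeFakeEnvironment();
  let rebuilds = 0;
  const integration = new CallRedirectionIntegration(mediaDevices, doc, () => { rebuilds += 1; });
  mediaDevices.dispatchEvent(new DetailEvent('rdpClientConnectionStateChanged', { state: 'disconnected' }));
  mediaDevices.dispatchEvent(new DetailEvent('rdpClientConnectionStateChanged', { state: 'connected' }));
  doc.dispatchEvent(new DetailEvent('mmrExtensionLog', { level: 'verbose', message: 'constructed: ICE candidate gathered' }));
  doc.dispatchEvent(new DetailEvent('mmrExtensionLog', { level: 'error', message: 'constructed: audio device lost' }));
  return { integration, rebuilds };
}

const demo = runDemo();
console.log('redirected:', demo.integration.isCallRedirected(),
  'rebuilds:', demo.rebuilds,
  'warning or above:', demo.integration.logsAtOrAbove('warning').length);
console.log(demo.integration.diagnostics());
```

In a real page, pass the browser's navigator.mediaDevices and document to the constructor and implement rebuildMedia with the teardown and recreation sequence the page describes.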
Related content
Learn more about Multimedia redirection for video playback and calls in a remote
session.
Graphics data from a remote session is transmitted to a local device via the Remote
Desktop Protocol (RDP). The process involves encoding the graphics data on the remote
virtual machine before sending it to the local device. Each frame is processed based on
its content, passing through image processors, a classifier, and a codec, before being
delivered to the local device using RDP's graphics transport.
The aim of encoding and transmitting graphics data is to provide optimal performance
and quality, with an experience that is the same as using a device locally. This process is
important when using Azure Virtual Desktop, Cloud PCs in Windows 365, and Microsoft
Dev Box, where users expect a high-quality experience when working remotely.
RDP uses a range of features and techniques to process and transmit graphics data that
make it suitable for a wide range of scenarios, such as office productivity, video
playback, and gaming. These features and techniques include:
Hardware and software-based encoding: uses the CPU or GPU to encode graphics
data.
Software encoding: uses the CPU to encode graphics data at a low cost.
Software encoding is the default encoding profile used on a remote virtual
machine without a discrete GPU.
Mixed-mode: separates text and image encoding using different codecs to provide
the best quality and lowest encoding cost for each type of content. Mixed-mode is
only available with software encoding.
Adaptive graphics: adjusts the encoding quality based on the available bandwidth
and the content of the screen.
Full-screen video encoding: provides a higher frame rate and better user
experience.
Delta detection and caching: reduces the amount of data that needs to be
transmitted.
Multiple codec support: uses hardware decoders on a local device. Codecs include
the Advanced Video Coding (AVC) video codec, also known as H.264, and the High
Efficiency Video Coding (HEVC) video codec, also known as H.265. HEVC/H.265
support is in preview and requires a compatible GPU-enabled remote virtual
machine.
4:2:0 and 4:4:4 chroma subsampling: provides a balance between image quality
and bandwidth usage.
You can use a combination of these features and techniques depending on the available
resources of the remote session, local device, and network, and the user experience you
want to provide.
This article describes the process of encoding and delivering graphics data over RDP
using some of these features and techniques.
Mixed-mode
By default, graphics data is separated depending on its content. Text and images are
encoded using a mix of codecs to achieve optimal encoding performance across
different content types when using software encoding only. This process is known as
mixed-mode.
On average, approximately 80% of the graphics data for a remote session is text. In
order to provide the lowest encoding cost and best quality for text, RDP uses a custom
codec that's optimized for text. Due to image content being more challenging to
encode effectively, it's critical to use a codec that adapts well to available bitrate.
AVC/H.264 is a widely supported codec that has a good compression ratio for images, is
capable of progressive encoding, and has the ability to adjust quality based on bitrate. It
relies on the hardware decoder on the local device, which is widely supported on
modern devices. Using the hardware decoder on the local device reduces the CPU usage
on the local device and provides a better user experience. Check with the device
manufacturer to ensure that it supports AVC/H.264 hardware decoding.
The following diagram shows the process of encoding and delivering graphics data over
RDP using mixed-mode in a software encoding scenario:
[Diagram: Remote session > Video detector > Image processors (Delta detection, Motion detection, Cache) > Image classifier > Graphics channel > Local device]
2. If the frame doesn't contain video, the image processors determine if there are
delta changes, motion is detected, or if content is available in the cache. If the
content matches certain criteria, the frame passes to the graphics channel.
3. If the frame needs further processing, the image classifier determines whether it
contains text or images.
4. Text and images are encoded using different codecs to provide the best quality
and lowest encoding cost for each type of content. Once encoded, the frame
passes to the graphics channel.
Instead of using two separate codecs for text and images with mixed-mode, you can
enable full-screen video encoding to process all screen content using the AVC/H.264
video codec.
A full-screen video profile provides a higher frame rate and better user experience, but
uses more network bandwidth and resources on both the remote virtual machine and
local device. It benefits applications such as 3D modeling, CAD/CAM, or video playback
and editing.
If you enable both HEVC/H.265 and AVC/H.264 hardware acceleration, but HEVC/H.265
isn't available on the local device, AVC/H.264 is used instead. HEVC/H.265 allows for
25-50% data compression compared to AVC/H.264 at the same video quality, or improved
quality at the same bitrate.
You can enable full-screen video encoding with AVC/H.264 even without GPU
acceleration, but HEVC/H.265 requires a compatible GPU-enabled remote virtual
machine.
To learn more, see Enable GPU acceleration for Azure Virtual Desktop.
Hardware GPU acceleration
Azure Virtual Desktop, Cloud PCs in Windows 365, and Microsoft Dev Box support
graphics processing unit (GPU) acceleration in rendering and encoding for improved
app performance and scalability using the Remote Desktop Protocol (RDP). GPU
acceleration is crucial for graphics-intensive applications, such as those used by graphic
designers, video editors, 3D modelers, data analysts, or visualization specialists.
There are two components to GPU acceleration that work together to improve the user
experience:
If the screen content in your workloads is largely image based, you can also enable full-
screen video encoding to process all screen content to provide a higher frame rate and
better user experience.
To learn more, see Increase the chroma value to 4:4:4 using the Advanced Video Coding
(AVC) video codec.
Azure Virtual Desktop supports graphics processing unit (GPU) acceleration in rendering
and encoding for improved app performance and scalability using the Remote Desktop
Protocol (RDP). GPU acceleration is crucial for graphics-intensive applications, such as
those used by graphic designers, video editors, 3D modelers, data analysts, or
visualization specialists.
There are three components to GPU acceleration in Azure Virtual Desktop that work
together to improve the user experience:
Note
If you enable both HEVC/H.265 and AVC/H.264 hardware acceleration, but
HEVC/H.265 isn't available on the local device, AVC/H.264 is used instead.
You can enable full-screen video encoding with AVC/H.264 even without GPU
acceleration, but HEVC/H.265 requires a compatible GPU-enabled remote
virtual machine.
You can also increase the default chroma value to improve the image quality.
This article shows you which Azure VM sizes you can use as a session host with GPU
acceleration, and how to enable GPU acceleration for rendering and encoding.
The right choice of VM size depends on many factors, including your particular
application workloads, desired quality of user experience, and cost. In general, larger
and more capable GPUs offer a better user experience at a given user density. Smaller
and fractional GPU sizes allow more fine-grained control over cost and quality.
VM sizes with an NVIDIA GPU come with a GRID license that supports 25 concurrent
users.
Important
Azure NC, NCv2, NCv3, ND, and NDv2 series VMs aren't generally appropriate as
session hosts. These VM sizes are tailored for specialized, high-performance
compute or machine learning tools, such as those built with NVIDIA CUDA. They
don't support GPU acceleration for most applications or the Windows user
interface.
Prerequisites
Before you can enable GPU acceleration, you need:
An existing host pool with session hosts using a supported GPU-optimized Azure
VM size for the graphics features you want to enable. Supported graphics drivers
are listed in Install supported graphics drivers in your session hosts.
If you increased the chroma value to 4:4:4, the chroma value falls back to 4:2:0
when using HEVC hardware acceleration.
The Administrative template for Azure Virtual Desktop available in Group Policy to
configure your session hosts.
A local Windows device you use to connect to a remote session must have:
A GPU that has HEVC (H.265) 4K YUV 4:2:0 decode support. For more
information, see the manufacturer's documentation. Here are some links to
documentation for some manufacturers:
NVIDIA
AMD
Intel
Microsoft HEVC codec installed. The Microsoft HEVC codec is included in clean
installs of Windows 11 22H2 or later. You can also purchase the Microsoft HEVC
codec from the Microsoft Store .
One of the following apps to connect to a remote session. Other platforms and
versions aren't supported.
Windows App on Windows, version 1.3.278.0 or later.
Remote Desktop app on Windows, version 1.2.4671.0 or later.
Important
For VM sizes with an NVIDIA GPU, only NVIDIA GRID drivers support GPU
acceleration for most applications and the Windows user interface. NVIDIA CUDA
drivers don't support GPU acceleration for these VM sizes. To download and learn
how to install the driver, see Install NVIDIA GPU drivers on N-series VMs running
Windows and be sure to install the GRID driver. If you install the driver by using the
NVIDIA GPU Driver Extension, the GRID driver is automatically installed for these
VM sizes.
For HEVC/H.265 hardware acceleration, you must use NVIDIA GPU driver GRID
16.2 (537.13) or later.
For VM sizes with an AMD GPU, install the AMD drivers that Azure provides. To
download and learn how to install the driver, see Install AMD GPU drivers on N-
series VMs running Windows.
Enable GPU-accelerated application rendering, frame encoding, and full-screen video encoding
By default, remote sessions are rendered with the CPU and don't use available GPUs.
You can enable GPU-accelerated application rendering, frame encoding, and full-screen
video encoding using Microsoft Intune or Group Policy.
Microsoft Intune
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
a. For GPU-accelerated application rendering, check the box for Use hardware
graphics adapters for all Remote Desktop Services sessions.
b. For GPU accelerated frame encoding, check the box for Configure
H.264/AVC hardware encoding for Remote Desktop connections.
c. For full-screen video encoding, check the box for Prioritize H.264/AVC 444
Graphics mode for Remote Desktop connections.
5. Expand the Administrative templates category, then toggle the switch for
each setting as follows:
6. Select Next.
7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
9. On the Review + create tab, review the settings, then select Create.
10. After the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
a. Make sure the local Windows device has the Microsoft HEVC codec installed by
opening a PowerShell prompt and running the following command:
PowerShell
Output
Name Version
---- -------
Microsoft.HEVCVideoExtension 2.1.1161.0
b. Make sure multimedia redirection is disabled on the session host if you're using
it.
2. Connect to one of the session hosts you configured, either through Azure Virtual
Desktop or a direct RDP connection.
3. Open an application that uses GPU acceleration and generate some load for the
GPU.
4. Open Task Manager and go to the Performance tab. Select the GPU to see
whether the GPU is being utilized by the application.
Tip
For NVIDIA GPUs, you can also use the nvidia-smi utility to check for GPU
utilization when running your application. For more information, see Verify
driver installation.
5. Open Event Viewer from the start menu, or run eventvwr.msc from the command
line.
Event ID 170: If you see AVC hardware encoder enabled: 1 in the event text,
GPU-accelerated frame encoding is in use.
Event ID 162:
If you see AVC available: 1, Initial Profile: 2048 in the event text, GPU-
accelerated frame encoding with AVC/H.264 and full-screen video
encoding is in use.
If you see AVC available: 1, Initial Profile: 32768 in the event text, GPU-
accelerated frame encoding with HEVC/H.265 is in use.
Related content
Increase the default chroma value to improve the image quality.
The chroma value determines the color space used for encoding. By default, the chroma
value is set to 4:2:0, which provides a good balance between image quality and network
bandwidth. When you use the Advanced Video Coding (AVC) video codec, you can
increase the chroma value to 4:4:4 to improve image quality. You don't need to use GPU
acceleration to change the chroma value.
This article shows you how to set the chroma value. You can use Microsoft Intune or
Group Policy to configure your session hosts.
Prerequisites
Before you can configure the chroma value, you need:
Microsoft Entra ID account that is assigned the Policy and Profile manager built-
in RBAC role.
A security group or organizational unit (OU) containing the devices you want to
configure.
Microsoft Intune
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for the following settings, then close the settings picker:
a. Toggle the switch for Prioritize H.264/AVC 444 Graphics mode for
Remote Desktop connections to Enabled.
b. Toggle the switch for Configure image quality for RemoteFX Adaptive
Graphics to Enabled, then for Image quality: (Device), select High.
6. Select Next.
7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
9. On the Review + create tab, review the settings, then select Create.
10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
Related content
Configure GPU acceleration
This article answers frequently asked questions and explains best practices for Windows
10 Enterprise multi-session and Windows 11 Enterprise multi-session.
Customize the image to your needs by installing LOB applications and sysprep the
image. When you're done customizing, upload the image to Azure with the VHD inside.
After that, get Azure Virtual Desktop from the Azure Marketplace and use it to deploy a
new host pool with the customized image.
Important
All named applications that come pre-installed are the latest version that is
available on the second Tuesday of that month. Any app updates after that day can only
be considered in the image update in the upcoming month.
For more information about how to configure an FSLogix profile container, see
Configure the FSLogix profile container.
Next steps
To learn more about Azure Virtual Desktop and Windows Enterprise multi-session:
This article describes how a Remote Desktop Session Host (RDSH) server, Windows 10
Enterprise multi-session, Windows 11 Enterprise multi-session, and Windows Server use
Fair Share technologies to balance CPU, disk, and network bandwidth resources among
multiple Remote Desktop sessions.
Introduction
Remote Desktop Services (RDS) server, Windows 10 Enterprise multi-session and
Windows 11 Enterprise multi-session use Fair Share technologies for CPU resources to
manage resources. RDS builds on the Fair Share technologies to add features for
allocating network bandwidth and disk resources. Fair Share CPU Scheduling is enabled
by default, while Dynamic Disk Fair Share and Dynamic Network Fair Share are disabled.
You can change the defaults by using PowerShell and WMI.
Note
Before turning on Dynamic Disk Fair Share or Dynamic Network Fair Share, it's
recommended to review performance on applications that require exchanging
larger amounts of data.
In a centralized computing scenario, the Dynamic Network Fair Share feature tries to
fairly distribute network interface bandwidth load among the sessions.
User profile management for Azure
Virtual Desktop with FSLogix profile
containers
Article • 08/22/2024
A remote user profile provides a partition between user data and the operating system.
It allows the operating system to be replaced or changed without affecting the user
data. With a VDI solution, such as Azure Virtual Desktop, the operating system may be
replaced for the following reasons:
We recommend using FSLogix profile containers with Azure Virtual Desktop to manage
and roam user profiles and personalization. FSLogix profile containers store a complete
user profile in a single container. At sign in, this container is dynamically attached to the
remote session as a natively supported Virtual Hard Disk (VHDX or VHD) file. The user
profile is immediately available and appears in the system exactly like a native user
profile. This article describes how FSLogix profile containers work with Azure Virtual
Desktop.
Note
If you're looking for comparison material about the different FSLogix Profile
Container storage options on Azure, see Storage options for FSLogix profile
containers.
Performance: The FSLogix profile containers are high performance and resolve
performance issues that have historically blocked cached exchange mode.
Additional folders: FSLogix profile containers provide the ability to extend user
profiles to include additional folders.
We recommend you use Azure Files or Azure NetApp Files to store profile
containers. To compare the different FSLogix Profile Container storage options on
Azure, see Storage options for FSLogix profile containers.
The storage account must be in the same region as the session host VMs.
Azure Files has limits on the number of open handles per root directory,
directory, and file. For more information on the limits and sizing guidance, see
Azure Files scalability and performance targets and Azure Files sizing guidance
for Azure Virtual Desktop.
Each host pool VM must be built of the same type and size VM based on the same
master image.
Each host pool VM must be in the same resource group to aid management,
scaling and updating.
For optimal performance, the storage solution and the FSLogix profile container
should be in the same data center location.
The storage account containing the master image must be in the same region and
subscription where the VMs are being provisioned.
Next steps
Learn more about storage options for FSLogix profile containers, see Storage
options for FSLogix profile containers in Azure Virtual Desktop.
Set up FSLogix Profile Container with Azure Files and Active Directory
Set up FSLogix Profile Container with Azure Files and Microsoft Entra ID
Set up FSLogix Profile Container with Azure NetApp Files
Azure offers multiple storage solutions that you can use to store your FSLogix profile
container. This article compares storage solutions that Azure offers for Azure Virtual
Desktop FSLogix user profile containers. We recommend storing FSLogix profile
containers on Azure Files for most of our customers.
Azure Virtual Desktop offers FSLogix profile containers as the recommended user profile
solution. FSLogix is designed to roam profiles in remote computing environments, such
as Azure Virtual Desktop. At sign-in, this container is dynamically attached to the
computing environment using a natively supported Virtual Hard Disk (VHD) or
Hyper-V Virtual Hard Disk (VHDX) file. The user profile is immediately available and
appears in the system exactly like a native user profile.
The following tables compare the storage solutions Azure Storage offers for Azure
Virtual Desktop FSLogix profile container user profiles.
Capacity
    Azure Files: 100 TiB per share, up to 5 PiB per general purpose account
    Azure NetApp Files: 100 TiB per volume, up to 12.5 PiB per NetApp account
    Storage Spaces Direct: Maximum 32 TiB per disk
Required infrastructure
    Azure Files: Minimum share size 1 GiB
    Azure NetApp Files: Minimum capacity pool 2 TiB, minimum volume size 100 GiB
    Storage Spaces Direct: Two VMs on Azure IaaS (+ Cloud Witness) or at least three VMs without a Cloud Witness, plus costs for disks
Protocols
    Azure Files: SMB 3.0/2.1, NFSv4.1 (preview), REST
    Azure NetApp Files: NFSv3, NFSv4.1, SMB 3.x/2.x, dual-protocol
    Storage Spaces Direct: NFSv3, NFSv4.1, SMB 3.1
Backup
    Azure Files: Azure Backup snapshot integration
    Azure NetApp Files: Azure NetApp Files snapshots, Azure NetApp Files backup
    Storage Spaces Direct: Azure Backup snapshot integration
Azure Active Directory integration
    Azure Files: Native Active Directory and Azure Active Directory Domain Services
    Azure NetApp Files: Azure Active Directory Domain Services and Native Active Directory
    Storage Spaces Direct: Native Active Directory or Azure Active Directory Domain Services support only
Once you've chosen your storage method, check out Azure Virtual Desktop pricing for
information about our pricing plans.
Premium file shares are backed by solid-state drives (SSDs) and are deployed in
the FileStorage storage account type. Premium file shares provide consistent high
performance and low latency for input and output (IO) intensive workloads.
Premium file shares use a provisioned billing model, where you pay for the amount
of storage you would like your file share to have, regardless of how much you use.
Standard file shares are backed by hard disk drives (HDDs) and are deployed in the
general purpose version 2 (GPv2) storage account type. Standard file shares
provide reliable performance for IO workloads that are less sensitive to
performance variability, such as general-purpose file shares and dev/test
environments. Standard file shares use a pay-as-you-go billing model, where you
pay based on storage usage, including data stored and transactions.
To learn more about how billing works in Azure Files, see Understand Azure Files billing.
The following table lists our recommendations for which performance tier to use based
on your workload. These recommendations will help you select the performance tier
that meets your performance targets, budget, and regional considerations. We've based
these recommendations on the example scenarios from Remote Desktop workload
types.
Light (more than 200 users): Premium file shares or standard with multiple file shares
For more information about Azure Files performance, see File share and file scale
targets. For more information about pricing, see Azure Files pricing .
The following table lists our recommendations for which performance tier to use based
on workload defaults.
Power (graphic designers, 3D model makers, machine learning researchers): Ultra tier for a
small user count; Premium tier for a medium user count; Standard tier for a large user count
In order to provision the optimal tier and volume size, consider using this calculator
for guidance.
Next steps
To learn more about FSLogix profile containers, user profile disks, and other user profile
technologies, see the table in FSLogix profile containers and Azure Files.
If you're ready to create your own FSLogix profile containers, get started with one of
these tutorials:
Set up FSLogix Profile Container with Azure Files and Active Directory
Set up FSLogix Profile Container with Azure NetApp Files
Store FSLogix profile containers on Azure Files and Microsoft Entra ID
Article • 10/18/2024
In this article, you'll learn how to create and configure an Azure Files share for Microsoft
Entra Kerberos authentication. This configuration allows you to store FSLogix profiles
that can be accessed by hybrid user identities from Microsoft Entra joined or Microsoft
Entra hybrid joined session hosts without requiring network line-of-sight to domain
controllers. Microsoft Entra Kerberos enables Microsoft Entra ID to issue the necessary
Kerberos tickets to access the file share with the industry-standard SMB protocol.
This feature is supported in the Azure cloud, Azure for US Government, and Azure
operated by 21Vianet.
Prerequisites
Before deploying this solution, verify that your environment meets the requirements to
configure Azure Files with Microsoft Entra Kerberos authentication.
When used for FSLogix profiles in Azure Virtual Desktop, the session hosts don't need to
have network line-of-sight to the domain controller (DC). However, a system with
network line-of-sight to the DC is required to configure the permissions on the Azure
Files share.
Note
Your Azure Storage account can't authenticate with both Microsoft Entra ID
and a second method like Active Directory Domain Services (AD DS) or
Microsoft Entra Domain Services. You can only use one authentication
method.
2. Create an Azure Files share under your storage account to store your FSLogix
profiles if you haven't already.
1. Enable the Microsoft Entra Kerberos functionality using one of the following
methods.
Configure this Intune Policy CSP and apply it to the session host:
Kerberos/CloudKerberosTicketRetrievalEnabled.
Note
Enable this Group policy on your device. The path will be one of the
following, depending on the version of Windows you use:
CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1
2. When you use Microsoft Entra ID with a roaming profile solution like FSLogix, the
credential keys in Credential Manager must belong to the profile that's currently
loading. This lets you load your profile on many different VMs instead of being
limited to just one. To enable this setting, create a new registry value by running
the following command:
Note
The session hosts don't need network line-of-sight to the domain controller.
To configure FSLogix:
Note
If you're configuring a session host created using the Azure Virtual Desktop
service, FSLogix should already be pre-installed.
2. Follow the instructions in Configure profile container registry settings to create the
Enabled and VHDLocations registry values. Set the value of VHDLocations to
\\<Storage-account-name>.file.core.windows.net\<file-share-name>.
If the user has signed in before, they'll have an existing local profile that the service will
use during this session. To avoid creating a local profile, either create a new user
account to use for tests or use the configuration methods described in Tutorial:
Configure profile container to redirect user profiles to enable the
DeleteLocalProfileWhenVHDShouldApply setting.
Finally, verify the profile created in Azure Files after the user has successfully signed in:
3. Select the storage account you configured for your session host pool.
6. If everything's set up correctly, you should see a directory with a name that's
formatted like this: <user SID>_<username>.
Next steps
To troubleshoot FSLogix, see this troubleshooting guide.
This article shows you how to set up a FSLogix profile container with Azure Files when
your session host virtual machines (VMs) are joined to an Active Directory Domain
Services (AD DS) domain or Microsoft Entra Domain Services managed domain.
Prerequisites
To configure a profile container, you need the following:
A host pool where the session hosts are joined to an AD DS domain or Microsoft
Entra Domain Services managed domain and users are assigned.
A security group in your domain that contains the users who will use the profile
container. If you're using AD DS, this must be synchronized to Microsoft Entra ID.
Permission on your Azure subscription to create a storage account and add role
assignments.
A domain account to join computers to the domain and open an elevated
PowerShell prompt.
The subscription ID of your Azure subscription where your storage account will be.
A computer joined to your domain for installing and running the PowerShell modules
that join a storage account to your domain. This device needs to be running a
supported version of Windows. Alternatively, you can use a session host.
Important
If users have previously signed in to the session hosts you want to use, local
profiles will have been created for them and must be deleted first by an
administrator for their profile to be stored in a profile container.
Tip
Whether you should select Premium depends on your IOPS and latency
requirements. For more information, see Container storage options.
On the Advanced tab, Enable storage account key access must be left
enabled.
For more information on the remaining configuration options, see Plan
for an Azure Files deployment.
2. Create an Azure Files share under your storage account to store your FSLogix
profiles if you haven't already.
AD DS
2. Download and extract the latest version of AzFilesHybrid from the Azure
Files samples GitHub repo. Make a note of the folder you extract the files to.
3. Open an elevated PowerShell prompt and change to the directory where you
extracted the files.
4. Run the following command to add the AzFilesHybrid module to your user's
PowerShell modules directory:
PowerShell
.\CopyToPSPath.ps1
5. Import the AzFilesHybrid module by running the following command:
PowerShell
Important
This module requires the PowerShell Gallery and Azure PowerShell. You
may be prompted to install these if they are not already installed or they
need updating. If you are prompted for these, install them, then close all
instances of PowerShell. Re-open an elevated PowerShell prompt and
import the AzFilesHybrid module again before continuing.
PowerShell
Connect-AzAccount
7. Join the storage account to your domain by running the commands below,
replacing the values for $subscriptionId , $resourceGroupName , and
$storageAccountName with your values. You can also add the parameter -
PowerShell
$subscriptionId = "subscription-id"
$resourceGroupName = "resource-group-name"
$storageAccountName = "storage-account-name"
Join-AzStorageAccount `
-ResourceGroupName $resourceGroupName `
-StorageAccountName $storageAccountName `
-DomainAccountType "ComputerAccount"
8. To verify the storage account is joined to your domain, run the commands
below and review the output, replacing the values for $resourceGroupName and
$storageAccountName with your values:
PowerShell
$resourceGroupName = "resource-group-name"
$storageAccountName = "storage-account-name"
Important
If your domain enforces password expiration, you must update the password
before it expires to prevent authentication failures when accessing Azure file
shares. For more information, see Update the password of your storage
account identity in AD DS for details.
1. From the Azure portal, browse to the storage account, then to the file share you
created previously.
3. Select + Add, then select Add role assignment from the drop-down menu.
4. Select the role Storage File Data SMB Share Contributor and select Next.
5. On the Members tab, select User, group, or service principal, then select +Select
members. In the search bar, search for and select the security group that contains
the users who will use the profile container.
1. From the Azure portal, search for and select storage account in the search bar.
2. From the list of storage accounts, select the account that you enabled Active
Directory Domain Services or Microsoft Entra Domain Services as the identity
source and assigned the RBAC role for in the previous sections.
3. Under Security + networking, select Access keys, then show and copy the key
from key1.
2. Open an elevated PowerShell prompt and run the command below to map the
storage account as a drive on your session host. The mapped drive won't show in
File Explorer, but can be viewed with the net use command. This is so you can set
permissions on the share.
For example:
3. Run the following commands to set permissions on the share that allow your
Azure Virtual Desktop users to create their own profile while blocking access to the
profiles of other users. You should use an Active Directory security group that
contains the users you want to use the profile container. In the commands below,
replace <mounted-drive-letter> with the letter of the drive you used to map the
drive and <DOMAIN\GroupName> with the domain and sAMAccountName of the
Active Directory group that will require access to the share. You can also specify
the user principal name (UPN) of a user.
For example:
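The mapping and permission steps above, written out as an added PowerShell example that is not part of the original article: it maps the share with the storage account key, applies NTFS permissions so members of the profile group can create their own profile folder while each user can reach only what they created, prints the resulting ACL for review, and removes the mapping again. The drive letter, the placeholders in angle brackets, and the exact set of ACL entries are assumptions to adapt to your environment.

```powershell
# Added example (not from the original article). Maps the FSLogix share with the
# storage account key, applies least-privilege NTFS permissions on the share root,
# shows the result, then removes the key-based mapping.
# Placeholders (assumptions): <storage-account-name>, <share-name>,
# <storage-account-key>, <DOMAIN\GroupName>.

$storageAccountName = "<storage-account-name>"
$shareName          = "<share-name>"
$storageAccountKey  = "<storage-account-key>"   # Access keys > key1 on the storage account
$profileGroup       = "<DOMAIN\GroupName>"       # AD security group that uses the profile container
$driveLetter        = "Y:"                       # any free letter; not visible in File Explorer

$uncPath = "\\$storageAccountName.file.core.windows.net\$shareName"

# Map with the storage account identity (Azure\<account>) so the ACL can be written
# before any domain user has been granted share-level access.
net use $driveLetter $uncPath $storageAccountKey /user:"Azure\$storageAccountName"
if ($LASTEXITCODE -ne 0) { throw "net use failed for $uncPath" }

try {
    # Remove the broad default entries; otherwise any authenticated user could
    # browse other users' profile containers.
    icacls $driveLetter /remove "Authenticated Users"
    icacls $driveLetter /remove "Builtin\Users"

    # Profile users get Modify on the root only (no inheritance), enough to create
    # their own folder. CREATOR OWNER then gets Modify on what that user created,
    # so a profile folder is reachable by its owner and administrators only.
    icacls $driveLetter /grant "$($profileGroup):(M)"
    icacls $driveLetter /grant "Creator Owner:(OI)(CI)(IO)(M)"

    # Print the effective ACL so the change can be reviewed and recorded.
    icacls $driveLetter
}
finally {
    # The account key grants full access to every share in the storage account;
    # keep the mapping only as long as the ACL work needs it.
    net use $driveLetter /delete /y
}
```

The NTFS entries persist on the share after the mapping is dropped; what users can do is then governed by those entries together with the Storage File Data SMB Share Contributor role assigned to the security group in the previous section.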
To configure profile containers, we recommend you use Group Policy Preferences to set
registry keys and values at scale across all your session hosts. You can also set these in
your custom image.
1. If you need to install or update FSLogix Apps, download the latest version of
FSLogix and install it by running FSLogixAppsSetup.exe , then following the
instructions in the setup wizard. For more details about the installation process,
including customizations and unattended installation, see Download and Install
FSLogix.
2. Open an elevated PowerShell prompt and run the following commands, replacing
\\<storage-account-name>.file.core.windows.net\<share-name> with the UNC path
to your storage account you created earlier. These commands enable the profile
container and configure the location of the share.
PowerShell
$regPath = "HKLM:\SOFTWARE\FSLogix\profiles"
New-ItemProperty -Path $regPath -Name Enabled -PropertyType DWORD -Value 1 -Force
New-ItemProperty -Path $regPath -Name VHDLocations -PropertyType MultiString -Value "\\<storage-account-name>.file.core.windows.net\<share-name>" -Force
3. Restart your device. You'll need to repeat these steps for any remaining devices.
You have now finished setting up your profile container. If you're installing the
profile container in your custom image, you'll need to finish creating the custom image.
For more information, follow the steps in Create a custom image in Azure from the
section Take the final snapshot onwards.
If the user has signed in before, they'll have an existing local profile that they'll use
during this session. Either delete the local profile first, or create a new user account to
use for tests.
Users can check that the profile container is set up by following the steps below:
2. When the user signs in, the message "Please wait for the FSLogix Apps Services"
should appear as part of the sign-in process, before reaching the desktop.
Administrators can check the profile folder has been created by following the steps
below:
4. Open your file share and make sure the user profile folder you've created is in
there.
FSLogix profile containers store a complete user profile in a single container and are
designed to roam profiles in non-persistent remote computing environments like Azure
Virtual Desktop. When you sign in, the container dynamically attaches to the computing
environment using a locally supported virtual hard disk (VHD) and Hyper-V virtual hard
disk (VHDX). These advanced filter-driver technologies allow the user profile to be
immediately available and appear in the system exactly like a local user profile. To learn
more about FSLogix profile containers, see User profile management with FSLogix
profile containers.
You can create FSLogix profile containers using Azure NetApp Files , an easy-to-use
Azure native platform service that helps customers quickly and reliably provision
enterprise-grade SMB volumes for their Azure Virtual Desktop environments. To learn
more about Azure NetApp Files, see What is Azure NetApp Files?.
Note
This article doesn't cover best practices for securing access to the Azure NetApp
Files share.
Note
If you're looking for comparison material about the different FSLogix Profile
Container storage options on Azure, see Storage options for FSLogix profile
containers.
Considerations
To optimize performance and scalability, the number of concurrent users accessing
FSLogix profile containers stored on a single Azure NetApp Files regular volume
should be limited to 3,000. Having more than 3,000 concurrent users on a single
volume causes significant increased latency on the volume. If your scenario
requires more than 3,000 concurrent users, divide users across multiple regular
volumes or use a large volume. A single large volume can store FSLogix profiles for
up to 50,000 concurrent users. For more information on large volumes, see
Requirements and considerations for large volumes.
To protect your FSLogix profile containers, consider using Azure NetApp Files
snapshots and Azure NetApp Files backup.
Prerequisites
Before you can configure an FSLogix profile container with Azure NetApp Files, you
must have:
2. You need to create a new capacity pool. See Create a capacity pool for Azure
NetApp Files.
3. You then need to join an Active Directory connection. See Create and manage
Active Directory connections for Azure NetApp Files.
4. Create a new SMB volume. Follow the steps in Create an SMB volume for Azure
NetApp Files.
Note
It's recommended that you enable Continuous Availability on the SMB volume
for use with FSLogix profile containers, so select Enable Continuous
Availability. For more information, see Enable Continuous Availability on
existing SMB volumes.
Configure permissions
When configuring the directory and file-level permissions, review the recommended list
of permissions for FSLogix profiles at Configure the storage permissions for profile
containers.
Without proper directory-level permissions in place, a user can delete the user profile or
access the personal information of a different user. It's important to make sure users
have proper permissions to prevent accidental deletion from happening.
Note
When adding the VHDLocations registry key, set the data type to Multi-String
and set its data value to the URI for the Azure NetApp Files share.
Be careful when creating the DeleteLocalProfileWhenVHDShouldApply
value. When the FSLogix Profiles system determines a user should have
an FSLogix profile, but a local profile already exists, Profile Container will
permanently delete the local profile. The user will then be signed in with
the new FSLogix profile.
2. Open Azure NetApp Files, select your Azure NetApp Files account, and then select
Volumes. Once the Volumes menu opens, select the corresponding volume.
3. Go to the Overview tab and confirm that the FSLogix profile container is using
space.
4. Open the File Explorer, then navigate to the Mount path. Within this folder, there
should be a profile VHD (or VHDX).
FSLogix profile containers are a complete roaming profile solution for virtual environments.
The profile container (single container), redirects the entire Windows user profile into a VHD
stored on a storage provider. The most common storage provider is an SMB file share.
The profile container is inclusive of all the benefits and uses found in the ODFC container.
Learn how to
" Enable the product for profiles
" Specify the location for the containers
" Verify the container has been attached and working
Prerequisites
Successful deployment of a virtual desktop or Azure Virtual Desktop environment.
SMB file share with NTFS and share-level permissions correctly configured.
Download and install the latest version of FSLogix.
Review configuration options.
Note
This tutorial doesn't cover how to convert to / from single or dual containers.
Note
Includes all Microsoft 365 application data. No need for an ODFC container.
3. Select Start and Type Registry Editor directly into the Start Menu.
5. Go to: HKEY_LOCAL_MACHINE\SOFTWARE\FSLogix\Profiles .
1 Recommended to ensure users don't use local profiles and lose data unexpectedly.
5 VHDX is preferred over VHD due to its supported size and reduced corruption scenarios.
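Applying the recommended Profiles values to a session host in one pass, as an added PowerShell example that is not part of the original tutorial. It writes the values and then reads them back, so drift from the intended configuration is reported rather than discovered at a user's first sign-in. The share path is a placeholder, and the chosen set of values (Enabled, VHDLocations, DeleteLocalProfileWhenVHDShouldApply per footnote 1, VolumeType per footnote 5) is this example's assumption about which recommendations you adopted.

```powershell
# Added example (not from the original tutorial). Sets the FSLogix Profiles
# registry values on this session host and verifies them afterwards.
# <storage-account-name> and <share-name> are placeholders (assumptions).

$regPath     = "HKLM:\SOFTWARE\FSLogix\Profiles"
$vhdLocation = "\\<storage-account-name>.file.core.windows.net\<share-name>"

# Desired state: value name -> registry type and data.
$desired = @{
    Enabled      = @{ Type = "DWord";       Value = 1 }
    VHDLocations = @{ Type = "MultiString"; Value = @($vhdLocation) }
    # Footnote 1: don't let users fall back to a local profile and lose data.
    # Caution: an existing local profile is permanently deleted when the
    # container applies, so clear test accounts' local profiles deliberately.
    DeleteLocalProfileWhenVHDShouldApply = @{ Type = "DWord"; Value = 1 }
    # Footnote 5: VHDX is preferred over VHD.
    VolumeType   = @{ Type = "String";      Value = "VHDX" }
}

function Set-FslogixProfileSettings {
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    foreach ($name in $desired.Keys) {
        $entry = $desired[$name]
        New-ItemProperty -Path $regPath -Name $name -PropertyType $entry.Type `
            -Value $entry.Value -Force | Out-Null
    }
}

function Test-FslogixProfileSettings {
    # Returns the names of values whose stored data differs from the desired state.
    $drift = @()
    foreach ($name in $desired.Keys) {
        $actual   = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
        $expected = $desired[$name].Value
        # Join handles both scalars and the MultiString array uniformly.
        if (($actual -join ";") -ne ($expected -join ";")) { $drift += $name }
    }
    return $drift
}

Set-FslogixProfileSettings
$drift = Test-FslogixProfileSettings
if ($drift.Count -eq 0) { "FSLogix profile settings match the desired state." }
else { "Drift detected in: $($drift -join ', ')" }
```

Run it from an elevated prompt on each session host, or bake the same values into the custom image; the verification function is also usable on its own as a periodic configuration check.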
2. Select Start and Type command prompt directly into the Start Menu.
3. Select Command Prompt from the Start Menu.
6. Select Start.
%username%-%sid%
There are two ways to make applications available to users in Azure Virtual Desktop: as
part of a full desktop or as individual applications with RemoteApp. You publish
applications by adding them to an application group, which is associated with a host
pool and workspace, and assigned to users. For more information about application
groups, see Terminology.
For desktop application groups, you can only publish a full desktop and all
applications in MSIX packages using MSIX app attach to appear in the user's start
menu in a desktop session. If you use app attach, applications aren't added to a
desktop application group.
This article shows you how to publish applications that are installed locally with
RemoteApp using the Azure portal and Azure PowerShell. You can't publish applications
using Azure CLI.
Prerequisites
Azure portal
An existing host pool with session hosts, a RemoteApp application group, and
a workspace.
At least one session host is powered on in the host pool the application group
is assigned to.
The applications you want to publish are installed on the session hosts in the
host pool the application group is assigned to. If you're using app attach, you
must add and assign an MSIX, Appx, or App-V package to your host pool
before you start. For more information, see Add and manage app attach
applications.
As a minimum, the Azure account you use must have the Desktop
Virtualization Application Group Contributor built-in role-based access control
(RBAC) role on the resource group, or on the subscription, to create the
resources.
Azure portal
Here's how to add applications to a RemoteApp application group using the Azure
portal.
2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.
3. Select Application groups, then select the RemoteApp application group you
want to add an application to.
4. Select Applications, select + Add. Make sure you have at least one session
host powered on in the host pool the application group is assigned to.
5. On the Basics tab, from application source drop-down list, select App Attach,
Start menu, or File path. The remaining fields change depending on the
application source you select.
For App Attach, complete the following information. Your MSIX package
must already be added and assigned to your host pool.
Parameter | Value/Description
---|---
Package | Select a package available for the host pool from the drop-down list. Regional packages are from app attach and host pool packages are from MSIX app attach.
Display name | Enter a friendly name for the application that is displayed to users.

Parameter | Value/Description
---|---
Display name | Enter a friendly name for the application that is displayed to users.
Application path | Review the file path to the .exe file for the application and change it if necessary.
Require command line | Select if you need to add a specific command to run when the application launches. If you select Yes, enter the command in the Command line field.

Parameter | Value/Description
---|---
Application path | Enter the file path to the .exe file for the application.
Display name | Enter a friendly name for the application that is displayed to users.
Require command line | Select if you need to add a specific command to run when the application launches. If you select Yes, enter the command in the Command line field.
6. On the Icon tab, the options you see depend on the application source you
selected on the Basics tab. With app attach you can use a UNC path, but for
Start Menu and File path you can only use a local path.
If you selected App Attach, select Default to use the default icon for the
application, or select File path to use a custom icon.
Browse Azure Files to use an icon from an Azure file share. Select
Select a storage account and select the storage account containing
your icon file, then select Select icon file. Browse to the file share and
directory your icon is in, check the box next to the icon you want to
add, for example MyApp.ico , then select Select. You can also use a
.png file. For Icon index, specify the index number for the icon you
UNC file path to use an icon from a file share. For Icon path, enter the
UNC path to your icon file, for example \\MyFileShare\MyApp.ico . You
can also use a .png file. For Icon index, specify the index number for
the icon you want to use. This is usually 0.
If you selected Start menu or File path, for Icon path, enter a local path
to the .exe file or your icon file, for example C:\Program
Files\MyApp\MyApp.exe . For Icon index, specify the index number for the
icon you want to use. This is usually 0.
7. On the Review + add tab, ensure validation passes and review the information
that is used to add the application, then select Add to add the application to
the RemoteApp application group.
Using shell:appsFolder means the application icon isn't picked up automatically from
the application. You should provide an icon file on a local drive on each session host in a
path that doesn't change, unlike the application installation directory.
Select the relevant tab for your scenario and follow the steps.
Azure portal
Here's how to publish a Microsoft Store application using the Windows user
interface and the Azure portal:
2. Find the application in the list, right-click it, then select Create a shortcut.
3. For the shortcut prompt that appears, select Yes to place the shortcut on the
desktop.
4. View the properties of the shortcut and make a note of the Target value. This
value is the package family name and application ID you need to publish the
application.
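The same publishing flow through Azure PowerShell, as an added example that is not part of the original article: it publishes one locally installed application by file path and one Microsoft Store application through shell:appsFolder, using the shortcut Target value noted in the step above, then lists what the application group now exposes. Resource names, paths and the package family name are placeholders (assumptions).

```powershell
# Added example (not from the original article). Publishes two RemoteApp
# applications with the Az.DesktopVirtualization module and reads them back.
# All names, paths and <PackageFamilyName>!<ApplicationId> are placeholders.

$resourceGroupName = "<resource-group-name>"
$appGroupName      = "<remoteapp-application-group-name>"

# Application installed at the same local path on every session host of the pool.
# CommandLineSetting DoNotAllow ignores user-supplied arguments, which keeps a
# published app from being turned into a general-purpose launcher.
New-AzWvdApplication -ResourceGroupName $resourceGroupName -GroupName $appGroupName `
    -Name "MyApp" -FriendlyName "My App" `
    -FilePath "C:\Program Files\MyApp\MyApp.exe" `
    -IconPath "C:\Program Files\MyApp\MyApp.exe" -IconIndex 0 `
    -CommandLineSetting DoNotAllow -ShowInPortal

# Microsoft Store application: the file path is shell:appsFolder\<Target value>.
# No icon is picked up from shell:appsFolder, so IconPath must point at a file
# that exists at the same local path on every session host.
$storeTarget = "<PackageFamilyName>!<ApplicationId>"
New-AzWvdApplication -ResourceGroupName $resourceGroupName -GroupName $appGroupName `
    -Name "MyStoreApp" -FriendlyName "My Store App" `
    -FilePath "shell:appsFolder\$storeTarget" `
    -IconPath "C:\AvdIcons\MyStoreApp.ico" -IconIndex 0 `
    -CommandLineSetting DoNotAllow -ShowInPortal

# Review the published set: name, launch path and command-line policy.
Get-AzWvdApplication -ResourceGroupName $resourceGroupName -GroupName $appGroupName |
    Select-Object Name, FilePath, CommandLineSetting
```

The final listing is worth keeping as part of change records: the file path and command-line setting together define exactly what a RemoteApp user can launch on the session hosts.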
Your session hosts need to use a virtual machine (VM) size that supports nested
virtualization. To check if a VM series supports nested virtualization, see Sizes for virtual
machines in Azure, go to the relevant article for the series of the VM, and check the list
of supported features.
1. To install Windows Sandbox on your session hosts, follow the steps in Windows
Sandbox overview. We recommend you install Windows Sandbox in a custom
image you can use when creating your session hosts.
2. Once you installed Windows Sandbox on your session hosts, it's available in a
desktop session. If you also want to publish it as a RemoteApp, follow the steps to
Add applications to a RemoteApp application group and use the file path
C:\Windows\System32\WindowsSandbox.exe .
Next steps
Learn how to Add and manage app attach applications.
Learn about how to customize the feed so resources appear in a recognizable way
for your users.
If you encounter issues with your applications running in Azure Virtual Desktop,
App Assure is a service from Microsoft designed to help you resolve them at no
extra cost. For more information, see App Assure.
This article lists the features of Microsoft Teams that Azure Virtual Desktop currently
supports and the minimum requirements to use each feature.
Supported features
The following table lists whether the Windows Desktop client, Azure Virtual Desktop
Store app or macOS client supports specific features for Teams on Azure Virtual
Desktop. Other clients aren't supported.
Tip
You can find a more general list of Teams features that aren't supported on any VDI
platform in the documentation for Microsoft Teams at Features not supported in
VDI.
Version requirements
The following table lists the minimum required versions for each Teams feature. For
optimal user experience on Teams for Azure Virtual Desktop, we recommend using the
latest supported versions of each client along with the WebRTC Redirector Service
installed on your session hosts, which you can find in the following list:
Supported features | Windows Desktop client and Azure Virtual Desktop Store app version | macOS client version | WebRTC Redirector Service version | Teams version
---|---|---|---|---
Audio/video call | 1.2.1755 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Background blur | 1.2.3004 and later | 10.7.10 and later | 1.1.2110.16001 and later | Updates within 90 days of the current version
Background images | 1.2.3004 and later | 10.7.10 and later | 1.1.2110.16001 and later | Updates within 90 days of the current version
CART transcriptions | 1.2.2322 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Call health panel | 1.2.1755 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Configure audio devices | 1.2.1755 and later | Not supported | 1.0.2006.11001 and later | Updates within 90 days of the current version
Configure camera devices | 1.2.1755 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Dynamic e911 | 1.2.2600 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Give and take control | 1.2.2924 and later | 10.7.10 and later | 1.0.2006.11001 and later (Windows), 1.31.2211.15001 and later (macOS) | Updates within 90 days of the current version
Live captions | 1.2.2322 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Live reactions | 1.2.1755 and later | 10.7.7 and later | 1.1.2110.16001 and later | Updates within 90 days of the current version
Manage breakout rooms | 1.2.1755 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Mirror my video | 1.2.3770 and later | Not supported | 1.0.2006.11001 and later | Updates within 90 days of the current version
Multiwindow | 1.2.1755 and later | 10.7.7 and later | 1.1.2110.16001 and later | Updates within 90 days of the current version
Noise suppression* | 1.2.3316 and later | 10.8.1 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Screen share and video together | 1.2.1755 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Screen share | 1.2.1755 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Secondary ringer | 1.2.3004 and later | 10.7.7 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Shared system audio | 1.2.4058 and later | Not supported | 1.0.2006.11001 and later | Updates within 90 days of the current version
Simulcast | 1.2.3667 and later | 10.8.1 and later | 1.0.2006.11001 and later | Updates within 90 days of the current version
Learn about known issues, limitations, and how to log issues at Troubleshoot Teams on
Azure Virtual Desktop.
Learn about the latest version of the Remote Desktop WebRTC Redirector Service at
What's new in the Remote Desktop WebRTC Redirector Service.
Preferred application group type behavior for pooled host pools in Azure Virtual Desktop
Article • 06/11/2024
Desktop: users access the full Windows desktop from a session host. Available with
pooled or personal host pools.
RemoteApp: users access individual applications you select and publish to the
application group. Available with pooled host pools only.
With pooled host pools, you can assign both application group types to the same host
pool at the same time. You can only assign a single desktop application group with a
host pool, but you can also assign multiple RemoteApp application groups to the same
host pool.
Users assigned to multiple RemoteApp application groups assigned to the same host
pool have access to an aggregate of all the applications in the application groups
they're assigned to.
To help prevent users from connecting to a desktop and RemoteApp application at the
same time from application groups assigned to the same host pool, pooled host pools
have the setting Preferred application group type. This setting determines whether
users have access to the full desktop or RemoteApp applications from this host pool in
Windows App or the Remote Desktop app, should they be assigned to an application
group of each type to the same host pool.
Important
Users who have access to both a desktop application group and RemoteApp
application group assigned to the same host pool only have access to the type of
applications from the application group determined by the preferred application
group type for the host pool. It doesn't prevent a user from having access to the
full desktop and RemoteApp applications from different host pools, or different
users from having access to different application group types from the same host
pool.
You must specify the preferred application group type for a host pool at the point of
creation. Additionally, when creating a host pool using the Azure portal there are two
default behaviors, which don't happen when creating a host pool using a different
method, such as Azure PowerShell or Azure CLI. These default behaviors are:
The default preferred application group type selected using the Azure portal is
Desktop. You can change this setting when you create the host pool or after the
host pool is created.
To prevent this scenario, set the preferred application group type for each host pool to
either Desktop or RemoteApp. To learn how to set the preferred application group type,
see Set the preferred application group type for a pooled host pool in Azure Virtual
Desktop.
For host pools that still don't have a preferred application group type set, where a user
has access to both a desktop application group and RemoteApp application group
assigned to the same host pool, Windows App or the Remote Desktop app now only
shows the desktop resource. The Desktop preferred application group type is enforced.
Windows App or the Remote Desktop app doesn't show the RemoteApp applications
from the RemoteApp application group.
Important
The enforcement of the Desktop preferred application group type for host pools
that don't have a preferred application group type set is currently rolling out to all
Azure regions.
It's still possible to connect to both the desktop and RemoteApp applications from the
same host pool using the ms-avd:connect URI scheme regardless of the preferred
application group type, but we don't recommend this approach. If a user ends up with
two different sessions to the same host pool, it can cause a negative experience and
session performance for that user and other users, including:
Expected behavior
Here's a matrix of the expected behavior for the resources users see in Windows App or
the Remote Desktop app based on the preferred application group type setting of a
host pool, the application groups assigned to the host pool and their type, and user
assignments to the application groups:
Example scenarios
Here are some example scenarios that show how the preferred application group type
setting affects which types of remote resources are shown to users.
Scenario 1
In this scenario, a desktop application group and a RemoteApp application group are
assigned to the same host pool hp01 . User Tim is in the finance security group, which is
assigned to the desktop application group. User Gabriella is in the legal security group,
which is assigned to the RemoteApp application group.
The preferred application group type for host pool hp01 isn't relevant as users in the
finance security group only have access to the desktop application group and users in
the legal security group only have access to the RemoteApp application group. In
Windows App or the Remote Desktop app, Tim is shown the desktop, and Gabriella is
shown the RemoteApp applications.
Scenario 2
In this scenario, a desktop application group and a RemoteApp application group are
assigned to the same host pool hp01 . User Tim is in the finance security group, which is
assigned to the desktop application group. User Gabriella is in the legal security group,
which is assigned to both the desktop and RemoteApp application groups.
The preferred application group type for host pool hp01 is set to Desktop. In Windows
App or the Remote Desktop app, both Tim and Gabriella are shown the desktop.
Gabriella isn't shown any RemoteApp applications.
Scenario 3
In this scenario, a desktop application group is assigned to host pool hp01 and a
RemoteApp application group is assigned to host pool hp02 . User Tim is in the finance
security group and user Gabriella is in the legal security group. Both security groups are
assigned to the desktop application group and RemoteApp application group.
The preferred application group type for host pool hp01 is set to Desktop and the
preferred application group type for host pool hp02 is set to RemoteApp. In Windows
App or the Remote Desktop app, Tim and Gabriella are shown both desktop and
RemoteApp applications.
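The visibility rules the three scenarios illustrate, encoded as a small decision function in PowerShell. This is an added example, not part of the original article; it evaluates one host pool at a time, which is why scenario 3 is two separate calls, and it treats an unset preferred type as Desktop, following the enforcement described earlier in this article.

```powershell
# Added example (not from the original article). Which resource type a user
# sees from one host pool, given the pool's preferred application group type
# and the user's application group assignments on that pool.

function Get-VisibleResourceType {
    param(
        [ValidateSet("Desktop", "RemoteApp", "None")] [string] $PreferredType,
        [bool] $HasDesktopGroup,
        [bool] $HasRemoteAppGroup
    )
    # Assigned to only one application group type on this pool: the preferred
    # type is irrelevant and the user sees that type.
    if ($HasDesktopGroup -and -not $HasRemoteAppGroup) { return "Desktop" }
    if ($HasRemoteAppGroup -and -not $HasDesktopGroup) { return "RemoteApp" }
    if (-not $HasDesktopGroup -and -not $HasRemoteAppGroup) { return "Nothing" }
    # Assigned to both: the preferred type decides. A pool with no preferred
    # type set is enforced as Desktop.
    if ($PreferredType -eq "None") { return "Desktop" }
    return $PreferredType
}

# Scenario 1: hp01, preferred type not relevant. Tim: desktop group only;
# Gabriella: RemoteApp group only.
$scenario1 = @(
    (Get-VisibleResourceType -PreferredType None -HasDesktopGroup $true  -HasRemoteAppGroup $false),  # Tim: Desktop
    (Get-VisibleResourceType -PreferredType None -HasDesktopGroup $false -HasRemoteAppGroup $true)    # Gabriella: RemoteApp
)

# Scenario 2: hp01 preferred type Desktop; Gabriella is in both groups.
$scenario2 = Get-VisibleResourceType -PreferredType Desktop -HasDesktopGroup $true -HasRemoteAppGroup $true  # Desktop

# Scenario 3: the two application groups sit on different host pools, so each
# pool is evaluated on its own and both resource types are shown.
$scenario3 = @(
    (Get-VisibleResourceType -PreferredType Desktop   -HasDesktopGroup $true  -HasRemoteAppGroup $false), # hp01: Desktop
    (Get-VisibleResourceType -PreferredType RemoteApp -HasDesktopGroup $false -HasRemoteAppGroup $true)   # hp02: RemoteApp
)

"Scenario 1: $($scenario1 -join ', ')"
"Scenario 2: $scenario2"
"Scenario 3: $($scenario3 -join ', ')"
```

The function is a model of the documented behaviour for reasoning about assignments before you make them; the authoritative result is always what Windows App or the Remote Desktop app shows to the signed-in user.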
Next step
To learn how to set the preferred application group type, see Set the preferred
application group type for a pooled host pool in Azure Virtual Desktop.
Set the preferred application group type for a pooled host pool in Azure Virtual Desktop
Article • 06/11/2024
Desktop: users access the full Windows desktop from a session host. Available with
pooled or personal host pools.
RemoteApp: users access individual applications you select and publish to the
application group. Available with pooled host pools only.
To help prevent users from connecting to a desktop and RemoteApp application at the
same time from application groups assigned to the same host pool, pooled host pools
have the setting Preferred application group type. This setting determines whether
users have access to the full desktop or RemoteApp applications from this host pool in
Windows App or the Remote Desktop app, should they be assigned to an application
group of each type to the same host pool.
For more information about the behavior of the preferred application group type setting
and why it's necessary, see Preferred application group type behavior for pooled host
pools in Azure Virtual Desktop.
This article shows you how to set the preferred application group type for a pooled host
pool using the Azure portal, Azure PowerShell, or Azure CLI.
Prerequisites
Before you can set the preferred application group type for a pooled host pool, you
need:
An existing pooled host pool.
An Azure account you can use that has the Desktop Virtualization Host Pool
Contributor role-based access control (RBAC) role assigned.
If you want to use Azure PowerShell or Azure CLI locally, see Use Azure PowerShell
and Azure CLI with Azure Virtual Desktop to make sure you have the
Az.DesktopVirtualization PowerShell module or the desktopvirtualization Azure CLI
extension installed. Alternatively, use the Azure Cloud Shell.
Portal
Here's how to set the preferred application group type for a host pool using the
Azure portal:
2. In the search bar, enter Azure Virtual Desktop and select the matching service
entry.
3. Select Host pools, then select the name of the pooled host pool you want to
configure.
4. Select Properties.
5. For Preferred app group type, select either Desktop or RemoteApp from the
drop-down list.
6. Select Save.
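The same change made with Azure PowerShell, as an added example that is not part of the original article. It refuses to run against a personal host pool, sets the preferred type, reads it back rather than trusting the update call, and lists the application groups assigned to the pool so that a pool carrying both types is visible at a glance. The resource group and host pool names are placeholders (assumptions).

```powershell
# Added example (not from the original article). Sets and verifies the preferred
# application group type of a pooled host pool with Az.DesktopVirtualization.
# <resource-group-name> and <host-pool-name> are placeholders.

$resourceGroupName = "<resource-group-name>"
$hostPoolName      = "<host-pool-name>"
# The module uses the API names: Desktop, or RailApplications for RemoteApp.
$preferredType     = "Desktop"

# The setting exists for pooled host pools only; stop early on a personal pool.
$hostPool = Get-AzWvdHostPool -ResourceGroupName $resourceGroupName -Name $hostPoolName
if ($hostPool.HostPoolType -ne "Pooled") {
    throw "Host pool $hostPoolName is $($hostPool.HostPoolType); the setting applies to pooled host pools only."
}
"Before: preferred application group type = $($hostPool.PreferredAppGroupType)"

Update-AzWvdHostPool -ResourceGroupName $resourceGroupName -Name $hostPoolName `
    -PreferredAppGroupType $preferredType | Out-Null

# Read back the stored value instead of assuming the update took effect.
$hostPool = Get-AzWvdHostPool -ResourceGroupName $resourceGroupName -Name $hostPoolName
"After:  preferred application group type = $($hostPool.PreferredAppGroupType)"

# Application groups on this pool: with both types present, the preferred type
# is what decides which resources a user assigned to both will see.
Get-AzWvdApplicationGroup -ResourceGroupName $resourceGroupName |
    Where-Object { $_.HostPoolArmPath -eq $hostPool.Id } |
    Select-Object Name, ApplicationGroupType
```

Run this with an account that holds the Desktop Virtualization Host Pool Contributor role from the prerequisites; the read-back and the application group listing need no more than that.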
Related content
Learn about the Preferred application group type behavior for pooled host pools in
Azure Virtual Desktop
There are two features in Azure Virtual Desktop that enable you to dynamically attach
applications from an application package to a user session in Azure Virtual Desktop -
app attach and MSIX app attach. With both app attach and MSIX app attach, applications
aren't installed locally on session hosts or images, making it easier to create custom
images for your session hosts, and reducing operational overhead and costs for your
organization. Applications run within containers, which separate user data, the operating
system, and other applications, increasing security and making them easier to
troubleshoot.
The following table compares MSIX app attach with app attach:
| MSIX app attach | App attach |
|---|---|
| Applications might only run on one host pool. If you want it to run on another host pool, you must create another package. | The same application package can be used across multiple host pools. |
| Applications can only run on the host pool in which they're added. | Applications can run on any session host running a Windows client operating system in the same Azure region as the application package. |
| To update the application, you must delete and recreate the application with another version of the package. You should update the application in a maintenance window. | Applications can be upgraded to a new application version with a new disk image without the need for a maintenance window. |
| Users can't run two versions of the same application on the same session host. | Users can run two versions of the same application concurrently on the same session host. |
| Telemetry for usage and health is not available through Azure Log Analytics. | Telemetry for usage and health is available through Azure Log Analytics. |
You can use the following application package types and file formats:
MSIX and Appx are Windows application package formats that provide a modern
packaging experience to Windows applications. Applications run within containers,
which separate user data, the operating system, and other applications, increasing
security and making them easier to troubleshoot. MSIX and Appx are similar, where the
main difference is that MSIX is a superset of Appx. MSIX supports all the features of
Appx, plus other features that make it more suitable for enterprise use.
Tip
Select a button at the top of this article to choose between app attach and MSIX
app attach to see the relevant documentation.
You can get MSIX packages from software vendors, or you can create an MSIX package
from an existing installer. To learn more about MSIX, see What is MSIX?
The application must be assigned to the host pool. Assigning the application to
the host pool enables you to be selective about which host pools the application is
available on to ensure that the right hardware resources are available for use by
the application. For example, if an application is graphics-intensive, you can ensure
it only runs on a host pool with GPU-optimized session hosts.
The user must be able to sign in to session hosts in the host pool, so they must be
in a Desktop or RemoteApp application group. For a RemoteApp application
group, the app attach application must be added to the application group, but you
don't need to add the application to a desktop application group.
The application must be assigned to the user. You can use a group or a user
account.
If all of these requirements are met, the user gets the application. This process provides
control over who gets an application on which host pool and also how it's possible for
users within a single host pool or even signed in to the same multi-session session host
to get different application combinations. Users who don’t meet the requirements don't
get the application.
Application images
Before you can use MSIX application packages with Azure Virtual Desktop, you need to
create an MSIX image from your existing application packages. Alternatively, you can
use an App-V package instead. You then need to store each MSIX image or App-V
package on a file share that's accessible by your session hosts. For more information on
the requirements for a file share, see File share.
A CimFS image is a combination of several files: one file has the .cim file extension and
contains metadata, together with at least two other files, one starting with objectid_
and the other starting with region_ that contain the actual application data. The files
accompanying the .cim file don't have a file extension. The following table is a list of
example files you'd find for a CimFS image:
| File name | Size |
|---|---|
| MyApp.cim | 1 KB |
| objectid_b5742e0b-1b98-40b3-94a6-9cb96f497e56_0 | 27 KB |
| objectid_b5742e0b-1b98-40b3-94a6-9cb96f497e56_1 | 20 KB |
| objectid_b5742e0b-1b98-40b3-94a6-9cb96f497e56_2 | 42 KB |
| region_b5742e0b-1b98-40b3-94a6-9cb96f497e56_0 | 428 KB |
| region_b5742e0b-1b98-40b3-94a6-9cb96f497e56_1 | 217 KB |
| region_b5742e0b-1b98-40b3-94a6-9cb96f497e56_2 | 264,132 KB |
The following table is a performance comparison between VHDX and CimFS. These
numbers were the result of a test run with 500 files of 300 MB each per format and the
tests were performed on a DSv4 Azure virtual machine.
Application registration
App attach mounts disk images or App-V packages containing your applications from a
file share to a user's session during sign-in, then a registration process makes the
applications available to the user. There are two types of registration:
MSIX app attach mounts disk images containing your applications from a file share to a
user's session during sign-in, then a registration process makes the applications
available to the user. There are two types of registration:
On-demand: applications are only partially registered at sign-in and the full
registration of an application is postponed until the user starts the application. On-
demand is the registration type we recommend you use as it doesn't affect the
time it takes to sign in to Azure Virtual Desktop. On-demand is the default
registration method.
Important
All MSIX and Appx application packages include a certificate. You're responsible for
making sure the certificates are trusted in your environment. Self-signed certificates
are supported with the appropriate chain of trust.
App attach doesn't limit the number of applications users can use. You should consider
your available network throughput and the number of open handles per file (each
image) your file share supports, as it might limit the number of users or applications you
can support. For more information, see File share.
Application state
Application packages are set as active or inactive. Packages set to active make the
application available to users. Packages set to inactive are ignored by Azure Virtual
Desktop and not added when a user signs in.
Side by side: create a new application using the new disk image and assign it to
the same host pools and users as the existing application.
In-place: create a new image where the version number of the application
changes, then update the existing application to use the new image. The version
number can be higher or lower, but you can't update an application with the same
version number. Don't delete the existing image until all users are finished using it.
Once updated, users will get the updated application version the next time they sign in.
Users don't need to stop using the previous version to add a new version.
Identity providers
Here are the identity providers you can use with app attach:
File share
App attach requires that your application images are stored on an SMB file share, which
is then mounted on each session host during sign-in. App attach doesn't have
dependencies on the type of storage fabric the file share uses. We recommend using
Azure Files as it's compatible with Microsoft Entra ID or Active Directory Domain
Services, and offers great value between cost and management overhead.
You can also use Azure NetApp Files, but that requires your session hosts to be joined to
Active Directory Domain Services.
The following sections provide some guidance on the permissions, performance, and
availability required for the file share.
Permissions
Each session host mounts application images from the file share. You need to configure
NTFS and share permissions to allow each session host computer object read access to
the files and file share. How you configure the correct permission depends on which
storage provider and identity provider you're using for your file share and session hosts.
To use Azure Files when your session hosts are joined to Microsoft Entra ID, you need
to assign the Reader and Data Access Azure role-based access control (RBAC) role
to both the Azure Virtual Desktop and Azure Virtual Desktop ARM Provider
service principals. This RBAC role assignment allows your session hosts to access
the storage account using access keys or Microsoft Entra.
To learn how to assign an Azure RBAC role to the Azure Virtual Desktop service
principals, see Assign RBAC roles to the Azure Virtual Desktop service principals. In
a future update, you won't need to assign the Azure Virtual Desktop ARM
Provider service principal.
For more information about using Azure Files with session hosts that are joined to
Microsoft Entra ID, Active Directory Domain Services, or Microsoft Entra Domain
Services, see Overview of Azure Files identity-based authentication options for
SMB access.
Warning
Assigning the Azure Virtual Desktop ARM Provider service principal to the
storage account grants the Azure Virtual Desktop service access to all data inside the
storage account. We recommend you only store apps to use with app
attach in this storage account and rotate the access keys regularly.
For Azure Files with Active Directory Domain Services, you need to assign the
Storage File Data SMB Share Reader Azure role-based access control (RBAC) role as
the default share-level permission, and configure NTFS permissions to give read
access to each session host's computer object.
For more information about using Azure Files with session hosts that are joined to
Microsoft Entra ID, Active Directory Domain Services, or Microsoft Entra Domain
Services, see Overview of Azure Files identity-based authentication options for
SMB access.
For Azure NetApp Files, you can create an SMB volume and configure NTFS
permissions to give read access to each session host's computer object. Your
session hosts need to be joined to Active Directory Domain Services or Microsoft
Entra Domain Services.
You can verify the permissions are correct by using PsExec. For more information, see
Check file share access.
Performance
Requirements can vary greatly depending on how many packaged applications are stored
in an image, and you need to test your applications to understand your requirements.
For larger images, you need to allocate more bandwidth. The following table gives an
example of what a single 1 GB image or App-V package containing one
application requires per session host:
| Resource | Requirements |
|---|---|
| Latency | 400 ms |
Your file share should be in the same Azure region as your session hosts. If you're
using Azure Files, your storage account needs to be in the same Azure region as
your session hosts.
Exclude the disk images containing your applications from antivirus scans as
they're read-only.
Ensure your storage and network fabric can provide adequate performance. You
should avoid using the same file share with FSLogix profile containers.
Availability
Any disaster recovery plans for Azure Virtual Desktop must include replicating the file
share to your secondary failover location. You also need to ensure your file share path is
accessible in the secondary location. For example, you can use Distributed File System
(DFS) Namespaces with Azure Files to provide a single share name across different file
shares. To learn more about disaster recovery for Azure Virtual Desktop, see Set up a
business continuity and disaster recovery plan.
Azure Files
Azure Files has limits on the number of open handles per root directory, directory, and
file. When using app attach or MSIX app attach, VHDX or CimFS disk images are
mounted using the computer account of the session host, meaning one handle is
opened per session host per disk image, rather than per user. For more information on
the limits and sizing guidance, see Azure Files scalability and performance targets and
Azure Files sizing guidance for Azure Virtual Desktop.
Once you've obtained a certificate, you need to digitally sign your MSIX or Appx
packages with the certificate. You can use the MSIX Packaging Tool to sign your
packages when you create an MSIX package. For more information, see Create an MSIX
package from any desktop installer.
To ensure the certificate is trusted on your session hosts, you need your session hosts to
trust the whole certificate chain. How you do this depends on where you got the
certificate from and how you manage your session hosts and the identity provider you
use. The following table provides some guidance on how to ensure the certificate is
trusted on your session hosts:
Public CA: certificates from a public CA are trusted by default in Windows and
Windows Server.
For session hosts joined to Microsoft Entra ID, you can use Microsoft Intune to
distribute the root and intermediate certificates to session hosts. For more
information, see Trusted root certificate profiles for Microsoft Intune.
For session hosts using Microsoft Entra hybrid join, you can use either of the
previous methods, depending on your requirements.
Self-signed: install the trusted root to the Trusted Root Certification Authorities
store on each session host. We don't recommend distributing this certificate using
Group Policy or Intune as it should only be used for testing.
Important
You should timestamp your package so that its validity can outlast your certificate's
expiration date. Otherwise, once the certificate has expired, you need to update the
package with a new valid certificate and once again ensure it's trusted on your
session hosts.
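An added example, not code from this article or the Azure Virtual Desktop documentation, that checks a package the way a session host will judge it: signature status, whether the signing chain builds against the local Trusted Root and Intermediate CA stores, whether the signature is timestamped, and whether the manifest Publisher matches the signer subject. It assumes Get-AuthenticodeSignature can read .msix/.appx files on Windows 10/11, the function name Test-MsixPackageTrust is hypothetical, and the package path is a placeholder to replace with your own.

```powershell
function Test-MsixPackageTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $PackagePath
    )

    # .NET calls below need an absolute file-system path, not a PowerShell-relative one
    $fullPath = (Resolve-Path -LiteralPath $PackagePath).ProviderPath

    $result = [ordered]@{
        Package           = $fullPath
        SignatureStatus   = $null
        Signer            = $null
        NotAfter          = $null
        ChainTrusted      = $false
        ChainStatus       = @()
        TimeStamped       = $false
        ManifestPublisher = $null
        PublisherMatches  = $false
    }

    # Authenticode signature of the package container (assumption: works for .msix/.appx)
    $sig = Get-AuthenticodeSignature -FilePath $fullPath
    $result.SignatureStatus = $sig.Status.ToString()

    if ($null -ne $sig.SignerCertificate) {
        $result.Signer   = $sig.SignerCertificate.Subject
        $result.NotAfter = $sig.SignerCertificate.NotAfter

        # Build the chain against this machine's Trusted Root / Intermediate CA stores with
        # online revocation checking; an untrusted or self-signed root shows up in ChainStatus.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $result.ChainTrusted = $chain.Build($sig.SignerCertificate)
        $result.ChainStatus  = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        $chain.Reset()
    }

    # A timestamp counter-signature is what lets the package stay valid after the signing
    # certificate expires.
    $result.TimeStamped = ($null -ne $sig.TimeStamperCertificate)

    # MSIX/Appx is a ZIP container; AppxManifest.xml at its root holds the Identity element,
    # whose Publisher attribute must exactly match the signer's subject string.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($fullPath)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if ($null -ne $entry) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
            $result.ManifestPublisher = $manifest.Package.Identity.Publisher
            $result.PublisherMatches  = ($result.ManifestPublisher -ceq $result.Signer)
        }
    }
    finally {
        $zip.Dispose()
    }

    [pscustomobject]$result
}

# Usage (placeholder path, replace with your own package). Anything other than
# SignatureStatus=Valid, ChainTrusted=True, TimeStamped=True and PublisherMatches=True
# needs attention before the package reaches session hosts.
Test-MsixPackageTrust -PackagePath 'C:\Packages\MyApp.msix' | Format-List
```

Run it on a session host (or a machine with the same certificate stores) rather than on the packaging workstation, since chain trust is evaluated against the local stores.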
Next steps
Learn how to Add and manage app attach applications in Azure Virtual Desktop.
To use MSIX packages with app attach and MSIX app attach in Azure Virtual Desktop,
you need to expand an MSIX package application into an MSIX image. This article shows
you how to create an MSIX image.
Prerequisites
Before you can create an MSIX image, you need the following things:
An MSIX-packaged application ( .msix file) you want to use with Azure Virtual
Desktop. To learn how to convert a desktop installer to an MSIX package, see
Create an MSIX package from any desktop installer (MSI, EXE, ClickOnce, or App-
V).
Note
If you're using packages from the Microsoft Store for Business or Education
on your network or on devices not connected to the internet, you'll need to
download and install package licenses from the Microsoft Store to run the
apps. To get the licenses, see Use packages offline.
CIM
Here are example commands to create a CIM disk image from an MSIX package.
You'll need to change the example values for your own.
You should create a new folder for the destination because a CIM disk image is
made up of multiple files and this helps differentiate between the images.
Important
To guarantee compatibility, make sure the CIM files storing your MSIX images
are generated on a version of Windows that is lower than or equal to the
version of Windows where you are planning to run the MSIX packages. For
example, CIM files generated on Windows 11 may not work on Windows 10.
2. Make sure the folder you use for the destination exists before you run
MSIXMGR. Create a new folder if necessary.
Tip
A new version of app attach for Azure Virtual Desktop is available. Select a button
at the top of this article to choose between app attach and MSIX app attach to see
the relevant documentation.
App attach enables you to dynamically attach applications from an application package
to a user session in Azure Virtual Desktop. Applications aren't installed locally on session
hosts or images, enabling you to create fewer custom images for your session hosts,
and reducing operational overhead and costs for your organization. Delivering
applications with app attach also gives you greater control over which applications your
users can access in a remote session.
This article shows you how to add and manage applications with app attach in Azure
Virtual Desktop using the Azure portal and Azure PowerShell. You can't add or manage
app attach applications using Azure CLI. Before you start, make sure you read the
overview for app attach and MSIX app attach in Azure Virtual Desktop.
Important
You have to choose whether you want to use app attach or MSIX app attach with a
host pool. You can't use both versions with the same host pool.
Prerequisites
In order to use app attach in Azure Virtual Desktop, you need the following things:
An existing host pool with session hosts, an application group, and a workspace.
Your session hosts need to run a supported Windows client operating system and
at least one of them must be powered on. Windows Server isn't supported.
Your session hosts need to be joined to Microsoft Entra ID or an Active Directory
Domain Services (AD DS) domain.
An SMB file share in the same Azure region as your session hosts. All session hosts
in the host pool must have read access with their computer account. This file share
is used to store your application images. For more information on the
requirements for the file share, see File share.
To use Azure Files when your session hosts are joined to Microsoft Entra ID, you need
to assign the Reader and Data Access Azure role-based access control (RBAC) role
to both the Azure Virtual Desktop and Azure Virtual Desktop ARM Provider
service principals. This RBAC role assignment allows your session hosts to access
the storage account using access keys or Microsoft Entra.
To learn how to assign an Azure RBAC role to the Azure Virtual Desktop service
principals, see Assign RBAC roles to the Azure Virtual Desktop service principals. In
a future update, you won't need to assign the Azure Virtual Desktop ARM
Provider service principal.
An MSIX or Appx disk image that you created from an application package or an
App-V package stored on the file share. For more information, see Create an
image, where you can also download a prebuilt MSIX package for testing. If using
App-V, see Creating and managing App-V virtualized applications.
To add MSIX images, you need the Desktop Virtualization Contributor Azure role-
based access control (RBAC) role assigned on the resource group as a minimum. To
assign users to the application group, you also need
Microsoft.Authorization/roleAssignments/write permissions on the application
group. Built-in RBAC roles that include this permission are User Access
Administrator and Owner.
If you want to use Azure PowerShell locally, see Use Azure PowerShell with Azure
Virtual Desktop to make sure you have the Az.DesktopVirtualization and Microsoft
Graph PowerShell modules installed. Alternatively, use the Azure Cloud Shell.
Important
You have to choose whether you want to use app attach or MSIX app attach
with a host pool. You can't use both versions with the same package in the
same host pool.
Add an application
To add an application in an MSIX image, Appx image, or App-V package to Azure Virtual
Desktop as an app attach package, select the relevant tab for your scenario and follow
the steps.
Portal
Here's how to add an MSIX image, Appx image, or App-V package as an app attach
package using the Azure portal:
2. In the search bar, type Azure Virtual Desktop and select the matching service
entry to go to the Azure Virtual Desktop overview.
| Parameter | Description |
|---|---|
| Subscription | Select the subscription you want to add an MSIX image, Appx image, or App-V package to from the drop-down list. |
| Resource group | Select an existing resource group or select Create new and enter a name. |
| Host pool | Select an existing host pool from the drop-down list. |
| Location | Select the Azure region for your app attach package. |
| Image path | Select from Select from storage account if your image is stored in Azure Files or Input UNC to specify a UNC path. Subsequent fields depend on which option you select. |
| Select from storage account | |
| File share | Select Select a file, then browse to the file share and directory your image is in. Check the box next to the image you want to add, for example MyApp.cim, then select Select. |
| MSIX package | Select the MSIX or Appx package from the image. |
| Input UNC | |
| MSIX package | Select the MSIX or Appx package from the image. |
| Either option | |
| Health check status on failure | Select the status for the package if it fails to stage on a session host. This status is reported for AppAttachHealthCheck for the session host health check status. |
Tip
Once you've completed this tab, you can continue to optionally assign
the application to host pools, users and groups. Alternatively, if you want
to configure assignments separately, select Review + create, then go to
Assign an app attach package.
b. Select Add users or user groups, then search for and select the users or
groups you want to assign the application to. Once you have finished,
select Select.
7. Optional: On the Tags tab, you can enter any name/value pairs you need, then
select Review + create.
8. On the Review + create tab, ensure validation passes and review the
information that is used during deployment, then select Create to add the
application.
Portal
Here's how to assign an application package to host pools, users and groups using
the Azure portal:
Host pools
1. From the Azure Virtual Desktop overview, select App attach, then select the
name of the app attach package you want to assign.
4. Select Add.
1. From the Azure Virtual Desktop overview, select App attach, then select the
name of the app attach package you want to assign.
3. Select + Add, then select one or more groups and/or users from the list.
4. Select Select.
Note
Adding a package, setting it to active, and assigning it to a host pool and users
automatically makes the application available in a desktop session. If you want to
use RemoteApp, you'll need to add the application to a RemoteApp application
group. For more information, see Publish an MSIX or Appx application with a
RemoteApp application group. You can't add MSIX or Appx applications to the
desktop application group with app attach.
Portal
Here's how to change a package's registration type and state using the Azure
portal:
1. From the Azure Virtual Desktop overview, select App attach. You should see a
list of all existing packages within the host pool.
Portal
Here's how to add an application from the package you added in this article to a
RemoteApp application group using the Azure portal:
1. From the Azure Virtual Desktop overview, select Application groups, then
select the RemoteApp application group you want to add an application to.
2. Select Applications, select + Add. Make sure you have at least one session
host powered on in the host pool the application group is assigned to.
| Parameter | Value/Description |
|---|---|
| Application source | Select App Attach from the drop-down list. If you want to add applications from the Start menu or by specifying a file path, see Publish applications with RemoteApp. |
| Package | Select a package available for the host pool from the drop-down list. Regional packages are from app attach. |
| Display name | Enter a friendly name for the application that is shown to users. |
4. On the Icon tab, select Default to use the default icon for the application, or
select File path to use a custom icon. For File path, select one of the following
options:
Browse Azure Files to use an icon from an Azure file share. Select Select
a storage account and select the storage account containing your icon
file, then select Select icon file. Browse to the file share and directory
your icon is in, check the box next to the icon you want to add, for
example MyApp.ico , then select Select. You can also use a .png file. For
Icon index, specify the index number for the icon you want to use. This
number is usually 0.
UNC file path to use an icon from a file share. For Icon path, enter the
UNC path to your icon file, for example \\MyFileShare\MyApp.ico . You
can also use a .png file. For Icon index, specify the index number for the
icon you want to use. This number is usually 0.
5. On the Review + add tab, ensure validation passes and review the information
that is used to add the application, then select Add to add the application to
the RemoteApp application group.
To update an existing package in-place, select the relevant tab for your scenario and
follow the steps.
Portal
2. Select the package you want to update, then from the overview, select
Update.
a. Subscription and Resource group are prepopulated with the values for the
current package.
b. Select the Host pool for which you want to update the package.
c. Select the image path from Select from storage account or Input UNC.
Subsequent fields depend on which option you select.
i. For Select from storage account, select the Storage account containing
the updated image. Select Select a file, then browse to the file share and
directory your image is in. Check the box next to the image you want to
add, for example MyApp.cim , then select Select.
ii. For Input UNC, enter the UNC path to your image file.
d. For MSIX package, select the MSIX or Appx package from the image.
Portal
Here's how to remove an app attach package using the Azure portal:
1. From the Azure Virtual Desktop overview, select App attach. You should see a
list of all existing packages.
2. Check the box next to the name of the package you want to remove, then
select Remove. The package is also removed from any host pools it's assigned
to.
Key: HKLM\Software\Policies\Microsoft\WindowsStore
Type: DWORD
Name: AutoDownload
Value: 2
Description: Disables Microsoft Store automatic update.
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
Type: DWORD
Name: PreInstalledAppsEnabled
Value: 0
Description: Disables content delivery automatic download.
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug
Type: DWORD
Name: ContentDeliveryAllowedOverride
Value: 2
Description: Disables content delivery automatic download.
You can set these registry values using Group Policy or Intune, depending on how your
session hosts are managed. You can also set them by running the following PowerShell
commands as an administrator on each session host, but if you do this, you should also
set them in your operating system image:
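The following PowerShell is added here as an example (it is not the article's own command listing): it applies the three registry values described above and reads them back so you can confirm they took effect. The function names are hypothetical, and it assumes you run it elevated on a session host or during the image build.

```powershell
# The three values from the table above, expressed as registry-provider paths.
$StoreAutoUpdateSettings = @(
    @{ Path = 'HKLM:\Software\Policies\Microsoft\WindowsStore'
       Name = 'AutoDownload'; Value = 2
       Description = 'Disables Microsoft Store automatic update' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager'
       Name = 'PreInstalledAppsEnabled'; Value = 0
       Description = 'Disables content delivery automatic download' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Debug'
       Name = 'ContentDeliveryAllowedOverride'; Value = 2
       Description = 'Disables content delivery automatic download' }
)

function Set-StoreAutoUpdateSettings {
    # Hypothetical helper: creates any missing key and writes each value as REG_DWORD.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([hashtable[]] $Settings = $StoreAutoUpdateSettings)

    foreach ($s in $Settings) {
        if (-not (Test-Path -LiteralPath $s.Path)) {
            New-Item -Path $s.Path -Force | Out-Null
        }
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set DWORD to $($s.Value)")) {
            Set-ItemProperty -LiteralPath $s.Path -Name $s.Name -Value $s.Value -Type DWord
        }
    }
}

function Test-StoreAutoUpdateSettings {
    # Hypothetical helper: reports the current value of each setting and whether it matches.
    param([hashtable[]] $Settings = $StoreAutoUpdateSettings)

    foreach ($s in $Settings) {
        $actual = $null
        if (Test-Path -LiteralPath $s.Path) {
            $actual = (Get-ItemProperty -LiteralPath $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        [pscustomobject]@{
            Key       = $s.Path
            Name      = $s.Name
            Expected  = $s.Value
            Actual    = $actual
            Compliant = ($actual -eq $s.Value)
        }
    }
}

Set-StoreAutoUpdateSettings
Test-StoreAutoUpdateSettings | Format-Table -AutoSize
```

The HKCU value is written only for the user running the script; for other users it has to reach them through Group Policy, Intune, or the default user profile in the image.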
Next steps
Learn how to publish applications from the start menu or a file path with RemoteApp.
For more information, see Publish applications.
This article shows you how to mount MSIX packages outside of Azure Virtual Desktop to
help test your packages for app attach. The APIs that power app attach are available for
Windows 11 Enterprise and Windows 10 Enterprise. These APIs can be used outside of
Azure Virtual Desktop for testing, however there's no management plane for app attach
or MSIX app attach outside of Azure Virtual Desktop.
For more information about app attach and MSIX app attach, see app attach and MSIX
app attach in Azure Virtual Desktop.
Prerequisites
Before you can test a package to follow the directions in this article, you need the
following things:
An application you expanded from MSIX format into an image you can use with
app attach. Learn how to Create an MSIX image to use with app attach in Azure
Virtual Desktop.
If you're using a CimFS image, you need to install the CimDiskImage PowerShell
module.
A user account that has local administrator permission on the device you're using
to test the MSIX package.
You don't need an Azure Virtual Desktop deployment because this article describes a
process for testing outside of Azure Virtual Desktop.
Phases
To use MSIX packages outside of Azure Virtual Desktop, there are four distinct phases
that you must perform in the following order:
1. Stage
2. Register
3. Deregister
4. Destage
Staging and destaging are machine-level operations, while registering and deregistering
are user-level operations. The commands you need to use vary based on which version
of PowerShell you're using and whether your disk images are in CimFS, VHDX or VHD
format.
Note
All MSIX packages include a certificate. You're responsible for making sure the
certificates for MSIX packages are trusted in your environment.
Select the relevant tab for the version of PowerShell you're using.
To stage packages using PowerShell 6 or later, you need to run the following
commands before the staging operations to bring the capabilities of the Windows
Runtime package to PowerShell.
2. Run the following command to download and install the Windows Runtime
Package. You only need to run the following commands once per machine.
CimFS
PowerShell
# We can now get the Device Id for the mounted volume; this will be useful for the destage step.
$deviceId = $mount.DeviceId
Write-Output $deviceId
2. Keep the variable $deviceId . You need this information later in this article.
1. In the same PowerShell session, retrieve the application information by running the
following commands:
2. Get the MSIX package full name and store it in a variable by running the following
commands. This variable is needed for later steps.
PowerShell
$msixPackageFullName = $manifestFolder.Split('\')[-1]
Write-Output $msixPackageFullName
3. Create an absolute URI for the manifest folder for the Package Manager API by
running the following commands:
PowerShell
# Convert the \\?\ device path of the manifest folder into a file: URI the Package Manager API accepts
$folderUri = $manifestFolder.Replace('\\?\','file:\\\')
$folderAbsoluteUri = ([Uri]$folderUri).AbsoluteUri
4. Use the absolute URI to stage the application package by running the following
commands:
PowerShell
# Locate the AsTask extension method so the WinRT async operation can be awaited from PowerShell
$asTask = ([System.WindowsRuntimeSystemExtensions].GetMethods() | Where-Object { $_.ToString() -eq 'System.Threading.Tasks.Task`1[TResult] AsTask[TResult,TProgress](Windows.Foundation.IAsyncOperationWithProgress`2[TResult,TProgress])' })[0]
$asTaskAsyncOperation = $asTask.MakeGenericMethod([Windows.Management.Deployment.DeploymentResult], [Windows.Management.Deployment.DeploymentProgress])
# Stage the package in place from the mounted image (no copy to the local package store)
$asyncOperation = $packageManager.StagePackageAsync($folderAbsoluteUri, $null, "StageInPlace")
5. Monitor the staging progress for the application package by running the following
commands. The time it takes to stage the package depends on its size. The Status
property of the $stagingResult variable will be RanToCompletion when the staging
is complete.
PowerShell
$stagingResult = $asTaskAsyncOperation.Invoke($null, @($asyncOperation))
Write-Output $stagingResult
Once your MSIX package is staged, you can register your MSIX package.
Now that your MSIX package is registered, your application should be available for use
in your session. You can now open the application for testing and troubleshooting. Once
you're finished, you need to deregister and destage your MSIX package.
Deregister an MSIX package
Once you're finished with your MSIX package and are ready to remove it, first you need
to deregister it. To deregister the MSIX package, run the following commands in the
same PowerShell session. These commands get the disk's DeviceId parameter again,
and remove the package using the $msixPackageFullName variable created in a previous
section.
CimFS
To dismount a CimFS disk image, run the following commands in the same
PowerShell session:
PowerShell
Dismount-CimDiskImage -DeviceId $deviceId
Once you've finished dismounting your disks, you've safely removed your MSIX package.
Note
You can use task scheduler to run the stage script. To run the script, set the task
trigger to When the computer starts and enable Run with highest privileges.
To install the license files, you need to use a PowerShell script that calls the
MDM_EnterpriseModernAppManagement_StoreLicenses02_01 class in the WMI Bridge
Provider.
1. Download the app package, license, and required frameworks from the Microsoft
Store for Business. You need both the encoded and unencoded license files. To
learn how to download an offline-licensed app, see Distribute offline apps.
2. Run the following PowerShell commands as an administrator. You install the
license at the end of the staging phase. You need to edit the following variables:
$contentID is the ContentID value from the unencoded license file ( .xml ).
You can open the license file in a text editor of your choice.
$licenseBlob is the entire string for the license blob in the Encoded license
file ( .bin ). You can open the encoded license file in a text editor of your
choice.
PowerShell
# Values you must edit before running (see the variable descriptions above)
$contentID = "<ContentID from the unencoded license .xml file>"
$licenseBlob = "<entire license blob string from the encoded license .bin file>"

# WMI Bridge Provider namespace and the class that installs Store licenses
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_EnterpriseModernAppManagement_StoreLicenses02_01"
$methodName = "AddLicenseMethod"
$parentID = "./Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses"

$session = New-CimSession
$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection
# The license blob is passed as the single "param" input argument of AddLicenseMethod
$param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create("param", $licenseBlob, "String", "In")
$params.Add($param)
try
{
    # Create the license instance (keyed by ContentID) and invoke AddLicenseMethod on it
    $instance = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID=$contentID}
    $session.InvokeMethod($namespaceName, $instance, $methodName, $params)
}
catch [Exception]
{
    # Write-Host returns nothing, so piping it into Out-String printed nothing useful
    Write-Host ($_ | Out-String)
}
Demonstration scripts
You can find demonstration scripts for all four stages of testing MSIX packages, and
syntax help for how to use them, in our GitHub repository. These scripts work with any
version of PowerShell and any disk image format.
Next steps
Learn more about app attach and MSIX app attach in Azure Virtual Desktop:
App attach improves the administrative and user experiences over MSIX app attach. If
you use MSIX app attach, you can migrate your MSIX packages to app attach using a
PowerShell script.
Creates a new app attach package object and can delete the original MSIX
package object, if necessary.
Copies permissions from application groups associated with the host pool and MSIX
package.
Copies the location and resource group of the host pool and MSIX package.
Prerequisites
To use the migration script, you need:
A local device with PowerShell. Make sure you have the latest versions of Az
PowerShell and Microsoft Graph PowerShell SDK installed. Specifically, the
following modules are required:
Az.DesktopVirtualization
Az.Accounts
Az.Resources
Microsoft.Graph.Authentication
Parameters
Here are the parameters you can use with the migration script:
MsixPackage: The MSIX package object to migrate to an app attach object. This value can be passed in via pipeline.

PermissionSource: Where to get permissions from for the new app attach object. Defaults to no permissions granted. The options are:
    DAG: the desktop application group associated with the host pool and MSIX package
    RAG: one or more RemoteApp application groups associated with the host pool and MSIX package
  Both options grant permission to all users and groups with any permission that is scoped specifically to the application group.

HostPoolsForNewPackage: Resource IDs of host pools to associate the new app attach object with. Defaults to no host pools. Host pools must be in the same location as the app attach packages they're associated with.

TargetResourceGroupName: Resource group to store the new app attach object in. Defaults to the resource group of the host pool that the MSIX package is associated with.

Location: Azure region to create the new app attach object in. Defaults to the location of the host pool that the MSIX package is associated with. App attach packages have to be in the same location as the host pool they're associated with.

PassThru: Passes the new app attach object through. PassThru returns the object for the created package. Use this value if you want to inspect it or pass it to another PowerShell command.
In the following examples, replace the <placeholder> values with your own values.
PowerShell
$url = "https://raw.githubusercontent.com/Azure/RDS-Templates/master/msix-app-attach/MigrationScript/Migrate-MsixPackagesToAppAttach.ps1"
$filename = $url.Split('/')[-1]
PowerShell
Import-Module Az.DesktopVirtualization
Import-Module Az.Accounts
Import-Module Az.Resources
Import-Module Microsoft.Graph.Authentication
4. Connect to Azure by running the following command and following the prompts
to sign in to your Azure account:
PowerShell
Connect-AzAccount
PowerShell
The following subsections contain some examples of how to use the migration script.
Refer to the parameters section for all the available parameters and a description of
each parameter.
Tip
If you don't pass any parameters to the migration script, it has the following default
behavior:
Migrates the MSIX package to the same resource group and location as the host
pool.
Assigns the MSIX package in app attach to the same host pool and the same users
as the RemoteApp application group source.
Leaves the existing MSIX package configuration in MSIX app attach active on the
host pool. If you want to disable the MSIX package immediately, use the
-DeactivateOrigin parameter.
Sets the new MSIX package configuration in app attach inactive. If you want to
enable the MSIX package immediately, use the -IsActive parameter.
Writes log information to the default file path and format.
1. From the same PowerShell prompt, get a list of MSIX packages added to a host
pool by running the following commands:
PowerShell
$parameters = @{
HostPoolName = '<HostPoolName>'
ResourceGroupName = '<ResourceGroupName>'
}
Output
DisplayName Name
----------- ----
MyApp hp01/MyApp_1.0.0.0_neutral__abcdef123ghij
2. Find the MSIX package you want to migrate and use the value from the Name
parameter in the previous output:
PowerShell
$parameters = @{
HostPoolName = '<HostPoolName>'
ResourceGroupName = '<ResourceGroupName>'
}
PowerShell
$parameters = @{
PermissionSource = 'RAG'
HostPoolsForNewPackage = $hostPoolId
PassThru = $true
}
1. From the same PowerShell prompt, get all MSIX packages added to a host pool
and store them in a variable by running the following commands:
PowerShell
$parameters = @{
HostPoolName = '<HostPoolName>'
ResourceGroupName = '<ResourceGroupName>'
}
PowerShell
$logFilePath = "C:\Temp\MsixToAppAttach.log"
$parameters = @{
IsActive = $true
DeactivateOrigin = $true
PermissionSource = 'DAG'
HostPoolsForNewPackage = $hostPoolId
PassThru = $true
LogInJSON = $true
LogFilePath = $logFilePath
}
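The invocation lines that tie the parameter hashtables above together are not shown on this page. The following added example (not code from the article or from the migration script itself) runs the article's steps end to end from one prompt: download the script, pin it to a hash you recorded from a copy you reviewed, list the MSIX packages on a host pool, pick one by its Name, and migrate it with the new package left inactive until you have verified it. It assumes the script is saved to the current directory, and that `<HostPoolName>`, `<ResourceGroupName>`, `<PackageName>` and the hash placeholder are replaced with your own values.

```powershell
# Added example, not from the article. Full migration flow for one MSIX package.
$url      = "https://raw.githubusercontent.com/Azure/RDS-Templates/master/msix-app-attach/MigrationScript/Migrate-MsixPackagesToAppAttach.ps1"
$filename = $url.Split('/')[-1]

# Download the script, then refuse to run it unless it matches the copy you reviewed.
Invoke-WebRequest -Uri $url -OutFile $filename
$expectedSha256 = "<SHA256 of the reviewed copy of the script>"   # placeholder: record it from a copy you read
$actualSha256   = (Get-FileHash -Path $filename -Algorithm SHA256).Hash
if ($expectedSha256 -like '<*') {
    throw "Set `$expectedSha256 to the SHA256 of a reviewed copy of $filename before running it."
}
if ($actualSha256 -ne $expectedSha256) {
    throw "Downloaded $filename has hash $actualSha256, which does not match the reviewed copy; not running it."
}

Import-Module Az.DesktopVirtualization, Az.Accounts, Az.Resources, Microsoft.Graph.Authentication
Connect-AzAccount

$hostPool = @{
    HostPoolName      = '<HostPoolName>'
    ResourceGroupName = '<ResourceGroupName>'
}

# 1. List the MSIX packages added to the host pool (same columns as the article's output)
Get-AzWvdMsixPackage @hostPool | Format-Table DisplayName, Name

# 2. Select the package to migrate by the Name shown in that output
$msixPackage = Get-AzWvdMsixPackage @hostPool | Where-Object { $_.Name -like '*/<PackageName>' }
if (-not $msixPackage) {
    throw "No MSIX package matching <PackageName> on host pool $($hostPool.HostPoolName)."
}

# The new app attach package must be associated with a host pool in the same location;
# the host pool the MSIX package already belongs to satisfies that by definition.
$hostPoolId = (Get-AzWvdHostPool -Name $hostPool.HostPoolName -ResourceGroupName $hostPool.ResourceGroupName).Id

# 3. Migrate. Without -IsActive / -DeactivateOrigin the original stays active and the
#    new package is created inactive, so users are unaffected until you switch over.
$migration = @{
    PermissionSource       = 'RAG'
    HostPoolsForNewPackage = $hostPoolId
    PassThru               = $true
}
$newPackage = $msixPackage | & ".\$filename" @migration
$newPackage
```

The hash pin is the only step the article does not describe; it is there because the script is fetched from a raw GitHub URL and run with the rights of an Azure administrator, so the file that runs should be the file that was reviewed.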
Several partners provide application delivery solutions to Azure Virtual Desktop via
integration with app attach. This article provides links to those partners where you can
read more about connecting to Azure Virtual Desktop. You can also use our native app
attach solution to dynamically deliver applications to your session hosts.
Next steps
Learn more about Remote Desktop clients at App attach overview.
This article contains the command line parameters and syntax you can use with the
MSIXMGR tool.
Prerequisites
To use the MSIXMGR tool, you need:
-AddPackage
Add the package at specified file path.
or
-RemovePackage
Remove the package with specified package full name.
-RemovePackage <Package name>
or
-x <Package name>
Here's an example of using the -RemovePackage parameter. You can find the package full
name by running the PowerShell cmdlet Get-AppxPackage.
-FindPackage
Find a package with specific package full name.
Here's an example of using the -FindPackage parameter. You can find the package full
name by running the PowerShell cmdlet Get-AppxPackage.
-ApplyACLs
Apply ACLs to a package folder (an unpacked package). You also need to specify the
following required subparameters:
Required parameter and description:
-packagePath: The path to the package to unpack OR the path to a directory containing multiple packages to unpack
-Unpack
Unpack a package in one of the file formats .appx , .msix , .appxbundle , or .msixbundle ,
and extract its contents to a folder. You also need to specify the following required
subparameters:
Required parameter and description:
-fileType: The type of file to unpack packages to. Valid file types include .vhd, .vhdx, .cim. This parameter is only required when unpacking to CIM files.
-packagePath: The path to the package to unpack OR the path to a directory containing multiple packages to unpack.
-rootDirectory: Specifies the root directory on the image to unpack packages to. This parameter is only required when unpacking to new and existing CIM files.
Here are the optional parameters you can use with the -Unpack parameter:
-MountImage
Mount a VHD, VHDX, or CIM image. You also need to specify the following required
subparameters:
Required parameter and description:
-fileType: The type of file to unpack packages to. Valid file types include VHD, VHDX, CIM.
-MountImage -imagePath <Path to the MSIX image> -fileType <VHD | VHDX | CIM>
Here's an example of using the -MountImage parameter:
Here are the optional parameters you can use with the -MountImage parameter:
-UnmountImage
Unmount a VHD, VHDX, or CIM image. You also need to specify the following required
subparameters:
Required parameter and description:
-fileType: The type of file to unpack packages to. Valid file types include VHD, VHDX, CIM.
Optional parameter and description:
-volumeId: The GUID of the volume (specified without curly braces) associated with the image to unmount. This parameter is optional only for CIM files. You can find the volume ID by running the PowerShell cmdlet Get-Volume.
Example:
msixmgr.exe -UnmountImage -volumeId 199a2f93-99a8-11ee-9b0d-4c445b63adac -filetype CIM
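Get-Volume reports a volume's identity as a UniqueId of the form `\\?\Volume{GUID}\`, while -volumeId wants the bare GUID without braces, so a small amount of glue sits between the two. The following is an added example (not from the MSIXMGR article) that extracts the GUID, validates it so that only a well-formed GUID is ever passed on the command line, and builds the -UnmountImage call with -quietUX. The function names are hypothetical, the sample UniqueId is constructed, and msixmgr.exe is assumed to be on the PATH.

```powershell
# Added example, not from the article. Turns a Get-Volume UniqueId into the
# msixmgr.exe -UnmountImage call the article documents.
function Get-VolumeGuidFromUniqueId {
    param([Parameter(Mandatory)] [string] $UniqueId)
    # \\?\Volume{199a2f93-99a8-11ee-9b0d-4c445b63adac}\  ->  199a2f93-99a8-11ee-9b0d-4c445b63adac
    if ($UniqueId -match '\{([0-9a-fA-F-]{36})\}') { return $Matches[1] }
    throw "Not a volume UniqueId: $UniqueId"
}

function Invoke-MsixmgrUnmount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $VolumeId,
        [ValidateSet('VHD', 'VHDX', 'CIM')] [string] $FileType = 'CIM',
        [string] $MsixmgrPath = 'msixmgr.exe'   # assumption: msixmgr.exe is on the PATH
    )
    # Only a parseable GUID reaches the command line; anything else is rejected here.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($VolumeId, [ref]$guid)) { throw "Invalid volume GUID: $VolumeId" }
    $bare = $guid.ToString('D')   # 'D' format has no braces, as -volumeId requires

    # Arguments are passed as an array, not a concatenated string, so no re-parsing happens.
    $arguments = @('-UnmountImage', '-volumeId', $bare, '-fileType', $FileType, '-quietUX')
    if ($PSCmdlet.ShouldProcess("volume $bare", "$MsixmgrPath $($arguments -join ' ')")) {
        & $MsixmgrPath @arguments
        if ($LASTEXITCODE -ne 0) { throw "msixmgr exited with code $LASTEXITCODE" }
    }
}

# Constructed sample, in the shape Get-Volume reports for a mounted CIM image
$sampleUniqueId = '\\?\Volume{199a2f93-99a8-11ee-9b0d-4c445b63adac}\'
$volumeGuid = Get-VolumeGuidFromUniqueId -UniqueId $sampleUniqueId
# Real use: $volumeGuid = Get-VolumeGuidFromUniqueId ((Get-Volume -FileSystemLabel '<label>').UniqueId)
Invoke-MsixmgrUnmount -VolumeId $volumeGuid -FileType CIM -WhatIf   # drop -WhatIf to run
```

With -WhatIf the function prints the exact msixmgr command it would run, which is a convenient way to confirm the GUID came out without braces before touching a production image.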
-quietUX
Suppresses user interaction when running the MSIXMGR tool. This parameter is optional
and can be used with any other parameter.
Here's an example of using the -quietUX parameter with the -AddPackage parameter:
Next steps
To learn more about MSIX app attach, check out these articles:
Microsoft Teams on Azure Virtual Desktop supports chat and collaboration. With media
optimizations, it also supports calling and meeting functionality by redirecting it to the
local device when using Windows App or the Remote Desktop client on a supported
platform. You can still use Microsoft Teams on Azure Virtual Desktop on other platforms
without optimized calling and meetings. Teams chat and collaboration features are
supported on all platforms.
There are two versions of Teams, Classic Teams and New Teams, and you can use either
with Azure Virtual Desktop. New Teams has feature parity with Classic Teams, but
improves performance, reliability, and security.
To redirect calling and meeting functionality to the local device, Azure Virtual Desktop
uses an extra component. This component is either SlimCore or the WebRTC Redirector
Service. The option you use depends on the following:
New Teams can use either SlimCore or the WebRTC Redirector Service. SlimCore is
available in preview and you need to opt in to the preview to use it. If you use
SlimCore, you should also install the WebRTC Redirector Service. This allows a user
to fall back to WebRTC, such as if they roam between different devices that don't
support the new optimization architecture. For more information about SlimCore
and how to opt into the preview, see New VDI solution for Teams.
Tip
If you're using the classic Teams app with Virtual Desktop Infrastructure (VDI)
environments, such as Azure Virtual Desktop, end of support is October 1, 2024
and end of availability is July 1, 2025, after which you'll need to use the new
Microsoft Teams app. For more information, see End of availability for classic
Teams app.
Prerequisites
Before you can use Microsoft Teams on Azure Virtual Desktop, you need:
Prepare your network for Microsoft Teams.
For Windows, you also need to install the latest version of the Microsoft Visual
C++ Redistributable on your client device and session hosts. The C++
Redistributable is required to use media optimization for Teams on Azure Virtual
Desktop.
Install the latest version of Windows App or the Remote Desktop client on
Windows or macOS that meets the hardware requirements for Microsoft Teams.
If you use FSLogix for profile management and want to use the new Microsoft
Teams app, you need to install FSLogix 2210 hotfix 3 (2.9.8716.30241) or later.
Media optimization for Microsoft Teams is only available for the following clients:
Remote Desktop client for Windows or the Azure Virtual Desktop app, version
1.2.1026.0 or later, including ARM64-based devices.
Windows App.
For more information about which features Teams on Azure Virtual Desktop supports
and minimum required client versions, see Supported features for Teams on Azure
Virtual Desktop.
already exist.
IsWVDEnvironment DWORD 1
Alternatively, you can create the registry entry by running the following commands from
an elevated PowerShell session:
PowerShell
3. Open the file that you downloaded to start the setup process.
You can find more information about the latest version of the WebRTC Redirector
Service at What's new in the Remote Desktop WebRTC Redirector Service.
Tip
If you want to use SlimCore, all of its required components come bundled with new
Teams and Windows App or the Remote Desktop client.
Install Teams on session hosts
You can deploy the Teams desktop app per-machine or per-user. For session hosts in a
pooled host pool, you need to install Teams per-machine. To install Teams on your
session hosts, follow the steps in the relevant article:
4. Select Version.
If media optimizations loaded, the banner shows you AVD SlimCore Media
Optimized or AVD Media Optimized. If the banner shows you AVD Media not
connected, quit the Teams app and try again.
If media optimizations loaded, the audio devices and cameras available locally will
be enumerated in the device menu. If the menu shows Remote audio, quit the
Teams app and try again. If the devices still don't appear in the menu, check the
Privacy settings on your local PC. Ensure that under Settings > Privacy > App
permissions - Microphone the setting "Allow apps to access your microphone" is
toggled On. Disconnect from the remote session, then reconnect and check the
audio and video devices again. To join calls and meetings with video, you must
also grant permission for apps to access your camera.
If media optimizations don't load, uninstall then reinstall Teams and check again.
1. On your client device, from the start menu, run Registry Editor as an administrator.
2. Go to HKCU\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\WebRTC
Redirector .
1. On your session host VM, from the start menu, run Registry Editor as an
administrator.
2. Go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\WebRTC
Redirector\Policy .
Note
You must enable the ShareClientDesktop key before you can use this key.
1. On your session host VM, from the start menu, run Registry Editor as an
administrator.
2. Go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\WebRTC
Redirector\Policy .
Note
You must enable the ShareClientDesktop key before you can use this key.
1. On your session host VM, from the start menu, run Registry Editor as an
administrator.
2. Go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\WebRTC
Redirector\Policy .
Enabling device redirections isn't required when using Teams with media optimization. If
you're using Teams without media optimization, set the following RDP properties to
enable microphone and camera redirection:
audiocapturemode:i:1 enables audio capture from the local device and redirects
To learn more, check out Customize Remote Desktop Protocol properties for a host
pool.
Next steps
See Supported features for Teams on Azure Virtual Desktop for more information about
which features Teams on Azure Virtual Desktop supports and minimum required client
versions.
Learn about known issues, limitations, and how to log issues at Troubleshoot Teams on
Azure Virtual Desktop.
Learn about the latest version of the WebRTC Redirector Service at What's new in the
WebRTC Redirector Service for Azure Virtual Desktop.
You can launch Microsoft OneDrive alongside a RemoteApp in Azure Virtual Desktop,
allowing users to access and synchronize their files while using a RemoteApp. When a
user connects to a RemoteApp, OneDrive can automatically launch as a companion to
the RemoteApp.
In the settings for OneDrive, there's the option Start OneDrive when I sign in to
Windows, which ordinarily starts OneDrive when a user signs in. However, this setting
doesn't work with RemoteApp in Azure Virtual Desktop. Instead, you configure OneDrive
to launch by configuring a registry value. You also enable an enhanced shell experience
for RemoteApp sessions, offering support for default file associations, Run/RunOnce
registry keys, and more.
User experience
When a user launches a RemoteApp, OneDrive is also launched and the OneDrive icon is
integrated in the taskbar of their local Windows device. If a user launches another
RemoteApp from the same host pool on the same session host, it uses the same
instance of OneDrive and another doesn't start.
If your session hosts are joined to Microsoft Entra ID, you can silently configure user
accounts so users are automatically signed in to OneDrive and start synchronizing
straight away. Otherwise, users need to sign in to OneDrive on first use.
The icon for the instance of OneDrive accompanying the RemoteApp in the system tray
looks the same as if OneDrive is installed on a local device. You can differentiate the
OneDrive icon from the remote session by hovering over the icon where the tooltip
includes the word Remote.
When a user closes or disconnects from the last RemoteApp they're using on the
session host, OneDrive exits within a few minutes, unless the user has the OneDrive
Action Center window open.
Prerequisites
Before you can use OneDrive with a RemoteApp in Azure Virtual Desktop:
If you're using FSLogix, install the latest version of FSLogix on your session hosts.
For more information, see Install FSLogix applications.
1. Download and install the latest version of the OneDrive sync app per-machine
on your session hosts. For more information, see Install the sync app per-machine.
2. If your session hosts are joined to Microsoft Entra ID, silently configure user
accounts for OneDrive on your session hosts, so users are automatically signed in
to OneDrive.
3. The Group Policy settings are only available in Windows 11, version 22H2 or 23H2
with the 2024-07 Cumulative Update for Windows 11 (KB5040442) or later
installed. You need to copy the administrative template files
C:\Windows\PolicyDefinitions\terminalserver.admx and
C:\Windows\PolicyDefinitions\en-US\terminalserver.adml from a session host to
the same location on your domain controllers or the Group Policy Central Store,
depending on your environment. In the file path for terminalserver.adml replace
en-US with the appropriate language code if you're using a different language.
4. Open the Group Policy Management console on a device you use to manage the
Active Directory domain.
5. Create or edit a policy that targets the computers providing a remote session you
want to configure.
6. Navigate to Computer Configuration > Policies > Administrative Templates >
Windows Components > Remote Desktop Services > Remote Desktop Session
Host > Remote Session Environment.
7. Double-click the policy setting Enable enhanced shell experience for RemoteApp
to open it. Select Enabled, then select OK.
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Type: REG_SZ
Name: OneDrive
Data: "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
You can configure the registry using an enterprise deployment tool such as Intune,
Configuration Manager, or Group Policy. Alternatively, to set this registry value
using PowerShell, open PowerShell as an administrator and run the following
command:
PowerShell
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name OneDrive -PropertyType String -Value '"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background' -Force
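The Run key is a machine-wide auto-start location, so a value written there is worth checking before and after it is set. The following added example (not code from the article) writes the same value the article specifies, but first confirms the target executable exists and carries a valid Microsoft Authenticode signature, then reads the value back to confirm it landed exactly as intended. The key, name and data are the ones given above; `Set-OneDriveRunValue` is a hypothetical helper name.

```powershell
# Added example, not from the article. Sets the OneDrive Run value with checks
# on the auto-started binary and a read-back of the written value.
function Set-OneDriveRunValue {
    [CmdletBinding()]
    param(
        [string] $RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        [string] $ExePath = 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
    )
    # Quoted path plus the /background switch, exactly as the article specifies
    $data = "`"$ExePath`" /background"

    # 1. The binary must exist: a Run entry that points at a missing file means whoever
    #    can create that path later gets started automatically at sign-in.
    if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) {
        throw "OneDrive.exe not found at $ExePath; install the sync app per-machine first."
    }

    # 2. Only auto-start a binary whose signature is valid and issued to Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $ExePath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Refusing to register $ExePath for auto-start: signature status $($sig.Status)."
    }

    # 3. Write the REG_SZ value; -Force overwrites an existing OneDrive value.
    New-ItemProperty -Path $RunKey -Name OneDrive -PropertyType String -Value $data -Force | Out-Null

    # 4. Read it back and confirm it is byte-for-byte what was intended.
    $actual = (Get-ItemProperty -Path $RunKey -Name OneDrive).OneDrive
    if ($actual -ne $data) { throw "Run value mismatch after write: got '$actual'" }
    Write-Verbose "Run\OneDrive = $actual"
    return $actual
}

# Run from an elevated PowerShell session on the session host
Set-OneDriveRunValue -Verbose
```

The signature check uses the certificate subject rather than just `Status -eq 'Valid'` because any validly signed binary would otherwise pass; the point is that only the vendor's binary is auto-started from a machine-wide key.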
qwinsta
The output includes a line beginning with rdp-sxs followed by a number, where
the number correlates to the version number of the side-by-side stack, as shown in
the following example. You can find a list of the version numbers at What's new in
the Azure Virtual Desktop SxS Network Stack.
Output
1. Use a supported version of Windows App or the Remote Desktop client to connect
to a RemoteApp from the host pool with the session hosts you configured.
2. Check that the OneDrive icon can be seen on the task bar of your local Windows
device. Hover over the icon to show the tooltip and ensure it includes the word
Remote, which differentiates it from a local instance of OneDrive.
3. Check that OneDrive is synchronizing files by opening the OneDrive Action Center.
Sign in to OneDrive if you weren't automatically signed in.
4. From the RemoteApp, check that you can access your files from OneDrive.
5. Finally, close the RemoteApp and any others from the same session host, and
within a few minutes OneDrive should exit.
OneDrive recommendations
When using OneDrive with a RemoteApp in Azure Virtual Desktop, we recommend that
you configure the following settings using the OneDrive administrative template. For
more information, see Manage OneDrive using Group Policy and Use administrative
templates in Intune.
The migration module tool lets you migrate your organization from Azure Virtual
Desktop (classic) to Azure Virtual Desktop automatically. This article will show you how
to use the tool.
Requirements
Before you use the migration module, make sure you have the following things ready:
You must be assigned the Contributor role to create Azure objects on your
subscription, and the User Access Administrator role to assign users to application
groups.
PowerShell or PowerShell ISE to run the scripts you'll see in this article. The
Microsoft.RdInfra.RDPowershell module doesn't work in PowerShell Core.
Important
Migration only creates service objects in the US geography. If you try to migrate
your service objects to another geography, it won't work. Also, if you have more
than 500 application groups in your Azure Virtual Desktop (classic) deployment,
you won't be able to migrate. You'll only be able to migrate if you rebuild your
environment to reduce the number of application groups within your Azure Active
Directory (Azure AD) tenant.
Prepare your PowerShell environment
First, you'll need to prepare your PowerShell environment for the migration process.
1. Before you start, make sure you have the latest version of the
Az.DesktopVirtualization and Az.Resources modules by running the following cmdlets:
PowerShell
Get-Module Az.Resources
Get-Module Az.DesktopVirtualization
https://www.powershellgallery.com/packages/Az.DesktopVirtualization/
https://www.powershellgallery.com/packages/Az.Resources/
If you don't, then you'll have to install and import the modules by running these
cmdlets:
PowerShell
Install-module Az.Resources
Import-module Az.Resources
Install-module Az.DesktopVirtualization
Import-module Az.DesktopVirtualization
2. Next, uninstall the current RDInfra PowerShell module by running this cmdlet:
PowerShell
PowerShell
4. Once you're done installing everything, run this cmdlet to make sure you have the
right versions of the modules:
PowerShell
Get-Module Microsoft.RDInfra.RDPowershell
5. Now, let's install and import the migration module by running these cmdlets:
PowerShell
6. Once you're done, sign into Azure Virtual Desktop (classic) in your PowerShell
window:
PowerShell
PowerShell
Login-AzAccount
8. If you have multiple subscriptions, select the one you want to migrate your
resources to with this cmdlet:
PowerShell
9. Register the Resource Provider in Azure portal for the selected subscription.
10. Finally you'll need to register the provider. There are two ways you can do this:
PowerShell
Register-AzResourceProvider -ProviderNamespace
Microsoft.DesktopVirtualization
If you'd rather use the Azure portal, open and sign in to the Azure portal,
then go to Subscriptions and select the name of the subscription you want to
use. After that, go to Resource Provider > Microsoft.DesktopVirtualization
and select Re-register. You won't see anything change in the UI just yet, but
your PowerShell environment should now be ready to run the module.
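The preparation steps above amount to a short list of conditions that can be checked before any migration cmdlet runs. The following added example (not from the article) is a preflight check for those conditions: Windows PowerShell rather than PowerShell Core (the Microsoft.RdInfra.RDPowershell module doesn't work in Core), the required modules installed and current against the gallery, an Azure sign-in in the current session, and the Microsoft.DesktopVirtualization resource provider registered for the selected subscription. It assumes you are signed in with Login-AzAccount and have already selected the target subscription; `Test-RdsMigrationPrereqs` is a hypothetical helper name.

```powershell
# Added example, not from the article. Checks the migration prerequisites listed
# in "Prepare your PowerShell environment" and reports anything that is missing.
function Test-RdsMigrationPrereqs {
    [CmdletBinding()]
    param(
        [string[]] $RequiredModules = @('Az.Resources', 'Az.DesktopVirtualization', 'Microsoft.RDInfra.RDPowershell')
    )
    $problems = @()

    # 1. Edition: the classic RDS module requires Windows PowerShell (Desktop edition)
    if ($PSVersionTable.PSEdition -ne 'Desktop') {
        $problems += "PSEdition is '$($PSVersionTable.PSEdition)'; run this in Windows PowerShell, not PowerShell Core."
    }

    # 2. Modules: installed at all, and not behind the PowerShell Gallery version
    foreach ($name in $RequiredModules) {
        $installed = Get-Module -ListAvailable -Name $name | Sort-Object Version -Descending | Select-Object -First 1
        if (-not $installed) { $problems += "Module $name is not installed (Install-Module $name)."; continue }
        $latest = Find-Module -Name $name -ErrorAction SilentlyContinue
        if ($latest -and $installed.Version -lt $latest.Version) {
            $problems += "Module $name is $($installed.Version); gallery has $($latest.Version). Run Update-Module $name."
        }
    }

    # 3. Signed in, with a subscription selected
    $ctx = Get-AzContext -ErrorAction SilentlyContinue
    if (-not $ctx -or -not $ctx.Subscription) {
        $problems += "No Azure context; run Login-AzAccount and select the subscription to migrate into."
    }
    else {
        # 4. Resource provider registered for that subscription
        $rp = Get-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization -ErrorAction SilentlyContinue
        $state = ($rp | Select-Object -First 1).RegistrationState
        if ($state -ne 'Registered') {
            $problems += "Microsoft.DesktopVirtualization is '$state' in $($ctx.Subscription.Name); run Register-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization."
        }
    }

    # Role assignments (Contributor and User Access Administrator) are not checked here;
    # confirm them in the portal or with Get-AzRoleAssignment for your account.
    if ($problems.Count -eq 0) {
        Write-Host "All migration prerequisites look good."
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

Test-RdsMigrationPrereqs
```

Running this before step 1 of the migration turns the "right versions of the modules" and "register the provider" steps into a single pass/fail, and the warnings name the exact cmdlet from the article that fixes each missing item.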
To migrate your Azure Virtual Desktop (classic) resources to Azure Resource Manager:
1. Before you migrate, if you want to understand how the existing Classic resources
will get mapped to new Azure Resource Manager resources, run this cmdlet:
PowerShell
Get-RdsHostPoolMigrationMapping
PowerShell
For example:
PowerShell
If you want to migrate the resources for a specific host pool, then include the host
pool name. For example, if you want to move the host pool named "Office," run a
command like this:
PowerShell
If you don't give a workspace name, the module will automatically create one for
you based on the tenant name. However, if you'd prefer to use a specific
workspace, you can enter its resource ID like this:
PowerShell
If you'd like to use a specific workspace but don't know its resource ID, run this
cmdlet:
PowerShell
You'll also need to specify a user assignment mode for the existing user
assignments:
Use Copy to copy all user assignments from your old application groups to
Azure Resource Manager application groups. Users will be able to see feeds
for both versions of their clients.
Use None if you don't want to change the user assignments. Later, you can
assign users or user groups to application groups with the Azure portal,
PowerShell, or API. Users will only be able to see feeds using the Azure Virtual
Desktop (classic) clients.
You can only copy 2,000 user assignments per subscription, so your limit will
depend on how many assignments are already in your subscription. The module
calculates the limit based on how many assignments you already have. If you don't
have enough assignments to copy, you'll get an error message that says
"Insufficient role assignment quota to copy user assignments. Rerun command
without the -CopyUserAssignments switch to migrate."
3. After you run the commands, it will take up to 15 minutes for the module to create
the service objects. If you copied or moved any user assignments, that will add to
the time it takes for the module to finish setting everything up.
Azure service objects for the tenant or host pool you specified.
Virtual machines will be available in both existing and new host pools to
avoid user downtime during the migration process. This lets users connect to
the same user session.
Since these new Azure service objects are Azure Resource Manager objects, the
module can't set Role-based Access Control (RBAC) permissions or diagnostic
settings on them. Therefore, you'll need to update the RBAC permissions and
settings for these objects manually.
Once the module validates the initial user connections, you can also publish the
application group to more users or user groups, if you'd like.
Note
4. If you want to delete all Azure Virtual Desktop (classic) service objects, run
Complete-RdsHostPoolMigration to finish the migration process. This cmdlet will
delete all Azure Virtual Desktop (classic) objects, leaving only the new Azure
objects. Users will only be able to see the feed for the newly created application
groups on their clients. Once this command is done, you can safely delete the
Azure Virtual Desktop (classic) tenant to finish the process.
For example:
PowerShell
If you want to complete a specific host pool, you can include the host pool name
in the cmdlet. For example, if you want to complete a host pool named "Office,"
you'd use a command like this:
PowerShell
This will delete all service objects created by Azure Virtual Desktop (classic). You
will be left with just the new Azure objects and users will only be able to see the
feed for the newly created application groups on their clients. Once you are done
finalizing your migration, you need to explicitly delete the tenant in Azure Virtual
Desktop (classic).
5. If you've changed your mind about migrating and want to revert the process, run
the Revert-RdsHostPoolMigration cmdlet.
For example:
PowerShell
If you'd like to revert a specific host pool, you can include the host pool name in
the command. For example, if you want to revert a host pool named "Office," then
you'd enter something like this:
PowerShell
This cmdlet will delete all newly created Azure service objects. Your users will only
see the feed for Azure Virtual Desktop (classic) objects in their clients.
However, the cmdlet won't delete the workspace the module created or its
associated resource group. You'll need to manually delete those items to get rid of
them.
6. If you don't want to delete your Azure Virtual Desktop (classic) service objects yet
but do want to test migration, you can run Set-RdsHostPoolHidden.
For example:
PowerShell
Setting the status to "true" will hide the Azure Virtual Desktop (classic) resources.
Setting it to "false" will reveal the resources to your users.
The -Hostpool parameter is optional. You can use this parameter if there's a specific
Azure Virtual Desktop (classic) host pool you want to hide.
This cmdlet will hide the Azure Virtual Desktop (classic) user feed and service
objects instead of deleting them. However, this is usually only used for testing and
doesn't count as a completed migration. To complete your migration, you'll need
to run the Complete-RdsHostPoolMigration command. Otherwise, revert your
deployment by running Revert-RdsHostPoolMigration.
Make sure your admin account has the required permissions to access the tenant.
Try running Get-RdsTenant on the tenant.
If those two things work, try running the Set-RdsMigrationContext cmdlet to set the
RDS Context and ADAL Context for your migration:
Next steps
If you'd like to learn how to migrate your deployment manually instead, see Migrate
manually from Azure Virtual Desktop (classic).
Once you've migrated, get to know how Azure Virtual Desktop works by checking out
our tutorials. Learn about advanced management capabilities at Expand an existing host
pool and Customize RDP properties.
To learn more about service objects, check out Azure Virtual Desktop environment.
Migrate manually from Azure Virtual Desktop (classic)
Article • 04/14/2023
Azure Virtual Desktop (classic) creates its service environment with PowerShell cmdlets,
REST APIs, and service objects. An object in an Azure Virtual Desktop service
environment is a thing that Azure Virtual Desktop creates. Service objects include
tenants, host pools, application groups, and session hosts.
However, Azure Virtual Desktop (classic) isn't integrated with Azure. Without Azure
integration, any objects you create aren't automatically managed by the Azure portal
because they're not connected to your Azure subscription.
The recent major update of Azure Virtual Desktop marks a shift in the service towards
full Azure integration. Objects you create in Azure Virtual Desktop are automatically
managed by the Azure portal.
In this article, we'll explain why you should consider migrating to the latest version of
Azure Virtual Desktop. After that, we'll tell you how to manually migrate from Azure
Virtual Desktop (classic) to the latest update of Azure Virtual Desktop.
Why migrate?
Major updates can be inconvenient, especially ones you have to do manually. However,
there are some reasons why you can't automatically migrate:
Existing service objects made with the classic release don't have any representation
in Azure. Their scope doesn't extend beyond the Azure Virtual Desktop service.
With the latest update, the service's application ID changed, so consent granted to
the Azure Virtual Desktop (classic) application doesn't carry over. You can't create
new Azure objects with Azure Virtual Desktop unless you authenticate with the new
application ID.
Despite the hassle, migrating away from the classic version is still important. Here's what
you can do after you migrate:
There are a few scenarios in particular where we recommend you manually migrate:
You have a test host pool setup with a small number of users.
You have a production host pool setup with a small number of users, but plan to
eventually ramp up to hundreds of users.
You have a simple setup that can be easily replicated. For example, if your VMs use
a gallery image.
Important
If you're using an advanced configuration that took a long time to stabilize or has a
lot of users, we don't recommend manually migrating.
The Contributor role lets you create Azure objects on your subscription, and the
User Access Administrator role lets you assign users to application groups.
To migrate manually from Azure Virtual Desktop (classic) to Azure Virtual Desktop:
1. Follow the instructions in Create a host pool with the Azure portal to create all
high-level objects with the Azure portal.
2. If you want to bring over the virtual machines you're already using, follow the
instructions in Register the virtual machines to the Azure Virtual Desktop host pool
to manually register them to the new host pool you created in step 1.
3. Create new RemoteApp application groups.
4. Publish users or user groups to the new desktop and RemoteApp application
groups.
5. Update your Conditional Access policy to allow the new objects by following the
instructions in Set up multi-factor authentication.
To prevent downtime, you should first register your existing session hosts to the Azure
Resource Manager-integrated host pools in small groups at a time. After that, slowly
bring your users over to the new Azure Resource Manager-integrated application
groups.
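The same sequence, steps 1, 3 and 4 of the manual migration above, expressed as an added Azure PowerShell example (this is not code from the Microsoft page). Resource group, region, host pool, application group and Entra group names are placeholders; the account running it needs the Contributor and User Access Administrator roles mentioned above, plus the Az.Accounts, Az.Resources and Az.DesktopVirtualization modules. Step 2 (re-registering the existing VMs) uses the registration token this script creates, and step 5 (Conditional Access) stays a portal task.

```powershell
# Added example: create the Azure Resource Manager objects that replace a classic
# tenant/host pool, then publish them to an Entra group. All names are placeholders.
Import-Module Az.DesktopVirtualization -ErrorAction Stop

$rg        = 'rg-avd-prod'        # placeholder
$location  = 'eastus'             # placeholder; app groups and the workspace must share it
$hostPool  = 'hp-pooled-01'       # placeholder
$groupName = 'AVD-Pooled-Users'   # placeholder Entra security group

# 1. Pooled host pool. The registration token is a bearer secret that any machine
#    can use to join the pool, so keep its lifetime short (two hours here).
$hp = New-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool -Location $location `
        -HostPoolType Pooled -LoadBalancerType BreadthFirst -PreferredAppGroupType Desktop `
        -MaxSessionLimit 10
$reg = New-AzWvdRegistrationInfo -ResourceGroupName $rg -HostPoolName $hostPool `
        -ExpirationTime (Get-Date).ToUniversalTime().AddHours(2).ToString('o')
# $reg.Token is what the agent installer on each existing VM needs (step 2 of the article).

# 3. Desktop and RemoteApp application groups bound to the new host pool.
$dag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name "$hostPool-dag" -Location $location `
        -HostPoolArmPath $hp.Id -ApplicationGroupType Desktop
$rag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name "$hostPool-rag" -Location $location `
        -HostPoolArmPath $hp.Id -ApplicationGroupType RemoteApp

# Workspace in the same location, referencing both groups so they appear in the feed.
New-AzWvdWorkspace -ResourceGroupName $rg -Name "ws-$hostPool" -Location $location `
        -ApplicationGroupReference $dag.Id, $rag.Id | Out-Null

# 4. Publish to a group rather than to individual users: one assignment per app group,
#    auditable, and revocable by removing one membership.
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Entra group '$groupName' not found" }
foreach ($ag in $dag, $rag) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Desktop Virtualization User' `
        -Scope $ag.Id | Out-Null
}

# Check: the User role exists on each application group and at no broader scope.
Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Desktop Virtualization User' |
    Select-Object Scope, RoleDefinitionName
```

Move session hosts over in small batches, as the paragraph above recommends: register a few VMs with `$reg.Token`, confirm they show as available with `Get-AzWvdSessionHost`, and only then add the users' group to the new application groups.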
Next steps
If you'd like to learn how to migrate your deployment automatically instead, go to
Migrate automatically from Azure Virtual Desktop (classic).
Once you've migrated, get to know how Azure Virtual Desktop works by checking out
our tutorials. Learn about advanced management capabilities at Expand an existing host
pool and Customize RDP properties.
To learn more about service objects, check out Azure Virtual Desktop environment.
Azure Virtual Desktop FAQ
FAQ
This article answers frequently asked questions and explains best practices for Azure
Virtual Desktop.
You must be assigned the User Access Admin role on an application group to publish
application groups to users or user groups.
To restrict an admin to only manage user sessions, such as sending messages to users,
signing out users, and so on, you can create custom roles. For example:
JSON
{
"actions": [
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/tags/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
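The JSON above is only the permissions part of a role definition. The following added Azure PowerShell example (not from the Microsoft page) turns it into a complete custom role and assigns it at the scope of a single host pool, so the delegated operator can act on sessions in that pool and nowhere else. The subscription context, resource group, host pool, group and role names are placeholders. Note that `hostpools/sessionhosts/write` also covers drain mode and user assignment on session hosts; drop it if the operator only needs session actions.

```powershell
# Added example: create a least-privilege session-operator role from the article's
# action list and assign it to a helpdesk group at host pool scope. Names are placeholders.
Import-Module Az.Resources -ErrorAction Stop

$subscriptionId = (Get-AzContext).Subscription.Id
$rg             = 'rg-avd-prod'           # placeholder
$hostPool       = 'hp-pooled-01'          # placeholder
$helpdeskGroup  = 'AVD-Helpdesk'          # placeholder Entra group
$roleName       = 'AVD Session Operator'  # placeholder role name

$scope = "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.DesktopVirtualization/hostPools/$hostPool"

# Full role definition in the shape New-AzRoleDefinition -InputFile expects.
# AssignableScopes is the host pool itself, so the role can't be handed out more widely.
$definition = [ordered]@{
    Name             = $roleName
    IsCustom         = $true
    Description      = 'Message, disconnect and sign out user sessions in one host pool'
    Actions          = @(
        'Microsoft.Resources/deployments/operations/read',
        'Microsoft.Resources/tags/read',
        'Microsoft.Authorization/roleAssignments/read',
        'Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*',
        'Microsoft.DesktopVirtualization/hostpools/sessionhosts/read',
        'Microsoft.DesktopVirtualization/hostpools/sessionhosts/write'
    )
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @($scope)
}

$path = Join-Path ([IO.Path]::GetTempPath()) 'avd-session-operator.json'
$definition | ConvertTo-Json -Depth 3 | Set-Content -Path $path -Encoding utf8

# Idempotent: reuse the role if it already exists in this tenant.
$role = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) { $role = New-AzRoleDefinition -InputFile $path }

$group = Get-AzADGroup -DisplayName $helpdeskGroup
if (-not $group) { throw "Entra group '$helpdeskGroup' not found" }
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionId $role.Id -Scope $scope | Out-Null

# Check: nothing in the role should reach outside session hosts except read-only actions.
$unexpected = $role.Actions | Where-Object {
    $_ -notlike 'Microsoft.DesktopVirtualization/hostpools/sessionhosts/*' -and $_ -notlike '*/read'
}
if ($unexpected) { Write-Warning "Role grants more than session management: $($unexpected -join ', ')" }
```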
Workspaces also must be in the same location as their application groups. Whenever the
workspace updates, the related application group updates along with it. Like with
application groups, the service requires that all workspaces are associated with
application groups created in the same location.
For example:
PowerShell
To see all of a resource's properties, add either format-list or fl to the end of the
cmdlet.
For example:
PowerShell
For example:
PowerShell
CustomRdpProperty : audiocapturemode:i:0;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:0;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;
You can't use your own licenses for the benefit of a third-party. Also, Azure Virtual
Desktop doesn't currently support Microsoft Account (MSA).
The Azure template is limited to 800 objects. To learn more, see Azure subscription
and service limits, quotas, and constraints. Each VM also creates about six objects,
so that means you can create around 132 VMs each time you run the template.
There are restrictions on how many vCPUs you can create per region and per
subscription. For example, if you have an Enterprise Agreement subscription, by
default you can create 350 vCPUs. You need to divide 350 by either the default
number of vCPUs per VM or your own vCPU limit to determine how many VMs you
can create each time you run the template. Learn more at Virtual Machines limits -
Azure Resource Manager and Check vCPU quotas.
The VM prefix name can't exceed 11 characters, so that when a sequential number
is added the total name is a maximum of 15 characters. To learn more, see Naming
rules and restrictions for Azure resources.
Can I manage Azure Virtual Desktop environments with Azure Lighthouse?
Azure Lighthouse doesn't fully support managing Azure Virtual Desktop environments.
Since Lighthouse doesn't currently support cross-tenant user management in Microsoft
Entra ID, Lighthouse customers still need to sign in to the customer's own Microsoft
Entra tenant to manage users.
You also can't use CSP sandbox subscriptions with the Azure Virtual Desktop service. To
learn more, see Integration sandbox account.
Finally, if you enabled the resource provider from the CSP owner account, the CSP
customer accounts aren't able to modify the resource provider.
None Gallery
Availability set with managed SKU (managed disk) Blob storage (Gallery option disabled)
When users sign in to Windows App or the Remote Desktop app, desktops and
applications that they have access to are shown. For each desktop and application, there
is a corresponding .rdp file that contains all the connection properties to use when
connecting to a remote session over the Remote Desktop Protocol (RDP). These RDP
properties are set per host pool.
Each host pool has a set of default RDP properties and values. You can add other
properties to the default set or override the default values by setting custom RDP
properties. This article shows you how to set custom RDP properties on a host pool by
using the Azure portal, Azure PowerShell, and Azure CLI.
Some commonly set properties (with example values) and what they control:
devicestoredirect:s:*
    Determines which peripherals that use the Media Transfer Protocol (MTP) or Picture
    Transfer Protocol (PTP), such as a digital camera, are redirected from a local
    Windows device to a remote session.
drivestoredirect:s:*
    Determines which fixed, removable, and network drives on the local device will be
    redirected and available in a remote session.
enablecredsspsupport:i:1
    Determines whether the client will use the Credential Security Support Provider
    (CredSSP) for authentication if it's available.
redirectcomports:i:1
    Determines whether serial or COM ports on the local device are redirected to a
    remote session.
redirectsmartcards:i:1
    Determines whether smart card devices on the local device will be redirected and
    available in a remote session.
usbdevicestoredirect:s:*
    Determines which supported USB devices on the client computer are redirected using
    opaque low-level redirection to a remote session.
use multimon:i:1
    Determines whether the remote session will use one or multiple displays from the
    local device.
For a full list of supported properties and values, see Supported RDP properties with
Azure Virtual Desktop
Tip
To learn more about redirecting peripherals and resources, see Peripheral and
resource redirection over the Remote Desktop Protocol. You might need to
configure more than just an RDP property.
Prerequisites
Before you can set custom RDP properties on a host pool, you need:
An Azure account assigned the Desktop Virtualization Host Pool Contributor role
or equivalent.
If you want to use Azure CLI or Azure PowerShell locally, see Use Azure CLI and
Azure PowerShell with Azure Virtual Desktop to make sure you have the
desktopvirtualization Azure CLI extension or the Az.DesktopVirtualization
PowerShell module installed. Alternatively, use the Azure Cloud Shell.
Here's how to configure RDP properties using the Azure portal. For a full list of
supported properties and values, see Supported RDP properties with Azure Virtual
Desktop.
2. In the search bar, enter Azure Virtual Desktop and select the matching service
entry.
3. Select Host pools, then select the name of the host pool you want to update.
5. Add extra RDP properties or make changes to the existing RDP properties in a
semicolon-separated format, like the default values already shown.
6. When you're done, select Save to save your changes. Users need to refresh
their resources to receive the changes.
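The portal steps above edit the whole semicolon-separated string at once, and so does `Update-AzWvdHostPool -CustomRdpProperty`: whatever you pass replaces the pool's current value. The added Azure PowerShell example below (not code from the Microsoft page) parses the existing string, overrides only the redirection properties you care about, writes the result back, and then reads it with `Format-List`, the same check the FAQ suggests for seeing a resource's full properties. The resource group and host pool names are placeholders, and the hardening set is a constructed example, not a recommendation for every workload.

```powershell
# Added example: merge hardened redirection settings into a host pool's existing
# CustomRdpProperty string rather than overwriting it. Names are placeholders.
Import-Module Az.DesktopVirtualization -ErrorAction Stop

function ConvertFrom-RdpPropertyString {
    # "name:type:value;name:type:value;" -> ordered dictionary keyed by property name.
    # Names may contain spaces ("screen mode id", "use multimon") and values may contain
    # ':' (a kdcproxyname URL, for example), so split on the first two colons only.
    param([AllowEmptyString()][string]$Text)
    $map = [ordered]@{}
    foreach ($entry in ($Text -split ';')) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $parts = $entry.Split(':', 3)
        if ($parts.Count -lt 2) { throw "Malformed RDP property '$entry'" }
        $value = if ($parts.Count -eq 3) { $parts[2] } else { '' }
        $map[$parts[0]] = @{ Type = $parts[1]; Value = $value }
    }
    return $map
}

function ConvertTo-RdpPropertyString {
    param([System.Collections.Specialized.OrderedDictionary]$Map)
    $items = foreach ($k in $Map.Keys) { '{0}:{1}:{2}' -f $k, $Map[$k].Type, $Map[$k].Value }
    return ($items -join ';')
}

function Merge-RdpProperty {
    # Entries in $Override replace same-named entries in $Current; new names are appended.
    param([AllowEmptyString()][string]$Current, [string]$Override)
    $merged = ConvertFrom-RdpPropertyString $Current
    $over   = ConvertFrom-RdpPropertyString $Override
    foreach ($k in $over.Keys) { $merged[$k] = $over[$k] }
    return ConvertTo-RdpPropertyString $merged
}

$rg = 'rg-avd-prod'; $hostPool = 'hp-pooled-01'   # placeholders

# Constructed hardening set: no drive, USB, MTP/PTP, COM port or clipboard redirection;
# smart cards stay on so users can still authenticate with them. Everything else the
# pool already defines (audio, printers, display settings) is left as it is.
$hardened = 'drivestoredirect:s:;usbdevicestoredirect:s:;devicestoredirect:s:;' +
            'redirectcomports:i:0;redirectclipboard:i:0;redirectsmartcards:i:1'

$hp  = Get-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool
$new = Merge-RdpProperty -Current $hp.CustomRdpProperty -Override $hardened
Update-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool -CustomRdpProperty $new | Out-Null

# Verify what the service actually stored; clients pick it up on their next feed refresh.
$after = Get-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool
$after | Format-List Name, LoadBalancerType, CustomRdpProperty
$stored = ConvertFrom-RdpPropertyString $after.CustomRdpProperty
if ($stored['drivestoredirect'].Value -ne '' -or $stored['redirectclipboard'].Value -ne '0') {
    throw 'Redirection settings were not applied'
}
```

An empty `s:` value (as in `drivestoredirect:s:`) means "redirect nothing", which is also the value the FAQ's sample output shows for drives; `*` means "redirect everything". The RDP property only controls the client side of redirection, so, as the tip above says, pair it with the matching policy on the session hosts if you need it enforced.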
Related content
Supported RDP properties with Azure Virtual Desktop
Peripheral and resource redirection over the Remote Desktop Protocol
Configure host pool load balancing in Azure Virtual Desktop
Article • 08/22/2024
Azure Virtual Desktop supports two load balancing algorithms for pooled host pools.
Each algorithm determines which session host is used when a user starts a remote
session. Load balancing doesn't apply to personal host pools because users always have
a 1:1 mapping to a session host within the host pool.
The following load balancing algorithms are available for pooled host pools:
Breadth-first, which aims to evenly distribute new user sessions across the session
hosts in a host pool. You don't have to specify a maximum session limit for the
number of sessions.
Depth-first, which keeps starting new user sessions on one session host until the
maximum session limit is reached. Once the session limit is reached, any new user
connections are directed to the next session host in the host pool until it reaches
its session limit, and so on.
You can only configure one of the load balancing algorithms at a time per pooled host
pool, but you can change which one is used at any time. Both load balancing algorithms
share the following behaviors:
If a user already has an active or disconnected session in the host pool and signs in
again, the load balancer will successfully redirect them to the session host with
their existing session. This behavior applies even if drain mode has been enabled
for that session host.
If a user doesn't already have a session on a session host in the host pool, the load
balancer doesn't consider a session host where drain mode has been enabled.
If you lower the maximum session limit on a session host while it has active user
sessions, the change doesn't affect existing user sessions.
The breadth-first algorithm first queries session hosts in a host pool that allow new
connections. The algorithm then selects a session host randomly from half the set of
available session hosts with the fewest sessions. For example, if there are nine session
hosts with 11, 12, 13, 14, 15, 16, 17, 18, and 19 sessions, a new session doesn't
automatically go to the session host with the fewest sessions. Instead, it can go to any of
the first five session hosts with the fewest sessions at random. Due to the
randomization, some sessions may not be evenly distributed across all session hosts.
The depth-first algorithm first queries session hosts that allow new connections and
haven't reached their maximum session limit. The algorithm then selects the session
host with most sessions. If there's a tie, the algorithm selects the first session host from
the query.
You must set a maximum session limit when using the depth-first algorithm. You can use
Azure Virtual Desktop Insights to monitor the number of sessions on each session host
and review session host performance to help determine the best maximum session limit
for your environment.
Important
Once all session hosts have reached the maximum session limit, you need to
increase the limit or add more session hosts to the host pool.
Prerequisites
To configure load balancing for a pooled host pool, you need:
An Azure account assigned the Desktop Virtualization Host Pool Contributor role.
If you want to use Azure CLI or Azure PowerShell locally, see Use Azure CLI and
Azure PowerShell with Azure Virtual Desktop to make sure you have the
desktopvirtualization Azure CLI extension or the Az.DesktopVirtualization
PowerShell module installed. Alternatively, use the Azure Cloud Shell.
Azure portal
2. In the search bar, enter Azure Virtual Desktop and select the matching service
entry
3. Select Host pools, then select the name of the host pool you want to
configure.
4. Select Properties.
5. For Load balancing algorithm, select which type you want to use for this host
pool from the drop-down menu, then for Max session limit, enter a value.
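To make the selection rules above concrete, here is an added PowerShell example (not code from the Microsoft page, and not the service's implementation) that models both algorithms and the behaviours they share, runs them over a constructed set of session hosts, and ends with the `Update-AzWvdHostPool` call that makes the same change as the portal steps. Host names and users are constructed; the resource group and host pool names in the final call are placeholders.

```powershell
# Added example: a model of breadth-first and depth-first selection as the article
# describes them, plus the cmdlet that applies the setting to a real pool.

function Select-SessionHost {
    param(
        [Parameter(Mandatory)][ValidateSet('BreadthFirst', 'DepthFirst')][string]$Algorithm,
        # Objects with Name, Sessions, AllowNewSession and Users (UPNs with active or
        # disconnected sessions on that host).
        [Parameter(Mandatory)][object[]]$SessionHosts,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$MaxSessionLimit = [int]::MaxValue
    )
    # Shared rule 1: an existing session (active or disconnected) is always reused,
    # even when that host is in drain mode.
    foreach ($sh in $SessionHosts) {
        if ($sh.Users -contains $UserPrincipalName) { return $sh.Name }
    }
    # Shared rule 2: hosts in drain mode or at the session limit never get new sessions.
    $candidates = @($SessionHosts | Where-Object { $_.AllowNewSession -and $_.Sessions -lt $MaxSessionLimit })
    if ($candidates.Count -eq 0) {
        throw 'Every session host is draining or at its maximum session limit; raise the limit or add hosts.'
    }
    switch ($Algorithm) {
        'BreadthFirst' {
            # Random pick from the least-loaded half, rounded up (9 eligible hosts -> 5 choices).
            $sorted = @($candidates | Sort-Object -Property Sessions)
            $half   = [math]::Ceiling($sorted.Count / 2)
            return ($sorted[0..($half - 1)] | Get-Random).Name
        }
        'DepthFirst' {
            # Most-loaded host that still has room; a tie goes to the first one in query order.
            $max = ($candidates | Measure-Object -Property Sessions -Maximum).Maximum
            return ($candidates | Where-Object { $_.Sessions -eq $max } | Select-Object -First 1).Name
        }
    }
}

# Constructed pool: the article's nine hosts with 11..19 sessions. sh-19 is in drain
# mode but still holds a disconnected session for alice.
$pool = @(11..19 | ForEach-Object {
    [pscustomobject]@{ Name = "sh-$_"; Sessions = $_; AllowNewSession = ($_ -ne 19); Users = @() }
})
$pool[-1].Users = @('alice@contoso.com')

Select-SessionHost -Algorithm BreadthFirst -SessionHosts $pool -UserPrincipalName 'alice@contoso.com'
Select-SessionHost -Algorithm BreadthFirst -SessionHosts $pool -UserPrincipalName 'bob@contoso.com'
Select-SessionHost -Algorithm DepthFirst   -SessionHosts $pool -UserPrincipalName 'bob@contoso.com' -MaxSessionLimit 20
Select-SessionHost -Algorithm DepthFirst   -SessionHosts $pool -UserPrincipalName 'bob@contoso.com' -MaxSessionLimit 15

# Apply depth-first with a limit to a real pool (placeholders). The limit is mandatory
# for depth-first; size it from Azure Virtual Desktop Insights data as the article suggests.
Update-AzWvdHostPool -ResourceGroupName 'rg-avd-prod' -Name 'hp-pooled-01' `
    -LoadBalancerType DepthFirst -MaxSessionLimit 15 | Out-Null
```

With this data, alice is sent back to sh-19 even though it is draining; bob's breadth-first call picks at random among sh-11 to sh-14 (eight eligible hosts, so the least-loaded four); the depth-first call with a limit of 20 returns sh-18, the fullest host that isn't draining; and with a limit of 15 it returns sh-14, because sh-15 and above are already full. Lowering the limit on a real pool doesn't touch existing sessions, exactly as the shared-behaviour list says.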
Related content
Understand how autoscale can automatically scale the number of available session
hosts in a host pool.
Important
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.
A personal host pool is a type of host pool that has personal desktops. Personal
desktops have one-to-one mapping, which means a single user can only be assigned to
a single personal desktop. Every time the user signs in, their user session is directed to
their assigned personal desktop session host. This host pool type is ideal for customers
with resource-intensive workloads because user experience and session performance
will improve if there's only one session on the session host. Another benefit of this host
pool type is that user activities, files, and settings persist on the virtual machine
operating system (VM OS) disk after the user signs out.
Users must be assigned to a personal desktop to start their session. You can configure
the assignment type of your personal desktop host pool to adjust your Azure Virtual
Desktop environment to better suit your needs. In this topic, we'll show you how to
configure automatic or direct assignment for your users.
Note
The instructions in this article only apply to personal desktop host pools, not
pooled host pools, since users in pooled host pools aren't assigned to specific
session hosts.
Prerequisites
If you're using either the Azure portal or PowerShell method, you'll need the following
things:
If you're assigning desktops with PowerShell, you'll need to download and install the
Azure Virtual Desktop PowerShell module if you haven't already.
To automatically assign users, first assign them to the personal desktop host pool so
that they can see the desktop in their feed. When an assigned user launches the desktop
in their feed, their user session will be load-balanced to an available session host if they
haven't already connected to the host pool. You can still assign a user directly to a
session host before they connect, even if the assignment type is set automatic.
Azure portal
2. In the search bar, enter Azure Virtual Desktop and select the matching service
entry.
3. Select Host pools, then select the personal host pool you want to configure for
automatic assignment.
5. Select Save.
Azure portal
2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.
3. Select Host pools, then select the personal host pool you want to configure for
automatic assignment.
5. Select Save.
Azure portal
4. At the Azure Virtual Desktop page, go the menu on the left side of the
window and select Host pools.
6. Next, go to the menu on the left side of the window and select Application
groups.
7. Select the name of the app group you want to assign users to, then select
Assignments in the menu on the left side of the window.
8. Select + Add, then select the users or user groups you want to assign to this
app group.
10. Select the session host you want to assign to the user, then select Assign. You
can also select Assignment > Assign user.
11. Select the user you want to assign the session host to from the list of available
users.
Azure portal
4. At the Azure Virtual Desktop page, go the menu on the left side of the
window and select Host pools.
5. Select the host pool you want to modify user assignment for.
6. Next, go to the menu on the left side of the window and select Session hosts.
7. Select the checkbox next to the session host you want to unassign a user
from, select the ellipses at the end of the row, and then select Unassign user.
You can also select Assignment > Unassign user.
8. Select Unassign when prompted with the warning.
Azure portal
4. At the Azure Virtual Desktop page, go the menu on the left side of the
window and select Host pools.
5. Select the host pool you want to modify user assignment for.
6. Next, go to the menu on the left side of the window and select Session hosts.
7. Select the checkbox next to the session host you want to reassign to a
different user, select the ellipses at the end of the row, and then select Assign
to a different user. You can also select Assignment > Assign to a different
user.
8. Select the user you want to assign the session host to from the list of available
users.
1. Launch the Azure Cloud Shell in the Azure portal with the PowerShell terminal type,
or run PowerShell on your local device.
If you're using Cloud Shell, make sure your Azure context is set to the
subscription you want to use.
If you're using PowerShell locally, first Sign in with Azure PowerShell, then
make sure your Azure context is set to the subscription you want to use.
Azure PowerShell
    $parameters = @{
        HostPoolName      = 'HostPoolName'
        Name              = 'SessionHostName'
        ResourceGroupName = 'ResourceGroupName'
        FriendlyName      = 'SessionHostFriendlyName'
    }
    Update-AzWvdSessionHost @parameters
3. To get the session host friendly name, run the following command in PowerShell:
Azure PowerShell
    $sessionHostParams = @{
        HostPoolName      = 'HostPoolName'
        Name              = 'SessionHostName'
        ResourceGroupName = 'ResourceGroupName'
    }
    Get-AzWvdSessionHost @sessionHostParams | Format-List Name, FriendlyName
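The portal steps for direct assignment, unassignment and reassignment above have PowerShell equivalents in `Update-AzWvdHostPool` and `Update-AzWvdSessionHost`. The added example below (not code from the Microsoft page) switches a personal pool to direct assignment and assigns one user to one session host, but first checks the one-to-one mapping the article describes: the user must not already hold another desktop in the pool, and the target host must not already belong to someone else. Resource group, host pool, user and host names are placeholders; the user still needs the Desktop Virtualization User role on the pool's desktop application group (step 8 above) to see the desktop in the feed.

```powershell
# Added example: direct assignment of a personal desktop with 1:1 checks. Names are placeholders.
Import-Module Az.DesktopVirtualization -ErrorAction Stop

$rg       = 'rg-avd-personal'        # placeholder
$hostPool = 'hp-personal-01'         # placeholder
$user     = 'alice@contoso.com'      # placeholder UPN
$target   = 'avd-p-03.contoso.com'   # placeholder session host (FQDN as registered in the pool)

function Get-AssignedSessionHost {
    # Session hosts in the pool whose AssignedUser matches the UPN (case-insensitive).
    param([object[]]$SessionHosts, [string]$UserPrincipalName)
    return @($SessionHosts | Where-Object { $_.AssignedUser -and $_.AssignedUser -ieq $UserPrincipalName })
}

function Get-ShortHostName {
    # Get-AzWvdSessionHost returns Name as '<hostpool>/<fqdn>'; the update cmdlet wants only the FQDN.
    param([string]$Name)
    return ($Name -split '/')[-1]
}

# Assignment type is a host pool property: Automatic (first connection claims a host) or Direct.
Update-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool -PersonalDesktopAssignmentType Direct | Out-Null

$hosts    = Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $hostPool
$existing = Get-AssignedSessionHost -SessionHosts $hosts -UserPrincipalName $user
if ($existing.Count -gt 0 -and (Get-ShortHostName $existing[0].Name) -ne $target) {
    throw "$user already has $($existing[0].Name); unassign or reassign there instead of creating a second desktop"
}

$targetHost = $hosts | Where-Object { (Get-ShortHostName $_.Name) -eq $target }
if (-not $targetHost) { throw "Session host $target not found in $hostPool" }
if ($targetHost.AssignedUser -and $targetHost.AssignedUser -ine $user) {
    throw "$target is already assigned to $($targetHost.AssignedUser); use 'Assign to a different user' deliberately"
}

Update-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $hostPool -Name $target -AssignedUser $user | Out-Null

# Verify: the user now maps to exactly one session host in the pool.
$after = Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $hostPool
$mine  = Get-AssignedSessionHost -SessionHosts $after -UserPrincipalName $user
if ($mine.Count -ne 1) { throw "Expected one session host for $user, found $($mine.Count)" }
$mine | Format-List Name, AssignedUser, AllowNewSession, Status
```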
Next steps
Now that you've configured the personal desktop assignment type and given your
session host a friendly name, you can sign in to an Azure Virtual Desktop client to test it
as part of a user session. These articles will show you how to connect to a session using
the client of your choice:
Important
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.
Host pools are a collection of one or more identical virtual machines within Azure Virtual
Desktop environment. We highly recommend you create a validation host pool where
service updates are applied first. Validation host pools let you monitor service updates
before the service applies them to your standard or non-validation environment.
Without a validation host pool, you may not discover changes that introduce errors,
which could result in downtime for users in your standard environment.
To ensure your apps work with the latest updates, the validation host pool should be as
similar to host pools in your non-validation environment as possible. Users should
connect as frequently to the validation host pool as they do to the standard host pool. If
you have automated testing on your host pool, you should include automated testing
on the validation host pool.
You can debug issues in the validation host pool with either the diagnostics feature or
the Azure Virtual Desktop troubleshooting articles.
Note
We recommend that you leave the validation host pool in place to test all future
updates. Validation host pools should only be used for testing, and not in
production environments.
Update schedule
Service updates happen monthly. If there are major issues, critical updates will be
provided at a more frequent pace.
If there are any service updates, make sure you have at least a couple of users sign in
each day to validate the environment. We recommend you regularly visit our
TechCommunity site and follow any posts tagged WVDUpdate or AVDUpdate to stay
informed about service updates.
Next steps
Now that you've created a validation host pool, you can learn how to use Azure Service
Health to monitor your Azure Virtual Desktop deployment.
The Scheduled Agent Updates feature lets you create up to two maintenance windows
for the Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent to
get updated so that updates don't happen during peak business hours. To monitor
agent updates, you can use Log Analytics to see when agent component updates are
available and when updates are unsuccessful.
This article describes how the Scheduled Agent Updates feature works and how to set it
up.
Note
Azure Virtual Desktop (classic) doesn't support the Scheduled Agent Updates
feature.
3. Select Host pools, then go to the host pool where you want to enable the feature.
You can only configure this feature for existing host pools. You can't enable this
feature when you create a new host pool.
4. In the host pool, select Scheduled Agent Updates. Scheduled Agent Updates is
disabled by default. This means that, unless you enable this setting, the agent can
get updated at any time by the agent update flighting service. Select the
Scheduled agent updates checkbox to enable the feature.
5. Enter your preferred time zone setting. If you select Use local session host time
zone, Scheduled Agent Updates will automatically use the VM's local time zone. If
you don't select Use local session host time zone, you'll need to specify a time
zone.
6. Select a day and time for the Maintenance window. If you'd like to make an
optional second maintenance window, you can also select a date and time for it
here. Since Scheduled Agent Updates is a host pool setting, the time zone setting
and maintenance windows you configure will be applied to all session hosts in the
host pool.
All maintenance windows are two hours long to account for situations where all
three agent components must be updated at the same time. For example, if your
maintenance window is Saturday at 9:00 AM PST, the updates will happen between
9:00 AM PST and 11:00 AM PST.
The Use session host local time parameter isn't selected by default. If you want
the agent component update to be in the same time zone for all session hosts in
your host pool, you'll need to specify a single time zone for your maintenance
windows. Having a single time zone helps when all your session hosts or users are
located in the same time zone.
If you select Use session host local time, the agent component update will be in
the local time zone of each session host in the host pool. Use this setting when all
session hosts in your host pool or their assigned users are in different time zones.
For example, let's say you have one host pool with session hosts in West US in the
Pacific Standard Time zone and session hosts in East US in the Eastern Standard
Time zone, and you've set the maintenance window to be Saturday at 9:00 PM.
Enabling Use session host local time ensures that updates to all session hosts in
the host pool will happen at 9:00 PM in their respective time zones. Disabling Use
session host local time and setting the time zone to be Central Standard Time
ensures that updates to the session hosts in the host pool will happen at 9:00 PM
Central Standard Time, regardless of the session hosts' local time zones.
The local time zone for VMs you create using the Azure portal is set to
Coordinated Universal Time (UTC) by default. If you want to change the VM time
zone, run the Set-TimeZone PowerShell cmdlet on the VM.
To get a list of available time zones for a VM, run the Get-TimeZone PowerShell
cmdlet on the VM.
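The time zone choice above decides, for every session host, when the two-hour window actually opens. The following added PowerShell example (not code from the Microsoft page, and not the service's own scheduling logic) computes the next window in UTC for a constructed set of session hosts, once with Use session host local time on (each host's own zone) and once with it off (one pool-wide zone), using the article's Saturday 9:00 PM example. It uses only .NET time zone APIs, so it runs anywhere PowerShell runs; the Windows time zone IDs it uses are mapped automatically on Linux by .NET 6 and later.

```powershell
# Added example: turn a maintenance window (weekday + hour + time zone) into a UTC
# start/end, and compare per-host local time against a single pool time zone.

function Get-NextMaintenanceWindow {
    # Next occurrence of <DayOfWeek> at <Hour>:00 in <TimeZoneId>, as a UTC start/end pair.
    param(
        [Parameter(Mandatory)][System.DayOfWeek]$DayOfWeek,
        [Parameter(Mandatory)][ValidateRange(0, 23)][int]$Hour,
        [Parameter(Mandatory)][string]$TimeZoneId,
        [datetime]$FromUtc = [datetime]::UtcNow,
        [int]$DurationHours = 2     # Scheduled Agent Updates windows are always two hours long
    )
    $tz       = [System.TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
    $localNow = [System.TimeZoneInfo]::ConvertTimeFromUtc($FromUtc, $tz)
    $start    = [datetime]::new($localNow.Year, $localNow.Month, $localNow.Day, $Hour, 0, 0,
                                [System.DateTimeKind]::Unspecified)
    # Walk forward to the requested weekday; if today's slot has already passed, take next week's.
    while ($start.DayOfWeek -ne $DayOfWeek -or $start -le $localNow) { $start = $start.AddDays(1) }
    # Conversion honours daylight saving, so "Pacific Standard Time" yields PDT in summer.
    $startUtc = [System.TimeZoneInfo]::ConvertTimeToUtc($start, $tz)
    return [pscustomobject]@{
        TimeZone   = $TimeZoneId
        LocalStart = $start
        StartUtc   = $startUtc
        EndUtc     = $startUtc.AddHours($DurationHours)
    }
}

# Constructed pool: West US hosts on Pacific time, East US hosts on Eastern time.
$hostsByZone = @{
    'Pacific Standard Time' = @('avd-wus-01', 'avd-wus-02')
    'Eastern Standard Time' = @('avd-eus-01')
}
$window = @{ DayOfWeek = 'Saturday'; Hour = 21 }   # the article's Saturday 9:00 PM example

'Use session host local time ON: each host updates at 21:00 in its own zone'
foreach ($zone in $hostsByZone.Keys) {
    $w = Get-NextMaintenanceWindow @window -TimeZoneId $zone
    '{0,-22} {1,-24} {2:u} to {3:u}' -f $zone, ($hostsByZone[$zone] -join ','), $w.StartUtc, $w.EndUtc
}

'Use session host local time OFF, pool zone Central: one UTC window for every host'
$w = Get-NextMaintenanceWindow @window -TimeZoneId 'Central Standard Time'
'{0:u} to {1:u}' -f $w.StartUtc, $w.EndUtc

# A VM created in the portal runs on UTC. To move one host to Pacific time, run on that VM:
#   Get-TimeZone -ListAvailable | Where-Object Id -like '*Pacific*'
#   Set-TimeZone -Id 'Pacific Standard Time'
```

The first report shows the Pacific and Eastern windows three hours apart in UTC; the second collapses them into one window that is 9:00 PM only for hosts that actually sit in Central time. Check the VM clocks with `Get-TimeZone` before enabling Use session host local time: a host still on the portal default of UTC will take "9:00 PM local" literally and update in the middle of its users' working day.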
Next steps
For more information related to Scheduled Agent Updates and agent components,
check out the following resources:
Learn how to set up diagnostics for this feature at the Scheduled Agent Updates
Diagnostics guide.
Learn more about the Azure Virtual Desktop agent, side-by-side stack, and Geneva
Monitoring agent at Getting Started with the Azure Virtual Desktop Agent.
For more information about the current and earlier versions of the Azure Virtual
Desktop agent, see Azure Virtual Desktop agent updates.
If you're experiencing agent or connectivity-related issues, see the Azure Virtual
Desktop Agent issues troubleshooting guide.
Customize the feed for Azure Virtual Desktop users
Article • 08/22/2024
You can customize the feed so the RemoteApp and remote desktop resources appear in
a recognizable way for your users.
Prerequisites
If you're using either the Azure portal or PowerShell method, you'll need the following
things:
If you want to use Azure PowerShell locally, see Use Azure CLI and Azure
PowerShell with Azure Virtual Desktop to make sure you have the
Az.DesktopVirtualization PowerShell module installed. Alternatively, use the Azure
Cloud Shell.
Azure portal
Here's how to customize the display name for a published RemoteApp or desktop
using the Azure portal.
4. On the Azure Virtual Desktop page, select Application groups on the left side
of the screen, then select the name of the application group you want to edit.
7. Select Save. The application you edited should now display the updated name.
Users see the new name once their client refreshes.
1. Launch the Azure Cloud Shell in the Azure portal with the PowerShell terminal type,
or run PowerShell on your local device.
If you're using Cloud Shell, make sure your Azure context is set to the
subscription you want to use.
If you're using PowerShell locally, first Sign in with Azure PowerShell, then
make sure your Azure context is set to the subscription you want to use.
Azure PowerShell
    $parameters = @{
        HostPoolName      = 'HostPoolName'
        Name              = 'SessionHostName'
        ResourceGroupName = 'ResourceGroupName'
        FriendlyName      = 'SessionHostFriendlyName'
    }
    Update-AzWvdSessionHost @parameters
3. To get the session host friendly name, run the following command in PowerShell:
Azure PowerShell
    $sessionHostParams = @{
        HostPoolName      = 'HostPoolName'
        Name              = 'SessionHostName'
        ResourceGroupName = 'ResourceGroupName'
    }
    Get-AzWvdSessionHost @sessionHostParams | Format-List Name, FriendlyName
All host pools created in Azure Virtual Desktop are attached to session hosts and
application groups. To delete a host pool, you need to delete its associated application
groups and session hosts. Deleting an application group is fairly simple, but deleting a
session host is more complicated. When you delete a session host, you need to make
sure it doesn't have any active user sessions. All user sessions on the session host should
be logged off to prevent users from losing data.
Portal
3. Select Host pools in the menu on the left side of the page, then select the
name of the host pool you want to delete.
4. On the menu on the left side of the page, select Application groups.
5. Select all application groups in the host pool you're going to delete, then
select Remove.
6. Once you've removed the application groups, go to the menu on the left side
of the page and select Overview.
7. Select Remove.
8. If there are session hosts in the host pool you're deleting, you'll see a message
asking for your permission to continue. Select Yes.
9. The Azure portal will now remove all session hosts and delete the host pool.
The VMs related to the session host won't be deleted and will remain in your
subscription.
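The portal flow above asks only for confirmation before removing session hosts; it doesn't check for signed-in users. The added Azure PowerShell example below (not code from the Microsoft page) performs the same teardown in the order the article gives, application groups first, then session hosts, then the pool, but drains the hosts, warns any remaining users, signs them out after a grace period, and refuses to delete anything while a session is still present. Resource group, host pool name and grace period are placeholders; as in the portal, the VMs themselves are left in the subscription.

```powershell
# Added example: delete a host pool without dropping live user sessions. Names are placeholders.
Import-Module Az.DesktopVirtualization -ErrorAction Stop

$rg = 'rg-avd-prod'; $hostPool = 'hp-pooled-old'; $graceMinutes = 10   # placeholders

function Split-UserSessionName {
    # Get-AzWvdUserSession returns Name as '<hostpool>/<sessionhost>/<sessionid>'.
    param([string]$Name)
    $parts = $Name -split '/'
    return @{ SessionHost = $parts[1]; Id = $parts[2] }
}

# 1. Drain every session host so nothing new lands while you work.
$hosts = @(Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $hostPool)
foreach ($sh in $hosts) {
    $shName = ($sh.Name -split '/')[-1]
    Update-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $hostPool -Name $shName -AllowNewSession:$false | Out-Null
}

# 2. Warn whoever is still connected, wait, then sign out everything that remains
#    (disconnected sessions included, since they still hold unsaved state).
$sessions = @(Get-AzWvdUserSession -ResourceGroupName $rg -HostPoolName $hostPool)
foreach ($s in $sessions) {
    $ref = Split-UserSessionName $s.Name
    Send-AzWvdUserSessionMessage -ResourceGroupName $rg -HostPoolName $hostPool `
        -SessionHostName $ref.SessionHost -UserSessionId $ref.Id `
        -MessageTitle 'Host pool retirement' `
        -MessageBody "Save your work now; this desktop signs out in $graceMinutes minutes."
}
if ($sessions.Count -gt 0) { Start-Sleep -Seconds ($graceMinutes * 60) }
foreach ($s in @(Get-AzWvdUserSession -ResourceGroupName $rg -HostPoolName $hostPool)) {
    $ref = Split-UserSessionName $s.Name
    Remove-AzWvdUserSession -ResourceGroupName $rg -HostPoolName $hostPool `
        -SessionHostName $ref.SessionHost -Id $ref.Id -Force
}
$remaining = @(Get-AzWvdUserSession -ResourceGroupName $rg -HostPoolName $hostPool)
if ($remaining.Count -gt 0) { throw "$($remaining.Count) user session(s) still present; not deleting $hostPool" }

# 3. Application groups that point at this pool, then the session host registrations, then the pool.
Get-AzWvdApplicationGroup -ResourceGroupName $rg |
    Where-Object { $_.HostPoolArmPath -like "*/hostPools/$hostPool" } |
    ForEach-Object { Remove-AzWvdApplicationGroup -ResourceGroupName $rg -Name $_.Name }
foreach ($sh in $hosts) {
    Remove-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $hostPool -Name (($sh.Name -split '/')[-1]) -Force
}
Remove-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool
```

Removing a session host here only deletes its registration with the service; the VM keeps running and still has the agent installed, so decommission or re-register it separately, and remove any Desktop Virtualization User role assignments that pointed at the deleted application groups.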
Next steps
To learn how to create a host pool, check out these articles:
Create a host pool with the Azure portal
Create a host pool with PowerShell
To learn how to configure host pool settings, check out these articles:
Microsoft Intune
Microsoft Intune can manage your Microsoft Entra joined and Microsoft Entra hybrid
joined session hosts. To learn more about using Intune to manage Windows 11 and
Windows 10 single session hosts, see Using Azure Virtual Desktop with Intune.
For Windows 11 and Windows 10 multi-session hosts, Intune supports both device-
based configurations and user-based configurations on Windows 11 and Windows 10.
User-scope configuration on Windows 10 requires the update March 2023 Cumulative
Update Preview (KB5023773) and OS version 19042.2788, 19044.2788, 19045.2788 or
later. To learn more about using Intune to manage multi-session hosts, see Using Azure
Virtual Desktop multi-session with Intune.
Note
Managing Azure Virtual Desktop session hosts using Intune is currently supported
in the Azure Public and Azure Government clouds.
Licensing
Microsoft Intune licenses are included with most Microsoft 365 subscriptions.
Azure Virtual Desktop is a desktop and app virtualization service that runs on Microsoft
Azure. It lets end users connect securely to a full desktop from any device. With
Microsoft Intune, you can secure and manage your Azure Virtual Desktop VMs with
policy and apps at scale, after they're enrolled.
Prerequisites
Currently, for single-session, Intune supports Azure Virtual Desktop VMs that are:
For more information on Azure Virtual Desktop licensing requirements, see What is
Azure Virtual Desktop?.
For information about working with multi-session remote desktops, see Windows 10 or
Windows 11 Enterprise multi-session remote desktops.
Intune treats Azure Virtual Desktop personal VMs the same as Windows 10 or Windows
11 Enterprise physical desktops. This treatment lets you use some of your existing
configurations and secure the VMs with compliance policy and conditional access.
Intune management doesn't depend on or interfere with Azure Virtual Desktop
management of the same virtual machine.
Limitations
There are some limitations to keep in mind when managing Windows 10 Enterprise
remote desktops:
Configuration
All VM limitations listed in Using Windows 10 virtual machines also apply to Azure
Virtual Desktop VMs.
Domain Join
Wi-Fi
Note
Configuration and compliance policies for Secure Boot and features leveraging
vTPM (Virtual Trusted Platform Module) are not supported at this time for Azure
Virtual Desktop VMs.
Remote actions
The following Windows 10 desktop device remote actions aren't
supported/recommended for Azure Virtual Desktop VMs:
Autopilot reset
BitLocker key rotation
Fresh Start
Remote lock
Reset password
Wipe
Retirement
Deleting VMs from Azure leaves orphaned device records in Intune. They'll be
automatically cleaned up according to the cleanup rules configured for the tenant.
Known issues
The following table provides a set of known issues along with more information about
each issue.
Issue: Can't auto-enroll if the tenant has more than one MDM provider.
    Details: This issue will be fixed in the future.
Issue: Modern apps, such as Universal Windows Platform (UWP) apps, aren't working
correctly if FSLogix is configured.
    Details: Using FSLogix and Modern apps could cause compatibility issues. We
    recommend that you don't configure Modern apps when FSLogix is configured.
Next steps
Learn more about Azure Virtual Desktops.
Use Azure Virtual Desktop multi-session with Intune
Azure Virtual Desktop multi-session with Microsoft Intune is now generally available.
You can now use Microsoft Intune to manage Windows 10 or Windows 11 Enterprise
multi-session remote desktops in the Microsoft Intune admin center just as you can
manage a shared Windows 10 or Windows 11 client device. When managing such virtual
machines (VMs), you'll be able to use both device-based configuration targeted to
devices or user-based configuration targeted to users.
You can manage Windows 10 and Windows 11 Enterprise multi-session VMs created in
Azure Government Cloud in US Government Community (GCC), GCC High, and DoD.
Important
Microsoft Intune support for Azure Virtual Desktop multi-session is not currently
available for Citrix DaaS and VMware Horizon Cloud. Because Intune cannot offer
support for Citrix DaaS, review the Citrix documentation, and be aware of Citrix
support options for multi-session support. All questions, concerns or help should
be directed to Citrix for multi-session support. See Citrix support.
Overview
Device configuration support in Microsoft Intune for Windows 10 or Windows 11
Enterprise multi-session is generally available (GA). This means policies defined in the
OS scope and apps configured to install in the system context can be applied to Azure
Virtual Desktop multi-session VMs when assigned to device groups.
Note
Device-based configuration cannot be assigned to users and user-based
configuration cannot be assigned to devices. It will be reported as Error or Not
applicable.
Configure user scope policies using Settings catalog and assign to groups of
users. You can use the search bar to search all configurations with scope set to
"user".
Configure PowerShell scripts to install in the user context and assign to users.
Prerequisites
This feature supports Windows 10 or Windows 11 Enterprise multi-session VMs, which
are:
Limitations
Intune does not support using a cloned image of a computer that is already enrolled.
This includes both physical and virtual devices such as Azure Virtual Desktop (AVD).
When device enrollment or identity tokens are replicated between devices, Intune
device enrollment or synchronization failures will occur.
Note
If you're joining session hosts to Microsoft Entra Domain Services, you can't
manage them using Intune.
Important
If you're using Windows 10, versions 2004, 20H2, or 21H1 builds, make sure
that you install the July 2021 Windows Update or a later Windows update.
Otherwise, remote actions in the Microsoft Intune admin center, like remote
sync, won't work correctly. As a result, pending policies assigned to devices
might take up to 8 hours to be applied.
Intune does not currently support token roaming functionality between
devices. If FSLogix, or a similar technology, is used to manage Windows user
profiles and settings, you must ensure that tokens are not unexpectedly
roamed or duplicated across devices. To confirm that you are running a
supported version and configuration of FSLogix with token roaming disabled,
please see the FSLogix RoamIdentity Configuration Settings Reference.
The existing device configuration profile templates aren't supported for Windows 10 or
Windows 11 Enterprise multi-session VMs, except for the following templates:
Trusted certificate - Device (machine) when targeting devices and User when
targeting users
SCEP certificate - Device (machine) when targeting devices and User when
targeting users
PKCS certificate - Device (machine) when targeting devices and User when
targeting users
VPN - Device Tunnel only
To configure policies
1. Sign in to the Microsoft Intune admin center and choose Devices > By platform
> Windows > Manage devices > Configuration > Create > New Policy.
2. For Platform, select Windows 10 and later.
3. For Profile type, select Settings catalog, or, when deploying settings by using a
template, select Templates and then the name of the supported template.
4. Select Create.
5. On the Basics page, provide a Name and (optionally) Description > Next.
6. On the Configuration settings page, select Add settings.
7. Under Settings picker, select Add filter and select the following options:
Key: OS edition
Operator: ==
Value: Enterprise multi-session
Select Apply. The filtered list now shows all configuration profile categories
that support Windows 10 or Windows 11 Enterprise multi-session. The scope
for a policy is shown in parentheses. For user scope it shows as (User) and all
the rest are policies with device scope.
8. From the filtered list, pick the categories that you want.
For each category you pick, select the settings that you want to apply to your
new configuration profile.
For each setting, select the value that you want for this configuration profile.
Administrative templates
Windows 10 or Windows 11 Administrative Templates are supported for Windows 10 or
Windows 11 Enterprise multi-session via the Settings catalog with some limitations:
ADMX-backed policies are supported. Some policies aren't yet available in the
Settings catalog.
ADMX-ingested policies are supported, including Office and Microsoft Edge
settings available in Office administrative template files and Microsoft Edge
administrative template files. For a complete list of ADMX-ingested policy
categories, see Win32 and Desktop Bridge app policy configuration. Some ADMX
ingested settings won't be applicable to Windows 10 or Windows 11 Enterprise
multi-session.
To list supported Administrative Templates, you'll need to use the filter in Settings
catalog.
Important
You'll need to create a new compliance policy and target it to the device group
containing your multi-session VMs. User-targeted compliance configurations aren't
supported.
Conditional Access policies support both user and device based configurations for
Windows 10 or Windows 11 Enterprise multi-session.
Note
Configuration and compliance policies for BitLocker, Secure Boot, and features
leveraging vTPM (Virtual Trusted Platform Module) are not supported at this time
for Azure Virtual Desktop VMs.
Endpoint security
You can configure profiles under Endpoint security for multi-session VMs by selecting
Platform Windows 10, Windows 11, and Windows Server. If that Platform is not
available, the profile is not supported on multi-session VMs.
For more information, see Manage device security with endpoint security policies in
Microsoft Intune.
Application deployment
All Windows 10 or Windows 11 apps can be deployed to Windows 10 or Windows 11
Enterprise multi-session with the following restrictions:
Script deployment
Scripts configured to run in the system context and assigned to devices are supported
on Windows 10 or Windows 11 Enterprise multi-session. This can be configured under
Script settings by setting Run this script using the logged on credentials to No.
Scripts configured to run in the user context and assigned to users are supported on
Windows 10 and Windows 11 Enterprise multi-session. This can be configured under
Script settings by setting Run this script using the logged on credentials to Yes.
The following settings are available in the catalog, with the links opening the Windows
CSP documentation:
Remote actions
The following Windows 10 or Windows 11 desktop device remote actions aren't
supported and will be grayed out in the UI and disabled in Graph for Windows 10 or
Windows 11 Enterprise multi-session VMs:
Autopilot reset
BitLocker key rotation
Fresh Start
Remote lock
Reset password
Wipe
Retirement
Deleting VMs from Azure will leave orphaned device records in the Microsoft Intune
admin center. They'll be automatically cleaned up according to the cleanup rules
configured for the tenant.
Security baselines
Security baselines aren't available for Windows 10 or Windows 11 Enterprise multi-session
at this time. We recommend that you review the Available security baselines and
configure the recommended policies and values in the Settings catalog.
Additional configurations that aren't supported on Windows 10 or Windows 11 Enterprise multi-session VMs
Out of Box Experience (OOBE) enrollment isn't supported for Windows 10 or Windows 11
Enterprise multi-session. This restriction means that:
Troubleshooting
The following sections provide troubleshooting guidance for common issues.
Enrollment issues
Issue: Enrollment of Microsoft Entra joined virtual machine fails
Detail: The Azure Virtual Desktop agent you're using isn't updated. The agent must be version 1.0.2944.1400 or above.
Detail: Azure Virtual Desktop host pool wasn't created through the Azure Resource Manager template.
Configuration issues
Issue: Settings catalog policy fails
Detail: Confirm the VM is enrolled using device credentials. Enrollment with user credentials isn't currently supported for Windows 10 or Windows 11 Enterprise multi-session.
Issue: Configuration policy didn't apply
Detail: Templates (except for Certificates) aren't supported on Windows 10 or Windows 11 Enterprise multi-session. All policies must be created via the settings catalog.
Issue: Configuration policy reports as Not applicable
Detail: Some policies aren't applicable to Azure Virtual Desktop VMs.
Issue: Microsoft Edge/Microsoft Office ADMX policy doesn't show up when I apply the filter for Windows 10 or Windows 11 Enterprise multi-session edition
Detail: Applicability for these settings isn't based on the Windows version or edition but on whether those apps have been installed on the device. To add these settings to your policy, you may have to remove any filters applied in the settings picker.
Issue: App configured to install in system context didn't apply
Detail: Confirm the app doesn't have a dependency or supersedence relationship on any apps configured to install in user context. User context apps aren't currently supported on Windows 10 or Windows 11 Enterprise multi-session.
Issue: Update rings for Windows 10 and later policy didn't apply
Detail: Windows update rings policies aren't currently supported. Quality updates can be managed via settings available in the settings catalog.
Next steps
Learn more about Azure Virtual Desktops.
Azure Virtual Desktop session hosts running Windows 10 Enterprise multi-session and
Windows 11 Enterprise multi-session can be grouped together in Microsoft
Configuration Manager to automatically apply updates. A collection is created based on
a query which you can then use as the target collection for a servicing plan.
You can update Windows 10 Enterprise multi-session and Windows 11 Enterprise multi-session
with the corresponding Windows client updates. For example, you can update
Windows 10 Enterprise multi-session, version 21H2 by installing the client updates for
Windows 10, version 21H2.
Prerequisites
To create this query-based collection, you'll need to do the following:
Make sure you've installed the Microsoft Configuration Manager Agent on your
session host virtual machines (VMs) and they're assigned to a site in Configuration
Manager.
Make sure your version of Microsoft Configuration Manager is at least on branch
level 1910 for Windows 10, or 2107 for Windows 11.
Tip
The operating system SKU for Windows 10 Enterprise multi-session and Windows
11 Enterprise multi-session is 175. You can use PowerShell to find the operating
system SKU by running the following command:
PowerShell
2. Go to Overview > Device Collections and right-click Device collections and select
Create Device Collection from the drop-down menu.
3. In the General tab of the menu that opens, enter a name that describes your
collection in the Name field. In the Comment field, you can give additional
information describing what the collection is. In Limiting Collection, define which
machines you're including in the collection query.
4. In the Membership Rules tab, add a rule for your query by selecting Add Rule,
then selecting Query Rule.
5. In Query Rule Properties, enter a name for your rule, then define the parameters
of the rule by selecting Edit Query Statement.
WQL
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_OPERATING_SYSTEM.OperatingSystemSKU = 175
9. To check if you successfully created the collection, go to Assets and Compliance >
Overview > Device Collections.
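The following script is an added example, not code from the article or from Microsoft: it builds the same query-based device collection with the ConfigurationManager PowerShell module instead of the console, using the WQL statement and the SKU value (175) from the steps above. The site code 'PS1', site server 'cm01.contoso.com' and collection name are placeholders; the Test-MultiSessionSku helper is a hypothetical local check that reads the SKU the Tip refers to.

```powershell
# Added example (not from the original article): create the ConfigMgr device collection for
# Windows 10/11 Enterprise multi-session session hosts from PowerShell.
# Placeholders: site code 'PS1', site server 'cm01.contoso.com'. Run from a machine with the
# Configuration Manager console installed (it ships the ConfigurationManager module).
[CmdletBinding()]
param(
    [string]$SiteCode = 'PS1',
    [string]$SiteServer = 'cm01.contoso.com',
    [string]$CollectionName = 'AVD - Windows Enterprise multi-session',
    [string]$LimitingCollectionName = 'All Systems'
)

# Operating system SKU reported by Windows 10/11 Enterprise multi-session (see the Tip above).
$MultiSessionSku = 175

# Same WQL statement as in step 5; whitespace is not significant to the query engine.
$Query = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_OPERATING_SYSTEM
    on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_OPERATING_SYSTEM.OperatingSystemSKU = $MultiSessionSku
"@

# Hypothetical helper: run on a session host to confirm the SKU that hardware inventory will report.
function Test-MultiSessionSku {
    $sku = (Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU
    return ([int]$sku -eq $MultiSessionSku)
}

# Load the module from the console install directory and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1') -ErrorAction Stop
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Push-Location "$($SiteCode):"
try {
    # Steps 2 and 3: create the collection once; re-running the script is safe.
    $collection = Get-CMDeviceCollection -Name $CollectionName
    if (-not $collection) {
        $collection = New-CMDeviceCollection -Name $CollectionName `
            -LimitingCollectionName $LimitingCollectionName `
            -RefreshType Periodic `
            -Comment 'Azure Virtual Desktop session hosts running Windows Enterprise multi-session (OS SKU 175)'
    }

    # Steps 4 and 5: the query membership rule.
    $ruleName = 'OS SKU 175 (Enterprise multi-session)'
    if (-not (Get-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName -RuleName $ruleName)) {
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
            -RuleName $ruleName -QueryExpression $Query
    }

    # Step 9: confirm the collection exists and see how many members it has after evaluation.
    Get-CMDeviceCollection -Name $CollectionName |
        Select-Object Name, MemberCount, LimitToCollectionName, LastRefreshTime
}
finally {
    Pop-Location
}
```

MemberCount stays at 0 until the collection's membership evaluation runs and hardware inventory has reported the OperatingSystemSKU for the session hosts.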
For more information about deploying software updates with Microsoft Configuration
Manager, see Deploy software updates. For the steps to create an ADR, see
Automatically deploy software updates.
Drain session hosts for maintenance in
Azure Virtual Desktop
Article • 08/22/2024
Drain mode enables you to isolate a session host when you want to perform
maintenance without disruption to service. When a session host is set to drain, it won't
accept new user sessions. Any new connections will be redirected to the next available
session host. Existing connections to the session host will remain active until the user
signs out or an administrator ends the session. Once there aren't any sessions remaining
on the session host, you can perform the maintenance you need. Administrators can still
remotely connect to the server directly without going through the Azure Virtual Desktop
service.
This article shows you how to drain session hosts using the Azure portal or Azure
PowerShell.
Prerequisites
To drain session hosts, you need:
An Azure account assigned the Desktop Virtualization Session Host Operator role.
If you want to use Azure PowerShell locally, see Use Azure CLI and Azure
PowerShell with Azure Virtual Desktop to make sure you have the
Az.DesktopVirtualization PowerShell module installed. Alternatively, use the Azure
Cloud Shell.
Azure portal
To enable drain mode for a session host and block new sessions in the Azure portal:
3. From the Azure Virtual Desktop overview page, select Host pools.
4. Select the host pool that contains the session host you want to drain, then
select Session hosts.
5. Check the box next to the session host you want to enable drain mode, then
select Turn drain mode on.
6. When you're ready to allow new connections to the session host, check the
box next to the session host you want to disable drain mode, then select Turn
drain mode off.
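The same workflow with the Az.DesktopVirtualization module, as an added example that is not part of the original article: enable drain mode, wait until no user sessions remain before touching the host, then allow new sessions again. It assumes you have already run Connect-AzAccount; the resource group 'rg-avd', host pool 'hp-pooled' and session host 'vm1-0.contoso.com' are placeholders.

```powershell
# Added example (not from the original article): drain a session host for maintenance with
# Az.DesktopVirtualization. Placeholders: 'rg-avd', 'hp-pooled', 'vm1-0.contoso.com'
# (the session host name as listed under the host pool). Run Connect-AzAccount first.

function Set-AvdDrainMode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$HostPoolName,
        [Parameter(Mandatory)] [string]$SessionHostName,
        [Parameter(Mandatory)] [bool]$Enabled
    )
    # Drain mode on means AllowNewSession off. Existing sessions are left untouched,
    # which is the behaviour described above.
    Update-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName `
        -Name $SessionHostName -AllowNewSession:(-not $Enabled) | Out-Null
    # Read the setting back instead of trusting that the update call succeeded.
    $sh = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName -Name $SessionHostName
    return ($sh.AllowNewSession -eq (-not $Enabled))
}

function Wait-AvdSessionHostIdle {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$HostPoolName,
        [Parameter(Mandatory)] [string]$SessionHostName,
        [int]$TimeoutMinutes = 120,
        [int]$PollSeconds = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $sessions = @(Get-AzWvdUserSession -ResourceGroupName $ResourceGroupName `
            -HostPoolName $HostPoolName -SessionHostName $SessionHostName)
        if ($sessions.Count -eq 0) { return $true }
        Write-Verbose ("{0} session(s) still active on {1}; waiting {2}s" -f $sessions.Count, $SessionHostName, $PollSeconds)
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    # Sessions remain after the window: keep drain mode on and let the operator decide whether
    # to notify users or end sessions (Remove-AzWvdUserSession) before starting maintenance.
    return $false
}

$target = @{
    ResourceGroupName = 'rg-avd'
    HostPoolName      = 'hp-pooled'
    SessionHostName   = 'vm1-0.contoso.com'
}

if (-not (Set-AvdDrainMode @target -Enabled $true)) {
    throw "Failed to enable drain mode on $($target.SessionHostName)"
}

if (Wait-AvdSessionHostIdle @target -TimeoutMinutes 120 -Verbose) {
    # The session host is empty: perform maintenance here, then allow new sessions again.
    Set-AvdDrainMode @target -Enabled $false | Out-Null
}
else {
    Write-Warning "Sessions still present on $($target.SessionHostName); drain mode left enabled."
}
```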
Important
Session host update for Azure Virtual Desktop is currently in PREVIEW. See the
Supplemental Terms of Use for Microsoft Azure Previews for legal terms that
apply to Azure features that are in beta, preview, or otherwise not yet released into
general availability.
Session host update enables you to update the underlying virtual machine (VM) disk
type, operating system (OS) image, and other configuration properties of all session
hosts in a host pool with a session host configuration. Session host update deallocates
or deletes the existing virtual machines and creates new ones that are added to your
host pool with the updated configuration. This method of updating session hosts aligns
with the recommendation of managing updates within the core source image, rather
than distributing and installing updates to each session host individually on an ongoing
repeated schedule to keep them up to date.
Here are the changes you can make when performing an update:
After you complete an update of your session hosts using session host update, all
session hosts in a host pool are standardized with the changes you specified. Other
Azure properties of the session hosts, such as the availability configuration, network
configuration, and location, are persisted across updates.
Update process
You can specify the number of session hosts in a host pool to update concurrently,
known as a batch. This value is the maximum number of session hosts that are
unavailable at a time during the update and all remaining session hosts are available to
use. When an update starts, only one session host is targeted (known as the initial) to
test that the end-to-end update process is successful before moving on to updating the
rest of the session hosts in the pool in batches. This approach minimizes the impact if a
failure occurs.
Here's an example: if you have a host pool with 10 session hosts and you enter a batch
size of three, a single session host (the initial) is updated, then the remaining session
hosts are updated in three batches of three session hosts. At any point after the initial
session host completes its update, there are a minimum of seven session hosts available
for use in the host pool.
1. Existing session hosts are selected based upon their name, and the size of the
batch previously specified. A notification specified by the admin is sent out to any
connected users, then the service waits the duration also specified earlier before
signing out any remaining users.
2. The selected session hosts are placed into drain mode, then removed from the
host pool. The computer account for session hosts joined to an Active Directory
domain isn't deleted.
3. The same number of new session hosts are created using the updated session host
configuration. The new Azure resources for the VM, OS disk, and network interface
are in the format SessionHostName-DateTime, for example, an existing VM called
VM1-0 is replaced with a new VM called VM1-0-2023-04-15T17-16-07. The hostname
of the operating system isn't changed. These new session hosts are joined to your
directory using Azure VM extensions.
4. The new session hosts are joined to the existing host pool and drain mode is
disabled, and the session hosts can accept connections.
5. The original VMs are either deallocated or deleted, depending upon whether you
chose to save the original VMs.
There can only be one session host update operation running or scheduled in a single
host pool at a time. However, you can have session host update operations running on
multiple host pools at the same time.
The existing power state and drain mode of session hosts is honored. You can perform
an update on a host pool where all the session hosts are deallocated to save costs.
Important
If you use Azure Virtual Desktop Insights, the Azure Monitor agent or Log
Analytics agent isn't automatically installed on the updated session hosts. To
install the agent automatically, here are some options:
For the Azure Monitor agent, you can use Azure Policy.
For the Log Analytics agent, you can use Azure Automation.
We recommend that you test the update process on a test host pool aligned
to the host pool you want to update. This will test the update process itself
and also the result of a new VM with the same name as the previous VM
within your environment. It's also important to test that any updates, such as
new applications or hotfixes, work as expected within your environment
before updating a production host pool.
As session host update creates new virtual machines, it needs to join them to a
directory. You must use the same directory as the existing VMs. You can't change the
directory during an update.
Any customizations, such as files, registry keys, or certificates that were added manually
to session hosts, aren't present after the update is complete. You can't update session
hosts in the pool individually, so you should either add these customizations into the
image itself, ensure the customizations are applied by configuration management tools
such as Intune or Group Policy, or add these customizations to the custom configuration
PowerShell script in the session host configuration.
During an update with session hosts joined to Active Directory, computer objects aren't
deleted. This means that there are temporarily orphaned computer objects within Active
Directory. When the new virtual machine is joined to the domain, it uses the original
host name and inherits the orphaned computer object. If you change the domain, you
need to remove the orphaned computer objects from the previous domain.
Group Policy objects (GPOs) are used to apply policy to session hosts and are typically
applied at the OU level in the Active Directory domain. However, there might be some
application/filtering done using computer objects or group objects. As the new VMs
inherit the orphaned computer objects, existing GPOs still apply. You should ensure that
existing GPOs still apply if you change the OU membership as part of the update
process.
New connections are directed to session hosts that are updated to avoid them signing
in to a session host that will be updated imminently, only for them to be notified to sign
out again. However, at the beginning of an update there aren't any newly updated
session hosts, so users who were asked to sign out and recently signed in to session
hosts yet to be updated are notified to sign out again.
With only a reduced number of session hosts available, you should schedule an update
at an appropriate time for your business to minimize disruption to end users.
Session host update is only available in the global Azure cloud. It isn't available in
other clouds, such as Azure US Government or Azure operated by 21Vianet.
For session hosts that were created from an Azure Compute Gallery shared image
that has a purchase plan, the plan isn't retained when the session hosts are
updated. To check whether the image you use for your session hosts has a
purchase plan, you can use Azure PowerShell or Azure CLI.
Session host update currently requires access to the public Azure Storage endpoint
wvdhpustgr0prod.blob.core.windows.net to deploy the RDAgent. Until this is
migrated to a required endpoint for Azure Virtual Desktop, session hosts that can't
access wvdhpustgr0prod.blob.core.windows.net fail to be updated with the error
CustomerVmNoAccessToDeploymentPackageException.
The size of the OS disk can't be changed during an update. The update service
defaults to the same size as defined by the gallery image.
If an update fails, the host pool can't be deleted until the update is canceled.
The update progress only changes when a session host has updated. As an
example, in a host pool with 10 session hosts, while the first session host is being
updated the progress shows as 0.00%. This only moves to 10% once the first
session host has updated.
If you decide to create an image that is taken from an existing session host that
you then use as the source image for your session host update, you need to delete
the C:\packages\plugin folder before creating the image. Otherwise this folder
prevents the DSC extension that joins the updated virtual machines to the host
pool from running.
If you use Azure Virtual Desktop Insights, the Azure Monitor agent or Log Analytics
agent isn't automatically installed on the updated session hosts. To install the
agent automatically, here are some options:
For the Azure Monitor agent, you can use Azure Policy.
For the Log Analytics agent, you can use Azure Automation.
Manually add these new session hosts from within Azure Virtual Desktop
Insights in the Azure portal.
Modifying a session host configuration in a host pool with no session hosts at the
same time a session host is being created can result in a host pool with
inconsistent session host properties and should be avoided.
Updates with large batch sizes can result in intermittent failures with the error code
AgentRegistrationFailureGeneric. If this occurs for a subset of session hosts being
Important
Session host update for Azure Virtual Desktop is currently in PREVIEW. See the
Supplemental Terms of Use for Microsoft Azure Previews for legal terms that
apply to Azure features that are in beta, preview, or otherwise not yet released into
general availability.
When you want to update session hosts in a host pool with a session host configuration,
you use session host update. Session host update enables you to update the underlying
virtual machine (VM) image, size, disk type, and other configuration properties. During
an update, the existing virtual machines are deleted or deallocated, and new ones are
created with the updated configuration stored in the session host configuration. The
update also uses the values from the session host management policy to determine how
session hosts should get updated.
This article shows you how to update a host pool's session host configuration, update
the session hosts in that pool, and how to monitor the progress of an update using the
Azure portal and Azure PowerShell.
To learn more about how session host update works, see Session host update.
Prerequisites
Before you update session hosts using session host update, you need:
An existing pooled host pool with a session host configuration with session hosts
that are all in the same Azure region and resource group. Personal host pools
aren't supported.
The new image must be supported for Azure Virtual Desktop and match the
generation of virtual machine. If you're using Trusted launch virtual machines or
Confidential virtual machines, your image must be for generation 2 VMs. It can be
from:
Azure Marketplace.
An existing Azure Compute Gallery shared image. We recommend having at
least two replicas of the image you use.
An existing managed image.
Remove any resource locks on session hosts or the resource group they're in.
Assign the Azure Virtual Desktop service principal the Desktop Virtualization
Virtual Machine Contributor role-based access control (RBAC) role on the
resource group or subscription with the host pools and session hosts you want to
use with session host update. For more information, see Assign Azure RBAC roles
or Microsoft Entra roles to the Azure Virtual Desktop service principals.
An Azure account you use to configure session host update with the following
Azure RBAC roles to update the following resource types. You can also use another
built-in role that includes the same permissions, or create a custom role.
You can only join session hosts to an Active Directory domain. Joining session
hosts to Microsoft Entra ID isn't supported, but you can use Microsoft Entra hybrid
join.
If you're joining session hosts to a Microsoft Entra Domain Services domain, you
need to be a member of the AAD DC Administrators group.
If you're joining session hosts to an Active Directory Domain Services (AD DS)
domain, you need to use an account with more permissions than typically
required for joining a domain because the new OS image reuses the existing
computer object. The permissions and properties in the following table need to
be applied to the account on the Organizational Unit (OU) containing your
session hosts:
Beginning with KB5020276, further protections were introduced for the reuse
of computer accounts in an Active Directory domain. To successfully reuse the
existing computer object for the session host, either:
The user account joining the session host to the domain is the creator of the
existing computer account.
The computer account was created by a member of the domain
administrators security group.
Apply the Group Policy setting Domain controller: Allow computer account
re-use during domain join to the owner of the computer account. For more
A key vault containing the secrets you want to use for your virtual machine local
administrator account credentials and, if you're joining session hosts to an Active
Directory domain, your domain join account credentials. You need one secret for
each username and password. The virtual machine local administrator password
must meet the password requirements when creating a VM.
You need to provide the Azure Virtual Desktop service principal the ability to
read the secrets. Your key vault can be configured to use either:
The Azure RBAC permission model with the role Key Vault Secrets User
assigned to the Azure Virtual Desktop service principal.
An access policy with the Get secret permission assigned to the Azure Virtual
Desktop service principal.
The key vault must allow Azure Resource Manager for template deployment.
See Assign Azure RBAC roles or Microsoft Entra roles to the Azure Virtual Desktop
service principals to make sure you're using the correct service principal.
For any custom configuration PowerShell scripts you specify in the session host
configuration to run after an update, the URL to the script must be resolvable from
the public internet.
If you want to use Azure PowerShell locally, see Use Azure CLI and Azure
PowerShell with Azure Virtual Desktop to make sure you have the
Az.DesktopVirtualization PowerShell module installed. Alternatively, use the Azure
Cloud Shell.
Azure PowerShell cmdlets for Azure Virtual Desktop that support session host
update are in preview. You need to download and install the preview version of the
Az.DesktopVirtualization module to use these cmdlets, which are added in
version 5.3.0.
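The key vault prerequisite above is the one most often misconfigured, so here is an added example (not code from the article or from Microsoft) that grants the Azure Virtual Desktop service principal the Key Vault Secrets User role on the vault only, under the RBAC permission model, and enables the vault for Azure Resource Manager template deployment. It assumes Connect-AzAccount has been run; the vault 'kv-avd-sessionhosts' and resource group 'rg-avd' are placeholders, and the service principal is looked up by display name, which you should verify against the service principals article the page refers to.

```powershell
# Added example (not from the original article): prepare a key vault for session host update.
# Placeholders: vault 'kv-avd-sessionhosts' in resource group 'rg-avd'. Run Connect-AzAccount first.

function Grant-AvdKeyVaultSecretsAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$VaultName,
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        # Display name of the first-party Azure Virtual Desktop service principal in the tenant.
        # Verify it against the "Assign Azure RBAC roles ... service principals" article.
        [string]$ServicePrincipalDisplayName = 'Azure Virtual Desktop'
    )

    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName -ErrorAction Stop

    # Resolve the service principal and refuse to continue if the name is ambiguous.
    $sp = @(Get-AzADServicePrincipal -DisplayName $ServicePrincipalDisplayName)
    if ($sp.Count -ne 1) {
        throw "Expected exactly one service principal named '$ServicePrincipalDisplayName', found $($sp.Count)."
    }

    # Least privilege: Key Vault Secrets User (read secret values) scoped to this vault only,
    # rather than a broader role or a resource-group or subscription scope.
    $roleName = 'Key Vault Secrets User'
    $existing = Get-AzRoleAssignment -ObjectId $sp[0].Id -RoleDefinitionName $roleName -Scope $vault.ResourceId
    if (-not $existing -and $PSCmdlet.ShouldProcess($vault.VaultName, "Assign '$roleName' to $($sp[0].DisplayName)")) {
        New-AzRoleAssignment -ObjectId $sp[0].Id -RoleDefinitionName $roleName -Scope $vault.ResourceId | Out-Null
    }

    # Session host update deploys through ARM templates, so the vault must allow template deployment.
    if (-not $vault.EnabledForTemplateDeployment -and $PSCmdlet.ShouldProcess($vault.VaultName, 'Enable for template deployment')) {
        Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName -EnabledForTemplateDeployment
    }

    # Re-read the vault and return a summary the caller can check before scheduling an update.
    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    [pscustomobject]@{
        Vault               = $vault.VaultName
        RbacEnabled         = $vault.EnableRbacAuthorization
        ServicePrincipalId  = $sp[0].Id
        SecretsUserAssigned = [bool](Get-AzRoleAssignment -ObjectId $sp[0].Id -RoleDefinitionName $roleName -Scope $vault.ResourceId)
        TemplateDeployment  = $vault.EnabledForTemplateDeployment
    }
}

Grant-AvdKeyVaultSecretsAccess -VaultName 'kv-avd-sessionhosts' -ResourceGroupName 'rg-avd'
```

If the vault uses the access policy model instead of RBAC, replace the role assignment with an access policy granting only the Get secret permission to the same service principal, as the prerequisite list describes.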
To schedule an update for your session hosts, select the relevant tab for your scenario
and follow the steps.
Important
During an update, the number of available session hosts for user sessions is
reduced and any logged on users will be asked to log off. We recommend you
schedule an update during less busy periods to minimize disruption to end
users.
If you use a custom network security group (NSG) for the session hosts you
want to update, there's a known issue where you can't start an update using
the Azure portal. To work around this issue, use Azure PowerShell to start the
update.
Azure portal
Here's how to schedule a new update for your session hosts using the Azure portal.
Tip
When you schedule an update using the Azure portal, values are populated
from the session host configuration. If this is the first update and a session
host configuration hasn't already been created, the portal shows the default
session host configuration until the session host configuration is created. Any
changes you make to the session host configuration during an update will be
saved.
If you edit the session host configuration using the Azure portal, you have to
schedule an update.
2. In the search bar, enter Azure Virtual Desktop and select the matching service
entry.
3. Select Host pools, then select the host pool with a session host configuration
that you want to update.
5. If you want to review the session host configuration before you schedule an
update, select Manage session host configuration, then View. Once you
review the session host configuration, select Cancel.
6. To schedule a new update, select Manage session host update, then select
New update. Alternatively, select Manage session host configuration, then
Edit.
Parameter: Enable saving original virtual machines after the update
Value/Description: Useful in rollback scenarios, but normal costs apply for storing the original VM's components.
Parameter: Current host pool size (read-only)
Value/Description: The number of session hosts in your host pool.
Parameter: VM batch size authorized to be
Value/Description: The maximum number of session hosts that are updated at a time.
Parameter: Session hosts available during the update (read-only)
Value/Description: The minimum number of session hosts that are available for user sessions during the update.
8. On the Session hosts tab, you can optionally update the following parameters
in your session host configuration:
Parameter: Image
Value/Description: Select the OS image you want to use from the list, or select See all images to see more, including any custom images you created and stored as an Azure Compute Gallery shared image or a managed image.
Parameter: Virtual machine size
Value/Description: Select a recommended SKU from the list. If you want to use a different SKU, select See all sizes, then select from the list.
Parameter: OS disk type
Value/Description: Select the disk type to use for your session hosts. We recommend you use Premium SSD for production workloads.
Domain to join:
Parameter: Select which directory you would like to join
Value/Description: Select Active Directory, then select the key vault that contains the secrets for the username and password for the domain join account.
Parameter: Virtual Machine Administrator account
Value/Description: Complete the relevant parameters by selecting the key vault and secret for the username and password for the local administrator account of the updated session host VMs. The username and password must meet the requirements for Windows VMs in Azure.
Parameter: Custom configuration
Once you review or finish making changes to the session host configuration,
select Next: Schedule.
9. On the Schedule tab, either check the box to Schedule update now, or select
a date, time, and time zone that you want the update to start, up to a
maximum of two weeks from the current time.
Parameter: Minutes before the users are signed out
Value/Description: The amount of time to wait after the update start time for users to be notified to sign out. This value is configurable between 0 and 60 minutes. Users will automatically be logged off after this elapsed time.
Parameter: Sign out message
Value/Description: A message you can specify to inform users that the session host they're using is about to start updating.
12. Select Update to schedule the update. When you view the list of session hosts,
the column Current Version shows the timestamp of the version of the session
host configuration that the session host is using. If the Current Version
column has a warning icon, it means the timestamp of the version in the
column Target Version is later and the session host needs to be updated.
Note
The first time you schedule an update, the settings you provide overwrite the
default settings in the session host management policy. Subsequent updates
will have those parameters pre-populated and any changes are saved.
Important
Once an update has been scheduled, you can't edit the schedule or settings. If
you need to make any changes, you'll need to cancel the update and schedule
a new one.
Don't remove any VMs from the host pool while the update is ongoing. Doing
so may create issues with the ongoing update.
Don't change the drain mode of any VMs in the host pool while an update is
ongoing. The drain mode of the VMs is automatically changed based on
which stage of the update it is in. If a session host is not recoverable after an
update, its drain mode setting will be enabled. Once the update is complete,
the drain mode is reset.
Azure portal
Here's how to monitor the progress of an update using the Azure portal.
1. From the Azure Virtual Desktop overview, select Host pools, then select the
host pool you scheduled an update for.
3. A blue banner provides the status of the update. It only shows a point in time,
so you need to select Refresh to check the latest progress.
If you selected to start the update immediately, the message will state that the
update is scheduled while it begins, but this message is updated once you refresh.
During an update, you see that a number of session hosts equal to the batch size is removed
from the host pool while they're updated.
Tip
You can also see the activity of an update using Azure Monitor activity log.
If you don't resume an update within two weeks, the update is canceled. Once an
update is canceled, you can't resume it.
Caution
If you cancel an update part way through, there will be differences between the
session hosts in the host pool, such as a different operating system version, or
joined to a different Active Directory domain. This may provide an inconsistent
experience to users, so you will need to schedule another update as soon as
possible to make sure there is parity across all session hosts.
Azure portal
Here's how to pause, resume, cancel, or retry an update using the Azure portal.
1. From the Azure Virtual Desktop overview, select Host pools, then select the
host pool you scheduled an update for.
3. Select Pause, Resume, Cancel, or Retry depending on the current state of the
update.
4. Select Refresh to update the status message in the blue banner. It can take
approximately 20 seconds to show the correct status.
Next steps
Learn how to use session host update diagnostics.
Important
Session host update for Azure Virtual Desktop is currently in PREVIEW. See the
Supplemental Terms of Use for Microsoft Azure Previews for legal terms that
apply to Azure features that are in beta, preview, or otherwise not yet released into
general availability.
Session host update uses Log Analytics in Azure Monitor to store information about
updates. This article has some example Kusto queries you can use with Log Analytics to
see information about session host updates.
Prerequisites
Before you can use these queries, you need:
Configured diagnostic settings on each host pool you use with session host update
to send logs and metrics to a Log Analytics workspace. The categories Checkpoint,
Error, and Session Host Management Activity Logs must be enabled as a
minimum.
A session host update that you previously scheduled and ran on the session hosts in the
host pool.
The rest of this article has some example queries you can run. You can use them as a
basis to create your own queries. You need to run each of these queries in Log Analytics.
For more information on how to run queries, see Start Log Analytics.
Kusto
Column: Definition
UpdateDeleteOriginalVm: Whether the original virtual machine was preserved after the completion of an update of the image
Kusto
Kusto
Column: Definition
CorrelationId: Unique identifier assigned to every update of the image of a host pool
UpdateBatchSize: Number of session hosts that were in a single batch during an update of the image
Kusto
Kusto
Next steps
For troubleshooting guidance for session host update, see Troubleshoot session host
update.
Autoscale lets you scale your session host virtual machines (VMs) in a host pool up or
down according to schedule to optimize deployment costs.
Note
For best results, we recommend using autoscale with VMs you deployed with Azure
Virtual Desktop Azure Resource Manager (ARM) templates or first-party tools from
Microsoft.
You can assign one scaling plan to one or more host pools of the same host pool
type. The scaling plan's schedules will be applied to all assigned host pools.
You can only associate one scaling plan per host pool. If you assign a single scaling
plan to multiple host pools, those host pools can't be assigned to another scaling
plan.
Hibernate is available for personal host pools. For more information, view
Hibernation in virtual machines.
Make sure you understand usage patterns before defining your schedule. You'll
need to schedule around the following times of day:
Ramp-up: the start of the day, when usage picks up.
Peak hours: the time of day when usage is expected to be at its highest.
Ramp-down: when usage tapers off. This is usually when you shut down your
VMs to save costs.
Off-peak hours: the time of the day when usage is expected to be at its lowest.
The scaling plan will take effect as soon as you enable it.
For pooled host pools, autoscale overwrites drain mode, so make sure to use
exclusion tags when updating VMs in host pools.
Note
To learn more about what the parameter terms mean, see our autoscale glossary.
For example, let's look at the following host pool setup as described in this table:
Parameter: Value
Phase: Ramp-up
User sessions: 0
At the beginning of this phase, autoscale has turned on two session hosts to match the
minimum percentage of hosts. Although 30% of six isn't a whole number, autoscale
rounds up to the nearest whole number. Having two available session hosts and a
maximum session limit of five sessions per host means that this host pool has an
available host pool capacity of 10. Since there aren't currently any user sessions, the
used host pool capacity is 0%.
When the day begins, let's say three users sign in and start user sessions. Their user
sessions get evenly distributed across the two available session hosts since the load
balancing algorithm is breadth first. The available host pool capacity is still 10, but with
the three new user sessions, the used host pool capacity is now 30%. However,
autoscale won't turn on virtual machines (VMs) until the used host pool capacity is
greater than the capacity threshold. In this example, the capacity threshold is 30%, so
autoscale won't turn on any VMs yet.
Parameter: Value
Phase: Ramp-up
User sessions: 3
When another user signs in and starts a session, there are now four total user sessions
distributed across two session hosts. The used host pool capacity is now 40%, which is
greater than the capacity threshold. As a result, autoscale will turn on another session
host to bring the used host pool capacity to less than or equal to the capacity threshold
(30%).
In summary, here are the parameters when the used host pool capacity exceeds the
capacity threshold:
Parameter: Value
Phase: Ramp-up
User sessions: 4
Here are the parameters after autoscale turns on another session host:
Parameter: Value
Phase: Ramp-up
User sessions: 4
Turning on another session host means there are now three available session hosts in
the host pool. With the maximum session limit still being five, the available host pool
capacity has gone up to 15. Because the available host pool capacity increased, the used
host pool capacity has gone down to 27%, which is below the 30% capacity threshold.
When another user signs in, there are now five user sessions spread across three
available session hosts. The used host pool capacity is now 33%, which is over the 30%
capacity threshold. Exceeding the capacity threshold activates autoscale to turn on
another session host.
Since our example is in the ramp-up phase, new users are likely to keep signing in. As
more users arrive, the pattern becomes clearer:
Total user sessions  Number of available session hosts  Available host pool capacity  Capacity threshold  Used host pool capacity  Does autoscale turn on another session host?
5                    4                                  20                            30%                 25%                      No
6                    4                                  20                            30%                 30%                      No
7                    5                                  25                            30%                 28%                      No
As this table shows, autoscale only turns on new session hosts when the used host pool
capacity goes over the capacity threshold. If the used host pool capacity is at or below
the capacity threshold, autoscale won't turn on new session hosts.
The following animation is a visual recap of what we just went over in Scenario 1.
For this scenario, the host pool starts off looking like this:
Parameter: Value
Phase: Peak
User sessions: 7
Because we're in the peak phase, we can expect the number of users to remain relatively
stable. However, to keep the amount of resources used stable while also remaining
efficient, autoscale will turn session hosts on and off as needed.
So, let's say that there are seven users signed in during peak hours. If the total number
of user sessions is seven, that would make the used host pool capacity 28%. Because
autoscale can't turn off a session host without the used host pool capacity exceeding
the capacity threshold, autoscale won't turn off any session hosts yet.
If two of the seven users sign out during their lunch break, that leaves five user sessions
across five session hosts. Since the maximum session limit is still five, the available host
pool capacity is 25. Having only five users means that the used host pool capacity is now
20%. Autoscale must now check if it can turn off a session host without making the used
host pool capacity go above the capacity threshold.
If autoscale turned off a session host, the available host pool capacity would be 20. With
five users, the used host pool capacity would then be 25%. Because 25% is less than the
capacity threshold of 30%, autoscale will select a session host without user sessions on
it, put it in drain mode, and turn it off.
Once autoscale turns off one of the session hosts without user sessions, there are four
available session hosts left. The host pool maximum session limit is still five, so the
available host pool capacity is 20. Since there are five user sessions, the used host pool
capacity is 25%, which is still below the capacity threshold.
However, if another user signs out and heads out for lunch, there are now four user
sessions spread across the four session hosts in the host pool. Since the maximum
session limit is still five, the available host pool capacity is 20, and the used host pool
capacity is 20%. Turning off another session host would leave three session hosts and an
available host pool capacity of 15, which would cause the used host pool capacity to
jump up to around 27%. Even though 27% is below the capacity threshold, there are no
session hosts with zero user sessions on them. Autoscale will select the session host with the
least number of user sessions, put it in drain mode, and wait for all user sessions to sign
out before turning it off. If at any point the used host pool capacity gets to a point
where autoscale can no longer turn off the session host, it will take the session host out
of drain mode.
The following animation is a visual recap of what we just went over in Scenario 2.
Parameter: Value
Phase: Ramp-down
User sessions: 4
During the ramp-down phase, the host pool admin has set the capacity threshold to
75% and the minimum percentage of hosts to 10%. Having a high capacity threshold
and a low minimum percentage of hosts in this phase decreases the need to turn on
new session hosts at the end of the workday.
For this scenario, let's say that there are currently four users on the four available session
hosts in this host pool. Since the available host pool capacity is 20, that means the used
host pool capacity is 20%. Based on this information, autoscale detects that it can turn
off two session hosts without going over the capacity threshold of 75%. However, since
there are user sessions on all the session hosts in the host pool, in order to turn off two
session hosts, autoscale will need to force users to sign out.
When you've enabled the force logoff setting, autoscale will select the session hosts
with the fewest user sessions, then put the session hosts in drain mode. Autoscale then
sends users in the selected session hosts notifications that they're going to be forcibly
signed out of their sessions after a certain time. Once that time has passed, if the users
haven't already ended their sessions, autoscale will forcibly end their sessions for them.
In this scenario, since there are equal numbers of user sessions on each of the session
hosts in the host pool, autoscale will choose two session hosts at random to forcibly
sign out all their users and will then turn off the session hosts.
Once autoscale turns off the two session hosts, the available host pool capacity is now
10. Now that there are only two user sessions left, the used host pool capacity is 20%, as
shown in the following table.
Parameter: Value
Phase: Ramp-down
User sessions: 2
Now, let's say that the two users who were forced to sign out want to continue doing
work and sign back in. Since the available host pool capacity is still 10, the used host
pool capacity is now 40%, which is below the capacity threshold of 75%. However,
autoscale can't turn off more session hosts, because that would leave only one available
session host and an available host pool capacity of five. With four users, that would
make the used host pool capacity 80%, which is above the capacity threshold.
Parameter: Value
Phase: Ramp-down
User sessions: 4
If at this point another user signs out, that leaves only three user sessions distributed
across the two available session hosts. In other words, the host pool now looks like this:
Parameter: Value
Phase: Ramp-down
User sessions: 3
Because the maximum session limit is still five and the available host pool capacity is 10,
the used host pool capacity is now 30%. Autoscale can now turn off one session host
without exceeding the capacity threshold. Autoscale turns off a session host by
choosing the session host with the fewest number of user sessions on it. Autoscale then
puts the session host in drain mode, sends users a notification that says the session host
will be turned off, then after a set amount of time, forcibly signs any remaining users out
and turns it off. After doing so, there's now one remaining available session host in the
host pool with a maximum session limit of five, making the available host pool capacity
five.
Since autoscale forced a user to sign out when turning off the chosen session host, there
are now only two user sessions left, which makes the used host pool capacity 40%.
Parameter: Value
Phase: Ramp-down
User sessions: 2
After that, let's imagine that the user who was forced to sign out signs back in, making
the host pool look like this:
Parameter: Value
Phase: Ramp-down
User sessions: 3
Now there are three user sessions in the host pool. However, the available host pool capacity
is still five, which means the used host pool capacity is 60% and below the capacity
threshold. Because turning off the remaining session host would make the available host
pool capacity zero, which is below the 10% minimum percentage of hosts, autoscale will
ensure that there's always at least one available session host during the ramp-down
phase.
The following animation is a visual recap of what we just went over in Scenario 3.
Parameter: Value
Phase: Off-peak
User sessions: 3
In this example scenario, the host pool admin applies the scaling plan exclusion tag to
five out of the six session hosts. When a new user signs in, that brings the total number
of user sessions up to four. There's only one available session host and the host pool's
maximum session limit is still five, so the available host pool capacity is five. The used
host pool capacity is 80%. However, even though the used host pool capacity is greater
than the capacity threshold, autoscale won't turn on any other session hosts because all
of the session hosts except for the one currently running have been tagged with the
exclusion tag.
Parameter: Value
Phase: Off-peak
User sessions: 4
Next, let's say all four users have signed out, leaving no user sessions left on the
available session host. Because there are no user sessions in the host pool, the used host
pool capacity is 0. Autoscale will keep this single session host on despite it having no
users, because during the off-peak phase, autoscale's minimum percentage of hosts
setting dictates that it needs to keep at least one session host available during this
phase.
Parameter: Value
Phase: Off-peak
User sessions: 0
If the admin applies the exclusion tag name to the last untagged session host virtual
machine and turns it off, then that means even if other users try to sign in, autoscale
won't be able to turn on a VM to accommodate their user session. That user will see a
"No resources available" error.
However, being unable to turn VMs back on means that the host pool won't be able to
meet its minimum percentage of hosts. To fix any potential problems that causes, the
admin removes the exclusion tags from two of the VMs. Autoscale only turns on one of
the VMs, because it only needs one VM to meet the 10% minimum requirement.
Parameter: Value
Phase: Off-peak
User sessions: 0
The following animation is a visual recap of what we just went over in Scenario 4.
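To make the capacity arithmetic in Scenarios 1 to 4 concrete, here is an added Python model of the pooled autoscale decisions (example code written for this article, not Microsoft's implementation): available capacity is the maximum session limit times the available session hosts, used capacity is the user sessions divided by that, hosts are turned on while used capacity exceeds the capacity threshold, and turned off only while the remaining hosts keep used capacity at or below it and the rounded-up minimum percentage of hosts is kept. Host names, session counts and the off-peak threshold are constructed, and the order in which hosts are picked (empty hosts first, then fewest sessions) is an assumption.

```python
from dataclasses import dataclass


@dataclass
class SessionHost:
    """One session host VM; names and counts are constructed sample data."""
    name: str
    sessions: int = 0
    powered_on: bool = True
    excluded: bool = False    # carries the scaling plan exclusion tag
    drain_mode: bool = False  # takes no new sessions while waiting to shut down


@dataclass
class Phase:
    """Schedule settings for one phase (ramp-up, peak, ramp-down, off-peak)."""
    name: str
    min_hosts_pct: int
    capacity_threshold_pct: int
    force_logoff: bool = False


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)  # integer ceiling: fractional host counts round up


class HostPool:
    def __init__(self, max_session_limit: int, hosts: list):
        self.max_session_limit = max_session_limit
        self.hosts = hosts

    def available(self) -> list:
        """Available session hosts: powered on and not carrying the exclusion tag."""
        return [h for h in self.hosts if h.powered_on and not h.excluded]

    def sessions(self) -> int:
        """Active and disconnected user sessions across the host pool."""
        return sum(h.sessions for h in self.hosts)

    def available_capacity(self) -> int:
        """Host pool maximum session limit x number of available session hosts."""
        return self.max_session_limit * len(self.available())

    def used_capacity_pct(self) -> float:
        """User sessions / available host pool capacity, as a percentage."""
        cap = self.available_capacity()
        return 0.0 if cap == 0 else round(100 * self.sessions() / cap, 1)

    def sign_in(self) -> SessionHost:
        """Breadth-first load balancing: the non-draining available host with
        the fewest sessions takes the new session."""
        candidates = [h for h in self.available() if not h.drain_mode]
        if not candidates:
            raise RuntimeError("No resources available")
        host = min(candidates, key=lambda h: h.sessions)
        host.sessions += 1
        return host

    def target_hosts(self, phase: Phase) -> int:
        """Fewest hosts that keep used capacity at or below the threshold for
        the sessions present now, never below the minimum percentage of hosts
        (the percentage is taken over the untagged hosts in the pool)."""
        untagged = [h for h in self.hosts if not h.excluded]
        minimum = ceil_div(len(untagged) * phase.min_hosts_pct, 100)
        needed = ceil_div(self.sessions() * 100,
                          self.max_session_limit * phase.capacity_threshold_pct)
        return max(minimum, needed)

    def step(self, phase: Phase) -> list:
        """One autoscale evaluation; applies the scaling actions and returns them."""
        actions = []
        target = self.target_hosts(phase)
        on = self.available()
        if target >= len(on):  # no host can be turned off now: leave drain mode
            for h in on:
                if h.drain_mode:
                    h.drain_mode = False
                    actions.append(f"undrain {h.name}")
        # Scale out: only untagged, powered-off hosts can be turned on.
        off_untagged = [h for h in self.hosts if not h.powered_on and not h.excluded]
        for h in off_untagged[: max(0, target - len(on))]:
            h.powered_on = True
            actions.append(f"turn on {h.name}")
        # Scale in: empty hosts go first; otherwise the host with the fewest
        # sessions is drained, or force-logged-off when the phase allows it.
        for _ in range(max(0, len(on) - target)):
            h = min(self.available(), key=lambda x: x.sessions)
            if h.sessions == 0:
                h.powered_on, h.drain_mode = False, False
                actions.append(f"turn off {h.name}")
            elif phase.force_logoff:
                actions.append(f"force logoff {h.sessions} on {h.name}, turn off")
                h.sessions, h.powered_on, h.drain_mode = 0, False, False
            elif not h.drain_mode:
                h.drain_mode = True
                actions.append(f"drain {h.name}")
        return actions
```

Driving the model with the session counts from the scenarios reproduces their capacity figures (10 then 15 then 20 then 25 available capacity in Scenario 1, the force logoff of two hosts in Scenario 3, and the single host kept on by the 10% minimum in Scenario 4); the same formulas are the ones the glossary later defines for available and used host pool capacity.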
Next steps
To learn how to create scaling plans for autoscale, see Create autoscale scaling for
Azure Virtual Desktop host pools.
To review terms associated with autoscale, see the autoscale glossary.
For answers to commonly asked questions about autoscale, see the autoscale FAQ.
This article is a list of definitions for key terms and concepts related to the autoscale
feature for Azure Virtual Desktop.
Autoscale
Autoscale is Azure Virtual Desktop’s native scaling service that turns VMs on and off
based on the capacity of the host pools and the scaling plan schedule you define.
Scaling tool
Azure Virtual Desktop’s scaling tool uses Azure Automation and Azure Logic Apps to
scale the VMs in a host pool based on how many user sessions per CPU core there are
during peak and off-peak hours.
Scaling plan
A scaling plan is an Azure Virtual Desktop Azure Resource Manager object that defines
the schedules for scaling session hosts in a host pool. You can assign one scaling plan to
multiple host pools. When creating a scaling plan, you have to choose between pooled
or personal host pools. You can only assign the scaling plan to the host pools with the
same type (pooled or personal). The scaling plan type can't be changed after it is
created.
Schedule
Schedules are sub-resources of scaling plans. Scaling plans for pooled host pools have
schedules that specify the start time, capacity threshold, minimum percentage of hosts,
load-balancing algorithm, and other configuration settings for the different phases of
the day. Scaling plans for personal host pools have schedules that specify the start time
and what operation to perform based on user session state (signed out or disconnected)
for the different phases of the day.
Ramp-up
The ramp-up phase of a scaling plan schedule is usually at the beginning of the work
day, when users start to sign in and start their sessions. In this phase, the number of
active user sessions usually increases at a rapid pace without reaching the maximum
number of active sessions for the day yet.
Peak
The peak phase of a scaling plan schedule is when your host pool reaches the maximum
number of active user sessions for the day. In this phase, the number of active sessions
usually holds steady until the peak phase ends. New active user sessions can be
established during this phase, but usually at a slower rate than the ramp-up phase.
Ramp-down
The ramp-down phase of a scaling plan schedule is usually at the end of the work day,
when users start to sign out and end their sessions for the evening. In this phase, the
number of active user sessions usually decreases rapidly.
Off-peak
The off-peak phase of the scaling plan schedule is when the host pool usually reaches
the minimum number of active user sessions for the day. During this phase, there aren't
usually many active users, but you may keep a small amount of resources on to
accommodate users who work after the peak and ramp-down phases.
Capacity threshold
The capacity threshold is the percentage of a host pool's capacity that, when reached,
triggers a scaling action to happen.
For example:
If the used host pool capacity is below the capacity threshold and autoscale can
turn off virtual machines (VMs) without going over the capacity threshold, then the
feature will turn off the VMs.
If the used host pool capacity goes over the capacity threshold, then autoscale will
turn on more VMs until the used host pool capacity goes below the capacity
threshold.
In other words:
Host pool maximum session limit × number of available session hosts = available host
pool capacity.
In other words:
The number of active and disconnected user sessions ÷ the host pool capacity = used
host pool capacity.
Scaling action
Scaling actions are when autoscale turns VMs on or off.
Shut down
Autoscale for pooled and personal host pools shuts down VMs based on the defined
schedule. When autoscale shuts down a VM, it deallocates and stops the VM, ensuring
you aren't charged for the compute resources.
Force log-off
A force log-off, or forced sign-out, is when the service ends an active user session or a
disconnected user session without the user's consent.
Exclusion tag
An exclusion tag is a property of a scaling plan that's a tag name you can apply to VMs
that you want to exclude from scaling actions. Autoscale only performs scaling actions
on VMs without tag names that match the exclusion tag.
Next steps
For more information about autoscale, see the autoscale feature document.
For examples of how autoscale works, see Autoscale example scenarios.
For more information about the scaling script, see the scaling script document.
Azure Virtual Desktop autoscale FAQ
This article answers frequently asked questions about how to use autoscale for Azure
Virtual Desktop.
General questions
Does autoscale create or delete virtual machines (VMs) based on service load?
No.
Important
Dynamic autoscaling for pooled host pools with session host configuration is
currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure
Previews for legal terms that apply to Azure features that are in beta, preview, or
otherwise not yet released into general availability.
Autoscale lets you scale your session host virtual machines (VMs) in a host pool up or
down according to schedule to optimize deployment costs.
When using autoscale, you can choose from two different scaling methods: power
management or dynamic. To learn more about autoscale, see Autoscale scaling plans
and example scenarios in Azure Virtual Desktop.
Note
For best results, we recommend using autoscale with session hosts you deployed with
Azure Virtual Desktop Azure Resource Manager templates or first-party tools from
Microsoft.
Prerequisites
To use a power management scaling plan, make sure you follow these guidelines:
Scaling plan configuration data must be stored in the same region as the host pool
configuration. Deploying session host VMs is supported in all Azure regions.
When using autoscale for pooled host pools, you must have a configured
MaxSessionLimit parameter for that host pool. Don't use the default value. You can
configure this value in the host pool settings in the Azure portal or run the
New-AzWvdHostPool or Update-AzWvdHostPool PowerShell cmdlets.
You must grant Azure Virtual Desktop access to manage the power state of your
session host VMs. You must have the
Microsoft.Authorization/roleAssignments/write permission on your subscriptions
in order to assign the role-based access control (RBAC) role for the Azure Virtual
Desktop service principal on those subscriptions. This is part of User Access
Administrator and Owner built-in roles.
If you want to use personal desktop autoscale with hibernation, you'll need to
enable the hibernation feature for VMs in your personal host pool. FSLogix and
app attach currently don't support hibernate. Don't enable hibernate if you're
using FSLogix or app attach for your personal host pools. For more information on
using hibernation, including how hibernation works, limitations, and prerequisites,
see Hibernation for Azure virtual machines.
If you're using PowerShell to create and assign your scaling plan, you need module
Az.DesktopVirtualization version 4.2.0 or later.
You need to add each Azure subscription as an assignable scope that contains host
pools and session host VMs you want to use with autoscale. This role and assignment
allows Azure Virtual Desktop to manage the power state of any VMs in those
subscriptions. It also lets the service apply actions on both host pools and VMs when
there are no active user sessions.
To learn how to assign the Desktop Virtualization Power On Off Contributor role to the
Azure Virtual Desktop service principal, see Assign Azure RBAC roles or Microsoft Entra
roles to the Azure Virtual Desktop service principals.
Now that you've assigned the Desktop Virtualization Power On Off Contributor role
to the service principal on your subscriptions, you can create a scaling plan. To
create a scaling plan using the portal:
2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.
Parameter: Value/Description
Subscription: Select the subscription you want to create the host pool in from the drop-down list.
Resource group: Select an existing resource group or select Create new and enter a name.
Scaling plan name: Enter a name for the scaling plan. Optionally, you can also add a "friendly" name that will be displayed to your users and a description for your plan.
Location: Select the Azure region where you want to create your scaling plan.
Time zone: Select the time zone you'll use with your plan.
Host pool type: Select the type of host pool that you want your scaling plan to apply to.
Exclusion tag: Enter a tag name for VMs you don't want to include in scaling operations. For example, you might want to tag VMs that are set to
Scaling method: This option appears if you selected Pooled for Host pool type. Select Power management autoscaling.
Note
5. Select Next, which should take you to the Schedules tab. Schedules let you
define when autoscale turns VMs on and off throughout the day. The schedule
parameters are different based on the Host pool type you chose for the
scaling plan.
In each phase of the schedule, autoscale only turns off VMs when doing so won't push
the used host pool capacity over the capacity threshold. The default values you see
when you create a schedule are the suggested values for weekdays, but you can change
them as needed.
a. In the Schedules tab, select Add schedule and complete the following
information:
Parameter: Value/Description
Start time: Select a time from the drop-down menu to start preparing VMs for peak business hours.
Minimum percentage of hosts: Enter the percentage of session hosts you want to always remain on in this phase. If the percentage you enter isn't a whole number, it's rounded up to the nearest whole number. For example, in a host pool of seven session hosts, if you set the minimum percentage of hosts during ramp-up hours to 10%, one VM will always stay on during ramp-up hours, and it won't be turned off by autoscale.
Capacity threshold: Enter the percentage of available host pool capacity that will trigger a scaling action to take place. For example, if two session hosts in the host pool with a max session limit of 20 are turned on, the available host pool capacity is 40. If you set the capacity threshold to 75% and the session hosts have more than 30 user sessions, autoscale will turn on a third session host. This will then change the available host pool capacity from 40 to 60.
Parameter: Value/Description
Start time: Enter a start time for when your usage rate is highest during the day. Make sure the time is in the same time zone you specified for your scaling plan. This time is also the end time for the ramp-up phase.
Note
You can't change the capacity threshold here. Instead, the setting you
entered in Ramp-up will carry over to this setting.
d. For Ramp-down, you'll enter values into similar fields to Ramp-up, but this
time it will be for when your host pool usage drops off. This will include the
following fields:
Start time
Load-balancing algorithm
Minimum percentage of hosts (%)
Capacity threshold (%)
Force logoff users
Important
You can also configure a time limit policy that will apply to all
phases to sign out all disconnected users to reduce the used
host pool capacity. For more information, see Configure a time
limit policy.
a. In the Schedules tab, select Add schedule and complete the following
information:
Parameter: Value/Description
Start time: Select the time you want the ramp-up phase to start from the drop-down menu.
VMs to start: Select whether you want only personal desktops that have a user assigned to them at the start time to be started, you want all personal desktops in the host pool (regardless of user assignment) to be started, or you want no personal desktops in the pool to be started.
Disconnect settings: For When disconnected for (min), specify the number of minutes a user session has to be disconnected before performing a specific action. This number can be anywhere between 0 and 360. For Perform, specify what action the service should take after a user session has been disconnected for the specified time. The options are to either deallocate (shut down) the VMs, hibernate the personal desktop, or do nothing.
Sign out settings: For When logged off for (min), specify the number of minutes a user session has to be logged off before performing a specific action. This number can be anywhere between 0 and 360. For Perform, specify what action the service should take after a user session has been logged off for the specified time. The options are to either deallocate (shut down) the VMs, hibernate the personal desktop, or do nothing.
c. In the Peak hours, Ramp-down, and Off-peak hours tabs, fill out the
following fields:
Parameter: Value/Description
Start time: Enter a start time for each phase. This time is also the end time for the previous phase.
Disconnect settings: For When disconnected for (min), specify the number of minutes a user session has to be disconnected before performing a specific action. This number can be anywhere between 0 and 360. For Perform, specify what action the service should take after a user session has been disconnected for the specified time. The options are to either deallocate (shut down) the VMs, hibernate the personal desktop, or do nothing.
Sign out settings: For When logged off for (min), specify the number of minutes a user session has to be logged off before performing a specific action. This number can be anywhere between 0 and 360. For Perform, specify what action the service should take after a user session has been logged off for the specified time. The options are to either deallocate (shut down) the VMs, hibernate the personal desktop, or do nothing.
6. Select Next to take you to the Host pool assignments tab. Select the check
box next to each host pool you want to include. If you don't want to enable
autoscale, unselect all check boxes. You can always return to this setting later
and change it. You can only assign the scaling plan to host pools that match
the host pool type specified in the plan.
7. After that, you'll need to enter tags. Tags are name and value pairs that
categorize resources for consolidated billing. You can apply the same tag to
multiple resources and resource groups. To learn more about tagging
resources, see Use tags to organize your Azure resources.
Note
If you change resource settings on other tabs after creating tags, your
tags will be automatically updated.
8. Once you're done, go to the Review + create tab and select Create to create
and assign your scaling plan to the host pools you selected.
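To make the schedule semantics above concrete, here is an added example in Python (not code from the Azure Virtual Desktop documentation or the service itself). It models a personal host pool scaling plan as data: it checks the 0 to 360 minute range and the phase ordering, finds the phase in effect at a given wall-clock time (each start time is the end of the previous phase, and the schedule wraps at midnight), and reports which action the disconnect or sign-out settings would take on a session. The phase names, the three actions and the minute limit come from the text above; the data classes, function names and the sample schedule are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import List

# Phase names, actions and the minute range are taken from the scaling plan settings above.
PHASES = ("Ramp-up", "Peak hours", "Ramp-down", "Off-peak hours")
ACTIONS = ("Deallocate", "Hibernate", "Do nothing")
MAX_MINUTES = 360


@dataclass(frozen=True)
class SessionSettings:
    """Disconnect or sign-out settings: minutes to wait, then the action to perform."""
    after_minutes: int
    action: str


@dataclass(frozen=True)
class Phase:
    name: str
    start: time                  # also the end time of the previous phase
    disconnect: SessionSettings
    logoff: SessionSettings


def validate_schedule(phases: List[Phase]) -> List[str]:
    """Return the list of problems found; an empty list means the schedule is valid."""
    problems = []
    names = tuple(p.name for p in phases)
    if names != PHASES:
        problems.append(f"expected phases {PHASES}, got {names}")
    for p in phases:
        for label, s in (("disconnect", p.disconnect), ("sign-out", p.logoff)):
            if not 0 <= s.after_minutes <= MAX_MINUTES:
                problems.append(f"{p.name}: {label} minutes {s.after_minutes} is outside 0-{MAX_MINUTES}")
            if s.action not in ACTIONS:
                problems.append(f"{p.name}: unknown {label} action {s.action!r}")
    starts = [p.start for p in phases]
    if starts != sorted(set(starts)):
        problems.append("phase start times must be strictly increasing within the day")
    return problems


def active_phase(phases: List[Phase], now: time) -> Phase:
    """Phase in effect at wall-clock time `now`. Before the first start time the
    previous day's last phase is still running, because the schedule wraps at midnight."""
    current = phases[-1]
    for p in phases:
        if p.start <= now:
            current = p
    return current


def action_for_session(phase: Phase, state: str, minutes: int) -> str:
    """Action taken on a session that has been `state` ("disconnected" or "logged off")
    for `minutes` during `phase`."""
    settings = phase.disconnect if state == "disconnected" else phase.logoff
    return settings.action if minutes >= settings.after_minutes else "Do nothing"


# Constructed sample schedule for a personal host pool (not from the documentation).
SAMPLE_SCHEDULE = [
    Phase("Ramp-up", time(7, 0), SessionSettings(60, "Do nothing"), SessionSettings(60, "Do nothing")),
    Phase("Peak hours", time(9, 0), SessionSettings(120, "Do nothing"), SessionSettings(30, "Do nothing")),
    Phase("Ramp-down", time(17, 0), SessionSettings(30, "Hibernate"), SessionSettings(15, "Deallocate")),
    Phase("Off-peak hours", time(20, 0), SessionSettings(15, "Deallocate"), SessionSettings(5, "Deallocate")),
]

if __name__ == "__main__":
    print(validate_schedule(SAMPLE_SCHEDULE))
    phase = active_phase(SAMPLE_SCHEDULE, time(22, 30))
    print(phase.name, action_for_session(phase, "disconnected", 20))
```

Running the block prints an empty problem list and then the off-peak phase with a Deallocate decision for a session disconnected 20 minutes; a schedule with a 400 minute timer or an unknown action is rejected with a message naming the phase and field.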
Microsoft Intune
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Session Time Limits profile type.
4. Check the box for Set time limit for disconnected sessions, then close the
settings picker.
5. Expand the Administrative templates category, then toggle the switch for Set
time limit for disconnected sessions to Enabled, then select a time value from
the drop-down list.
6. Select Next.
7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
9. On the Review + create tab, review the settings, then select Create.
10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
Edit an existing scaling plan
Select the relevant tab for your scenario.
Azure portal
2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.
3. Select Scaling plans, then select the name of the scaling plan you want to edit.
The overview blade of the scaling plan should open.
4. To change the scaling plan host pool assignments, under the Manage heading
select Host pool assignments and then select + Assign. Select the host pools
you want to assign the scaling plan to and select Assign. The host pools must
be in the same Azure region as the scaling plan and the scaling plan's host
pool type must match the type of host pools you're trying to assign it to.
Tip
If you've enabled the scaling plan during deployment, then you'll also
have the option to disable the plan for the selected host pool in the
Scaling plan menu by unselecting the Enable autoscale checkbox, as
shown in the following screenshot.
Next steps
Now that you've created your scaling plan, here are some things you can do:
If you'd like to learn more about terms used in this article, check out our autoscale
glossary. For examples of how autoscale works, see Autoscale example scenarios. You
can also look at our Autoscale FAQ if you have other questions.
Autoscale lets you scale your session host virtual machines (VMs) in a host pool up or
down according to schedule to optimize deployment costs. Autoscale diagnostic data,
integrated with Insights in Azure Virtual Desktop, enables you to monitor scaling
operations, identify issues that need to be fixed, and recognize opportunities to
optimize your scaling plan configuration to save cost.
To learn more about autoscale, see Autoscale scaling plans and example scenarios, and
for Insights in Azure Virtual Desktop, see Enable Insights to monitor Azure Virtual
Desktop.
Note
You can only monitor Autoscale operations with Insights with pooled host pools.
For personal host pools, see Set up diagnostics for Autoscale in Azure Virtual
Desktop.
Prerequisites
Before you can monitor Autoscale operations with Insights, you need:
A pooled host pool with a scaling plan assigned. Personal host pools aren't
supported.
Insights configured for your host pool and its related workspace. To learn how to
configure Insights, see Enable Insights to monitor Azure Virtual Desktop.
An Azure account that is assigned the following role-based access control (RBAC)
roles, depending on your scenario:
1. You can also create a custom role to reduce the scope of assignment on the Log Analytics workspace. For
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. From the Azure Virtual Desktop overview page, select Host pools, then select the
pooled host pool for which you want to enable Autoscale logs.
6. Select the following categories as a minimum. If you already have some of these
categories selected for this host pool as part of this diagnostic setting or an
existing one, don't select them again, otherwise you get an error when you save
the diagnostic setting.
Checkpoint
Error
Management
Connection
HostRegistration
AgentHealthStatus
Autoscale logs for pooled host pools
8. Select Save.
1. From the Azure Virtual Desktop overview page, select Workspaces, then select the
related workspace for the host pool you're monitoring.
Checkpoint
Error
Management
Feed
5. For Destination details, ensure you're sending data to the same Log Analytics
workspace as the host pool.
1. From the Azure Virtual Desktop overview page, select Host pools, then select the
pooled host pool you're monitoring.
2. From the host pool overview page, select Insights if you're using the Azure
Monitor Agent on your session hosts, or Insights (Legacy) if you're using the Log
Analytics Agent on your session hosts.
3. Ensure there aren't outstanding configuration issues. If there are, you see
messages such as:
You need to complete the configuration in the relevant workbook to resolve these
issues. For more information, see Enable Insights to monitor Azure Virtual Desktop.
When there are no configuration issues, Insights should look similar to the
following image:
1. From the Azure Virtual Desktop overview page, select Host pools, then select the
pooled host pool for which you want to view Autoscale insights.
2. From the host pool overview page, select Insights if you're using the Azure
Monitor Agent on your session hosts, or Insights (Legacy) if you're using the Log
Analytics Agent on your session hosts.
3. Select Autoscale from the row of tabs. Depending on your display's width, you
might need to select the ellipses ... button to show the full list with Autoscale.
4. Insights shows information about the Autoscale operations for your host pool,
such as a graph of the change in power state of your session hosts in the host pool
over time, and summary information.
Sample of data
The following query returns the 10 most recent rows of data for Autoscale:
Kusto
WVDAutoscaleEvaluationPooled
| take 10
The following query returns Autoscale evaluations that failed, including those that
partially failed. The query also joins to WVDErrors to provide more failure details where
available. The corresponding entries in WVDErrors only contain results where
ServiceError is false:
Kusto
WVDAutoscaleEvaluationPooled
| where ResultType != "Succeeded"
| join kind=leftouter WVDErrors on CorrelationId
| order by _ResourceId asc, TimeGenerated asc, CorrelationId, TimeGenerated1 asc
Kusto
WVDAutoscaleEvaluationPooled
| where ResultType == "Succeeded"
| extend properties = parse_json(Properties)
| extend BeganStartVmCount = toint(properties.BeganStartVmCount)
| extend BeganDeallocateVmCount = toint(properties.BeganDeallocateVmCount)
| extend BeganForceLogoffOnSessionHostCount = toint(properties.BeganForceLogoffOnSessionHostCount)
| summarize sum(BeganStartVmCount), sum(BeganDeallocateVmCount), sum(BeganForceLogoffOnSessionHostCount) by _ResourceId, bin(TimeGenerated, 1d), ConfigScheduleName, ConfigSchedulePhase
| order by _ResourceId asc, TimeGenerated asc, ConfigScheduleName, ConfigSchedulePhase asc
Kusto
WVDAutoscaleEvaluationPooled
| where ResultType == "Succeeded"
| summarize max(SessionOccupancyPercent), max(SessionCount), max(ActiveSessionHostsPercent), max(ActiveSessionHostCount) by _ResourceId, bin(TimeGenerated, 1d), ConfigScheduleName, ConfigSchedulePhase
| order by _ResourceId asc, TimeGenerated asc, ConfigScheduleName, ConfigSchedulePhase asc
Related content
For more information about the time for log data to become available after collection,
see Log data ingestion time in Azure Monitor.
Diagnostics lets you monitor potential issues and fix them before they interfere with
your Autoscale scaling plan.
Currently, you can either send diagnostic logs for Autoscale to an Azure Storage account
or consume logs with Microsoft Azure Event Hubs. If you're using an Azure Storage
account, make sure it's in the same region as your scaling plan. Learn more about
diagnostic settings at Create diagnostic settings. For more information about resource
log data ingestion time, see Log data ingestion time in Azure Monitor.
Tip
For pooled host pools, we recommend you use Autoscale diagnostic data integrated with
Insights in Azure Virtual Desktop, which provides a more comprehensive view of your
Autoscale operations. For more information, see Monitor Autoscale operations with
Insights in Azure Virtual Desktop.
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Scaling plans, then select the scaling plan you'd like the report to track.
6. Next, select Autoscale logs and choose either Archive to a storage account or
Stream to an event hub depending on where you want to send the report.
7. Select Save.
Note
If you select Archive to a storage account, you'll need to Migrate from diagnostic
settings storage retention to Azure Storage lifecycle management.
1. In the Azure portal, go to the storage account you sent the diagnostic logs to.
4. Finally, open the JSON file in the text editor of your choice.
The CorrelationID is the ID that you need to show when you create a support case.
ResultType is the result of the operation. This item can show you where issues are
if you notice any incomplete results.
The following JSON file is an example of what you'll see when you open a report:
JSON
{
    "host_Ring": "R0",
    "Level": 4,
    "ActivityId": "c1111111-1111-1111-b111-11111cd1ba1b1",
    "time": "2021-08-31T16:00:46.5246835Z",
    "resourceId": "/SUBSCRIPTIONS/AD11111A-1C21-1CF1-A7DE-CB1111E1D111/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.DESKTOPVIRTUALIZATION/SCALINGPLANS/TESTPLAN",
    "operationName": "HostPoolLoadBalancerTypeUpdated",
    "category": "Autoscale",
    "resultType": "Succeeded",
    "level": "Informational",
    "correlationId": "35ec619b-b5d8-5b5f-9242-824aa4d2b878",
    "properties": {
        "Message": "Host pool's load balancing algorithm updated",
        "HostPoolArmPath": "/subscriptions/AD11111A-1C21-1CF1-A7DE-CB1111E1D111/resourcegroups/test/providers/microsoft.desktopvirtualization/hostpools/testHostPool ",
        "PreviousLoadBalancerType": "BreadthFirst",
        "NewLoadBalancerType": "DepthFirst"
    }
}
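The report above is one record; a storage-account diagnostic file holds many such records, one JSON object per line. As an added example (Python, not code from the documentation or the Autoscale service), the following reads such a file, counts results by resultType, and lists every operation that did not succeed together with the correlationId that a support case needs. The sample input is constructed: its first record mirrors the documented example, the other two are made-up operations so the failure path has something to find. Function names and the field defaults are this example's own assumptions; the field names (time, operationName, resultType, correlationId, properties.Message) are those shown in the report above.

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed sample report (newline-delimited JSON, as written to a storage account).
# Record 1 mirrors the documentation example; records 2 and 3 are made up for this example.
SAMPLE_REPORT = """\
{"time": "2021-08-31T16:00:46.5246835Z", "operationName": "HostPoolLoadBalancerTypeUpdated", "category": "Autoscale", "resultType": "Succeeded", "level": "Informational", "correlationId": "35ec619b-b5d8-5b5f-9242-824aa4d2b878", "properties": {"Message": "Host pool's load balancing algorithm updated"}}
{"time": "2021-08-31T16:05:12.0000000Z", "operationName": "ConstructedStartVm", "category": "Autoscale", "resultType": "Failed", "level": "Error", "correlationId": "00000000-0000-4000-8000-000000000001", "properties": {"Message": "constructed sample failure"}}
{"time": "2021-08-31T16:10:00.0000000Z", "operationName": "ConstructedStartVm", "category": "Autoscale", "resultType": "Succeeded", "level": "Informational", "correlationId": "00000000-0000-4000-8000-000000000002", "properties": {"Message": "constructed sample success"}}
"""


def parse_report(text: str) -> List[Dict]:
    """Parse a diagnostic report that is either a JSON array or newline-delimited JSON."""
    stripped = text.strip()
    if stripped.startswith("["):
        return json.loads(stripped)
    return [json.loads(line) for line in stripped.splitlines() if line.strip()]


def result_counts(records: List[Dict]) -> Dict[str, int]:
    """How many operations ended in each resultType (Succeeded, Failed, ...)."""
    return dict(Counter(r.get("resultType", "Unknown") for r in records))


def failed_operations(records: List[Dict]) -> List[Dict[str, str]]:
    """Operations whose resultType is not Succeeded, reduced to the fields worth
    quoting in a support case (correlationId first and foremost)."""
    rows = []
    for r in records:
        if r.get("resultType") == "Succeeded":
            continue
        rows.append({
            "time": r.get("time", ""),
            "correlationId": r.get("correlationId", ""),
            "operationName": r.get("operationName", ""),
            "resultType": r.get("resultType", "Unknown"),
            "message": r.get("properties", {}).get("Message", ""),
        })
    return rows


if __name__ == "__main__":
    records = parse_report(SAMPLE_REPORT)
    print(result_counts(records))
    for row in failed_operations(records):
        print(row["time"], row["correlationId"], row["operationName"], row["resultType"], row["message"])
```

To use it on a real report, read the downloaded file into a string and pass it to parse_report; the same functions work whether the file is an array or one object per line.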
Next steps
Review how to create a scaling plan at Autoscale for Azure Virtual Desktop session
hosts.
Assign your scaling plan to new or existing host pools.
Learn more about terms used in this article at our autoscale glossary.
For examples of how autoscale works, see Autoscale example scenarios.
View our autoscale FAQ to answer commonly asked questions.
Scale session hosts using Azure
Automation and Azure Logic Apps for
Azure Virtual Desktop
Article • 11/15/2023
You can reduce your total Azure Virtual Desktop deployment cost by scaling your virtual
machines (VMs). This means shutting down and deallocating session host VMs during
off-peak usage hours, then turning them back on and reallocating them during peak
hours.
In this article, you'll learn about the scaling tool built with the Azure Automation account
and Azure Logic Apps that automatically scales session host VMs in your Azure Virtual
Desktop environment. To learn how to use the scaling tool, see Set up scaling of session
hosts using Azure Automation and Azure Logic Apps.
Note
Azure Virtual Desktop's native Autoscale solution is generally available for pooled
and personal host pools, and automatically scales session host VMs in or out based
on the scaling schedule. We recommend using Autoscale for easier configuration. For
more information, see Autoscale scaling plans.
Schedule VMs to start and stop based on peak and off-peak business hours.
Scale out VMs based on number of sessions per CPU core.
Scale in VMs during off-peak hours, leaving the minimum number of session host
VMs running.
During peak usage time, the job checks the current number of sessions and the VM
capacity of the currently running session hosts for each host pool. It uses this
information to calculate whether the running session host VMs can support the existing
sessions, based on the SessionThresholdPerCPU parameter defined for the
CreateOrUpdateAzLogicApp.ps1 file. If the session host VMs can't support the existing
sessions, the job starts extra session host VMs in the host pool.
During the off-peak usage time, the job determines how many session host VMs should
be shut down based on the MinimumNumberOfRDSH parameter. If you set the
LimitSecondsToForceLogOffUser parameter to a non-zero positive value, the job will set
the session host VMs to drain mode to prevent new sessions from connecting to the
hosts. The job will then notify any currently signed in users to save their work, wait the
configured amount of time, and then force the users to sign out. Once all user sessions
on the session host VM have been signed out, the job will shut down the VM. After the
VM shuts down, the job will reset its session host drain mode.
Note
If you manually set the session host VM to drain mode, the job won't manage the
session host VM. If the session host VM is running and set to drain mode, it will be
treated as unavailable, which will make the job start additional VMs to handle the
load. We recommend you tag any Azure VMs before you manually set them to
drain mode. You can name the tag with the MaintenanceTagName parameter when
you create Azure Logic App Scheduler later. Tags will help you distinguish these
VMs from the ones the scaling tool manages. Setting the maintenance tag also
prevents the scaling tool from making changes to the VM until you remove the tag.
If you set the LimitSecondsToForceLogOffUser parameter to zero, the job allows the
session configuration setting in specified group policies to handle signing off user
sessions. To see these group policies, go to Computer Configuration > Policies >
Administrative Templates > Windows Components > Remote Desktop Services >
Remote Desktop Session Host > Session Time Limits. If there are any active sessions on
a session host VM, the job will leave the session host VM running. If there aren't any
active sessions, the job will shut down the session host VM.
At any time, the job also takes the host pool's MaxSessionLimit into account to determine
whether the current number of sessions is more than 90% of the maximum capacity. If it is,
the job will start extra session host VMs.
The job runs periodically based on a set recurrence interval. You can change this interval
based on the size of your Azure Virtual Desktop environment, but remember that starting
and shutting down VMs can take some time, so account for that delay. We recommend
setting the recurrence interval to every 15 minutes.
Note
The scaling tool controls the load balancing mode of the host pool it's currently
scaling. The tool uses breadth-first load balancing mode for both peak and off-peak
hours.
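The peak and off-peak rules above are easier to reason about as code. The following is an added example in Python, a language-neutral model of the decisions described in this article, and not the CreateOrUpdateAzLogicApp.ps1 runbook or any code from the documentation. Parameter names (SessionThresholdPerCPU, MinimumNumberOfRDSH, LimitSecondsToForceLogOffUser, MaintenanceTagName, MaxSessionLimit) follow the text; the data classes, the tag name "ScalingMaintenance", the sample pool, the choice to stop the emptiest host first, and the reading that a manually drained host adds load but no capacity are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SessionHost:
    name: str
    cores: int
    sessions: int
    running: bool
    drain_mode: bool = False
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class ScalingConfig:
    """Parameter names follow CreateOrUpdateAzLogicApp.ps1; max_session_limit is the host pool's MaxSessionLimit."""
    session_threshold_per_cpu: float = 1.0
    minimum_number_of_rdsh: int = 1
    limit_seconds_to_force_logoff_user: int = 0
    maintenance_tag_name: str = "ScalingMaintenance"   # constructed tag name for this example
    max_session_limit: int = 10


def managed_hosts(hosts: List[SessionHost], cfg: ScalingConfig) -> List[SessionHost]:
    """Hosts carrying the maintenance tag are left alone entirely until the tag is removed."""
    return [h for h in hosts if cfg.maintenance_tag_name not in h.tags]


def peak_hosts_to_start(hosts: List[SessionHost], cfg: ScalingConfig) -> List[str]:
    """Peak hours: start stopped hosts until the running, non-drained hosts can carry the
    current sessions (SessionThresholdPerCPU * cores each) and the sessions are at most
    90% of MaxSessionLimit across those hosts. A running host in drain mode counts as
    unavailable: its sessions add load, its cores add no capacity (this example's reading)."""
    candidates = managed_hosts(hosts, cfg)
    available = [h for h in candidates if h.running and not h.drain_mode]
    load = sum(h.sessions for h in candidates if h.running)
    capacity = sum(h.cores * cfg.session_threshold_per_cpu for h in available)
    limit = cfg.max_session_limit * len(available)
    stopped = [h for h in candidates if not h.running]
    to_start = []
    while stopped and (load > capacity or load > 0.9 * limit):
        h = stopped.pop(0)
        to_start.append(h.name)
        capacity += h.cores * cfg.session_threshold_per_cpu
        limit += cfg.max_session_limit
    return to_start


def offpeak_actions(hosts: List[SessionHost], cfg: ScalingConfig) -> List[Tuple[str, List[str]]]:
    """Off-peak hours: shut hosts down until MinimumNumberOfRDSH remain. With a non-zero
    LimitSecondsToForceLogOffUser a host is drained, its users notified and signed out after
    the wait, then stopped and taken out of drain mode; with zero, only hosts without active
    sessions are stopped (group policy session time limits handle the rest). The emptiest
    hosts go first (an assumption of this example)."""
    candidates = [h for h in managed_hosts(hosts, cfg) if h.running and not h.drain_mode]
    running = len(candidates)
    actions = []
    for h in sorted(candidates, key=lambda x: x.sessions):
        if running <= cfg.minimum_number_of_rdsh:
            break
        if cfg.limit_seconds_to_force_logoff_user > 0:
            steps = ["set drain mode"]
            if h.sessions:
                steps += ["notify users", f"wait {cfg.limit_seconds_to_force_logoff_user}s", "force sign-out"]
            steps += ["shut down", "clear drain mode"]
        elif h.sessions == 0:
            steps = ["shut down"]
        else:
            continue   # active sessions and no forced sign-out: leave the host running
        actions.append((h.name, steps))
        running -= 1
    return actions


# Constructed sample pool: host-2 was manually drained, host-4 carries the maintenance tag.
SAMPLE_POOL = [
    SessionHost("host-1", cores=4, sessions=4, running=True),
    SessionHost("host-2", cores=4, sessions=2, running=True, drain_mode=True),
    SessionHost("host-3", cores=4, sessions=0, running=False),
    SessionHost("host-4", cores=4, sessions=0, running=False, tags={"ScalingMaintenance": "true"}),
]

if __name__ == "__main__":
    cfg = ScalingConfig()
    print("peak: start", peak_hosts_to_start(SAMPLE_POOL, cfg))
    print("off-peak:", offpeak_actions(SAMPLE_POOL, cfg))
```

With the sample pool, peak hours start host-3 (six sessions against four available cores) while host-4 is never touched because of its tag, and off-peak does nothing because only one managed host is running and MinimumNumberOfRDSH is 1. Raising SessionThresholdPerCPU to 2 removes the need to start anything, and a non-zero LimitSecondsToForceLogOffUser with a minimum of 0 produces the drain, notify, wait, sign-out, shut down, undrain sequence.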
Next steps
Learn how to set up scaling of session hosts using Azure Automation and Azure
Logic Apps.
Set up scaling tool using Azure
Automation and Azure Logic Apps for
Azure Virtual Desktop
Article • 11/01/2023
In this article, you'll learn about the scaling tool that uses an Azure Automation runbook
and Azure Logic App to automatically scale session host VMs in your Azure Virtual
Desktop environment. To learn more about the scaling tool, see Scale session hosts
using Azure Automation and Azure Logic Apps.
Note
You can't scale session hosts using Azure Automation and Azure Logic Apps
together with autoscale on the same host pool. You must use one or the
other.
Prerequisites
Before you start setting up the scaling tool, make sure you have the following things
ready:
Note
If you already have an Azure Automation account with a runbook running an older
version of the scaling script, all you need to do is follow the instructions below to
make sure it's updated.
First, you'll need an Azure Automation account to run the PowerShell runbook. The
process this section describes is valid even if you have an existing Azure Automation
account that you want to use to set up the PowerShell runbook. Here's how to set it up:
1. Open PowerShell.
PowerShell
Login-AzAccount
Note
Your account must have contributor rights on the Azure subscription where
you want to deploy the scaling tool.
3. Run the following cmdlet to download the script for creating the Azure
Automation account:
PowerShell
$Params = @{
    "AADTenantId"           = "<Azure_Active_Directory_tenant_ID>" # Optional. If not specified, it will use the current Azure context
    "SubscriptionId"        = "<Azure_subscription_ID>"            # Optional. If not specified, it will use the current Azure context
    "UseARMAPI"             = $true
    "ResourceGroupName"     = "<Resource_group_name>"              # Optional. Default: "WVDAutoScaleResourceGroup"
    "AutomationAccountName" = "<Automation_account_name>"          # Optional. Default: "WVDAutoScaleAutomationAccount"
    "Location"              = "<Azure_region_for_deployment>"
    "WorkspaceName"         = "<Log_analytics_workspace_name>"     # Optional. If specified, Log Analytics will be used to configure the custom log table that the runbook PowerShell script can send logs to
}
.\CreateOrUpdateAzAutoAccount.ps1 @Params
Note
If your policy doesn't let you create scaling script resources in a specific
region, update the policy assignment and add the region you want to the list
of allowed regions.
5. If you haven't created an automation account before, the cmdlet's output will
include an encrypted webhook URI in the automation account variable. Make sure
to keep a record of the URI because you'll use it as a parameter when you set up
the execution schedule for the Azure Logic App. If you're updating an existing
automation account, you can retrieve the webhook URI using PowerShell to access
variables.
6. If you specified the parameter WorkspaceName for Log Analytics, the cmdlet's
output will also include the Log Analytics Workspace ID and its Primary Key. Make
a note of the Workspace ID and Primary Key because you'll need to use them
again later with parameters when you set up the execution schedule for the Azure
Logic App.
7. After you've set up your Azure Automation account, sign in to your Azure
subscription and check to make sure your Azure Automation account and the
relevant runbook have appeared in your specified resource group, as shown in the
following image:
To check if your webhook is where it should be, select the name of your runbook.
Next, go to your runbook's Resources section and select Webhooks.
Important
Autoscale is an alternative way to scale session host VMs and is a native feature of
Azure Virtual Desktop. We recommend you use Autoscale instead. For more
information, see Autoscale scaling plans.
Create the Azure Logic App and execution
schedule
Finally, you'll need to create the Azure Logic App and set up an execution schedule for
your new scaling tool. First, download and import the Desktop Virtualization PowerShell
module to use in your PowerShell session if you haven't already.
1. Open PowerShell.
PowerShell
Login-AzAccount
3. Run the following cmdlet to download the script for creating the Azure Logic App.
PowerShell
4. Run the following PowerShell script to create the Azure Logic App and execution
schedule for your host pool
Note
You'll need to run this script for each host pool you want to autoscale, but you
need only one Azure Automation account.
PowerShell
# Assumed to be set earlier in the same PowerShell session (not shown here): $AzSubscription,
# $ResourceGroup, $WVDHostPool, $LogAnalyticsWorkspaceId, $LogAnalyticsPrimaryKey and the
# optional tuning values ($RecurrenceInterval, $BeginPeakTime, ... $LogOffMessageBody).
$AADTenantId = (Get-AzContext).Tenant.Id
$WebhookURI = Read-Host -Prompt "Enter the webhook URI that has already been generated for this Azure Automation account. The URI is stored as encrypted in the above Automation Account variable. To retrieve the value, see https://learn.microsoft.com/azure/automation/shared-resources/variables?tabs=azure-powershell#powershell-cmdlets-to-access-variables"
$Params = @{
    "AADTenantId"                   = $AADTenantId                     # Optional. If not specified, it will use the current Azure context
    "SubscriptionID"                = $AzSubscription.Id               # Optional. If not specified, it will use the current Azure context
    "ResourceGroupName"             = $ResourceGroup.ResourceGroupName # Optional. Default: "WVDAutoScaleResourceGroup"
    "Location"                      = $ResourceGroup.Location          # Optional. Default: "West US2"
    "UseARMAPI"                     = $true
    "HostPoolName"                  = $WVDHostPool.Name
    "HostPoolResourceGroupName"     = $WVDHostPool.ResourceGroupName   # Optional. Default: same as ResourceGroupName param value
    "LogAnalyticsWorkspaceId"       = $LogAnalyticsWorkspaceId         # Optional. If not specified, script will not log to the Log Analytics
    "LogAnalyticsPrimaryKey"        = $LogAnalyticsPrimaryKey          # Optional. If not specified, script will not log to the Log Analytics
    "RecurrenceInterval"            = $RecurrenceInterval              # Optional. Default: 15
    "BeginPeakTime"                 = $BeginPeakTime                   # Optional. Default: "09:00"
    "EndPeakTime"                   = $EndPeakTime                     # Optional. Default: "17:00"
    "TimeDifference"                = $TimeDifference                  # Optional. Default: "-7:00"
    "SessionThresholdPerCPU"        = $SessionThresholdPerCPU          # Optional. Default: 1
    "MinimumNumberOfRDSH"           = $MinimumNumberOfRDSH             # Optional. Default: 1
    "MaintenanceTagName"            = $MaintenanceTagName              # Optional.
    "LimitSecondsToForceLogOffUser" = $LimitSecondsToForceLogOffUser   # Optional. Default: 1
    "LogOffMessageTitle"            = $LogOffMessageTitle              # Optional. Default: "Machine is about to shutdown."
    "LogOffMessageBody"             = $LogOffMessageBody               # Optional. Default: "Your session will be logged off. Please save and close everything."
    "WebhookURI"                    = $WebhookURI
}
.\CreateOrUpdateAzLogicApp.ps1 @Params
After you run the script, the Azure Logic App should appear in a resource group, as
shown in the following image.
On the right of your selected Azure Automation account, under "Job Statistics," you can
view a list of summaries of all runbook jobs. Opening the Jobs page on the left side of
the window shows current job statuses, start times, and completion times.
View logs and scaling tool output
You can view the logs of scale-out and scale-in operations by opening your runbook
and selecting the job.
Navigate to the runbook in your resource group hosting the Azure Automation account
and select Overview. On the overview page, select a job under Recent Jobs to view its
scaling tool output, as shown in the following image.
Reporting issues
When you report an issue, you'll need to provide the following information to help us
troubleshoot:
A complete log from the All Logs tab in the job that caused the issue. To learn how
to get the log, follow the instructions in View logs and scaling tool output. If
there's any sensitive or private information in the log, you can remove it before
submitting the issue to us.
The version of the runbook script you're using. To find out how to get the version
number, see Check the runbook script version number.
The version number of each of the following PowerShell modules installed in your
Azure Automation account. To find these modules, open Azure Automation
account, select Modules under the Shared Resources section in the pane on the
left side of the window, and then search for the module's name.
Az.Accounts
Az.Compute
Az.Resources
Az.Automation
OMSIngestionAPI
Az.DesktopVirtualization
Log Analytics
If you decided to use Log Analytics, you can view all the log data in a custom log named
WVDTenantScale_CL under Custom Logs in the Logs view of your Log Analytics
Workspace. We've listed some sample queries you might find helpful.
To see all logs for a host pool, enter the following query:
Kusto
WVDTenantScale_CL
| where hostpoolName_s == "<host_pool_name>"
| project TimeStampUTC = TimeGenerated, TimeStampLocal = TimeStamp_s,
HostPool = hostpoolName_s, LineNumAndMessage = logmessage_s,
AADTenantId = TenantId
To view the total number of currently running session host VMs and active user
sessions in your host pool, enter the following query:
Kusto
WVDTenantScale_CL
| where logmessage_s contains "Number of running session hosts:"
or logmessage_s contains "Number of user sessions:"
or logmessage_s contains "Number of user sessions per Core:"
| where hostpoolName_s == "<host_pool_name>"
| project TimeStampUTC = TimeGenerated, TimeStampLocal = TimeStamp_s,
HostPool = hostpoolName_s, LineNumAndMessage = logmessage_s,
AADTenantId = TenantId
To view the status of all session host VMs in a host pool, enter the following query:
Kusto
WVDTenantScale_CL
| where logmessage_s contains "Session host:"
| where hostpoolName_s == "<host_pool_name>"
| project TimeStampUTC = TimeGenerated, TimeStampLocal = TimeStamp_s,
HostPool = hostpoolName_s, LineNumAndMessage = logmessage_s,
AADTenantId = TenantId
Kusto
WVDTenantScale_CL
| where logmessage_s contains "ERROR:" or logmessage_s contains "WARN:"
| project TimeStampUTC = TimeGenerated, TimeStampLocal = TimeStamp_s,
HostPool = hostpoolName_s, LineNumAndMessage = logmessage_s,
AADTenantId = TenantId
Limitations
Here are some limitations with scaling session host VMs with this scaling script:
The scaling script doesn't consider time changes between standard time and daylight
saving time.
Configure Start VM on Connect
Article • 10/07/2024
Start VM on Connect lets you reduce costs by enabling end users to power on the
virtual machines (VMs) used as session hosts only when they're needed. You can then
power off VMs when they're not needed.
For personal host pools, Start VM on Connect only powers on an existing session host
VM that is already assigned or can be assigned to a user. For pooled host pools, Start
VM on Connect only powers on a session host VM when none are turned on, and more
VMs are only turned on when the first VM reaches the session limit.
The time it takes for a user to connect to a remote session on a session host that is
powered off (deallocated) increases because the VM needs time to power on again,
much like turning on a physical computer. When a user uses Windows App or the
Remote Desktop app to connect to Azure Virtual Desktop, they're told a VM is being
powered on while they're connecting.
You can enable Start VM on Connect for session hosts on Azure and Azure Stack HCI in
personal or pooled host pools using the Azure portal, Azure PowerShell, or Azure CLI.
Start VM on Connect is configured per host pool.
Prerequisites
Before you can use Start VM on Connect, you need:
An existing host pool that's associated with an application group and workspace.
You can only configure Start VM on Connect on existing host pools. You can't
enable it at the same time you create a new host pool.
The Azure account you use to configure Start VM on Connect must have the
Desktop Virtualization Host Pool Contributor role-based access control (RBAC) role
assigned.
Windows App or the Remote Desktop app installed on a local device with a user
account assigned to a desktop or application in the application group you can test
with.
Make sure that the name of the host pool, session hosts in that host pool, and the
resource group only have ANSI characters.
If you want to use Azure PowerShell or Azure CLI locally, see Use Azure PowerShell
and Azure CLI with Azure Virtual Desktop to make sure you have the
Az.DesktopVirtualization PowerShell module or the desktopvirtualization Azure CLI
extension installed. Alternatively, use the Azure Cloud Shell.
You need to add each Azure subscription that contains host pools and session host VMs
you want to use with Start VM on Connect as an assignable scope. This role assignment
allows Azure Virtual Desktop to power on VMs, check their status, and report diagnostic
information for those subscriptions.
To learn how to assign the Desktop Virtualization Power On Contributor role to the Azure
Virtual Desktop service principal, see Assign RBAC roles to the Azure Virtual Desktop
service principal.
Azure portal
2. In the search bar, enter Azure Virtual Desktop and select the matching service
entry.
3. Select Host pools, then select the name of the host pool where you want to
enable the setting.
4. Select Properties.
5. In the configuration section, set Start VM on connect to Yes to enable it, or
No to disable it.
Note
For pooled host pools, Start VM on Connect will start a VM at most once every five
minutes. If other users try to sign in during this five-minute period and there still aren't
any available resources, Start VM on Connect won't start a new VM. Instead, the users
trying to sign in will receive an error message that says No resources available. They
should wait a few minutes and try to connect again.
Troubleshooting
If the session host VM doesn't power on, you need to check the health of the VM you
tried to power on as a first step. You can also view Azure Virtual Desktop logs in Log
Analytics to check for problems. If you receive an error message, make sure to pay close
attention to the message content and make a note of the error name for reference. You
can also use Azure Virtual Desktop Insights to get suggestions for how to resolve issues.
Note
If you connect to a powered-off session host outside of the Azure Virtual Desktop
service, such as by connecting directly to the VM by IP address or name, the VM isn't
started.
Related content
For more information about Start VM on Connect, see our Start VM on Connect FAQ.
This article covers frequently asked questions about the Start Virtual Machine (VM) on
Connect feature for Azure Virtual Desktop host pools.
1. Connect remotely to the VM that you want to set the policy for.
2. Open the Group Policy Editor, then go to Local Computer Policy > Computer
Configuration > Administrative Templates > Windows Components > Remote
Desktop Services > Remote Desktop Session Host > Session Time Limits.
3. Find the policy that says Set time limit for disconnected sessions, then change its
value to Enabled.
Note
Make sure to set the time limit for the "End a disconnected session" policy to a
value greater than five minutes. A low time limit can cause users' sessions to end if
their network loses connection for too long, resulting in lost work.
Signing users out won't deallocate their VMs. To learn how to deallocate VMs, see
Autoscale for pooled and personal host pools.
For example, let's say your host pool has three VMs and has a maximum session limit of
five users per machine. If you turn on two VMs, Start VM on Connect won't turn on the
third machine until both VMs reach their maximum session limit of five users.
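The three-VM example above, plus the pooled rule that a VM starts at most once every five minutes and the personal rule that only an assigned or assignable desktop is powered on, as an added example in Python. This is a model of the behaviour this article describes, not code from the documentation or the Azure Virtual Desktop service; the data class, function names, the auto_assign flag for personal pools and the constructed pools are this example's own assumptions, while the "No resources available" message and the five-minute window come from the text above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

START_INTERVAL = timedelta(minutes=5)   # pooled host pools: at most one VM start per five minutes


@dataclass
class SessionHost:
    name: str
    running: bool
    sessions: int = 0
    assigned_user: Optional[str] = None   # personal host pools only


def pooled_connect(hosts: List[SessionHost], max_session_limit: int,
                   last_start: Optional[datetime], now: datetime) -> Tuple[str, str]:
    """Decision for a pooled host pool. Returns ("connect", host) when a running host
    still has room below the session limit, ("start", host) when a stopped host should
    be powered on, or ("error", "No resources available") when nothing can be done now."""
    with_room = [h for h in hosts if h.running and h.sessions < max_session_limit]
    if with_room:
        return ("connect", with_room[0].name)
    stopped = [h for h in hosts if not h.running]
    if not stopped:
        return ("error", "No resources available")
    if last_start is not None and now - last_start < START_INTERVAL:
        return ("error", "No resources available")   # still inside the five-minute window
    return ("start", stopped[0].name)


def personal_connect(hosts: List[SessionHost], user: str, auto_assign: bool) -> Tuple[str, str]:
    """Decision for a personal host pool: only the user's own desktop, or, when the pool
    assigns desktops automatically, an unassigned desktop that can be assigned to them,
    is powered on. The error text for the personal case is this example's own."""
    own = [h for h in hosts if h.assigned_user == user]
    if own:
        return ("connect" if own[0].running else "start", own[0].name)
    if auto_assign:
        free = [h for h in hosts if h.assigned_user is None]
        if free:
            return ("connect" if free[0].running else "start", free[0].name)
    return ("error", "no desktop assigned or assignable to this user")


# Constructed pool matching the example above: three VMs, session limit 5, two powered on.
FAQ_POOL = [
    SessionHost("vm-1", running=True, sessions=5),
    SessionHost("vm-2", running=True, sessions=3),
    SessionHost("vm-3", running=False),
]

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0)
    print(pooled_connect(FAQ_POOL, 5, None, now))          # vm-2 still has room, vm-3 stays off
    FAQ_POOL[1].sessions = 5
    print(pooled_connect(FAQ_POOL, 5, None, now))          # both full: start vm-3
    print(pooled_connect(FAQ_POOL, 5, now - timedelta(minutes=2), now))   # within five minutes: error
```

The third call shows the edge case from the note in the configuration article: when a VM start happened two minutes ago and both running VMs are full, the user gets the error rather than a new VM, and should retry after the window has passed.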
Next steps
To learn how to configure Start VM on Connect, see Start virtual machine on connect.
If you have more general questions about Azure Virtual Desktop, check out our general
FAQ.
Add the administrative template for
Azure Virtual Desktop to Group Policy
Article • 09/19/2024
We've created an administrative template for Azure Virtual Desktop to configure some
features of Azure Virtual Desktop. The template is available for:
Microsoft Intune, which enables you to centrally configure session hosts that are
enrolled in Intune and joined to Microsoft Entra ID or Microsoft Entra hybrid
joined. The administrative template is available in the Intune settings catalog
without any further configuration.
Group Policy with Active Directory (AD), which enables you to centrally configure
session hosts that are joined to an AD domain.
Group Policy locally on each session host, but we don't recommend this to manage
session hosts at scale.
You can configure the following features with the administrative template:
Prerequisites
Before you can configure the template settings, you need to meet the following
prerequisites. Select a tab for your scenario.
For Group Policy in an Active Directory (AD) domain, you need the following
permission:
1. Download the latest Azure Virtual Desktop administrative template files and
extract the contents of the .cab file and .zip archive.
2. On your domain controllers, copy the following files to the relevant
location, depending on whether you store Group Policy templates in the local
PolicyDefinitions folder or the Group Policy Central Store. Replace
contoso.com with your domain name, and en-US if you're using a different
language.
Filename: terminalserver-avd.admx
  Local location: C:\Windows\PolicyDefinitions\
  Central Store: \\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions
Filename: en-US\terminalserver-avd.adml
  Local location: C:\Windows\PolicyDefinitions\en-US\
  Central Store: \\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions\en-US
3. On a device you use to manage Group Policy, open the Group Policy
Management Console (GPMC) and create or edit a policy that targets your
session hosts.
5. Refer to the feature you want to configure for detailed instructions on how to
configure the settings:
Related content
Learn how to use the administrative template with the following features:
This article provides steps to apply the principles of Zero Trust to an Azure Virtual
Desktop deployment in the following ways:
Verify explicitly
  Definition: Always authenticate and authorize based on all available data points.
  Met by: Verify the identities and endpoints of Azure Virtual Desktop users and
  secure access to session hosts.
Use least privileged access
  Definition: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA),
  risk-based adaptive policies, and data protection.
  Met by: Confine access to session hosts and their data.
    Storage: Protect data in all three modes: data at rest, data in transit, data in use.
    Virtual networks (VNets): Specify allowed network traffic flows between hub and
    spoke VNets with Azure Firewall.
    Virtual machines: Use Role Based Access Control (RBAC).
Reference architecture
In this article, we use the following reference architecture for Hub and Spoke to
demonstrate a commonly deployed environment and how to apply the principles of
Zero Trust for Azure Virtual Desktop with users’ access over the Internet. Azure Virtual
WAN architecture is also supported in addition to private access over a managed
network with RDP Shortpath for Azure Virtual Desktop.
Figure: Reference architecture (hub and spoke) for Azure Virtual Desktop. Users and
admins connect from the Internet, office locations, and an on-premises datacenter (AD DS
with Microsoft Entra Connect). The Azure Virtual Desktop control plane (web access,
gateway, broker, diagnostics) and management plane (workspace, application groups,
personal and pooled host pools, scaling plan, Start VM on Connect, private endpoint)
front a hub VNet with Azure Firewall Premium, Azure Bastion, a VPN gateway, custom DNS
servers, DDoS Protection and shared services (Key Vault keys and secrets, Azure Compute
Gallery with VM image definitions and image templates, DNS zone), and spoke VNets with
NSGs that hold the personal and pooled session host virtual machines. Azure Storage
(file) services are reached through private endpoints. Microsoft Entra ID, Microsoft
Defender for Cloud, RBAC and Azure Monitor are the dependent PaaS services.
Component | Description
C | A spoke VNet with Azure Virtual Desktop session host virtual machine-based workloads.
F | Dependent PaaS services including Microsoft Entra ID, Microsoft Defender for
Cloud, role-based access control (RBAC), and Azure Monitor.
  | Users or admins that access the Azure environment can originate from the internet,
office locations, or on-premises datacenters.
Logical architecture
In this diagram, the Azure infrastructure for an Azure Virtual Desktop deployment is
contained within a Microsoft Entra ID tenant.
Figure: Logical architecture. Within one Microsoft Entra ID tenant, the deployment is
split into resource groups for Azure Virtual Desktop (service objects), the storage
account (Azure Files service, private endpoint, data sets), the session host virtual
machines, the spoke virtual network (Azure Virtual Desktop VNet with RBAC), the Azure
Compute Gallery, and the hub virtual network (VNet, VPN gateway, Key Vault).
You can distribute the resources in more than one subscription, where each
subscription may hold different roles, such as network subscription, or security
subscription. This is described in Cloud Adoption Framework and Azure Landing
Zone. The different subscriptions may also hold different environments, such as
production, development, and test environments. It depends on how you want to
separate your environment and the number of resources you have in each. One or
more subscriptions can be managed together using a Management Group. This
gives you the ability to apply permissions with RBAC and Azure policies to a group
of subscriptions instead of setting up each subscription individually.
A storage resource group isolates Azure Files service private endpoints and data
sets.
A dedicated resource group isolates the session host virtual machines, along with
their Disk Encryption Set and an Application Security Group.
A dedicated resource group isolates the spoke VNet resources and a Network
Security Group, which networking specialists in your organization can manage.
Step | Task | Zero Trust principles applied
3 | Apply Zero Trust principles to Azure Virtual Desktop storage resources. | Verify explicitly; Use least privileged access; Assume breach
4 | Apply Zero Trust principles to hub and spoke Azure Virtual Desktop VNets. | Verify explicitly; Use least privileged access; Assume breach
5 | Apply Zero Trust principles to Azure Virtual Desktop session host. | Verify explicitly; Use least privileged access; Assume breach
Azure Virtual Desktop supports different types of identities. Use the information in
Securing identity with Zero Trust to ensure that your chosen identity types adhere
to Zero Trust principles.
Create a dedicated user account with least privileges to join session hosts to a
Microsoft Entra Domain Services or AD DS domain during session host
deployment.
Secure your Azure Virtual Desktop data at rest, in transit, and in use.
Verify users and control access to storage data with the least privileges.
Implement private endpoints for storage accounts.
Logically separate critical data with network controls, such as separate storage
accounts for different host pools and for other purposes such as MSIX app attach
file shares.
Use Defender for Storage for automated threat protection.
Note
In some designs, Azure NetApp Files is the storage service of choice for FSLogix
profiles for Azure Virtual Desktop via an SMB share. Azure NetApp Files provides
built-in security features that include delegated subnets and security benchmarks.
A spoke VNet isolates the Azure Virtual Desktop workload and contains the session host
virtual machines. Implement the steps in Apply Zero Trust principles to spoke virtual
network in Azure for the spoke VNet that contains the session host/virtual machines.
Isolate different host pools on separate VNets, using an NSG on each subnet that
allows the URLs required by Azure Virtual Desktop. When deploying private endpoints,
place them in the appropriate subnet in the VNet based on their role.
Azure Firewall or a network virtual appliance (NVA) firewall can be used to control and
restrict outbound traffic from Azure Virtual Desktop session hosts. Use the instructions here
for Azure Firewall to protect session hosts. Force the traffic through the firewall with
User-Defined Routes (UDRs) linked to the host pool subnet. Review the full list of
required Azure Virtual Desktop URLs to configure your firewall. Azure Firewall provides
an Azure Virtual Desktop FQDN Tag to simplify this configuration.
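As an added example (not part of the Azure Virtual Desktop documentation), the following Az PowerShell script applies the steps above: it creates a default route to the firewall, links it to the host pool subnet, and allows the service endpoints through the WindowsVirtualDesktop FQDN tag. The resource group, VNet, subnet, firewall and NIC names are assumed placeholders.

```powershell
# Added example, not from the documentation. Requires the Az.Network module and an
# existing Azure Firewall, spoke VNet and host pool subnet. All names are placeholders.
$ResourceGroup      = 'rg-avd-spoke'        # assumed: spoke resource group
$VnetName           = 'vnet-avd-spoke'      # assumed: spoke VNet
$SubnetName         = 'snet-avd-hostpool'   # assumed: host pool subnet
$FirewallRg         = 'rg-hub'              # assumed: hub resource group
$FirewallName       = 'afw-hub'             # assumed: Azure Firewall in the hub
$SessionHostNicName = 'nic-avd-sh01'        # assumed: NIC of one session host
$Location           = 'westeurope'          # assumed

# 1. The firewall's private IP is the next hop for the session hosts' default route.
$fw   = Get-AzFirewall -Name $FirewallName -ResourceGroupName $FirewallRg
$fwIp = $fw.IpConfigurations[0].PrivateIPAddress

# 2. User-Defined Route: send 0.0.0.0/0 from the host pool subnet to the firewall.
$rt = New-AzRouteTable -Name 'rt-avd-hostpool' -ResourceGroupName $ResourceGroup `
        -Location $Location
Add-AzRouteConfig -RouteTable $rt -Name 'default-via-firewall' `
    -AddressPrefix '0.0.0.0/0' -NextHopType VirtualAppliance -NextHopIpAddress $fwIp |
    Set-AzRouteTable | Out-Null

# Attach the route table by editing the subnet object in place; this keeps any NSG that
# is already associated with the subnet, which a full Set-AzVirtualNetworkSubnetConfig
# call without -NetworkSecurityGroup would silently drop.
$vnet   = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroup
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $SubnetName }
$subnet.RouteTable = $rt
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Application rule: allow the Azure Virtual Desktop service FQDNs (via the FQDN tag)
#    from the host pool subnet only. Azure Firewall drops everything not explicitly
#    allowed, so any non-HTTP(S) endpoints from the required URL list (for example
#    KMS or NTP) still need network rules of their own.
$rule = New-AzFirewallApplicationRule -Name 'allow-avd-service' `
    -SourceAddress $subnet.AddressPrefix -FqdnTag 'WindowsVirtualDesktop'
$coll = New-AzFirewallApplicationRuleCollection -Name 'avd-required' -Priority 100 `
    -Rule $rule -ActionType Allow
$fw.ApplicationRuleCollections.Add($coll)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# 4. Verify: the effective default route on a session host NIC must now point at the
#    firewall. If it still shows 'Internet' as the next hop, the UDR isn't applied.
Get-AzEffectiveRouteTable -NetworkInterfaceName $SessionHostNicName `
    -ResourceGroupName $ResourceGroup |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Select-Object Name, NextHopType, NextHopIpAddress
```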
Host pools should have separated organizational units (OUs) if managed by group
policies on Active Directory Domain Services (AD DS).
Azure Virtual Desktop has built-in advanced security features to protect session hosts.
However, see the following articles to improve the security defenses of your Azure
Virtual Desktop environment and session hosts:
In addition, see the key design considerations and recommendations for security,
governance, and compliance in Azure Virtual Desktop landing zones in accordance with
Microsoft's Cloud Adoption Framework.
Recommended training
Training: Secure an Azure Virtual Desktop deployment
Learn about the Microsoft security capabilities that help keep your applications
and data secure in your Microsoft Azure Virtual Desktop deployment.
Training: Deploy Azure Firewall, route all network traffic through Azure Firewall, and
configure rules. Route the outbound network traffic from the Azure Virtual Desktop
host pool to the service through Azure Firewall.
Training: Learn how to plan and implement Azure roles for Azure Virtual Desktop and
implement Conditional Access policies for remote connections. This learning
path aligns with exam AZ-140: Configuring and Operating Microsoft Azure
Virtual Desktop.
Training: Design for user identities and profiles
Your users require access to those applications both on-premises and in the cloud.
You use the Remote Desktop client for Windows Desktop to access Windows apps
and desktops remotely from a different Windows device.
For more training on security in Azure, see these resources in the Microsoft catalog:
Security in Azure
Next Steps
See these additional articles for applying Zero Trust principles to Azure:
Technical illustrations
You can download the illustrations used in this article. Use the Visio file to modify these
illustrations for your own use.
PDF | Visio
References
Refer to the links below to learn about the various services and technologies mentioned
in this article.
Azure security baseline for Azure Virtual
Desktop
Article • 09/20/2023
This security baseline applies guidance from the Microsoft cloud security benchmark
version 1.0 to Azure Virtual Desktop. The Microsoft cloud security benchmark provides
recommendations on how you can secure your cloud solutions on Azure. The content is
grouped by the security controls defined by the Microsoft cloud security benchmark and
the related guidance applicable to Azure Virtual Desktop.
You can monitor this security baseline and its recommendations using Microsoft
Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance
section of the Microsoft Defender for Cloud portal page.
When a feature has relevant Azure Policy Definitions, they are listed in this baseline to
help you measure compliance with the Microsoft cloud security benchmark controls and
recommendations. Some recommendations may require a paid Microsoft Defender plan
to enable certain security scenarios.
Note
Features not applicable to Azure Virtual Desktop have been excluded. To see how
Azure Virtual Desktop completely maps to the Microsoft cloud security benchmark,
see the full Azure Virtual Desktop security baseline mapping file.
Security profile
The security profile summarizes high-impact behaviors of Azure Virtual Desktop, which
may result in increased security considerations.
Features
Feature notes: Virtual machines within the host pool must be placed in a virtual
network.
Configuration Guidance: Deploy the service into a virtual network. Assign private IPs to
the resource (where applicable) unless there is a strong reason to assign public IPs
directly to the resource.
Description: Service network traffic respects Network Security Groups rule assignment
on its subnets. Learn more.
Feature notes: Virtual machines used within the host pool support use of network
security groups.
Configuration Guidance: Use network security groups (NSG) to restrict or monitor traffic
by port, protocol, source IP address, or destination IP address. Create NSG rules to
restrict your service's open ports (such as preventing management ports from being
accessed from untrusted networks). Be aware that by default, NSGs deny all inbound
traffic but allow traffic from virtual network and Azure Load Balancers.
Features
Description: Service native IP filtering capability for filtering network traffic (not to be
confused with NSG or Azure Firewall). Learn more.
Feature notes: Private link with Azure Virtual Desktop is currently in preview.
Configuration Guidance: Deploy private endpoints for all Azure resources that support
the Private Link feature, to establish a private access point for the resources.
Reference: Use Azure Private Link with Azure Virtual Desktop (preview)
Description: Service supports disabling public network access either through using
service-level IP ACL filtering rule (not NSG or Azure Firewall) or using a 'Disable Public
Network Access' toggle switch. Learn more.
Features
Description: Service supports using Azure AD authentication for data plane access.
Learn more.
Configuration Guidance: Use Azure Active Directory (Azure AD) as the default
authentication method to control your data plane access.
Features
Managed Identities
Description: Data plane actions support authentication using managed identities. Learn
more.
Service Principals
Description: Data plane supports authentication using service principals. Learn more.
Reference: Tutorial: Create service principals and role assignments with PowerShell in
Azure Virtual Desktop (classic)
Features
Description: Data plane access can be controlled using Azure AD Conditional Access
Policies. Learn more.
Configuration Guidance: Define the applicable conditions and criteria for Azure Active
Directory (Azure AD) conditional access in the workload. Consider common use cases
such as blocking or granting access from specific locations, blocking risky sign-in
behavior, or requiring organization-managed devices for specific applications.
Features
Description: Data plane supports native use of Azure Key Vault for credential and secrets
store. Learn more.
Privileged access
For more information, see the Microsoft cloud security benchmark: Privileged access.
Features
Description: Service has the concept of a local administrative account. Learn more.
Feature notes: A local virtual machine administrator account is created for virtual
machines that are added to the host pool. Avoid using local authentication methods or
accounts; disable them wherever possible. Instead, use Azure AD to authenticate where
possible.
Features
Description: Azure Role-Based Access Control (Azure RBAC) can be used to manage
access to the service's data plane actions. Learn more.
Configuration Guidance: Use Azure role-based access control (Azure RBAC) to manage
Azure resource access through built-in role assignments. Azure RBAC roles can be
assigned to users, groups, service principals, and managed identities.
Features
Customer Lockbox
Description: Customer Lockbox can be used for Microsoft support access. Learn more.
Data protection
For more information, see the Microsoft cloud security benchmark: Data protection.
Features
Description: Tools (such as Azure Purview or Azure Information Protection) can be used
for data discovery and classification in the service. Learn more.
Feature notes: Use Azure Information Protection (and its associated scanning tool) for
sensitive information within Office documents on Azure, on-premises, Office 365 and
other locations.
Configuration Guidance: Use tools such as Azure Purview, Azure Information Protection,
and Azure SQL Data Discovery and Classification to centrally scan, classify and label any
sensitive data that resides in Azure, on-premises, Microsoft 365, or other locations.
Features
Data Leakage/Loss Prevention
Description: Service supports DLP solution to monitor sensitive data movement (in
customer's content). Learn more.
Feature notes: Use data loss prevention solutions, such as host-based ones, to enforce
detective and/or preventative controls to prevent data exfiltration.
Solutions such as DLP for Microsoft Azure may also be used for your Virtual Desktop
environment. For more information, see Data Loss Prevention (DLP) for Microsoft
Azure. Azure Information Protection (AIP) provides monitoring capabilities for
information that has been classified and labeled.
Configuration Guidance: If required for compliance of data loss prevention (DLP), you
can use a host based DLP solution from Azure Marketplace or a Microsoft 365 DLP
solution to enforce detective and/or preventative controls to prevent data exfiltration.
Features
Description: Service supports data in-transit encryption for data plane. Learn more.
Reference: Networking
Description: Data at-rest encryption using platform keys is supported; any customer
content at rest is encrypted with these Microsoft-managed keys. Learn more.
Features
Features
Key Management in Azure Key Vault
Description: The service supports Azure Key Vault integration for any customer keys,
secrets, or certificates. Learn more.
Features
Description: The service supports Azure Key Vault integration for any customer
certificates. Learn more.
Asset management
For more information, see the Microsoft cloud security benchmark: Asset management.
Features
Configuration Guidance: Use Microsoft Defender for Cloud to configure Azure Policy to
audit and enforce configurations of your Azure resources. Use Azure Monitor to create
alerts when there is a configuration deviation detected on the resources. Use Azure
Policy [deny] and [deploy if not exists] effects to enforce secure configuration across
Azure resources.
Features
Description: Service can limit what customer applications run on the virtual machine
using Adaptive Application Controls in Microsoft Defender for Cloud. Learn more.
Feature notes: Though Adaptive Application Control through Microsoft Defender for
Cloud is not supported, when choosing a deployment model, you can either provide
remote users access to entire virtual desktops or only select applications. Remote
applications, or RemoteApps, provide a seamless experience as the user works with apps
on their virtual desktop. RemoteApps reduce risk by only letting the user work with a
subset of the remote machine exposed by the application.
Features
Configuration Guidance: Use Azure Active Directory (Azure AD) as the default
authentication method to control your management plane access. When you get an
alert from Microsoft Defender for Key Vault, investigate and respond to the alert.
Features
Description: Service produces resource logs that can provide enhanced service-specific
metrics and logging. The customer can configure these resource logs and send them to
their own data sink like a storage account or log analytics workspace. Learn more.
Features
Description: Azure Automation State Configuration can be used to maintain the security
configuration of the operating system. Learn more.
Custom VM Images
Features
Description: Service can be scanned for vulnerabilities using Microsoft Defender for
Cloud or the embedded vulnerability assessment capability of other Microsoft Defender
services (including Microsoft Defender for servers, container registry, App Service,
SQL, and DNS). Learn more.
Features
Description: Service can use Azure Automation Update Management to deploy patches
and updates automatically. Learn more.
Endpoint security
For more information, see the Microsoft cloud security benchmark: Endpoint security.
Features
EDR Solution
Description: Endpoint Detection and Response (EDR) feature such as Azure Defender for
servers can be deployed into the endpoint. Learn more.
Configuration Guidance: Azure Defender for servers (with Microsoft Defender for
Endpoint integrated) provides EDR capability to prevent, detect, investigate, and
respond to advanced threats. Use Microsoft Defender for Cloud to deploy Azure
Defender for servers for your endpoint and integrate the alerts to your SIEM solution
such as Azure Sentinel.
Features
Anti-Malware Solution
Configuration Guidance: For Windows Server 2016 and above, Microsoft Defender for
Antivirus is installed by default. For Windows Server 2012 R2 and above, customers can
install SCEP (System Center Endpoint Protection). For Linux, customers can have the
choice of installing Microsoft Defender for Linux. Alternatively, customers also have the
choice of installing third-party anti-malware products.
Features
Anti-Malware Solution Health Monitoring
Features
Azure Backup
Description: The service can be backed up by the Azure Backup service. Learn more.
Configuration Guidance: Enable Azure Backup and configure the backup source (such
as Azure Virtual Machines, SQL Server, HANA databases, or File Shares) on a desired
frequency and with a desired retention period. For Azure Virtual Machines, you can use
Azure Policy to enable automatic backups.
Description: Service supports its own native backup capability (if not using Azure
Backup). Learn more.
Next steps
See the Microsoft cloud security benchmark overview
Learn more about Azure security baselines
Enable screen capture protection in
Azure Virtual Desktop
Article • 06/28/2024
There are two supported scenarios for screen capture protection, depending on the
version of Windows you're using:
Block screen capture on client: the session host instructs a supported Remote
Desktop client to enable screen capture protection for a remote session. This
option prevents screen capture from the client of applications running in the
remote session.
Block screen capture on client and server: the session host instructs a supported
Remote Desktop client to enable screen capture protection for a remote session.
This option prevents screen capture from the client of applications running in the
remote session, but also prevents tools and services within the session host from
capturing the screen.
When screen capture protection is enabled, users can't share their Remote Desktop
window using local collaboration software, such as Microsoft Teams. With Teams, neither
the local Teams app nor Teams with media optimization can share protected
content.
Tip
To increase the security of your sensitive information, you should also disable
clipboard, drive, and printer redirection. Disabling redirection helps prevent
users from copying content from the remote session. To learn about
supported redirection values, see Device redirection.
To discourage other methods of screen capture, such as taking a photo of a
screen with a physical camera, you can enable watermarking, where admins
can use a QR code to trace the session.
Prerequisites
Your session hosts must be running one of the following versions of Windows to
use screen capture protection:
Block screen capture on client is available with a supported version of Windows
10 or Windows 11.
Block screen capture on client and server is available starting with Windows 11,
version 22H2.
Users must connect to Azure Virtual Desktop with Windows App or the Remote
Desktop app to use screen capture protection. The following table shows
supported scenarios. If a user tries to connect with a different app or version, the
connection is denied and shows an error message with the code 0x1151.
Microsoft Entra ID account that is assigned the Policy and Profile manager built-
in RBAC role.
A security group or organizational unit (OU) containing the devices you want to
configure.
Microsoft Intune
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Enable screen capture protection, then close the settings
picker.
5. Expand the Administrative templates category, then toggle the switch for
Enable screen capture protection to Enabled.
6. Toggle the switch for Screen Capture Protection Options (Device) to off for
Block screen capture on client, or on for Block screen capture on client and
server based on your requirements, then select OK.
7. Select Next.
8. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
9. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
10. On the Review + create tab, review the settings, then select Create.
11. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
2. Take a screenshot or share your screen in a Teams call or meeting. The content
should be blocked or hidden. Any existing sessions need to sign out and back in
again for the change to take effect.
Related content
Enable watermarking, where admins can use a QR code to trace the session.
Learn about how to secure your Azure Virtual Desktop deployment at Security best
practices.
Here's a screenshot showing what watermarking looks like when it's enabled:
Important
Prerequisites
You'll need the following things before you can use watermarking:
A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) roles on the host pool as a
minimum.
If you manage your session hosts with Microsoft Intune, you need:
Microsoft Entra ID account that is assigned the Policy and Profile manager built-
in RBAC role.
If you manage your session hosts with Group Policy in an Active Directory domain,
you need:
Enable watermarking
Select the relevant tab for your scenario.
Microsoft Intune
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Enable watermarking, then close the settings picker.
Important
5. Expand the Administrative templates category, then toggle the switch for
Enable watermarking to Enabled.
Option | Values | Description
QR code bitmap opacity | 100 to 9999 (default = 2000) | How transparent the watermark is, where 100 is fully transparent.
Width of grid box in percent relevant to QR code bitmap width | 100 to 1000 (default = 320) | Determines the distance between the QR codes in percent. When combined with the height, a value of 100 would make the QR codes appear side-by-side and fill the entire screen.
Height of grid box in percent relevant to QR code bitmap width | 100 to 1000 (default = 180) | Determines the distance between the QR codes in percent. When combined with the width, a value of 100 would make the QR codes appear side-by-side and fill the entire screen.
Tip
7. Select Next.
8. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
9. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
10. On the Review + create tab, review the settings, then select Create.
11. Sync your session hosts with Intune for the settings to take effect.
2. Select the relevant subscription, resource group, host pool and time range, then
select the Connection Diagnostics tab.
2. In the search bar, type Log Analytics workspaces and select the matching service
entry.
3. Select to open the Log Analytics workspace that is connected to your Azure Virtual
Desktop environment.
5. Start a new query, then run the following query to get session information for a
specific connection ID (represented as CorrelationId in Log Analytics), replacing
<connection ID> with the full or partial value from the QR code:
Kusto
WVDConnections
| where CorrelationId contains "<connection ID>"
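As an added example (not part of the original article), the following PowerShell function runs the query above through the Az.OperationalInsights module, so an investigator can resolve a connection ID scanned from a watermark QR code to the user and session host without opening the portal. The workspace ID and connection ID are assumed inputs; the Log Analytics workspace must already receive WVDConnections data.

```powershell
# Added example, not from the documentation. Requires the Az.OperationalInsights module
# and a signed-in Az session with Log Analytics Reader on the workspace.
function Get-AvdConnectionFromWatermark {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,   # assumed: workspace (customer) ID
        [Parameter(Mandatory)] [string] $ConnectionId,  # full or partial value from the QR code
        [int] $LookbackDays = 30
    )

    # A connection ID is a GUID, so only hex digits and dashes are valid. Rejecting anything
    # else before the value is placed in the KQL string means a mis-scanned or tampered code
    # cannot change the shape of the query.
    if ($ConnectionId -notmatch '^[0-9a-fA-F-]{4,36}$') {
        throw "Connection ID must be a full or partial GUID (hex digits and dashes only)."
    }

    # Same predicate as the documented query, plus a time bound and a per-connection summary.
    # A partial ID may match several connections; all candidates are returned, newest first,
    # so the investigator can pick by time and user.
    $kql = @"
WVDConnections
| where TimeGenerated > ago(${LookbackDays}d)
| where CorrelationId contains "$ConnectionId"
| summarize StartTime = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by CorrelationId, UserName, SessionHostName, ClientOS, ClientType
| order by StartTime desc
"@

    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
    return $result.Results
}

# Usage with constructed placeholder values:
# Get-AvdConnectionFromWatermark -WorkspaceId '00000000-0000-0000-0000-000000000000' `
#     -ConnectionId 'a1b2c3d4' | Format-Table
```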
Related content
Enable screen capture protection in Azure Virtual Desktop.
You set the right policies for your organization, including what risky events are the
highest priority for capturing forensic evidence, what data is most sensitive, and whether
users are notified when forensic capturing is activated.
When using Azure Virtual Desktop with forensic evidence, you can set policies to trigger
recordings of desktop and RemoteApp sessions automatically. Forensic evidence
capturing is off by default and policy creation requires dual authorization.
Prerequisites
Before you can use forensic evidence for Azure Virtual Desktop, you need:
A personal desktop host pool with direct assignment. Pooled host pools aren't
supported.
Session hosts running Windows 11 Enterprise, version 23H2, and using a VM SKU
with a minimum of 8 vCPUs and 16 GB memory, such as Standard D8as v5.
Microsoft 365 E5 license, which contains both Intune and Insider Risk Management
licenses.
1. Ensure a user is assigned to a personal desktop using direct assignment. Follow the
steps in Configure direct assignment to assign a user to a personal desktop.
2. You need to onboard your session hosts to Purview. Follow the steps in Onboard
Windows devices into Microsoft Purview to onboard your session hosts.
3. Install the Purview client and configure forensic evidence. Follow the steps in Get
started with insider risk management forensic evidence to install the Purview client
and configure forensic evidence.
Related content
Manage insider risk management forensic evidence
Per-user access pricing lets you pay for Azure Virtual Desktop access rights on behalf of
external users. External users aren't members of your organization, such as customers of
a business. To learn more about licensing options, see Licensing Azure Virtual Desktop.
Before external users can connect to your deployment, you need to enroll your Azure
subscriptions that you use for Azure Virtual Desktop in per-user access pricing. Your
enrolled subscription is charged each month based on the number of distinct users that
connect to Azure Virtual Desktop resources. All Azure subscriptions are applicable, such
as those from an Enterprise Agreement (EA), Cloud Solution Provider (CSP), or Microsoft
Customer Agreement.
) Important
Per-user access pricing with Azure Virtual Desktop doesn't currently support Citrix
DaaS and VMware Horizon Cloud.
2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.
3. In the Azure Virtual Desktop overview page, select Per-user access pricing.
4. In the list of subscriptions, check the box for the subscription where you deploy
Azure Virtual Desktop resources for external users.
5. Select Enroll.
6. Review the Product Terms, then select Enroll to begin enrollment. It might take up
to an hour for the enrollment process to finish. The Per-user access pricing column
of the subscriptions list shows Enrolling while the enrollment process is running.
7. After enrollment completes, check that the value in the Per-user access pricing
column of the subscriptions list has changed to Enrolled.
2. In the search bar, type Azure Virtual Desktop and select the matching service
entry.
3. In the Azure Virtual Desktop overview page, select Per-user access pricing.
4. In the list of subscriptions, check the box for the subscription you want to unenroll
from per-user access pricing.
5. Select Unenroll.
7. After unenrollment completes, check that the value in the Per-user access pricing
column of the subscriptions list has changed to Not enrolled.
Next steps
To learn more about per-user access pricing, see Licensing Azure Virtual Desktop.
For estimating total deployment costs, see Understand and estimate costs for
Azure Virtual Desktop.
Apply Windows license to session host virtual machines
Article • 03/10/2023
Customers who are properly licensed to run Azure Virtual Desktop workloads are
eligible to apply a Windows license to their session host virtual machines and run them
without paying for another license. For more information, see Azure Virtual Desktop
pricing .
You can apply an Azure Virtual Desktop license to your VMs with the following methods:
You can create a host pool and its session host virtual machines in the Azure
portal. Creating VMs in the Azure portal automatically applies the license.
You can create a host pool and its session host virtual machines using the GitHub
Azure Resource Manager template . Creating VMs with this method automatically
applies the license.
You can manually apply a license to an existing session host virtual machine. To
apply the license this way, first follow the instructions in Create a host pool with
PowerShell or the Azure CLI to create a host pool and associated VMs, then return
to this article to learn how to apply the license.
Note
The directions in this section apply to Windows client VMs, not Windows Server
VMs.
Before you start, make sure you've installed and configured the latest version of Azure
PowerShell.
Next, run the following PowerShell cmdlet to apply the Windows license:
PowerShell
A session host VM with the applied Windows license will show you something like this:
PowerShell
Type : Microsoft.Compute/virtualMachines
Location : westus
LicenseType : Windows_Client
VMs without the applied Windows license will show you something like this:
PowerShell
Type : Microsoft.Compute/virtualMachines
Location : westus
LicenseType :
Run the following cmdlet to see a list of all session host VMs that have the Windows
license applied in your Azure subscription:
PowerShell
$vms = Get-AzVM
$vms | Where-Object {$_.LicenseType -like "Windows_Client"} | Select-Object ResourceGroupName, Name, LicenseType
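Listing licensed VMs across the whole subscription does not tell you which session hosts of a given host pool still lack the license, or whether a Windows Server host was given a client license by mistake. As an added example (not from the article), this script audits the session hosts of one host pool, reports each VM's license state and, when enabled, applies Windows_Client only to Windows client VMs; Windows Server hosts are skipped because, as the Known limitations section below notes, they need the Azure Hybrid Benefit conversion instead. It assumes the Az.Compute and Az.DesktopVirtualization modules and an authenticated session; the host pool and resource group names are placeholders.

```powershell
# Added example, not from the article: audit the session hosts of one host pool and
# apply the Windows_Client license type only to Windows client VMs.
# Assumes Az.Compute and Az.DesktopVirtualization are installed and Connect-AzAccount has run.
# Placeholder values: replace with your own host pool and resource group names.
$HostPoolName          = "<hostPoolName>"
$HostPoolResourceGroup = "<resourceGroupName>"
$Apply = $false   # $false only reports; set to $true to change LicenseType

# Each session host record carries the resource ID of the VM behind it.
$sessionHosts = Get-AzWvdSessionHost -ResourceGroupName $HostPoolResourceGroup -HostPoolName $HostPoolName

foreach ($sh in $sessionHosts) {
    # Resolve the VM from its resource ID; the VM may sit in a different resource group than the host pool.
    $res = Get-AzResource -ResourceId $sh.ResourceId
    $vm  = Get-AzVM -ResourceGroupName $res.ResourceGroupName -Name $res.Name

    # Windows Server images use the "WindowsServer" offer. Windows_Client does not apply to
    # them, so they are skipped rather than given a license type they should not carry.
    $offer    = $vm.StorageProfile.ImageReference.Offer
    $isServer = ($offer -like "WindowsServer*") -or ("$($vm.StorageProfile.OsDisk.OsType)" -ne "Windows")

    if ($isServer) {
        $action = "skip (not a Windows client VM)"
    } elseif ($vm.LicenseType -eq "Windows_Client") {
        $action = "ok"
    } else {
        $action = if ($Apply) { "applying Windows_Client" } else { "needs Windows_Client" }
    }

    if ($Apply -and -not $isServer -and $vm.LicenseType -ne "Windows_Client") {
        $vm.LicenseType = "Windows_Client"
        Update-AzVM -ResourceGroupName $vm.ResourceGroupName -VM $vm | Out-Null
    }

    # One report row per session host.
    [pscustomobject]@{
        Name          = $vm.Name
        ResourceGroup = $vm.ResourceGroupName
        Offer         = $offer
        LicenseType   = $vm.LicenseType
        Action        = $action
    }
}
```

Run it once with $Apply left at $false to review the report before letting it change anything.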
Using Windows Server as session hosts
If you deploy Windows Server as session hosts in Azure Virtual Desktop, a Remote
Desktop Services license server must be accessible from those virtual machines. The
Remote Desktop Services license server can be located on-premises or in Azure, as long
as there is network connectivity between the session hosts and license server. For more
information, see Activate the Remote Desktop Services license server.
Known limitations
If you create a Windows Server session host using the Azure Virtual Desktop host pool
creation process, the process might automatically assign it an incorrect license type. To
change the license type using PowerShell, follow the instructions in Convert an existing
VM using Azure Hybrid Benefit for Windows Server.
Azure Virtual Desktop business continuity and disaster recovery concepts
Article • 06/28/2024
Many users now work remotely, so organizations require solutions with high availability,
rapid deployment speed, and reduced costs. Users also need to have a remote work
environment with guaranteed availability and resiliency that lets them access their
resources even during disasters.
To prevent system outages or downtime, every system and component in your Azure
Virtual Desktop deployment must be fault-tolerant. Fault tolerance is when you have a
duplicate configuration or system in another Azure region that takes over for the main
configuration during an outage. This secondary configuration or system reduces the
impact of a localized outage. There are many ways you can set up fault tolerance, but
this article focuses on the methods currently available in Azure for dealing with business
continuity and disaster recovery (BCDR).
Responsibility for the components that make up Azure Virtual Desktop is divided between
components that are Microsoft-managed and components that are customer-managed or
partner-managed.
Azure Virtual Desktop doesn't have any native features for managing disaster recovery
scenarios, but you can use many other Azure services for each scenario depending on
your requirements, such as Availability sets, availability zones, Azure Site Recovery, and
Azure Files data redundancy options for user profiles and data.
Distributing session hosts across multiple Azure regions provides even more
geographical distribution, which further reduces outage impact. All these and other
Azure features provide a certain level of protection within Azure Virtual Desktop, and
you should carefully consider them along with any cost implications.
We have further documentation that goes into much more detail about each of the
technology areas you need to consider as part of your business continuity and disaster
recovery strategy and how to plan for and mitigate disruption to your organization
based on your requirements. The following table lists the technology areas you need to
consider as part of your disaster recovery strategy and links to other Microsoft
documentation that provides guidance for each area:
Technology area | Documentation
Backup | Backup
Related content
For more in-depth information about disaster recovery in Azure, check out these articles:
Cloud Adoption Framework: Azure Virtual Desktop business continuity and disaster
recovery documentation
There's an Azure CLI extension and an Azure PowerShell module for Azure Virtual
Desktop that you can use to create, update, delete, and interact with Azure Virtual
Desktop service objects as alternatives to using the Azure portal. They're part of Azure
CLI and Azure PowerShell, which cover a wide range of Azure services.
This article explains how you can use the Azure CLI extension and the Azure PowerShell
module, and provides some useful example commands.
Both Azure CLI and Azure PowerShell are available to use in the Azure Cloud Shell
natively in the Azure portal with no installation, or you can install them locally on your
device for Windows, macOS, and Linux.
To learn how to install Azure CLI and Azure PowerShell across all supported platforms,
see the following links:
Example commands
Here are some example commands you can use to get information and values about
your Azure Virtual Desktop resources you might find useful. Select the relevant tab for
your scenario.
Azure CLI
Important
In the following examples, replace the <placeholder> values with your own.
Tip
The Azure CLI extension for Azure Virtual Desktop doesn't have commands for
applications. Use Azure PowerShell instead.
Next steps
Now that you know how to use Azure CLI and Azure PowerShell with Azure Virtual
Desktop, here are some articles that use them:
Create an Azure Virtual Desktop host pool with PowerShell or the Azure CLI
Manage application groups using PowerShell or the Azure CLI
For the full PowerShell reference documentation, see Az.DesktopVirtualization.
Move Azure Virtual Desktop resources between regions
Article • 04/14/2023
In this article, we'll tell you how to move Azure Virtual Desktop resources between Azure
regions.
Note
This process doesn't perform an actual resource move. Instead, you delete the old
resources and recreate them in the region you want to move the resources to. We
recommend you test this process before using it on production workloads to
understand how it will impact your deployment.
The information in this article applies to all Azure Virtual Desktop resources,
including host pools, application groups, scaling plans, and workspaces.
Important information
When you move Azure Virtual Desktop resources between regions, these are some
things you should keep in mind:
When exporting resources, you must move them as a set. All resources associated
with a specific host pool have to stay together. A host pool and its associated
application groups need to be in the same region.
Workspaces and their associated application groups also need to be in the same
region.
Scaling plans and the host pools they are assigned to also need to be in the same
region.
Once you're done moving your resources to a new region, you must delete the
original resources. The resource ID of your resources won't change during the
moving process, so there will be a name conflict with your old resources if you
don't delete them.
Existing session hosts attached to a host pool that you move will stop working.
You'll need to recreate the session hosts in the new region.
Export a template
The first step to move your resources is to create a template that contains everything
you want to move to the new region.
To export a template:
1. In the Azure portal, go to Resource Groups, then select the resource group that
contains the resources you want to move.
2. Once you've selected the resource group, go to Overview > Resources and select
all the resources you want to move.
3. Select the ... button in the upper right-hand corner of the Resources tab. Once the
drop-down menu opens, select Export template.
1. Open the template.json file you extracted from the zip folder in a text editor of
your choice, such as Notepad.
2. In each resource inside the template file, find the "location" property and modify it
to the location you want to move them to. For example, if your deployment's
currently in the East US region but you want to move it to the West US region,
you'd change the "eastus" location to "westus." Learn more about which Azure
regions you can use at Azure geographies .
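Editing the location of every resource by hand is error-prone in a large template. As an added example (not from the article), this script changes the "location" property of every resource in an exported template.json, including child resources nested under a parent's "resources" array, and reports any location value it did not recognise so you can review it before deploying. The file paths and region names are placeholders.

```powershell
# Added example, not from the article: rewrite the "location" of every resource in an
# exported ARM template. Paths and region names below are placeholders.
param(
    [string]$TemplatePath = ".\template.json",
    [string]$OutputPath   = ".\template.westus.json",
    [string]$FromLocation = "eastus",
    [string]$ToLocation   = "westus"
)

function Set-TemplateLocation {
    param([object[]]$Resources, [string]$From, [string]$To, [ref]$Changed, [ref]$Skipped)
    foreach ($r in $Resources) {
        if ($r.PSObject.Properties['location']) {
            if ($r.location -eq $From) {
                $r.location = $To
                $Changed.Value++
            } elseif ($r.location -ne '[resourceGroup().location]') {
                # Neither the source region nor the usual expression: leave it and report it.
                $Skipped.Value += "$($r.type) $($r.name): $($r.location)"
            }
        }
        # Exported templates can carry child resources inline under "resources".
        if ($r.PSObject.Properties['resources'] -and $r.resources) {
            Set-TemplateLocation -Resources $r.resources -From $From -To $To -Changed $Changed -Skipped $Skipped
        }
    }
}

$template = Get-Content -Path $TemplatePath -Raw | ConvertFrom-Json
$changed = 0
$skipped = @()
Set-TemplateLocation -Resources $template.resources -From $FromLocation -To $ToLocation `
    -Changed ([ref]$changed) -Skipped ([ref]$skipped)

# ConvertTo-Json truncates nested objects unless -Depth is raised; 100 is its maximum.
$template | ConvertTo-Json -Depth 100 | Set-Content -Path $OutputPath -Encoding utf8
"Changed $changed resource location(s) to '$ToLocation'; wrote $OutputPath"
if ($skipped) {
    "Left unchanged (review manually):"
    $skipped
}
```

Resources whose location is set through a parameter such as [parameters('location')] are listed as unchanged; update the matching parameter value instead.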
1. Go back to the Resources tab mentioned in Export a template and select all the
resources you exported to the template.
2. Next, select the ... button again, then select Delete from the drop-down menu.
3. If you see a message asking you to confirm the deletion, select Confirm.
4. Wait a few minutes for the resources to finish deleting. Once you're done, they
should disappear from the resource list.
1. In the Azure portal, search for and select Deploy a custom template.
2. In the custom deployment menu, select Build your own template in the editor.
3. Next, select Load file and upload your modified template file.
Note
Make sure to upload the template.json file, not the parameters.json file.
6. Under Instance details, make sure the Region shows the region you changed the
location to in Modify the exported template. If not, select the correct region from
the drop-down menu.
8. Wait a few minutes for the template to deploy. Once it's finished, the resources
should appear in your resource list.
Next steps
Find out which Azure regions are currently available at Azure Geographies .
See our Azure Resource Manager templates for Azure Virtual Desktop for more
templates you can use in your deployments after you move your resources.
Set up email discovery to subscribe to your RDS feed
Article • 07/03/2024
Have you ever had trouble getting your end users connected to their published RDS
feed, either because of a single missing character in the feed URL or because they lost
the email with the URL? Nearly all Remote Desktop client applications support finding
your subscription by entering your email address, making it easier than ever to get your
users connected to their RemoteApps and desktops.
Make sure you have permission to add a TXT record to the domain associated with
your email (for example, if your users have @contoso.com email addresses, you
would need permissions for the contoso.com domain).
Create an RD Web feed URL (https://<rdweb-dns-name>.domain/RDWeb/Feed/webfeed.aspx,
such as https://rdweb.contoso.com/RDWeb/Feed/webfeed.aspx).
Note
If you're using Azure Virtual Desktop instead of Remote Desktop, you'll want to use
these URLs instead:
1. In your browser, connect to the website of the domain name registrar where your
domain is registered.
2. Navigate to the appropriate page for your registered domain where you can view,
add, and edit DNS records.
Host: _msradc
Text: <RD Web Feed URL>
TTL: 300 seconds
The names of the DNS records fields vary by domain name registrar, but this
process will result in a TXT record named _msradc.<domain_name> (such as
_msradc.contoso.com) that has a value of the full RD Web feed.
That's it! Now, launch the Remote Desktop application on your device and subscribe
yourself!
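Because this TXT record is what every client uses to find the feed, it is worth confirming what you actually published. As an added example (not from the article), the function below resolves _msradc.<domain> and checks that there is exactly one TXT value, that it is a valid HTTPS URL, and optionally that it matches the feed URL you intended. It assumes Windows PowerShell with the DnsClient module (Resolve-DnsName); the domain and expected URL are placeholders.

```powershell
# Added example, not from the article: verify the _msradc TXT record for an email domain.
# Assumes the DnsClient module (Resolve-DnsName). Domain and URL below are placeholders.
function Test-RdsEmailDiscovery {
    param(
        [Parameter(Mandatory)][string]$EmailDomain,   # e.g. contoso.com
        [string]$ExpectedFeedUrl                       # optional: the exact URL you published
    )
    $recordName = "_msradc.$EmailDomain"
    $findings = @()

    # -DnsOnly bypasses the local hosts file and cache so you see what public resolvers see.
    try {
        $txt = Resolve-DnsName -Name $recordName -Type TXT -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'TXT' }
    } catch {
        return [pscustomobject]@{
            Record = $recordName; Ok = $false; Values = @()
            Findings = @("no TXT record: $($_.Exception.Message)")
        }
    }

    # A long TXT value can be split into several strings; join them back together.
    $values = @($txt | ForEach-Object { -join $_.Strings })
    if ($values.Count -ne 1) { $findings += "expected exactly one TXT value, found $($values.Count)" }

    foreach ($v in $values) {
        $uri = $null
        if (-not [System.Uri]::TryCreate($v, [System.UriKind]::Absolute, [ref]$uri)) {
            $findings += "not a valid absolute URL: '$v'"
            continue
        }
        if ($uri.Scheme -ne 'https') { $findings += "feed URL is not HTTPS: '$v'" }
        if ($ExpectedFeedUrl -and $v -ne $ExpectedFeedUrl) {
            $findings += "value '$v' differs from expected '$ExpectedFeedUrl'"
        }
    }

    [pscustomobject]@{
        Record   = $recordName
        Ok       = ($findings.Count -eq 0)
        Values   = $values
        Findings = $findings
    }
}

# Usage with placeholder values:
Test-RdsEmailDiscovery -EmailDomain "contoso.com" -ExpectedFeedUrl "https://rdweb.contoso.com/RDWeb/Feed/webfeed.aspx"
```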
Tag Azure Virtual Desktop resources to manage costs
Article • 08/10/2022
Tagging is a tool available across Azure services that helps you organize resources inside
your Azure subscription. Organizing resources makes it easier to track costs across
multiple services. Tags also help you understand how much each grouping of Azure
resources costs per billing cycle. If you'd like to learn more about tagging in general, see
Use tags to organize your Azure resources and management hierarchy. You can also
watch a quick video about some other ways to use Azure tags.
Once your deployment reports tagged usage information to Azure Cost Management,
you can use your tagging structure to filter cost data. To learn how to filter by tags in
Azure Cost Management, see Quickstart: Explore and analyze costs with cost analysis.
If you edit a tag name, the associated resources will associate costs with the new
key-value pair from then on. You can still filter data with the old tag, but all new data from
after the change will be reported with the new tag.
If you delete a tag, Azure Virtual Desktop will no longer report data associated with the
deleted tag to Azure Cost Management. You can still filter with deleted tags for data
reported before you deleted the tag.
Important
Tagged Azure resources that haven't been active since you applied new or updated
tags to them won't report any activity associated with the changed tags to Azure
Cost Management. You won't be able to filter for specific tags until their associated
activity is reported to Azure Cost Management by the service.
To learn more about how tags work in Azure Cost Management, see How tags are used
in cost and usage data.
For a list of known Azure tag limitations, see Use tags to organize your Azure resources
and management hierarchy.
You can use Azure tags to organize costs for creating, managing, and deploying
virtualized experiences for your customers and users. Tagging can also help you track
resources you buy directly through Azure Virtual Desktop and other Azure services
connected to Azure Virtual Desktop deployments.
Become familiar with your purchased Azure services so you understand the extent
of what you want to tag. As you learn how to use the Azure portal, keep a list of
service groups and objects where you can apply tags. Some resources that you
should keep track of include resource groups, virtual machines, disks, and network
interface cards (NICs). For a more comprehensive list of cost generating service
components you can tag, see Understanding total Azure Virtual Desktop
deployment costs.
Create a cost reporting aggregation to organize your tags. You can either follow a
common tagging pattern or create a new pattern that meets your organization’s
needs.
Keep your tags consistent wherever you apply them. Even the smallest typo can
impact data reporting, so make sure you're adding the exact key-value pair you
want to look up later.
Keep a record of any tags you update or edit. This record will let you combine each
tag's historic data as needed. When you edit or update a tag, you should also
apply those changes across all resources that include the changed tag.
As with the general suggestions, there's no universal system for tagging host pools.
However, we do have a few suggestions to help you organize your host pool tags:
Tagging host pools while you're creating them is optional, but tagging during the
creation process will make it easier for you to view all tagged usage in Azure Cost
Management later. Your host pool tags will follow all cost-generating components
of the session hosts within your host pool. Learn more about session host-specific
costs at Understanding total Azure Virtual Desktop deployment costs.
If you use the Azure portal to create a new host pool, the creation workflow will
give you the chance to add existing tags. These tags will be passed along to all
resources you create during the host pool creation process. Tags will also be
applied to any session hosts you add to an existing host pool in the Azure portal.
However, you'll need to enter the tags manually every time you add a new session
host.
It's unlikely you'll ever get a complete cost report of every supporting Azure
service working with your host pools, since configuration options are both limitless
and unique to each customer. It's up to you to decide how closely you want to
track costs across any Azure services associated with your Azure Virtual Desktop
deployment. The more thoroughly you track these costs by tagging, the more
accurate your monthly Azure Virtual Desktop cost report will become.
If you build your tagging system around your host pools, make sure to use key-
value pairs that make sense to add to other Azure services later.
Separating your services will give you a clearer idea of costs for each service, but
may end up being more expensive in the end. You may need to purchase extra
storage for these services to make sure your Azure Virtual Desktop has its own
designated storage.
Combining your purchased services is less expensive, but may inflate your cost
report because the usage data for shared resources won't be as accurate. To make
up for the lack of accuracy, you can add multiple tags to your resources to see
shared costs through filters that track different factors.
If you started building your tagging system with a different Azure service, make
sure the key-value pairs you create can be applied to your Azure Virtual Desktop
deployment or other services later.
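The consistency advice above, for resources in general and for host pools, is easiest to keep when something checks it for you. As an added example (not from the article), this script compares every resource in a resource group against a required tag schema and reports missing keys, near-miss keys (differences in case or spelling, which Cost Management filters treat as a different tag) and values outside an allowed set. It assumes the Az.Resources module and an authenticated session; the resource group name and the schema are placeholders.

```powershell
# Added example, not from the article: audit resource tags in one resource group
# against a required schema. Resource group and schema below are placeholders.
$ResourceGroup = "<resourceGroupName>"
$RequiredTags = @{
    'CostCenter'  = @('CC-1001', 'CC-1002')   # allowed values; use @() to accept any value
    'HostPool'    = @()
    'Environment' = @('prod', 'test')
}

function Get-TagFindings {
    param([object]$Resource, [hashtable]$Schema)
    $findings = @()
    $tags = if ($Resource.Tags) { $Resource.Tags } else { @{} }
    foreach ($key in $Schema.Keys) {
        # Exact (case-sensitive) match first: Cost Management reports the stored text.
        $present = @($tags.Keys | Where-Object { $_ -ceq $key })
        if ($present.Count -eq 0) {
            # A key that matches only after ignoring case and punctuation is a likely typo.
            $norm = $key -replace '[^a-z0-9]', ''
            $nearMiss = @($tags.Keys | Where-Object { ($_ -replace '[^a-z0-9]', '') -ieq $norm })
            if ($nearMiss.Count -gt 0) { $findings += "key '$($nearMiss -join ',')' should be '$key'" }
            else                       { $findings += "missing tag '$key'" }
            continue
        }
        $allowed = $Schema[$key]
        if ($allowed.Count -gt 0 -and $tags[$key] -cnotin $allowed) {
            $findings += "tag '$key' has value '$($tags[$key])', expected one of: $($allowed -join ', ')"
        }
    }
    return $findings
}

$report = foreach ($r in Get-AzResource -ResourceGroupName $ResourceGroup) {
    $f = Get-TagFindings -Resource $r -Schema $RequiredTags
    [pscustomobject]@{
        Name     = $r.Name
        Type     = $r.ResourceType
        Findings = ($f -join '; ')
    }
}
# Only resources with at least one finding are shown.
$report | Where-Object Findings | Format-Table -AutoSize
```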
Next steps
If you’d like to learn more about common Azure Virtual Desktop related costs, check out
Understanding total Azure Virtual Desktop deployment costs.
If you’d like to learn more about Azure tags, check out the following resources:
If you’d like to learn more about Azure Cost Management, check out the following
articles:
Windows App is your gateway to Azure Virtual Desktop, Windows 365, Microsoft Dev
Box, Remote Desktop Services, and remote PCs, securely connecting you to Windows
devices and apps.
You can use Windows App on many different types of devices on different platforms and
form factors, such as desktops and laptops, tablets, smartphones, and through a web
browser. When using a web browser on a desktop or laptop, you can connect without
having to download and install any software.
Windows
macOS
iOS/iPadOS
Android/Chrome OS (preview)
Web browsers
Introductory video
Learn about Windows App in this video:
https://www.youtube-nocookie.com/embed/j0XU59VbKOc
There are many features to enhance your remote experience, such as:
Get started with Windows App to connect to desktops and apps
Article • 11/27/2024
Tip
This article is shared across different services and products. Select what you want to
connect to using the buttons at the top of this article.
Windows App securely connects you to Windows desktops and apps on a device of your
choice from:
Windows
macOS
iOS/iPadOS
Android/Chrome OS (preview)
Web browsers
The following table shows what services and products you can connect to from different
platforms:
Service | Windows | macOS | iOS/iPadOS | Android/Chrome OS | Web browsers
Windows 365 | ✅ | ✅ | ✅ | ✅ | ✅
Remote PC | ❌² | ✅ | ✅ | ✅ | ❌
This article shows you how to get started with Windows App on each platform. Make
sure you select what you want to connect to using the buttons at the top of this article
before continuing.
Prerequisites
Select a tab for the platform you're using.
Windows
Before you can download Windows App and connect to your desktops and apps
from Windows, you need:
Internet access to download Windows App from the Microsoft Store and
connect to Azure Virtual Desktop. Most networks don't block access to the
internet, but if your network does, you need to allow access to the list at
Required FQDNs and endpoints for Azure Virtual Desktop. Contact your
network administrator if you need help.
Your user account for Azure Virtual Desktop, and you're assigned devices or
apps by your administrator. You can also sign in with multiple accounts and
easily switch between them.
Windows
To connect to your desktops and apps from Azure Virtual Desktop on Windows,
follow these steps:
1. Download and install Windows App from the Microsoft Store . When
Windows App is installed, open it.
2. Select Sign in and sign in with your user account for Azure Virtual Desktop. If
you're signed in to your local Windows device with a work or school account
on a managed device, you're signed in automatically.
3. If it's your first time using Windows App, navigate through the tour to learn
more about Windows App, then select Done, or select Skip.
4. After you sign in, select the Devices tab or Apps tab to show your remote
resources from Azure Virtual Desktop and any other services you have access
to. Tabs are hidden if you don't have that type of resource assigned to you. If
you don't see any devices or apps, contact your administrator.
5. Find the device or app you want to connect to. You can use the search box
and filters to help you.
7. Once the connection to your device or app is complete, you're ready to start
using it.
Tip
You can pin your favorite desktops and apps to the Favorites tab for
quick access. To learn more, see Device and app actions in Windows
App.
For administrators: you can also download Windows App for Windows
outside of the Microsoft Store as a .msix installer from What's new in
Windows App.
Provide feedback
You can provide feedback about Windows App using Feedback Hub , which is
installed on Windows by default, whether you want to make a suggestion or report
a problem.
4. Once you've completed the form, select Submit. Feedback you post is public.
Next steps
Learn how to use the features and functionality of Windows App and configure settings
in the following articles:
Device actions
Display settings
User account settings
Keyboard, mouse, touch, and pen
Device, audio, and folder redirection
Windows App documentation
Windows App is your gateway to Azure Virtual Desktop, Windows 365, Microsoft Dev Box,
Remote Desktop Services, and remote PCs, securely connecting you to Windows devices and
apps on a device of your choice.
Get started
Learn more
Discover more articles to help you use Windows App.
Users: Documentation tailored to end-users.
Admins: Comprehensive documentation for admins who manage Windows App.
Related products and services
Discover some of the services you can connect to with Windows App.
Azure Virtual Desktop, Windows 365, Microsoft Dev Box
Remote Desktop clients for Azure Virtual Desktop
Article • 10/16/2024
With the Microsoft Remote Desktop clients, you can connect to Azure Virtual Desktop
and use and control desktops and apps that your admin has made available to you.
There are clients available for many different types of devices on different platforms and
form factors, such as desktops and laptops, tablets, smartphones, and through a web
browser. Using your web browser on desktops and laptops, you can connect without
having to download and install any software.
There are many features you can use to enhance your remote experience, such as:
Some features are only available with certain clients, so it's important to check Compare
the features of the Remote Desktop clients to understand the differences when
connecting to Azure Virtual Desktop.
Tip
You can use most versions of the Remote Desktop client to connect to Remote
Desktop Services in Windows Server or to a remote PC, as well as to Azure Virtual
Desktop. If you'd prefer to use Remote Desktop Services instead, learn more at
Remote Desktop clients for Remote Desktop Services.
Here's a list of the Remote Desktop client apps and our documentation for connecting
to Azure Virtual Desktop, where you can find download links, what's new, and learn how
to install and use each client.
Platform | Documentation and download links | Version information
Windows | Connect to Azure Virtual Desktop with the Remote Desktop client for Windows | What's new
Web | Connect to Azure Virtual Desktop with the Remote Desktop client for Web | What's new
macOS | Connect to Azure Virtual Desktop with the Remote Desktop client for macOS | What's new
iOS/iPadOS | Connect to Azure Virtual Desktop with the Remote Desktop client for iOS and iPadOS | What's new
Android/Chrome OS | Connect to Azure Virtual Desktop with the Remote Desktop client for Android and Chrome OS | What's new
Here's a list of legacy Remote Desktop client apps for Windows. See the below
documentation links for more information.
Client app | Documentation and download links | Version information
Azure Virtual Desktop Store app for Windows | Connect to Azure Virtual Desktop with the Remote Desktop client for Windows | What's new
Remote Desktop Store app for Windows | Connect to Azure Virtual Desktop with the Remote Desktop client for Windows | What's new
The Microsoft Remote Desktop client is used to connect to Azure Virtual Desktop to
access your desktops and applications. This article shows you how to connect to Azure
Virtual Desktop with the Remote Desktop client.
You can find a list of all the Remote Desktop clients at Remote Desktop clients overview.
Prerequisites
Select a tab for the platform you're using.
Windows
Before you can connect to your devices and apps from Windows, you need:
Internet access.
Important
Support for Windows 7 ended on January 10, 2023.
Support for Windows Server 2012 R2 ended on October 10, 2023.
.NET Framework 4.6.2 or later. You may need to install this on Windows Server
2016, and some versions of Windows 10. To download the latest version, see
Download .NET Framework.
Download and install the Remote Desktop client using the MSI installer.
1. Download the Remote Desktop client installer, choosing the correct version
for your device:
4. To accept the end-user license agreement, check the box for I accept the
terms in the License Agreement, then select Next.
Install just for you: Remote Desktop will be installed in a per-user folder
and be available just for your user account. You don't need local
Administrator privileges.
Install for all users of this machine: Remote Desktop will be installed in a
per-machine folder and be available for all users. You must have local
Administrator privileges.
6. Select Install.
8. If you left the box for Launch Remote Desktop when setup exits selected, the
Remote Desktop client will automatically open. Alternatively to launch the
client after installation, use the Start menu to search for and select Remote
Desktop.
Important
If you have the Remote Desktop client (MSI) and the Azure Virtual Desktop app
from the Microsoft Store installed on the same device, you may see the
message that begins A version of this application called Azure Virtual
Desktop was installed from the Microsoft Store. Both apps are supported, and
you have the option to choose Continue anyway, however it could be
confusing to use the same remote resource across both apps. We recommend
using only one version of the app at a time.
Windows
Subscribe to a workspace
A workspace combines all the desktops and applications that have been made
available to you by your admin. To be able to see these in the Remote Desktop
client, you need to subscribe to the workspace by following these steps:
2. The first time you subscribe to a workspace, from the Let's get started screen,
select Subscribe or Subscribe with URL.
If you selected Subscribe with URL, in the Email or Workspace URL box,
enter the relevant URL from the following table. After a few seconds, the
message We found Workspaces at the following URLs should be
displayed.
3. Select Next.
4. Sign in with your user account when prompted. After a few seconds, the
workspace should show the desktops and applications that have been made
available to you by your admin.
Insider releases
If you want to help us test new builds before they're released, you should download
our Insider releases. Organizations can use the Insider releases to validate new
versions for their users before they're generally available. For more information, see
Enable Insider releases.
Next steps
To learn more about the features of the Remote Desktop client for Windows, check
out Use features of the Remote Desktop client for Windows when connecting to
Azure Virtual Desktop.
To learn more about the features of the Remote Desktop client for macOS, check
out Use features of the Remote Desktop client for macOS when connecting to
Azure Virtual Desktop.
To learn more about the features of the Remote Desktop client for iOS and iPadOS,
check out Use features of the Remote Desktop client for iOS and iPadOS when
connecting to Azure Virtual Desktop.
To learn more about the features of the Remote Desktop Web client, check out Use
features of the Remote Desktop Web client when connecting to Azure Virtual
Desktop.
To learn more about the features of the Remote Desktop client for Android and
Chrome OS, check out Use features of the Remote Desktop client for Android and
Chrome OS when connecting to Azure Virtual Desktop.
If you want to use Teams on Azure Virtual Desktop with media optimization, see
Use Microsoft Teams on Azure Virtual Desktop.
Once you've connected to Azure Virtual Desktop using the Remote Desktop client, it's
important to know how to use the features. This article shows you how to use the
features available in the Remote Desktop client for Windows. If you want to learn how to
connect to Azure Virtual Desktop, see Connect to Azure Virtual Desktop with the
Remote Desktop client for Windows.
There are three versions of the Remote Desktop client for Windows, which are all
supported for connecting to Azure Virtual Desktop:
Standalone download as an MSI installer. This is the most common version of the
Remote Desktop client for Windows.
Azure Virtual Desktop app from the Microsoft Store. This is a preview version of
the Remote Desktop client for Windows.
Remote Desktop app from the Microsoft Store. This version is no longer being
developed.
Tip
You can also connect to Azure Virtual Desktop with Windows App, a single app to
securely connect you to Windows devices and apps from Azure Virtual Desktop,
Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs. For
more information, see What is Windows App?
You can find a list of all the Remote Desktop clients at Remote Desktop clients overview.
For more information about the differences between the clients, see Compare the
Remote Desktop clients.
Note
Your admin can choose to override some of these settings in Azure Virtual Desktop,
such as being able to copy and paste between your local device and your remote
session. If some of these settings are disabled, please contact your admin.
Refresh or unsubscribe from a workspace or see its details
Select a tab below for the version of the Remote Desktop client for Windows that you're
using.
2. Select the three dots to the right-hand side of the name of a workspace where
you'll see a menu with options for Details, Refresh, and Unsubscribe.
User accounts
Select a tab below for the version of the Remote Desktop client for Windows that you're
using.
User accounts are stored and managed in Credential Manager in Windows as a generic
credential.
1. Open Credential Manager from the Control Panel. You can also open Credential
Manager by searching the Start menu.
3. Under Generic Credentials, find your saved user account and expand its details. It
will begin with RDPClient.
4. To edit the user account, select Edit. You can update the username and password.
Once you're done, select Save.
5. To remove the user account, select Remove and confirm that you want to delete it.
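The same saved accounts can be inventoried from the command line, which is useful when auditing which Remote Desktop credentials a user has cached on a device. The following is an added example, not code from the article: it parses the output of the built-in cmdkey /list tool and keeps the generic entries whose target names contain RDPClient, as the article says the saved account will. The sample output embedded in the block is constructed, and the LegacyGeneric:target= prefix in it is an assumption about how cmdkey lists generic credentials.

```powershell
# Added example (not from the Microsoft Learn article): list the Remote
# Desktop client user accounts that Windows stores as generic credentials,
# using the built-in cmdkey tool instead of the Control Panel.

function ConvertFrom-CmdKeyList {
    param([Parameter(Mandatory)][string[]]$Lines)
    # cmdkey /list prints each credential as an indented block of
    # "Target: ...", "Type: ...", "User: ..." lines; a new "Target:" line
    # starts a new entry.
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -like 'Target:*') {
            if ($current) { $entries += $current }
            $current = [ordered]@{ Target = $trimmed.Substring(7).Trim(); Type = ''; User = '' }
        } elseif ($current -and $trimmed -like 'Type:*') {
            $current.Type = $trimmed.Substring(5).Trim()
        } elseif ($current -and $trimmed -like 'User:*') {
            $current.User = $trimmed.Substring(5).Trim()
        }
    }
    if ($current) { $entries += $current }
    $entries | ForEach-Object { [pscustomobject]$_ }
}

function Get-RdpClientCredential {
    # By default reads the current user's vault via cmdkey; pass -Lines to
    # parse captured output instead (used with the constructed sample below).
    param([string[]]$Lines = (cmdkey /list))
    ConvertFrom-CmdKeyList -Lines $Lines |
        Where-Object { $_.Type -eq 'Generic' -and $_.Target -match 'RDPClient' }
}

# Constructed sample of cmdkey /list output; not real credentials. The
# "LegacyGeneric:target=" prefix is an assumption about cmdkey's layout.
$sample = @(
    'Currently stored credentials:',
    '',
    '    Target: LegacyGeneric:target=RDPClient/example-placeholder',
    '    Type: Generic',
    '    User: user@contoso.example',
    '    Local machine persistence',
    '',
    '    Target: Domain:target=TERMSRV/host.contoso.example',
    '    Type: Domain Password',
    '    User: CONTOSO\user'
)

# Returns only the RDPClient entry from the sample.
Get-RdpClientCredential -Lines $sample

# Against the live machine: Get-RdpClientCredential
# To remove a listed entry: cmdkey /delete:<target name exactly as listed>
```

cmdkey only shows the vault of the user running it, so an audit across a shared device has to be run in each user's context; the Credential Manager UI in the steps above is subject to the same scoping.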
Display preferences
Select a tab below for the version of the Remote Desktop client for Windows that you're
using.
4. On the Display tab, you can select from the following options:
Display configuration | Description
All displays | Automatically use all displays for the desktop. If you have multiple displays, all of them will be used.
Single display | Only a single display will be used for the remote desktop.
Select displays | Only select displays will be used for the remote desktop.
Each display configuration in the table above has its own settings. Use the following table to understand each setting and which display configurations it applies to:
Setting | Display configuration | Description
Single display when in windowed mode | All displays, Select displays | Only use a single display when running in windowed mode, rather than full screen.
Start in full screen | Single display | The desktop will be displayed full screen.
Fit session to window | All displays, Single display, Select displays | When you resize the window, the scaling of the desktop will automatically adjust to fit the new window size. The resolution will stay the same.
Update the resolution on resize | Single display | When you resize the window, the resolution of the desktop will automatically change to match. If this is disabled, a new option for Resolution is displayed where you can select from a pre-defined list of resolutions.
Choose which display to use for this session | Select displays | Select which displays you want to use. All selected displays must be next to each other.
Maximize to current displays | Select displays | The remote desktop will show full screen on the current display(s) the window is on, even if this isn't the display selected in the settings. If this is off, the remote desktop will show full screen on the same display(s) regardless of the current display the window is on. If your window overlaps multiple displays, those displays will be used when maximizing the remote desktop.
Input methods
You can use touch input, or a built-in or external PC keyboard, trackpad and mouse to
control desktops or apps. Select a tab below for the version of the Remote Desktop
client for Windows that you're using.
The following table shows which mouse operations map to which gestures:
Mouse operation | Gesture
Left-click and drag | Double-tap and hold with one finger, then drag
Right-click and drag | Double-tap and hold with two fingers, then drag
Mouse wheel | Tap and hold with two fingers, then drag up or down
Zoom | With two fingers, pinch to zoom out and move fingers apart to zoom in
Keyboard
There are several keyboard shortcuts you can use to help use some of the features. Some of these are for controlling how the Remote Desktop client displays the session. These are:
Key combination | Description
CTRL + ALT + HOME | Activates the connection bar when in full-screen mode and the connection bar isn't pinned.
CTRL + ALT + PAUSE | Switches the client between full-screen mode and window mode.
Most common Windows keyboard shortcuts, such as CTRL + C for copy and CTRL + Z
for undo, are the same when using Azure Virtual Desktop. When you're using a remote
desktop or app in windowed mode, there are some keyboard shortcuts that are different
so Windows knows when to use them in Azure Virtual Desktop or on your local device.
These are:
Windows shortcut | Azure Virtual Desktop shortcut | Description
CTRL + ALT + DELETE | CTRL + ALT + END | Shows the Windows Security dialog box. Also applicable in fullscreen mode.
ALT + TAB | ALT + PAGE UP | Switches between programs from left to right.
ALT + SHIFT + TAB | ALT + PAGE DOWN | Switches between programs from right to left.
PRINT SCREEN | CTRL + ALT + + (plus sign) | Takes a snapshot of the entire remote session, and places it in the clipboard.
ALT + PRINT SCREEN | CTRL + ALT + - (minus sign) | Takes a snapshot of the active window in the remote session, and places it in the clipboard.
Note
Keyboard shortcuts will not work when using remote desktop or RemoteApp
sessions that are nested.
Keyboard language
By default, remote desktops and apps will use the same keyboard language, also known
as locale, as your Windows PC. For example, if your Windows PC uses en-GB for English
(United Kingdom), that will also be used by Windows in the remote session.
You can manually set which keyboard language to use in the remote session by
following the steps at Managing display language settings in Windows. You might
need to close and restart the application you're currently using for the keyboard
changes to take effect.
Redirections
Select a tab below for the version of the Remote Desktop client for Windows that you're
using.
Folder redirection
The Remote Desktop client can make local folders available in your remote session. This
is known as folder redirection. This means you can open files from and save files to your
Windows PC with your remote session. Redirected folders appear as a network drive in
Windows Explorer.
Folder redirection can't be configured using the Remote Desktop client for Windows.
This behavior is configured by your admin in Azure Virtual Desktop. By default, all local
drives are redirected to a remote session.
Printers
USB devices
Audio output
Smart cards
Clipboard
Microphones
Cameras
You can configure the Remote Desktop client to be displayed in light or dark mode, or
match the mode of your system:
2. Select Settings.
3. Under App mode, select Light, Dark, or Use System Mode. The change is applied
instantly.
Views
You can view your remote desktops and apps as either a tile view (default) or list view:
2. If you want to switch to List view, select Tile, then select List view.
3. If you want to switch to Tile view, select List, then select Tile view.
By default, you'll be notified whenever a new version of the client is available as long as
your admin hasn't disabled notifications. The notification will appear in the client and
the Windows Action Center. To update your client, just select the notification.
You can also manually search for new updates for the client:
2. Select the three dots at the top right-hand corner to show the menu, then select
About. The client will automatically search for updates.
3. If there's an update available, tap Install update to update the client. If the client is
already up to date, you'll see a green check box, and the message You're up to
date.
Tip
Admins can control notifications about updates and when updates are installed. For
more information, see Update behavior.
If you want to help us test new builds of the Remote Desktop client for Windows before
they're released, you should download our Insider releases. Organizations can use the
Insider releases to validate new versions for their users before they're generally
available.
Note
Insider releases are made available in the Remote Desktop client once you've configured
the client to use Insider releases. To configure the client to use Insider releases:
Key: HKLM\Software\Microsoft\MSRDC\Policies
Type: REG_SZ
Name: ReleaseRing
Data: insider
You can do this with PowerShell. On your local device, open PowerShell as an
administrator and run the following commands:
PowerShell
3. Open the Remote Desktop client. The title in the top left-hand corner should be
Remote Desktop (Insider):
If you already have configured the Remote Desktop client to use Insider releases, you
can check for updates to ensure you have the latest Insider release by checking for
updates in the normal way. For more information, see Update the client.
Admin management
Enterprise deployment
To deploy the Remote Desktop client in an enterprise, you can use msiexec from a
command line to install the MSI file. You can install the client per-device or per-user by
running the relevant command from Command Prompt as an administrator:
Per-device installation:
Per-user installation:
Important
If you want to deploy the Remote Desktop client per-user with Intune or
Configuration Manager, you'll need to use a script. For more information, see
Install the Remote Desktop client for Windows on a per-user basis with Intune or
Configuration Manager.
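The per-device and per-user installs above are both plain msiexec invocations; what differs is the Windows Installer scope properties. The following is an added example, not the article's own commands: it wraps msiexec in a function that first verifies the MSI's Authenticode signature, then installs silently with logging and maps the standard msiexec exit codes. The MSI path is a placeholder; ALLUSERS and MSIINSTALLPERUSER are standard Windows Installer properties and are not taken from the article.

```powershell
# Added example (not from the Microsoft Learn article): unattended install of
# the Remote Desktop client MSI, per-device or per-user, with a signature
# check before anything is executed.

function Install-RemoteDesktopClient {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [ValidateSet('Device', 'User')][string]$Scope = 'Device',
        [string]$LogPath = (Join-Path $env:TEMP 'msrdc-install.log')
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) {
        throw "MSI not found: $MsiPath"
    }

    # Supply-chain check: refuse packages that are unsigned, tampered with,
    # or not signed by Microsoft. Pinning the signer's thumbprint would be
    # stricter than this subject-name match.
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
        throw "Refusing to install: signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
    }

    # ALLUSERS=1 installs for every user of the device (needs an elevated
    # session); ALLUSERS=2 with MSIINSTALLPERUSER=1 installs for the current
    # user only. Both are standard Windows Installer properties.
    $scopeProps = if ($Scope -eq 'Device') { 'ALLUSERS=1' } else { 'ALLUSERS=2 MSIINSTALLPERUSER=1' }
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', "/l*v `"$LogPath`"", $scopeProps)

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # Standard msiexec exit codes: 0 success, 3010 reboot required,
    # 1641 reboot initiated; anything else is a failure, see the log.
    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'Installed; reboot required' }
        1641    { return 'Installed; reboot initiated' }
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
    }
}

# Placeholder path; substitute the MSI you downloaded.
Install-RemoteDesktopClient -MsiPath 'C:\Deploy\RemoteDesktopClient.msi' -Scope Device
# Per-user instead: Install-RemoteDesktopClient -MsiPath 'C:\Deploy\RemoteDesktopClient.msi' -Scope User
```

The verbose log written by /l*v is the first thing to check when a silent install fails, since /qn suppresses every dialog that would otherwise explain the error.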
Update behavior
You can control notifications about updates and when updates are installed. The update
behavior of the client depends on two factors:
Whether the app is installed for only the current user or for all users on the
machine
Notification-based updates, where the client shows the user a notification in the
client UI or a pop-up message in the taskbar. The user can choose to update the
client by selecting the notification.
Silent on-close updates, where the client automatically updates after the user has
closed the Remote Desktop client.
Silent background updates, where a background process checks for updates a few
times a day and will update the client if a new update is available.
To avoid interrupting users, silent updates won't happen while users have the client
open, have a remote connection active, or if you've disabled automatic updates. If the
client is running while a silent background update occurs, the client will show a
notification to let users know an update is available.
You can set the AutomaticUpdates registry key to one of the following values:
Value | Update behavior (per user installation) | Update behavior (per machine installation)
0 | Disable notifications and turn off auto-update. | Disable notifications and turn off auto-update.
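The Insider release steps earlier in this article and the AutomaticUpdates value above are both registry policy settings for the client, so one script can manage them. The following is an added example, not the article's own commands: it writes the ReleaseRing value exactly as the article specifies it (key HKLM\Software\Microsoft\MSRDC\Policies, type REG_SZ, name ReleaseRing, data insider) and the AutomaticUpdates value from this table. The article doesn't say where AutomaticUpdates lives; placing it under the same Policies key as a REG_DWORD is an assumption in this example.

```powershell
# Added example (not from the Microsoft Learn article): set and read back the
# Remote Desktop client policy values from an elevated PowerShell session.
# ReleaseRing (REG_SZ, "insider") is as documented in the article; the
# location and REG_DWORD type of AutomaticUpdates are assumptions.

$MsrdcPolicyKey = 'HKLM:\Software\Microsoft\MSRDC\Policies'

function Set-MsrdcPolicyValue {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value,
        [ValidateSet('String', 'DWord')][string]$Type = 'String'
    )
    # HKLM is write-protected for standard users; fail with a clear message
    # instead of a generic access-denied error deep inside the cmdlet.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    if (-not (Test-Path $MsrdcPolicyKey)) {
        New-Item -Path $MsrdcPolicyKey -Force | Out-Null
    }
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $MsrdcPolicyKey -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Get-MsrdcPolicy {
    # Returns the current values ($null for anything not set) so a deployment
    # script can verify what it wrote.
    if (-not (Test-Path $MsrdcPolicyKey)) { return $null }
    $props = Get-ItemProperty -Path $MsrdcPolicyKey
    [pscustomobject]@{
        ReleaseRing      = $props.ReleaseRing
        AutomaticUpdates = $props.AutomaticUpdates
    }
}

# Opt the client into Insider releases (REG_SZ ReleaseRing = insider).
Set-MsrdcPolicyValue -Name 'ReleaseRing' -Value 'insider' -Type String

# Disable update notifications and auto-update (value 0 from the table above).
# Assumption: AutomaticUpdates is a REG_DWORD under the same Policies key.
Set-MsrdcPolicyValue -Name 'AutomaticUpdates' -Value 0 -Type DWord

Get-MsrdcPolicy
```

To take a device back out of the Insider ring, delete the value with Remove-ItemProperty -Path HKLM:\Software\Microsoft\MSRDC\Policies -Name ReleaseRing; the article notes that the client title shows Remote Desktop (Insider) while the setting is in effect, which is a quick way to confirm the change took.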
For more information and the available commands, see Uniform Resource Identifier
schemes with the Remote Desktop client for Azure Virtual Desktop.
Provide feedback
If you want to provide feedback to us on the Remote Desktop client for Windows, you
can do so by selecting the button that looks like a smiley face emoji in the client app, as
shown in the following image. This will open the Feedback Hub.
To best help you, we need you to give us as detailed information as possible. Along with
a detailed description, you can include screenshots, attach a file, or make a recording.
For more tips about how to provide helpful feedback, see Feedback.
Next steps
If you're having trouble with the Remote Desktop client, see Troubleshoot the Remote
Desktop client.
Autoscale support for Azure Local with Azure Virtual Desktop is currently in PREVIEW.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that
apply to Azure features that are in beta, preview, or otherwise not yet released into
general availability.
Once you've connected to Azure Virtual Desktop using the Remote Desktop client, it's
important to know how to use the features. This article shows you how to use the
features available in the Remote Desktop Web client. If you want to learn how to
connect to Azure Virtual Desktop, see Connect to Azure Virtual Desktop with the
Remote Desktop Web client.
You can find a list of all the Remote Desktop clients at Remote Desktop clients overview.
For more information about the differences between the clients, see Compare the
Remote Desktop clients.
Note
Your admin can choose to override some of these settings in Azure Virtual
Desktop, such as being able to copy and paste between your local device and
your remote session. If some of these settings are disabled, please contact
your admin.
Users can now only see the new client version of the Azure Virtual Desktop
Web client user experience.
Display preferences
A remote desktop will automatically fit the size of the browser window. If you resize the
browser window, the remote desktop will resize with it. You can also enter fullscreen by
selecting fullscreen (the diagonal arrows icon) on the taskbar.
If you use a high-DPI display, the Remote Desktop Web client supports using native
display resolution during remote sessions. In sessions running on a high-DPI display,
native resolution can provide higher-fidelity graphics and improved text clarity.
Note
Enabling native display resolution with a high-DPI display may cause increased CPU
or network usage.
1. Sign in to the Remote Desktop Web client, then select Settings on the taskbar.
1. Sign in to the Remote Desktop Web client and select Settings on the taskbar.
2. In the top-right hand corner, select the Grid View icon or the List View icon. The
change will take effect immediately.
1. Sign in to the Remote Desktop Web client and select Settings on the taskbar.
2. Toggle Dark Mode to On to use dark mode, or Off to use light mode. The change
will take effect immediately.
Input methods
You can use a built-in or external PC keyboard, trackpad and mouse to control desktops
or apps.
Keyboard
There are several keyboard shortcuts you can use to help use some of the features. Most
common Windows keyboard shortcuts, such as CTRL + C for copy and CTRL + Z for
undo, are the same when using Azure Virtual Desktop. There are some keyboard
shortcuts that are different so Windows knows when to use them in Azure Virtual
Desktop or on your local device. These are:
Windows shortcut | Azure Virtual Desktop shortcut | Description
CTRL + ALT + DELETE | CTRL + ALT + END (Windows); FN + Control + Option + Delete (macOS) | Shows the Windows Security dialog box.
Note
You can copy and paste text only. Files can't be copied or pasted to and from
the web client. Additionally, you can only use CTRL + C and CTRL + V to copy
and paste text.
When you're connected to a desktop or app, you can access the resources
toolbar at the top of window by using CTRL + ALT + HOME on Windows, or FN +
Control + Option + Home on macOS.
The web client supports Input Method Editor (IME) in the remote session. Before you
can use the IME in a remote session, the language pack for the keyboard you want to
use must be installed on your session host by your admin. To learn more about setting
up language packs in the remote session, see Add language packs to a Windows 10
multi-session image.
1. Sign in to the Remote Desktop Web client, then select Settings on the taskbar.
2. Set Enable Input Method Editor to On.
3. In the drop-down menu, select the keyboard you want to use in a remote session.
The web client will suppress the local IME window when you're focused on the remote
session. If you change the IME settings after you've already connected to the remote
session, the setting changes won't have any effect.
Note
The web client doesn't support IME input while using a private browsing window.
If the language pack isn't installed on the session host, the keyboard in the remote
session will default to English (United States).
Redirections
You can allow the remote computer to access files, printers, and the clipboard on
your local device. When you connect to a remote session, you'll be prompted whether
you want to allow access to local resources.
Transfer files
To transfer files between your local device and your remote session:
1. Sign in to the Remote Desktop Web client and launch a remote session.
2. For the prompt Access local resources, check the box for File transfer, then select
Allow.
3. Once your remote session has started, open File Explorer, then select This PC.
Downloads prompts your local browser to download any files you copy to
this folder.
Uploads contains the files you uploaded through the Remote Desktop Web
client.
5. To download from your remote session to your local device, copy and paste files to
the Downloads folder. Before the paste can complete, the Remote Desktop Web
client will prompt you Are you sure you want to download N file(s)?. Select
Confirm. Your browser will download the files in its normal way.
If you don't want to see this prompt every time you download files from the
current browser, check the box for Don’t ask me again on this browser before
confirming.
6. To upload files from your local device to your remote session, use the button in the
Remote Desktop Web client taskbar for Upload new file (the upwards arrow icon).
Selecting this will open a file explorer window on your local device.
Browse to and select files you want to upload to the remote session. You can select
multiple files by holding down the CTRL key on your keyboard for Windows, or the
Command key for macOS, then select Open. There is a file size limit of 255MB.
Important
We recommend using Copy rather than Cut when transferring files from your
remote session to your local device as an issue with the network connection
can cause the files to be lost.
Uploaded files are available in a remote session until you sign out of the
Remote Desktop Web client.
Don't download files directly from your browser in a remote session to the
Remote Desktop Virtual Drive on RDWebClient\Downloads folder as it
triggers your local browser to download the file before it is ready. Download
files in a remote session to a different folder, then copy and paste them to the
Remote Desktop Virtual Drive on RDWebClient\Downloads folder.
Clipboard
To use the clipboard between your local device and your remote session:
1. Sign in to the Remote Desktop Web client and launch a remote session.
2. For the prompt Access local resources, check the box for Clipboard, then select
Allow.
The Remote Desktop Web client supports copying and pasting text only. Files can't
be copied or pasted to and from the web client. To transfer files, see Transfer files.
Printer
You can enable the Remote Desktop Virtual Printer in your remote session. When you
print to this printer, a PDF file of your print job will be generated for you to download
and print on your local device. To enable the Remote Desktop Virtual Printer:
1. Sign in to the Remote Desktop Web client and launch a remote session.
2. For the prompt Access local resources, check the box for Printer, then select
Allow.
3. Start the printing process as you would normally for the app you want to print
from.
5. If you wish, you can set the orientation and paper size. When you're ready, select
Print. A PDF file of your print job will be generated and your browser will
download the files in its normal way. You can choose to either open the PDF and
print its contents to your local printer or save it to your PC for later use.
1. Sign in to the Remote Desktop Web client, then select Settings on the taskbar.
3. Select the resource you want to open (for example, Excel). Your browser will
download the RDP in its normal way.
4. Open the downloaded RDP file in your Remote Desktop client to launch a remote
session.
1. Sign in to the Remote Desktop Web client and select Settings on the taskbar.
2. Select Reset user settings. You'll need to confirm that you want reset the web
client settings to default.
Provide feedback
If you want to provide feedback to us on the Remote Desktop Web client, you can do so
in the Web client:
1. Sign in to the Remote Desktop Web client, then select the three dots (...) on the
taskbar to show the menu.
Next steps
If you're having trouble with the Remote Desktop client, see Troubleshoot the Remote
Desktop client.
Once you've connected to Azure Virtual Desktop using the Remote Desktop client, it's
important to know how to use the features. This article shows you how to use the
features available in the Remote Desktop client for macOS. If you want to learn how to
connect to Azure Virtual Desktop, see Connect to Azure Virtual Desktop with the
Remote Desktop client for macOS.
You can find a list of all the Remote Desktop clients at Remote Desktop clients overview.
For more information about the differences between the clients, see Compare the
Remote Desktop clients.
Note
Some of the settings in this article can be overridden by your admin, such as being
able to copy and paste between your local device and your remote session. If some
of these settings are disabled, please contact your admin.
1. Open the Microsoft Remote Desktop application on your device, then select
Workspaces.
2. Right-click the name of a workspace or hover your mouse cursor over it and you'll
see a menu with options for Edit, Refresh, and Delete.
Edit allows you to specify a user account to use each time you connect to the
workspace without having to enter the account each time. To learn more, see
Manage user accounts.
Refresh makes sure you have the latest desktops and apps and their settings
provided by your admin.
Delete removes the workspace from the Remote Desktop client.
User accounts
1. Open the Microsoft Remote Desktop application on your device, then select
Workspaces.
3. For User account, select Add User Account... to add a new account, or select an
account you've previously added.
4. If you selected Add User Account..., enter a username, password, and optionally a
friendly name, then select Add.
5. Select Save.
2. From the macOS menu bar, select Microsoft Remote Desktop, then select
Preferences.
4. Enter a username, password, and optionally a friendly name, then select Add. You
can then add this account to a workspace by following the steps in Add user
credentials to a workspace.
5. Close Preferences.
3. Select the User Accounts tab, then select the account you want to remove.
4. Select the - (minus) icon, then confirm you want to delete the user account.
5. Close Preferences.
Display preferences
2. From the macOS menu bar, select Microsoft Remote Desktop, then select
Preferences.
4. To add a custom resolution, select the + (plus) icon and enter in the width and
height in pixels, then select Add.
5. To remove a resolution, select the resolution you want to remove, then select the -
(minus) icon. Confirm you want to delete the resolution by selecting Delete.
1. Open the Microsoft Remote Desktop application on your device, then select
Workspaces.
2. Right-click the name of a desktop, for example SessionDesktop, then select Edit.
4. On the Display tab, you can select from the following options:
Option | Description
Resolution | Select the resolution to use for the desktop. You can select from a predefined list, or add custom resolutions.
Use all monitors | Automatically use all monitors for the desktop. If you have multiple monitors, all of them will be used.
Start session in full screen | The desktop will be displayed full screen, rather than windowed.
Fit session to window | When you resize the window, the scaling of the desktop will automatically adjust to fit the new window size. The resolution will stay the same.
Color quality | The quality and number of colors used. Higher quality will use more bandwidth.
Optimize for Retina displays | Scale the desktop to match the scaling used on the Mac client. This will use four times more bandwidth.
Update the session resolution on resize | When you resize the window, the resolution of the desktop will automatically change to match.
When separate Spaces are disabled, if the Remote Desktop client has Start session in
full screen enabled, but Use all monitors disabled, only one monitor will be used and
the others will be blank. Either enable Use all monitors so the remote desktop is
displayed on all monitors, or enable Displays have separate spaces in Mission Control
so that the remote desktop will be displayed full screen on one monitor, but others will
show the macOS desktop.
Sidecar
You can use Apple Sidecar during a remote session, allowing you to extend a Mac
desktop display using an iPad as an extra monitor.
Input methods
You can use a built-in or external Mac keyboard, trackpad and mouse to control
desktops or apps.
Keyboard
Mac and Windows keyboard layouts differ slightly - for example, the Command key on a
Mac keyboard equals the Windows key on a Windows keyboard. To help with the
differences this makes when using keyboard shortcuts, the Remote Desktop client
automatically maps common shortcuts found in macOS so they'll work in Windows.
These are:
macOS shortcut | Windows action
CMD + C | Copy
CMD + X | Cut
CMD + V | Paste
CMD + Z | Undo
CMD + F | Find
In addition, the Alt key to the right of the space bar on a Mac keyboard equals the
Alt Gr in Windows.
Keyboard language
By default, remote desktops and apps will use the same keyboard language, also known
as locale, as your Mac. For example, if your Mac uses en-GB for English (United
Kingdom), that will also be used by Windows in the remote session.
There are some Mac-specific layouts or custom layouts for which an exact match may
not be available on the version of Windows you're connecting to. Your Mac keyboard
will be matched to the best available on the remote session.
If your keyboard layout is set to a variation of a language, such as Canadian-French, and
if the remote session can't map you to that exact variation, it will map the closest
available language instead. For example, if you chose the Canadian-French locale and it
wasn't available, the closest language would be French. However, some of the Mac
keyboard shortcuts you're used to using on your Mac may not work as expected in the
remote session.
There are some scenarios where characters in the remote session don't match the
characters you typed on the Mac keyboard:
Using a keyboard that the remote session doesn't recognize. When Azure Virtual
Desktop doesn't recognize the keyboard, it defaults to the language last used with
the remote PC.
Connecting to a previously disconnected session from Azure Virtual Desktop where
that session uses a different keyboard language than the language you're currently
trying to use.
Needing to switch keyboard modes between unicode and scancode. To learn
more, see Keyboard modes.
You can manually set which keyboard language to use in the remote session by
following the steps at Managing display language settings in Windows . You might
need to close and restart the application you're currently using for the keyboard
changes to take effect.
Keyboard modes
There are two different modes you can use that control how keyboard input is
interpreted in a remote session: Scancode and Unicode.
With Scancode, user input is redirected by sending key press up and down information
to the remote session. Each key is identified by its physical position on the keyboard and
uses the keyboard layout of the remote session, not the keyboard of the local device.
For example, scancode 31 is the key next to Caps Lock. On a US keyboard this key would
produce the character "A", while on a French keyboard this key would produce the
character "Q".
With Unicode, user input is redirected by sending each character to the remote session.
When a key is pressed, the locale of the user is used to translate this input to a
character. This can be as simple as the character "a" by simply pressing the "a" key, but
it can enable an Input Method Editor (IME), allowing you to input multiple keystrokes to
create more complex characters, such as for Chinese and Japanese input sources. Below
are some examples of when to use each mode.
When to use Scancode:
Certain applications that don't accept Unicode input for characters such as: Hyper-V
VMConnect (for example, no way to input a BitLocker password), VMware Remote
Console, all applications written using the Qt framework (for example R Studio,
TortoiseHg, QtCreator).
Applications that utilize scancode input for actions, such as Space bar to
check/uncheck a checkbox, or individual keys as shortcuts, for example
applications in browser.
When the keyboard layout used on the client might not be available on the server.
2. From the macOS menu bar, select Connections, then select Keyboard Mode.
Alternatively, you can use the following keyboard shortcut to select each mode:
The Remote Desktop client supports Input Method Editor (IME) in a remote session for
input sources. The local macOS IME experience will be accessible in the remote session.
Important
For an IME to work, the input mode needs to be in Unicode Mode. To learn more,
see Keyboard modes.
Mouse and trackpad
You can use a mouse or trackpad with the Remote Desktop client. In order to use the
right-click or secondary-click, you may need to configure macOS to enable right-click, or
you can plug in a standard PC two-button USB mouse. To enable right-click in macOS:
2. For the Apple Magic Mouse, select Mouse, then check the box for Secondary click.
3. For the Apple Magic Trackpad or MacBook Trackpad, select Trackpad, then check
the box for Secondary click.
Redirections
Folder redirection
The Remote Desktop client enables you to make local folders available in your remote
session. This is known as folder redirection. This means you can open files from and save
files to your Mac with your remote session. Folders can also be redirected as read-only.
Redirected folders appear in the remote session as a network drive in Windows Explorer.
2. From the macOS menu bar, select Microsoft Remote Desktop, then select
Preferences.
3. Select the General tab, then for If folder redirection is enabled for RDP files or
managed resources, redirect:, select Choose Folder....
4. Navigate to the folder you want to be available in all your remote desktop
sessions, then select Choose.
5. Close the Preferences window. Optionally, if you want to make this folder available
as read-only, check the box before closing the window.
1. Open the Microsoft Remote Desktop application on your device, then select
Workspaces.
2. Right-click the name of a desktop, for example SessionDesktop, then select Edit.
4. On the Folders tab, check the box Redirect folders, then select the + (plus) icon.
5. Navigate to the folder you want to be available when accessing this remote
resource, then select Open. You can add multiple folders by repeating the previous
step and this step.
6. Select Save. Optionally, if you want to make this folder available as read-only,
check the box, then select Save.
Printers
Smart cards
Clipboard
Microphones
Cameras
1. Open the Microsoft Remote Desktop application on your device, then select
Workspaces.
2. Right-click the name of a desktop, for example SessionDesktop, then select Edit.
4. On the Devices & Audio tab, check the box for each device you want to use in the
remote desktop.
5. Select whether you want to play sound On this computer, On the remote PC, or
Never.
6. Select Save.
Starting with version 10.7.7 of the Remote Desktop client for macOS, optimizations for
Teams is enabled by default. If you need to enable optimizations for Microsoft Teams:
2. From the macOS menu bar, select Microsoft Remote Desktop, then select
Preferences.
3. Select the General tab, then check the box Enable optimizations for Microsoft
Teams.
2. From the macOS menu bar, select Microsoft Remote Desktop, then select
Preferences.
3. Select the General tab. You can change the following settings:
Setting | Value | Description
Use Mac shortcuts for copy, cut, paste and select all, undo, and find | Check On or Off | Use these shortcuts in remote sessions.
Use system proxy configuration | Check On or Off | Use the proxy specified in macOS network settings.
2. If you see the prompt This site is trying to open Microsoft Remote Desktop.app,
select Open. The Microsoft Remote Desktop application should open and
automatically show a sign-in prompt.
3. Enter your user account, then select Sign in. After a few seconds, your workspaces
should show the desktops and applications that have been made available to you
by your admin.
Note
If you already have the beta client, you can check for updates to ensure you have the
latest version by following these steps:
2. From the macOS menu bar, select Microsoft Remote Desktop, then select Check
for updates.
Provide feedback
If you want to provide feedback to us on the Remote Desktop client for macOS, you can
do so in the app:
2. From the macOS menu bar, select Help, then select Submit Feedback.
Next steps
If you're having trouble with the Remote Desktop client, see Troubleshoot the Remote
Desktop client.
Once you've connected to Azure Virtual Desktop using the Remote Desktop client, it's
important to know how to use the features. This article shows you how to use the
features available in the Remote Desktop client for iOS and iPadOS. If you want to learn
how to connect to Azure Virtual Desktop, see Connect to Azure Virtual Desktop with the
Remote Desktop client for iOS and iPadOS.
You can find a list of all the Remote Desktop clients at Remote Desktop clients overview.
For more information about the differences between the clients, see Compare the
Remote Desktop clients.
Note
Your admin can choose to override some of these settings in Azure Virtual Desktop,
such as being able to copy and paste between your local device and your remote
session. If some of these settings are disabled, please contact your admin.
2. Tap and hold the name of a workspace and you'll see a menu with options for Edit,
Refresh, and Delete. You can also pull down to refresh all workspaces.
Edit allows you to specify a user account to use each time you connect to the
workspace without having to enter the account each time. To learn more, see
Manage user accounts.
Refresh makes sure you have the latest desktops and apps and their settings
provided by your admin.
Delete removes the workspace from the Remote Desktop client.
User accounts
Learn how to add user credentials to a workspace and manage them.
3. Tap User account, then select Add User Account to add a new account, or select
an account you've previously added.
4. If you selected Add User Account, enter a username, password, and optionally a
friendly name, then tap the back arrow (<).
2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.
4. Enter a username, password, and optionally a friendly name, then tap the back
arrow (<). You can then add this account to a workspace by following the steps in
Add user credentials to a workspace.
2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.
3. Tap User Accounts, then select the account you want to remove.
Display preferences
Learn how to set display preferences, such as orientation and resolution.
Set orientation
You can set the orientation of the Remote Desktop client to landscape, portrait, or auto-
adjust, where it will match the orientation of your device. Auto-adjust is supported when
your remote session is running Windows 10 or later. The window will maintain the same
scaling and update the resolution to match the new orientation. This setting applies to
all workspaces.
2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.
5. You can also set Use Home Indicator Area. Toggling this on will show graphics
from the remote session in the area at the bottom of the screen occupied by the
Home indicator. This setting only applies in landscape orientation.
Note
Changes to the display resolution only take effect for new connections. For current
connections, you'll need to disconnect and reconnect from a remote session
2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.
3. Tap Display.
2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.
3. Tap Display.
On iOS, you can set Use Home Indicator Area. Toggling this on will show graphics from
the remote session in the area at the bottom of the screen occupied by the Home
indicator. This setting only applies in landscape orientation. For more information about
display orientation, see Set orientation. To set Use Home Indicator Area:
2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.
3. Tap Display.
The middle icon in the connection bar is of the Remote Desktop logo. If you tap this, it
shows the session overview screen. The session overview screen enables you to:
Pressing Tab on a keyboard will switch between the PCs and Apps tab in the session
overview menu. You can also use arrow keys to navigate and select an active session to
open.
You can return to an active session from the Connection Center using the Return
Arrow button found in the bottom right corner of the Connection Center.
Input methods
The Remote Desktop client supports native touch gestures, keyboard, mouse, and
trackpad.
Direct touch: where you tap on the screen is the equivalent to clicking a mouse in
that position. The mouse pointer isn't shown on screen.
Mouse pointer: The mouse pointer is shown on screen. When you tap the screen
and move your finger, the mouse pointer will move.
If you connect to Windows 10 or later with Azure Virtual Desktop, native Windows touch
and multi-touch gestures are supported in direct touch mode.
The following table shows which mouse operations map to which gestures in specific
mouse modes:
Mouse mode | Mouse operation | Gesture
Mouse pointer | Left-click and drag | Double-tap and hold with one finger, then drag
Mouse pointer | Right-click | Tap with two fingers, or tap and hold with one finger
Mouse pointer | Right-click drag | Double-tap and hold with two fingers, then drag
Mouse pointer | Mouse wheel | Tap and hold with two fingers, then drag up or down
Mouse pointer | Zoom | With two fingers, pinch to zoom out and spread fingers apart to zoom in
Keyboard
You can use familiar keyboard shortcuts when using a keyboard with your iPad or
iPhone and Azure Virtual Desktop. Mac and Windows keyboard layouts differ slightly -
for example, the Command key on a Mac keyboard equals the Windows key on a Windows
keyboard. To help with the differences this makes when using keyboard shortcuts, the
Remote Desktop client automatically maps common shortcuts found in iOS and iPadOS
so they'll work in Windows. These are:
Key combination | Function
CMD + C | Copy
CMD + X | Cut
CMD + V | Paste
CMD + Z | Undo
CMD + F | Find
CMD + + | Zoom in
In addition, the Alt key to the right of the space bar on a Mac keyboard equals the
Alt Gr in Windows.
On iOS, the only native support for a mouse and trackpad is through AssistiveTouch.
AssistiveTouch provides a cursor that emulates touch input, so it doesn't support right-click
actions or external monitors; for that reason, we don't recommend using it with the Remote
Desktop app. For iPhone users projecting a remote session to a larger external monitor,
we recommend the following options:
1. Use the Remote Desktop app as a touchpad, where the iPhone itself serves as a
touchpad for the remote session. The app automatically converts to a touchpad
once connected to an external monitor.
2. Use a Bluetooth mouse from the SwiftPoint PenGrip models, which are compatible
with the Remote Desktop app. The following models are supported:
Swiftpoint ProPoint
Swiftpoint PadPoint
SwiftPoint GT
In order to benefit from the Swiftpoint integration, you must connect a Swiftpoint
mouse to your iPhone and in the Remote Desktop app:
c. The mouse should be listed under Other devices. Tap the name of the mouse to
pair it.
e. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.
f. Tap Input Devices, then in the list of the devices, tap the name of the Swiftpoint
mouse you want to use.
g. Tap the back arrow (<), then tap the X mark. You're ready to connect to a
remote session and use the Swiftpoint mouse.
Redirections
The Remote Desktop client enables you to make your local clipboard available in your
remote session. By default, text you copy on your iOS or iPadOS device is available to
paste in your remote session, and text you copy in your remote session is available to
paste on your iOS or iPadOS device.
2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.
Setting | Value | Description
Allow Display Auto-Lock | Toggle On or Off | Allow your device to turn off its screen.
Use HTTP Proxy | Toggle On or Off | Use the HTTP proxy specified in iOS/iPadOS network settings.
Appearance | Select from Light, Dark, or System | Set the appearance of the Remote Desktop client.
Send Data to Microsoft | Toggle On or Off | Help improve the Remote Desktop client by sending anonymous data to Microsoft.
Note
You can download the beta client for iOS and iPadOS from TestFlight. To get started, see
Microsoft Remote Desktop for iOS .
Provide feedback
If you want to provide feedback to us on the Remote Desktop client for iOS and iPadOS,
you can do so in the app:
2. In the top left-hand corner, tap the menu icon (the circle with three dots inside),
then tap Settings.
3. Tap Submit feedback, which will open the feedback page in your browser.
Next steps
If you're having trouble with the Remote Desktop client, see Troubleshoot the Remote
Desktop client.
Once you've connected to Azure Virtual Desktop using the Remote Desktop client, it's
important to know how to use the features. This article shows you how to use the
features available in the Remote Desktop client for Android and Chrome OS. If you want
to learn how to connect to Azure Virtual Desktop, see Connect to Azure Virtual Desktop
with the Remote Desktop client for Android and Chrome OS.
You can find a list of all the Remote Desktop clients at Remote Desktop clients overview.
For more information about the differences between the clients, see Compare the
Remote Desktop clients.
Note
Your admin can choose to override some of these settings in Azure Virtual Desktop,
such as being able to copy and paste between your local device and your remote
session. If some of these settings are disabled, please contact your admin.
2. Tap the three dots to the right-hand side of the name of a workspace where you'll
see a menu with options for Edit, Refresh, and Delete.
Edit allows you to specify a user account to use each time you connect to the
workspace without having to enter the account each time. To learn more, see
Manage user accounts.
Refresh makes sure you have the latest desktops and apps and their settings
provided by your admin.
Delete removes the workspace from the Remote Desktop client.
User accounts
Add user credentials to a workspace
You can save a user account and associate it with workspaces to simplify the connection
sequence, as the sign-in credentials will be used automatically.
2. Tap the three dots to the right-hand side of the name of a workspace, then select
Edit.
3. For User account, tap the drop-down menu, then select Add User Account to add
a new account, or select an account you've previously added.
4. If you selected Add User Account, enter a username and password, then tap Save.
2. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap
User Accounts.
4. Enter a username and password, then tap Save. You can then add this account to a
workspace by following the steps in Add user credentials to a workspace.
2. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap
User Accounts.
4. Tap delete (the bin icon). Confirm you want to delete the account.
5. Tap the back arrow (<) to return to Workspaces.
Display preferences
Set orientation
You can set the orientation of the Remote Desktop client to landscape, portrait, or auto-
adjust, where it will match the orientation of your device. Auto-adjust is supported when
your remote session is running Windows 10 or later. The window will maintain the same
scaling and update the resolution to match the new orientation. This setting applies to
all workspaces.
2. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap
Display.
3. For orientation, tap your preference from Auto-adjust, Lock to landscape or Lock
to portrait.
2. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap
Display.
3. You can tap Default, Match this device, or tap + Customized for a drop-down list
of predefined resolutions. If you choose a customized resolution, you can also
choose the scaling percentage.
The middle icon in the connection bar is of the Remote Desktop logo. If you tap this, it
shows the session overview screen. The session overview screen enables you to:
You can return to an active session from the Connection Center using the Return
Arrow button found in the bottom right corner of the Connection Center.
Input methods
The Remote Desktop client supports native touch gestures, keyboard, mouse, and
trackpad.
Direct touch: where you tap on the screen is the equivalent to clicking a mouse in
that position. The mouse pointer isn't shown on screen.
Mouse pointer: The mouse pointer is shown on screen. When you tap the screen
and move your finger, the mouse pointer will move.
If you connect to Windows 10 or later with Azure Virtual Desktop, native Windows touch
and multi-touch gestures are supported in direct touch mode.
The following table shows which mouse operations map to which gestures in specific
mouse modes:
Mouse mode | Mouse operation | Gesture
Mouse pointer | Left-click and drag | Double-tap and hold with one finger, then drag
Mouse pointer | Right-click | Tap with two fingers, or tap and hold with one finger
Mouse pointer | Right-click drag | Double-tap and hold with two fingers, then drag
Mouse pointer | Mouse wheel | Tap and hold with two fingers, then drag up or down
Mouse pointer | Zoom | With two fingers, pinch to zoom out and spread fingers apart to zoom in
Important
For an IME to work, the input mode needs to be in Unicode Mode. To learn more,
see Keyboard modes.
Keyboard
You can use some familiar keyboard shortcuts when using a keyboard with your Android
or Chrome OS device and Azure Virtual Desktop, for example using CTRL + C for copy.
Some Windows keyboard shortcuts are also used as shortcuts on Android and Chrome
OS devices, for example using ALT + TAB to switch between open applications. By
default, these shortcuts won't be passed through to a remote session. Depending on
your Android or Chrome OS device, you may be able to disable certain shortcuts being
used locally, where they'll then be passed through to a remote session.
Keyboard modes
There are two different modes you can use that control how keyboard input is
interpreted in a remote session: Scancode and Unicode.
With Scancode, user input is redirected by sending key press up and down information
to the remote session. Each key is identified by its physical position on the keyboard and
uses the keyboard layout of the remote session, not the keyboard of the local device.
For example, scancode 31 is the key next to Caps Lock . On a US keyboard this key would
produce the character "A", while on a French keyboard this key would produce the
character "Q".
With Unicode, user input is redirected by sending each character to the remote session.
When a key is pressed, the locale of the user is used to translate this input to a
character. This can be as simple as the character "a" by simply pressing the "a" key, but
it can enable an Input Method Editor (IME), allowing you to input multiple keystrokes to
create more complex characters, such as for Chinese and Japanese input sources. Below
are some examples of when to use each mode.
Certain applications that don't accept Unicode input for characters such as: Hyper-
V VMConnect (for example, no way to input a BitLocker password), VMware
Remote Console, all applications written using the Qt framework (for example R
Studio, TortoiseHg, QtCreator).
Applications that utilize scancode input for actions, such as Space bar to
check/uncheck a checkbox, or individual keys as shortcuts, for example
applications in browser.
When the keyboard layout used on the client might not be available on the server.
By default, the Remote Desktop client uses Unicode. To switch between keyboard
modes:
2. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap
General.
3. Toggle Use scancode input when available to On to use scancode, or Off to use
Unicode.
Redirections
You can allow the remote computer to access the clipboard on your local device. When you
connect to a remote session, you'll be prompted whether you want to allow access to
local resources. The Remote Desktop client supports copying and pasting text only.
To use the clipboard between your local device and your remote session:
3. For the prompt Make sure you trust the remote PC before you connect, check the
box for Clipboard, then select Connect.
2. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap
General.
Setting | Value | Description
Use HTTP Proxy | Toggle On or Off | Use the HTTP proxy specified in Android or Chrome OS network settings.
Theme | Select from Light, Dark, or System | Set the appearance of the Remote Desktop client.
Note
You can download the beta client for Android and Chrome OS from Google Play .
You'll need to give consent to access preview versions and download the client. You'll
receive preview versions directly through the Google Play Store.
Provide feedback
If you want to provide feedback to us on the Remote Desktop client for Android and
Chrome OS, you can do so in the app:
2. In the top left-hand corner, tap the menu icon (three horizontal lines), then tap
General.
3. Tap Submit feedback, which will open the feedback page in your browser.
Next steps
If you're having trouble with the Remote Desktop client, see Troubleshoot the Remote
Desktop client.
Tip
This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.
Use the buttons at the top of this article to select what you want to connect to so
the article shows the relevant information.
The Remote Desktop app is available on Windows, macOS, iOS and iPadOS, Android and
Chrome OS, and in a web browser. However, support for some features differs across
these platforms. This article details which features are supported on which platforms.
There are three versions of the Remote Desktop app for Windows, which are all
supported for connecting to Azure Virtual Desktop:
Standalone download as an MSI installer. This is the most common version of the
Remote Desktop app for Windows and is referred to in this article as Windows
(MSI).
Azure Virtual Desktop app from the Microsoft Store. This is a preview version of
the Remote Desktop app for Windows and is referred to in this article as Windows
(AVD Store).
Remote Desktop app from the Microsoft Store. This version is no longer being
developed and is referred to in this article as Windows (RD Store).
Experience
The following table compares which Remote Desktop app experience features are
supported on which platforms:
Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Appearance (dark or light) | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Integrated apps | ✔ | ✔ | X | X | X | X | X
Localization | ✔ | ✔ | ✔ | X | ✔ | X | ✔
Pin to Start Menu | X | X | ✔ | X | X | X | X
Search | X | X | X | ✔ | ✔ | ✔ | ✔
URI schemes | ✔ ¹ | ✔ ¹ | X | X | X | X | X
The following table provides a description for each of the experience features:
Feature | Description
Appearance (dark or light) | Change the appearance of the Remote Desktop app to be light or dark.
Integrated apps | Individual apps using RemoteApp are integrated with the local device as if they're running locally.
Pin to Start Menu | Pin your favorite devices and apps to the Windows Start Menu for quick access.
Uniform Resource Identifier (URI) schemes | Start the Remote Desktop app or connect to a remote session with specific parameters and values with a URI.
Display
The following table compares which display features are supported on which platforms:
Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Dynamic resolution | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
External monitor | ✔ | ✔ | X | ✔ | ✔ | X | X
Multiple monitors ¹ | ✔ | ✔ | X | ✔ | X | X | X
Selected monitors | ✔ | ✔ | X | X | ✔ | X | X
Smart sizing | ✔ | ✔ | ✔ | ✔ | X | X | X
1. Up to 16 monitors.
The following table provides a description for each of the display features:
Feature | Description
Dynamic resolution | The resolution and orientation of local displays is dynamically reflected in the remote session for desktops. If the session is running in windowed mode, the desktop is dynamically resized to the size of the window.
Selected displays | Specifies which local displays to use for the remote session.
Smart sizing | A desktop in windowed mode is dynamically scaled to the window's size.
Multimedia
The following table shows which multimedia features are available on each platform:
Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Multimedia redirection | ✔ | ✔ | X | X | X | X | X
Teams media optimizations | ✔ | ✔ | X | ✔ | X | X | X
The following table provides a description for each of the multimedia features:
Feature | Description
Multimedia redirection | Redirect media content from the desktop or app to the physical machine for faster processing and rendering.
Redirection
The following sections detail the redirection support available on each platform.
Device redirection
The following table shows which local devices you can redirect to a remote session on
each platform:
Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Cameras | ✔ | ✔ | X | ✔ | ✔ | ✔ | ✔ ¹
Local drive/storage | ✔ | ✔ | X | ✔ | ✔ | ✔ | ✔ ²
Microphones | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Printers | ✔ | ✔ | X | ✔ ³ | X | X | ✔ ⁴
Scanners ⁵ | ✔ | ✔ | X | X | X | X | X
Smart cards | ✔ | ✔ | X | ✔ | X | X | X
Speakers | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
The following table provides a description for each type of device you can redirect:
Feature | Description
Cameras | Redirect a local camera to use with apps like Microsoft Teams.
Microphones | Redirect a local microphone to use with apps like Microsoft Teams.
Input redirection
The following table shows which input methods you can redirect:
Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Keyboard | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Keyboard input language | ✔ | ✔ | ✔ | ✔ | X | X | ✔ ¹
Keyboard shortcuts | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Mouse/trackpad | ✔ | ✔ | ✔ | ✔ | ✔ ² | ✔ | ✔
Multi-touch | ✔ | ✔ | ✔ | X | ✔ | ✔ | X
Pen | ✔ | ✔ | X | X | ✔ | ✔ | ✔
Touch | ✔ | ✔ | ✔ | X | ✔ | ✔ | ✔
The following table provides a description for each type of input you can redirect:
Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Serial | ✔ | ✔ | X | X | X | X | X
USB | ✔ | ✔ | X | X | X | X | X
The following table provides a description for each port you can redirect:
Feature | Description
Serial | Redirect serial (COM) ports on the local device to the remote session.
USB | Redirect supported USB devices on the local device to the remote session.
Other redirection
The following table shows which other features you can redirect:
Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Clipboard - bidirectional | ✔ | ✔ | ✔ | ✔ | ✔ ¹ | ✔ ² | ✔ ²
Clipboard - unidirectional ³ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Location | ✔ ⁴ | ✔ ⁴ | X | X | ✔ | X | ✔
Third-party virtual channel plugins | ✔ | ✔ | X | X | X | X | X
Time zone | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
WebAuthn | ✔ | ✔ | X | X | X | X | X
The following table provides a description for each other redirection feature you can
redirect:
Feature | Description
Clipboard - bidirectional | Redirect the clipboard on the local device to the remote session and from the remote session to the local device.
Clipboard - unidirectional | Control the direction in which the clipboard can be used and restrict the types of data that can be copied.
Location | The location of the local device can be available in the remote session.
Third-party virtual channel plugins | Enables third-party virtual channel plugins to extend Remote Desktop Protocol (RDP) capabilities.
Time zone | The time zone of the local device can be available in the remote session.
Authentication
The following sections detail the authentication support available on each platform and
the following table provides a description for each credential type:
Credential type | Description
Microsoft Authenticator | The Microsoft Authenticator app helps sign in to Microsoft Entra ID without using a password, or provides an extra verification option for multifactor authentication. Microsoft Authenticator uses key-based authentication to enable a user credential that is tied to a device, where the device uses a PIN or biometric.
Windows Hello for Business certificate trust | Uses an enterprise managed public key infrastructure (PKI) for issuing and managing end user certificates.
Windows Hello for Business cloud trust | Uses Microsoft Entra Kerberos, which enables a simpler deployment when compared to the key trust model.
Windows Hello for Business key trust | Uses hardware-bound keys created during the provisioning experience.
The following table shows which credential types are available for each platform:
Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Passkeys (FIDO2) | ✔ | ✔ | ✔ | ✔ ¹ | ✔ ¹ | X | ✔
Microsoft Authenticator | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Password | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Federation Services | | | | | | |
Windows Hello for Business certificate trust | ✔ | ✔ | ✔ | X | X | X | ✔ ²
Windows Hello for Business cloud trust | ✔ | ✔ | ✔ | X | X | X | ✔ ²
Windows Hello for Business key trust | ✔ | ✔ | ✔ | X | X | X | ✔ ²
1. Available in preview. Requires macOS client version 10.9.8 or later. Requires iOS
client version 10.5.9 or later. For more information, see Support for FIDO2
authentication with Microsoft Entra ID.
2. Available when using a web browser on a local Windows device only.
Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Passkeys (FIDO2) | X | X | X | X | X | X | X
Microsoft Authenticator | X | X | X | X | X | X | X
Password | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Smart card | ✔ ¹ | ✔ ¹ | X | ✔ ² | X | X | X
Windows Hello for Business certificate trust | ✔ | ✔ | X | X | X | X | X
Windows Hello for Business cloud trust | X | X | X | X | X | X | X
Windows Hello for Business key trust | ✔ ³ | ✔ ³ | X | X | X | X | X
In-session authentication
The following table shows which types of credential are available when authenticating
within a remote session:
Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Passkeys (FIDO2) | ✔ ² | ✔ ² | X | X | X | X | X
Password | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Smart card | ✔ ¹ | ✔ ¹ | X | ✔ ¹ | X | X | X
Windows Hello for Business certificate trust | ✔ ² | ✔ ² | X | X | X | X | X
Windows Hello for Business cloud trust | ✔ ² | ✔ ² | X | X | X | X | X
Windows Hello for Business key trust | ✔ ² | ✔ ² | X | X | X | X | X
Security
The following table shows which security features are available on each platform:
Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Screen capture protection | ✔ | ✔ | X | ✔ | X | X | X
Watermarking | ✔ | ✔ | X | ✔ | ✔ | ✔ | ✔
Feature | Description
Screen capture protection | Helps prevent sensitive information in the remote session from being screen captured from the physical device.
Network
The following table shows which network features are available on each platform:
Feature | Windows (MSI) | Windows (AVD Store) | Windows (RD Store) | macOS | iOS/iPadOS | Android/Chrome OS | Web browser
Connection information | ✔ | ✔ | X | ✔ | X | X | ✔
RDP Shortpath for managed networks | ✔ | ✔ | X | ✔ | ✔ | X | X
RDP Shortpath for public networks | ✔ | ✔ | X | ✔ | ✔ | X | X
Private Link | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Feature | Description
RDP Shortpath for managed networks | Better connection reliability and more consistent latency through direct UDP-based transport on a private/managed network connection.
RDP Shortpath for public networks | Better connection reliability and more consistent latency through direct UDP-based transport on a public network connection.
You can install the Remote Desktop client for Windows on either a per-system or per-
user basis. Installing it on a per-system basis installs the client on the machines for all
users by default, and administrators control updates. Per-user installation installs the
application to a subfolder within the local AppData folder of each user's profile,
enabling users to install updates without needing administrative rights.
When you install the client using msiexec.exe, per-system is the default method of
client installation. You can use the parameters ALLUSERS=2 MSIINSTALLPERUSER=1 with
msiexec to install the client per-user, however if you're deploying the client with Intune
Prerequisites
In order to install the Remote Desktop client for Windows on a per-user basis with
Intune or Configuration Manager, you need the following things:
Download the latest version of the Remote Desktop client for Windows.
For Intune, you need a local Windows device to use the Microsoft Win32 Content
Prep Tool .
Intune
Here's how to install the client on a per-user basis using a PowerShell script with
Intune as a Windows app (Win32).
1. Create a new folder on your local Windows device and add the Remote
Desktop client .msi file you downloaded.
2. Within that folder, create a PowerShell script file called Install.ps1 and add
the following content, replacing <RemoteDesktop> with the filename of the
.msi file you downloaded:
PowerShell
3. In the same folder, create a PowerShell script file called Uninstall.ps1 and
add the following content:
PowerShell
4. In the same folder, create a PowerShell script file called Detection.ps1 and
add the following content:
PowerShell
# Look for a 'Remote Desktop' entry under the Uninstall registry key.
$registryEntry = [string](Get-ChildItem Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall |
    Where-Object { $_.GetValue('DisplayName') -eq 'Remote Desktop' })

# Confirm the product is also known to Windows Installer and published by Microsoft.
$installedProduct = Get-WmiObject -Class Win32_Product |
    Where-Object { $_.Name -eq 'Remote Desktop' -and $_.Vendor -eq 'Microsoft Corporation' }

# Intune treats exit code 0 with output on STDOUT as "detected"; exit code 1 means not detected.
If ($registryEntry -and $installedProduct) {
    Write-Host "Microsoft Remote Desktop client is installed"
    exit 0
} else {
    Write-Host "Microsoft Remote Desktop client isn't installed"
    exit 1
}
5. Follow the steps in Prepare Win32 app content for upload to package the
contents of the folder into an .intunewin file.
6. Follow the steps in Add, assign, and monitor a Win32 app in Microsoft Intune
to add the Remote Desktop client. Here's some of the information you need
to specify during the process. You can leave the rest of the settings as default
or update them as needed.
Parameter | Value/Description
Detection script file | Select the file Detection.ps1 you created earlier.
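As an added example for step 2 above (this is not the article's own Install.ps1), here is a per-user install script that uses the ALLUSERS=2 MSIINSTALLPERUSER=1 parameters named earlier and refuses to run an MSI whose Authenticode signature is missing, invalid, or not Microsoft's. The filename in $MsiName is a placeholder for the .msi you downloaded, and the log path and exit-code handling are assumptions, not Intune requirements.

```powershell
# Added example (not the article's script): per-user install of the Remote Desktop
# client MSI for an Intune Win32 app, with a signature check before msiexec runs.
$MsiName = 'RemoteDesktop_x64.msi'   # placeholder: replace with the filename you downloaded
$MsiPath = Join-Path -Path $PSScriptRoot -ChildPath $MsiName
$LogPath = Join-Path -Path $env:TEMP -ChildPath 'RemoteDesktopClient-PerUser.log'

if (-not (Test-Path -Path $MsiPath)) {
    Write-Host "MSI not found: $MsiPath"
    exit 1
}

# Only install a package that carries a valid signature from Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    Write-Host "Signature check failed ($($sig.Status)): $MsiPath"
    exit 1
}

# Per-user install (ALLUSERS=2 MSIINSTALLPERUSER=1, as described in the article),
# silent, without a forced reboot, and with a verbose log for troubleshooting.
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    '/qn', '/norestart',
    'ALLUSERS=2', 'MSIINSTALLPERUSER=1',
    '/L*v', "`"$LogPath`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

# msiexec: 0 = success, 3010 = success but a reboot is required; anything else is a failure.
switch ($proc.ExitCode) {
    0    { Write-Host 'Remote Desktop client installed per-user'; exit 0 }
    3010 { Write-Host 'Remote Desktop client installed; reboot required'; exit 3010 }
    default {
        Write-Host "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
        exit $proc.ExitCode
    }
}
```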
Next steps
Learn more about the Remote Desktop client at Use features of the Remote Desktop
client for Windows.
Uniform Resource Identifier schemes
with the Remote Desktop client for
Azure Virtual Desktop
Article • 06/04/2024
You can use Uniform Resource Identifier (URI) schemes to invoke the Remote Desktop
client with specific commands, parameters, and values for use with Azure Virtual
Desktop. For example, you can subscribe to a workspace or connect to a particular
desktop or RemoteApp.
This article details the available commands and parameters, along with some examples.
Supported clients
The following table lists the supported clients for use with the URI schemes:
Client | Version
The following sections detail the commands and parameters you can use with each URI
scheme.
ms-avd
The ms-avd Uniform Resource Identifier scheme for Azure Virtual Desktop is now
generally available. Here's the list of currently supported commands for ms-avd and
their corresponding parameters.
ms-avd:connect
ms-avd:connect locates a specified Azure Virtual Desktop resource and initiates the RDP
Command parameters:
Parameter | Value | Description
user | User Principal Name (UPN), for example [email protected]. | Specify a valid user with access to the specified resource.
env (optional) | avdarm (commercial Azure) or avdgov (Azure Government) | Specify the Azure cloud where resources are located.
usemultimon | true or false | Specify whether the remote session will use one or multiple displays from the local computer.
Example:
ms-avd:connect?workspaceId=1638e073-63b2-46d8-bd84-ea02ea905467&resourceid=c2f5facc-196f-46af-991e-a90f3252c185&[email protected]&version=0
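Because a URI like this can be handed to the client from a web page or a document, a launcher or review script should validate the parameters before acting on or logging them. The following is an added example, not code from the article or the client: it parses an ms-avd:connect URI using the parameter names from the table above, and the GUID, UPN and boolean checks are assumptions about the expected value formats.

```powershell
# Added example (not from the article): parse and validate an ms-avd:connect URI.
function ConvertFrom-AvdConnectUri {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Uri
    )

    # Only the exact scheme and command are accepted.
    if ($Uri -notmatch '^ms-avd:connect\?(.+)$') {
        throw "Not an ms-avd:connect URI: $Uri"
    }
    $query = $Matches[1]

    # Split the query string into a hashtable; parameter names are compared case-insensitively.
    $params = @{}
    foreach ($pair in ($query -split '&')) {
        if (-not $pair) { continue }
        $name, $value = $pair -split '=', 2
        $params[$name.ToLowerInvariant()] = [System.Uri]::UnescapeDataString([string]$value)
    }

    # workspaceId, resourceid and user are required; the two IDs are GUIDs, as in the example above.
    foreach ($required in @('workspaceid', 'resourceid', 'user')) {
        if (-not $params.ContainsKey($required)) {
            throw "Missing parameter: $required"
        }
    }
    foreach ($guidParam in @('workspaceid', 'resourceid')) {
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($params[$guidParam], [ref]$parsed)) {
            throw "Parameter $guidParam is not a GUID: $($params[$guidParam])"
        }
    }

    # user must look like a UPN (a simple local@domain check; an assumption).
    if ($params['user'] -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "Parameter user is not a UPN: $($params['user'])"
    }

    # env is optional and limited to the two clouds listed in the table above.
    $cloud = 'avdarm'
    if ($params.ContainsKey('env')) {
        if ($params['env'] -notin @('avdarm', 'avdgov')) {
            throw "Unknown env value: $($params['env'])"
        }
        $cloud = $params['env']
    }

    # usemultimon is optional and must be the literal true or false.
    $useMultiMon = $false
    if ($params.ContainsKey('usemultimon')) {
        if ($params['usemultimon'] -notin @('true', 'false')) {
            throw "usemultimon must be true or false: $($params['usemultimon'])"
        }
        $useMultiMon = ($params['usemultimon'] -eq 'true')
    }

    [pscustomobject]@{
        WorkspaceId = [guid]$params['workspaceid']
        ResourceId  = [guid]$params['resourceid']
        User        = $params['user']
        Environment = $cloud
        UseMultiMon = $useMultiMon
        Version     = $params['version']
    }
}

# Constructed sample: the GUIDs are taken from the article's example, the UPN is a placeholder.
$sample = 'ms-avd:connect?workspaceId=1638e073-63b2-46d8-bd84-ea02ea905467' +
          '&resourceid=c2f5facc-196f-46af-991e-a90f3252c185' +
          '&user=user@contoso.com&version=0&env=avdgov&usemultimon=true'
ConvertFrom-AvdConnectUri -Uri $sample | Format-List
```

A malformed URI (a non-GUID resource ID, an unknown env value, an unexpected scheme) makes the function throw instead of returning a partially filled object, which is the behaviour you want before anything downstream launches a session.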
ms-rd
Here's the list of currently supported commands for ms-rd and their corresponding
parameters.
Tip
Using ms-rd: without any commands launches the Remote Desktop client.
ms-rd:subscribe
ms-rd:subscribe launches the Remote Desktop client and starts the subscription
process.
Command parameters:
Example:
ms-rd:subscribe?url=https://rdweb.wvd.microsoft.com
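The following PowerShell example is added here and isn't part of the article. It assembles the ms-avd:connect and ms-rd:subscribe URIs described above from typed parameters instead of hand-editing a string: the GUID-typed parameters and the UPN pattern check stop a caller from smuggling extra query pairs into the URI, and the subscribe helper refuses anything but an absolute https:// feed URL, because the feed URL decides where the client sends the user's sign-in. The query key username is assumed from the article's example; the workspace ID, resource ID, and UPN in the usage section are constructed placeholders.

```powershell
# Added example (not from the Microsoft Learn article): build ms-avd:connect and
# ms-rd:subscribe URIs from validated parameters, then hand them to the handler
# registered for those schemes on the local Windows device.
# Assumption: the user's query key is 'username', as in the article's example.

function New-AvdConnectUri {
    [CmdletBinding()]
    param(
        # [guid] typing rejects any value that isn't a GUID, so extra '&key=value'
        # pairs can't be injected through the workspace or resource ID.
        [Parameter(Mandatory)] [guid]   $WorkspaceId,
        [Parameter(Mandatory)] [guid]   $ResourceId,
        # Reject characters that would change the query structure ('&', '#', '?', '=', whitespace).
        [Parameter(Mandatory)] [ValidatePattern('^[^&#?=\s]+@[^&#?=\s/]+$')] [string] $UserPrincipalName,
        # env parameter from the article: avdarm (commercial Azure) or avdgov (Azure Government)
        [ValidateSet('avdarm', 'avdgov')] [string] $Cloud,
        [bool] $UseMultiMon,
        [int]  $Version = 0
    )
    $pairs = [System.Collections.Generic.List[string]]::new()
    $pairs.Add("workspaceId=$WorkspaceId")
    $pairs.Add("resourceid=$ResourceId")
    $pairs.Add("username=$UserPrincipalName")
    if ($Cloud) { $pairs.Add("env=$Cloud") }
    if ($PSBoundParameters.ContainsKey('UseMultiMon')) {
        $pairs.Add("usemultimon=$($UseMultiMon.ToString().ToLowerInvariant())")
    }
    $pairs.Add("version=$Version")
    return 'ms-avd:connect?' + ($pairs -join '&')
}

function New-RdSubscribeUri {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $FeedUrl)
    $parsed = $null
    # Only an absolute https URL is accepted: plain http or a relative path is refused.
    if (-not [uri]::TryCreate($FeedUrl, [System.UriKind]::Absolute, [ref]$parsed) -or
        $parsed.Scheme -ne 'https') {
        throw "Feed URL must be an absolute https:// URL: $FeedUrl"
    }
    return 'ms-rd:subscribe?url=' + $parsed.AbsoluteUri
}

# Usage with constructed placeholder values.
$connect = @{
    WorkspaceId       = '00000000-0000-0000-0000-000000000001'   # placeholder
    ResourceId        = '00000000-0000-0000-0000-000000000002'   # placeholder
    UserPrincipalName = 'user@contoso.com'                       # placeholder UPN
    Cloud             = 'avdarm'
    UseMultiMon       = $true
}
$uri = New-AvdConnectUri @connect
$uri
# Start-Process $uri        # launches the client through the ms-avd: protocol handler

$feed = New-RdSubscribeUri -FeedUrl 'https://rdweb.wvd.microsoft.com'
$feed
# Start-Process $feed       # launches the client and starts the subscription process
```

Start-Process is left commented out so the script can be run to inspect the generated URIs first; uncomment it on a device where the Remote Desktop client is installed and the schemes are registered.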
Known Limitations
Here are known limitations with the URI schemes:
Display properties cannot be configured via URI. You can configure display
properties as an admin on a host pool or end users can configure display
properties in the Azure Virtual Desktop client.
Next steps
Learn how to Connect to Azure Virtual Desktop with the Remote Desktop client for
Windows.
Peripheral and resource redirection over
the Remote Desktop Protocol
Article • 08/09/2024
Redirection enables users to share resources and peripherals, such as the clipboard,
webcams, USB devices, printers, and more, between their local device (client-side) and a
remote session (server-side) over the Remote Desktop Protocol (RDP). Redirection aims
to provide a seamless remote experience, comparable to the experience using their local
device. This experience helps users be more productive and efficient when working
remotely. As an administrator, you can configure redirection to help balance between
your security requirements and the needs of your users.
This article provides detailed information about redirection methods across different
peripheral classes, redirection classifications, and the supported types of resources and
peripherals you can redirect.
Opaque low-level redirection is used for peripherals that connect via USB where a
suitable high-level peripheral reflection redirection solution doesn't exist, and for
peripherals that have particular driver or software requirements in the remote
session to work properly. USB redirection happens at the port and protocol level
using USB request blocks (URB). Opaque low-level redirection is also used for
peripherals that connect via serial/COM ports.
Within high-level redirection, there are four overarching techniques that are used, which
are classified based on the direction of the redirection and the type of resource or
peripheral being redirected. The four high-level redirection classifications are:
Peripheral reflection: reflects a specific class of peripheral connected to the local
device into a remote session. This classification includes input devices, such as
keyboard, mouse, touch, pen, and trackpad.
Data sharing: shares and transfers data between the local device and a remote
session for the clipboard.
State reflection: reflects the local device state into a remote session, such as its
battery status and location.
The redirection method used can vary based on the local device's platform, such as Windows,
macOS, iOS/iPadOS, or Android, and its available resources, peripherals, and capabilities.
What redirection is available in a remote session is also dependent on the application
used. For a comparison of the support for redirection using Windows App across
different platforms, see Compare Windows App features across platforms and devices.
Important
You should use high-level redirection whenever possible, as it provides the best
performance and user experience. Opaque low-level redirection is effectively a
fallback scenario, so performance, reliability, and the supported feature set of such
peripherals isn't guaranteed by default.
Opaque low-level USB redirection | High-level redirection
Requires the driver for the USB peripheral to be installed in the remote session. Doesn't require the driver to be installed on the local device. | Requires the driver for the peripheral to be installed on the local device. In most cases, it doesn't require the driver to be installed in the remote session.
Uses a single redirection method for many peripheral classes. | Uses a specific redirection method for each peripheral class.
Forwards USB request blocks to and from the USB peripheral over the RDP connection. | Exposes high-level peripheral functionality in a remote session by using an optimized protocol for the peripheral class.
The USB peripheral can't be used on the local device while it's being used in a remote session. It can only be used in one remote session at a time. | The peripheral can be used simultaneously on the local device and in a remote session.
Optimized for low latency connections. Variable based on peripheral driver implementation. | Optimized for LAN and WAN connections and is aware of changes in conditions, such as bandwidth and latency.
For some products and services, such as Azure Virtual Desktop, you can control
redirection behavior by setting the RDP property value as follows:
Some USB peripherals might have functions that use opaque low-level USB
redirection or high-level redirection. By default, these peripherals are redirected
using high-level redirection. You can use the RDP property to force these
peripherals to use opaque low-level USB redirection. To use USB audio peripherals
with opaque low-level USB redirection, the audio output location must be set to
play sounds on the local computer.
Use class GUIDs to redirect or not redirect an entire class of USB peripherals.
Using the wildcard * as the value redirects most peripherals that don't have high-
level redirection mechanisms or drivers installed. Class GUIDs can be used to
redirect additional peripherals that aren't matched automatically.
Values can be used on their own, or a combination of these values can be used in
conjunction with each other when separated with a semicolon, subject to a processing
order. The following table lists the valid values and the processing order:
Processing order | Value | Description
N/A | No value specified | Don't redirect any supported USB peripherals using opaque low-level redirection.
When constructed as a string in the correct processing order, the syntax is:
usbdevicestoredirect:s:*;{<DeviceClassGUID>};<USBInstanceID>;<-USBInstanceID>
The device instance path for USB devices is constructed in three sections in the format
USB\<Device ID>\<USB instance ID>. You can find this value in Device Manager, or by
using the Get-PnpDevice PowerShell cmdlet. The three sections in order are:
When specifying USB peripherals to redirect over RDP, you can use the device instance
path. When using the device instance path, the value is specific to the port on the local
device to which it's connected. For example, a peripheral connected to the first USB port
has the device instance path USB\VID_045E&PID_0779\5&21F6DCD1&0&5 , but connecting the
same peripheral to the second USB port has the device instance path
USB\VID_045E&PID_0779\5&21F6DCD1&0&6 . For USB peripherals, specifying the device
instance path means the peripheral is only redirected when connected to the same port.
Alternatively, you can redirect an entire device setup class of USB peripherals by using
the class GUID. When using the class GUID, all peripherals on the local device that have
the corresponding class GUID are redirected, regardless of the port to which they're
connected. For example, using the class GUID {4d36e96c-e325-11ce-bfc1-08002be10318}
redirects all multimedia devices. A list of all the class GUIDs is available at System-
Defined Device Setup Classes Available to Vendors.
For some examples of how to use the RDP property, see usbdevicestoredirect RDP
property.
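The following PowerShell example is added here and isn't the article's own code. It lists the USB peripherals currently connected to the local device with their instance paths and class GUIDs (using the Get-PnpDevice cmdlet the article mentions) and assembles a usbdevicestoredirect value in the documented processing order: the * wildcard first, then class GUIDs in braces, then instance paths to redirect, then instance paths prefixed with - to exclude. The class GUID in the usage section is the article's multimedia class GUID; the instance paths, resource group, and host pool name are constructed placeholders, and Update-AzWvdHostPool (Az.DesktopVirtualization module) is shown only as a commented-out call.

```powershell
# Added example (not from the Microsoft Learn article): enumerate local USB devices and
# build a usbdevicestoredirect:s: RDP property value in the documented processing order.

function Get-LocalUsbDevice {
    # Get-PnpDevice ships with Windows; -PresentOnly skips devices that were seen once
    # but aren't connected right now, so the list matches what would be redirected.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\*' } |
        Select-Object FriendlyName, Class, ClassGuid, InstanceId
}

function New-UsbRedirectProperty {
    [CmdletBinding()]
    param(
        [switch]   $RedirectAllUnmatched,      # emits the '*' wildcard
        [guid[]]   $ClassGuid = @(),           # device setup class GUIDs
        [string[]] $IncludeInstanceId = @(),   # USB\<Device ID>\<USB instance ID>
        [string[]] $ExcludeInstanceId = @()    # same format; emitted with a leading '-'
    )
    foreach ($id in ($IncludeInstanceId + $ExcludeInstanceId)) {
        # Only accept the three-section USB instance path; a value containing ';' or
        # whitespace would otherwise break the property string apart.
        if ($id -notmatch '^USB\\[^;\s]+\\[^;\s]+$') {
            throw "Not a USB device instance path: $id"
        }
    }
    $parts = [System.Collections.Generic.List[string]]::new()
    if ($RedirectAllUnmatched) { $parts.Add('*') }
    foreach ($g in $ClassGuid)          { $parts.Add("{$g}") }   # [guid] prints lowercase, braces added
    foreach ($id in $IncludeInstanceId) { $parts.Add($id) }
    foreach ($id in $ExcludeInstanceId) { $parts.Add("-$id") }
    # No parts at all means: don't redirect any USB peripheral with opaque low-level redirection.
    return 'usbdevicestoredirect:s:' + ($parts -join ';')
}

# Usage: show what is connected, then build a value that redirects the multimedia class
# (article's GUID) plus one specific port, excluding another (placeholder paths).
Get-LocalUsbDevice | Format-Table -AutoSize
$value = New-UsbRedirectProperty `
    -ClassGuid '4d36e96c-e325-11ce-bfc1-08002be10318' `
    -IncludeInstanceId 'USB\VID_045E&PID_0779\5&21F6DCD1&0&5' `
    -ExcludeInstanceId 'USB\VID_0000&PID_0000\0&PLACEHOLDER&0&1'
$value

# Applying it to an Azure Virtual Desktop host pool (placeholders for the names).
# -CustomRdpProperty replaces the whole custom RDP property string, so read the current
# value with Get-AzWvdHostPool first and append rather than overwrite other properties.
# Update-AzWvdHostPool -ResourceGroupName '<resource-group>' -Name '<host-pool>' -CustomRdpProperty $value
```

Because an instance path is specific to the USB port (see the two paths for the same peripheral above), prefer class GUIDs when the intent is "this kind of device from any port", and use instance paths only when the restriction to one port is deliberate.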
Note
Battery redirection is only available for Azure Virtual Desktop and Windows
365. It's automatically available and not configurable.
The following diagram shows the redirection methods used for each peripheral class:
[Diagram: Windows App on the local device reaches the remote session through either opaque low-level redirection or high-level redirection; visible labels include video encoding, camera/webcam, and video capture.]
Desktop Services also have a broker service where RDP properties can be specified
instead.
However, certain settings can be overridden on the local device where a more restrictive
configuration is required. A more restrictive setting takes precedence wherever it's
configured; for example, if an administrator configures the clipboard to be redirected by
default for all remote sessions, but the local device is configured to disable clipboard
redirection, the clipboard isn't available in the remote session. This provides flexibility in
scenarios where a subset of users or devices require more restrictive settings than the
default configuration.
Related content
Configure audio and video redirection over the Remote Desktop Protocol.
Configure camera, webcam, and video capture redirection over the Remote
Desktop Protocol.
Configure clipboard redirection over the Remote Desktop Protocol.
Configure fixed, removable, and network drive redirection over the Remote
Desktop Protocol.
Configure location redirection over the Remote Desktop Protocol.
Configure Media Transfer Protocol and Picture Transfer Protocol redirection on
Windows over the Remote Desktop Protocol.
Configure printer redirection over the Remote Desktop Protocol.
Configure serial or COM port redirection over the Remote Desktop Protocol.
Configure smart card redirection over the Remote Desktop Protocol.
Configure USB redirection on Windows over the Remote Desktop Protocol.
Configure WebAuthn redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.
Tip
This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.
Select a product using the buttons at the top of this article to show the relevant
content.
You can configure the redirection behavior of audio peripherals, such as microphones
and speakers, between a local device and a remote session over the Remote Desktop
Protocol (RDP).
For Azure Virtual Desktop, we recommend you enable audio and video redirection on
your session hosts using Microsoft Intune or Group Policy, then control redirection using
the host pool RDP properties.
This article provides information about the supported redirection methods and how to
configure the redirection behavior for audio and video peripherals. To learn more about
how redirection works, see Redirection over the Remote Desktop Protocol.
Tip
If you use the following features in a remote session, they have their own
optimizations that are independent from the redirection configuration on the
session host, host pool RDP properties, or local device.
Prerequisites
Before you can configure audio and video redirection, you need:
You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.
Session host configuration controls whether audio and video playback redirection is
enabled together with the audio playback quality and is set using Microsoft Intune or
Group Policy. A host pool RDP property controls whether to play audio and the audio
output location over the Remote Desktop Protocol.
Windows operating system: Audio and video playback redirection isn't blocked.
Azure Virtual Desktop host pool RDP properties: Play sounds on the local
computer.
Resultant default behavior: Audio is redirected to the local computer.
Important
Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable audio and video playback redirection
on a session host with Microsoft Intune or Group Policy, but enable it with the host
pool RDP property, redirection is disabled.
To configure the audio output location using host pool RDP properties:
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the host pool you want to configure.
5. For Audio output location, select the drop-down list, then select one of the
following options:
6. Select Save.
7. To test the configuration, connect to a remote session and play audio. Verify that
you can hear audio as expected. Make sure you're not using Microsoft Teams or a
web page that's redirected with multimedia redirection for this test.
Microsoft Intune
To allow or disable audio and video playback redirection, and limit audio playback
quality using Microsoft Intune:
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Allow audio and video playback redirection, and optionally
Limit audio playback quality, then close the settings picker.
5. Expand the Administrative templates category, then toggle the switch for
Allow audio and video playback redirection, depending on your
requirements:
6. If you selected Limit audio playback quality, select the audio quality from the
drop-down list.
7. Select Next.
8. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
9. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
10. On the Review + create tab, review the settings, then select Create.
11. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
12. To test the configuration, connect to a remote session and play audio. Verify
that you can hear audio as expected. Make sure you're not using Microsoft
Teams or a web page that's redirected with multimedia redirection for this
test.
Session host configuration controls whether audio recording redirection is enabled and
is set using Microsoft Intune or Group Policy. A host pool RDP property controls
whether microphones are redirected over the Remote Desktop Protocol.
Important
Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable audio recording redirection on a
session host with Microsoft Intune or Group Policy, but enable it with the host pool
RDP property, redirection is disabled.
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the host pool you want to configure.
5. For Microphone redirection, select the drop-down list, then select one of the
following options:
6. Select Save.
7. To test the configuration, connect to a remote session and verify that the audio
input redirection is as expected, such as recording audio from a microphone in an
application in the remote session.
Microsoft Intune
To allow or disable audio input redirection using Microsoft Intune:
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Allow audio recording redirection, then close the settings
picker.
5. Expand the Administrative templates category, then toggle the switch for
Allow audio recording redirection to Enabled or Disabled, depending on
your requirements. Select Next.
6. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
7. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
8. On the Review + create tab, review the settings, then select Create.
9. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
10. To test the configuration, connect to a remote session and verify that the
audio input redirection is as expected, such as recording audio from a
microphone in an application in the remote session.
Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.
You can configure the redirection behavior of cameras, webcams, and video capture
peripherals, and also video encoding and quality, from a local device to a remote
session over the Remote Desktop Protocol (RDP).
For Azure Virtual Desktop, we recommend you enable camera, webcam, and video
capture redirection on your session hosts using Microsoft Intune or Group Policy, then
control redirection using the host pool RDP properties.
This article provides information about the supported redirection methods and how to
configure the redirection behavior for camera, webcam, and video capture peripherals.
To learn more about how redirection works, see Redirection over the Remote Desktop
Protocol.
Tip
If you use the following features in a remote session, they have their own
optimizations that are independent from the redirection configuration on the
session host, host pool RDP properties, or local device.
Prerequisites
Before you can configure camera, webcam, and video capture redirection, you need:
An existing host pool with session hosts.
A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) roles on the host pool as a
minimum.
A camera, webcam, or video capture device you can use to test the redirection
configuration.
You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.
Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable camera, webcam, and video capture
peripheral redirection on a session host with Microsoft Intune or Group Policy, but
enable it with the host pool RDP property, redirection is disabled.
To configure camera, webcam and video capture redirection using host pool RDP
properties:
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the host pool you want to configure.
5. For Camera redirection, select the drop-down list, then select one of the following
options:
a. If you select Manually enter list of cameras, enter the Vendor ID (VID) and
Product ID (PID) of the cameras you want to redirect using a semicolon-
delimited list of KSCATEGORY_VIDEO_CAMERA interfaces. The characters \, :, and ;
must be escaped with a backslash character \, and the value can't end with a backslash.
For example, the value \?\usb#vid_0bda&pid_58b0&mi needs to be entered as
\\?\\usb#vid_0bda&pid_58b0&mi. You can find the VID and PID in the device instance
path in Device Manager on the local device. For more information, see Device
instance path.
6. Select Save.
Microsoft Intune
To allow or disable video capture redirection, which includes cameras and webcams,
using Microsoft Intune:
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Do not allow video capture redirection, then close the
settings picker.
5. Expand the Administrative templates category, then toggle the switch for Do
not allow video capture redirection to Enabled or Disabled, depending on
your requirements:
6. Select Next.
7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
9. On the Review + create tab, review the settings, then select Create.
10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
11. To test the configuration, connect to a remote session with a camera, webcam,
or video capture peripheral and use it with a supported application for the
peripheral. Don't use Microsoft Teams to test, as it uses its own redirection
optimizations that are independent of the Remote Desktop Protocol.
Tip
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the host pool you want to configure.
5. For Redirect video encoding, select the drop-down list, then select one of the
following options:
6. Select Save.
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the host pool you want to configure.
5. For Encoded video quality, select the drop-down list, then select one of the
following options:
High compression video. Quality may suffer when there is a lot of motion
Medium compression
Low compression video with high picture quality
Not configured (default)
6. Select Save.
Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.
You can configure the redirection behavior of the clipboard between a local device and
a remote session over the Remote Desktop Protocol (RDP).
For Azure Virtual Desktop, we recommend you enable clipboard redirection on your
session hosts using Microsoft Intune or Group Policy, then control redirection using the
host pool RDP properties. Additionally, in Windows Insider Preview, you can configure
whether users can use the clipboard from session host to client, or client to session host,
and the types of data that can be copied. For more information, see Configure the
clipboard transfer direction and types of data that can be copied.
This article provides information about the supported redirection methods and how to
configure the redirection behavior for the clipboard. To learn more about how
redirection works, see Redirection over the Remote Desktop Protocol.
Prerequisites
Before you can configure clipboard redirection, you need:
A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) roles on the host pool as a
minimum.
You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.
Important
Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable clipboard redirection on a session
host with Microsoft Intune or Group Policy, but enable it with the host pool RDP
property, redirection is disabled.
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the host pool you want to configure.
5. For Clipboard redirection, select the drop-down list, then select one of the
following options:
6. Select Save.
7. To test the configuration, connect to a remote session and copy and paste some
text between the local device and remote session. Verify that the text is as
expected.
Configure clipboard redirection using Microsoft Intune or
Group Policy
Select the relevant tab for your scenario.
Microsoft Intune
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Do not allow Clipboard redirection, then close the settings
picker.
5. Expand the Administrative templates category, then toggle the switch for Do
not allow Clipboard redirection to Enabled or Disabled, depending on your
requirements:
6. Select Next.
7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
9. On the Review + create tab, review the settings, then select Create.
10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
11. To test the configuration, connect to a remote session and copy and paste
some text between the local device and remote session. Verify that the text is
as expected.
Important
If you disable drive redirection using Intune or Group Policy, it also prevents files
being transferred between the local device and remote session using the clipboard.
Other content, such as text or images, isn't affected.
On a local Windows device, you can disable clipboard redirection by configuring the
following registry key and value:
For iOS/iPadOS and Android devices, you can disable clipboard redirection using Intune.
For more information, see Configure client device redirection settings for Windows App
and the Remote Desktop app using Microsoft Intune.
Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.
Clipboard redirection in Azure Virtual Desktop allows users to copy and paste content,
such as text, images, and files between the user's device and the remote session in
either direction. You might want to limit the direction of the clipboard for users, to help
prevent data exfiltration or malicious files being copied to a session host. You can
configure whether users can use the clipboard from session host to client, or client to
session host, and the types of data that can be copied, from the following options:
Disable clipboard transfers from session host to client, client to session host, or
both.
Allow plain text only.
Allow plain text and images only.
Allow plain text, images, and Rich Text Format only.
Allow plain text, images, Rich Text Format, and HTML only.
You apply the settings to your session hosts; they don't depend on a specific Remote
Desktop client or its version. This article shows you how to configure the direction of the
clipboard and the types of data that can be copied using Microsoft Intune or Group
Policy.
Prerequisites
To configure the clipboard transfer direction, you need:
Host pool RDP properties must allow clipboard redirection, otherwise it will be
completely blocked.
Your session hosts must be running one of the following operating systems:
Windows 11 Enterprise or Enterprise multi-session, version 22H2 or 23H2 with
the 2024-06 cumulative update (KB5039212) or later installed.
Windows 11 Enterprise or Enterprise multi-session, version 21H2 with the 2024-
06 cumulative update (KB5039213) or later installed.
Windows Server 2022 with the 2024-07 cumulative update (KB5040437) or
later installed.
Depending on the method you use to configure the clipboard transfer direction:
For Intune, you need permission to configure and apply settings. For more
information, see Administrative template for Azure Virtual Desktop.
For configuring the local Group Policy or registry of session hosts, you need an
account that is a member of the local Administrators group.
Intune
To configure the clipboard using Intune, follow these steps. This process creates an
Intune settings catalog policy.
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for the following settings, making sure you select the settings
with the correct scope for your requirements, then close the settings picker. To
determine which scope is correct for your scenario, see Settings catalog -
Device scope vs. user scope settings:
5. Expand the Administrative templates category, then toggle the switch for
each setting you added to Enabled.
6. Once each setting is enabled, a drop-down list appears from which you can
select the types of data that can be copied. Choose from the following
options:
7. Select Next.
8. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
9. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
10. On the Review + create tab, review the settings, then select Create.
11. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
12. Connect to a remote session with a supported client and test the clipboard
settings you configured are working by trying to copy and paste different
types of content.
Related content
Configure Watermarking.
Configure Screen Capture Protection.
Learn about how to secure your Azure Virtual Desktop deployment at Security best
practices.
You can configure the redirection behavior of fixed, removable, and network drives from
a local device to a remote session over the Remote Desktop Protocol (RDP).
For Azure Virtual Desktop, we recommend you enable drive redirection on your session
hosts using Microsoft Intune or Group Policy, then control redirection using the host
pool RDP properties.
This article provides information about the supported redirection methods and how to
configure the redirection behavior for drives and storage. To learn more about how
redirection works, see Redirection over the Remote Desktop Protocol.
Prerequisites
Before you can configure drive redirection, you need:
A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) roles on the host pool as a
minimum.
Each drive you want to redirect must have a drive letter assigned on the local
device.
If you want to test drive redirection with a removable drive, you need a removable
drive connected to the local device.
To configure Microsoft Intune, you need:
A Microsoft Entra ID account that is assigned the Policy and Profile manager built-
in RBAC role.
A group containing the devices you want to configure.
You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.
Important
Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable drive and storage redirection on a
session host with Microsoft Intune or Group Policy, but enable it with the host pool
RDP property, redirection is disabled.
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the host pool you want to configure.
5. For Drive/storage redirection, select the drop-down list, then select one of the
following options:
6. If you select Manually enter drives and labels, an extra box shows. You need to
enter the drive letter for each fixed, removable, and network drive you want to
redirect, with each drive letter followed by a semicolon. For Azure Virtual Desktop,
the characters \, :, and ; must be escaped using a backslash character. For
example, to redirect drives C:\ and D:\ from the local device, enter C\:\\\;D\:\\\;.
7. Select Save.
8. To test the configuration, make sure the drives you configured to redirect are
connected to the local device, then connect to a remote session. Verify that drives
you redirected are available in File Explorer or Disk Management in the remote
session. If you selected Redirect all disk drives, including ones that are connected
later or Dynamic drives: redirect any drives that are connected later, you can
connect more drives to the local device after you connect to the remote session
and verify they're redirected too.
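To generate the escaped value for any set of drive letters, and to decode an existing host pool value when auditing which local drives it exposes, here is an added PowerShell example that is not part of this article. It assumes the Manually enter drives and labels option is stored in the drivestoredirect:s: RDP property and that the escaping rule above applies to every drive letter.

```powershell
# Added example, not part of the Microsoft article. Assumption: the host pool option
# "Manually enter drives and labels" is stored in the drivestoredirect:s: RDP property.

function ConvertTo-AvdDriveRedirectionValue {
    <#
    .SYNOPSIS
    Escapes a list of local drive letters into the form the Azure portal box expects.
    Per the article, every '\', ':' and ';' is prefixed with a backslash, so the
    drives C:\ and D:\ become C\:\\\;D\:\\\;
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z]$')]
        [string[]]$DriveLetter,

        # Refuse letters that are not assigned on this local device (the article's prerequisite).
        [switch]$RequireLocalDrive
    )

    $tokens = foreach ($letter in $DriveLetter) {
        $letter = $letter.ToUpperInvariant()
        if ($RequireLocalDrive -and -not (Get-PSDrive -Name $letter -PSProvider FileSystem -ErrorAction SilentlyContinue)) {
            throw "No drive letter $letter is assigned on this device, so it cannot be redirected."
        }
        # Unescaped token is "C:\;" - the trailing semicolon is the separator between drives.
        $raw = "${letter}:\;"
        # Prefix each reserved character with a backslash. In the .NET replacement string a
        # backslash is literal and $1 is the captured character.
        $raw -replace '([\\:;])', '\$1'
    }
    -join $tokens
}

function ConvertFrom-AvdDriveRedirectionValue {
    <#
    .SYNOPSIS
    Reverses the escaping so an existing host pool value can be audited for the drives it exposes.
    #>
    param([Parameter(Mandatory)][string]$Value)

    # Remove one level of backslash escaping, then split on the now-literal separators.
    ($Value -replace '\\(.)', '$1') -split ';' | Where-Object { $_ }
}

# Constructed usage: produce the value for C:\ and D:\ and confirm it round-trips.
$value = ConvertTo-AvdDriveRedirectionValue -DriveLetter 'C', 'D'
$value
ConvertFrom-AvdDriveRedirectionValue -Value $value
```

Add -RequireLocalDrive when running on the local device to catch a letter that is not mapped there, which is the case the article's prerequisite warns about.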
Microsoft Intune
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Do not allow drive redirection, then close the settings
picker.
5. Expand the Administrative templates category, then toggle the switch for Do
not allow drive redirection to Enabled or Disabled, depending on your
requirements:
6. Select Next.
7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
9. On the Review + create tab, review the settings, then select Create.
10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
Important
Network drives that are disconnected aren't redirected. Once the network
drives are reconnected, they're not automatically redirected during the
remote session. You need to disconnect and reconnect to the remote session
to redirect the network drives.
If you disable drive redirection using Intune or Group Policy, it also prevents
files being transferred between the local device and remote session using the
clipboard. Other content, such as text or images, isn't affected.
1. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports drive redirection. For more information, see Compare
Windows App features across platforms and devices and Compare Remote
Desktop app features across platforms and devices.
2. Check the redirected drives available in the remote session. Here are some ways to
check:
a. Open File explorer in the remote session from the start menu. Select This PC,
then check the redirected drives appear in the list. When you redirect drives
from a local Windows device, it looks similar to the following image:
b. Open a PowerShell prompt in the remote session and run the following
command:
PowerShell
$CLSIDs = @()
# Walk every CLSID key and keep the ones whose values identify a redirected drive or folder.
foreach ($registryKey in (Get-ChildItem "Registry::HKEY_CLASSES_ROOT\CLSID" -Recurse)) {
    if (($registryKey.GetValueNames() | ForEach-Object { $registryKey.GetValue($_) }) -eq "Drive or folder redirected using Remote Desktop") {
        $CLSIDs += $registryKey
    }
}
# The (default) value of each matching key is the display name of the redirected drive.
$drives = @()
foreach ($CLSID in $CLSIDs.PSPath) {
    $drives += (Get-ItemProperty $CLSID)."(default)"
}
$drives
The output is similar to the following example when you redirect drives from a
local Windows device:
Output
On a local Windows device, you can disable drive redirection by configuring the
following registry key and value:
For iOS/iPadOS and Android devices, you can disable drive redirection using Intune. For
more information, see Configure client device redirection settings for Windows App and
the Remote Desktop app using Microsoft Intune.
Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.
Tip
This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.
Select a product using the buttons at the top of this article to show the relevant
content.
You can configure the redirection behavior of location information from a local device to
a remote session over the Remote Desktop Protocol (RDP). A user's location can be
important for some applications, such as mapping and regional services in browsers.
Without redirecting location information, the location of a remote session is near the
datacenter the user connects to for the remote session.
For Azure Virtual Desktop, location redirection must be configured at the following
points. If any of these components aren't configured correctly, location redirection won't
work as expected. You can use Microsoft Intune or Group Policy to configure your
session hosts and the local device.
Session host
Host pool RDP property
Local device
Important
This article provides information about the supported redirection methods and how to
configure the redirection behavior for location information. To learn more about how
redirection works, see Redirection over the Remote Desktop Protocol.
Prerequisites
Before you can configure location redirection, you need:
A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) roles on the host pool as a
minimum.
You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.
Important
If you use a multi-session edition of Windows, when you enable location services
on a session host, it's enabled for all users. You can specify which apps can access
location information on a per-user basis based on your requirements.
Microsoft Intune
3. In the settings picker, select System. Check the box for Allow Location, then
close the settings picker.
4. Expand the System category, then from the drop-down menu select Force
Location On. All Location Privacy settings are toggled on and grayed out.
Users cannot change the settings and all consent permissions will be
automatically suppressed.
5. Select Next.
6. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
7. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
8. On the Review + create tab, review the settings, then select Create.
9. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
10. You need to enable the location setting Allow location override for the
location to be updated in the remote session. This setting is per user and is
configured with a registry value; users can still change it in Windows location
settings.
You can do this by creating a PowerShell script and using it as a custom script
remediation in Intune. When you create the custom script remediation, you
must set Run this script using the logged-on credentials to Yes.
PowerShell
try {
    # Set the per-user "Allow location override" value; runs as the signed-in user, so HKCU is correct.
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\UserLocationOverridePrivacySetting" -Name Value -PropertyType DWORD -Value 1 -Force
    exit 0
}
catch {
    $errMsg = $_.Exception.Message
    Write-Error $errMsg
    exit 1
}
11. Once you have made the changes, location services in the Windows Settings
app should look similar to the following image:
Host pool configuration
The Azure Virtual Desktop host pool setting Location service redirection controls whether
to redirect location information from the local device to the remote session. The
corresponding RDP property is redirectlocation:i:<value> . For more information, see
Supported RDP properties.
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the host pool you want to configure.
5. For Location service redirection, select the drop-down list, then select Enable
location sharing from the local device and redirection to apps in the remote
session.
6. Select Save.
To view redirection support in Windows App and the Remote Desktop app, see Compare
Windows App features across platforms and devices and Compare Remote Desktop app
features across platforms and devices.
On Windows, you can enable location services in the Windows Settings app. For more
information, see Windows location service and privacy . The steps in this article to
enable location services in a remote session using Intune and Group Policy can also be
applied to local Windows devices.
1. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports location redirection. For more information, see Compare
Windows App features across platforms and devices and Compare Remote
Desktop app features across platforms and devices.
2. Check the user's location information is available in the remote session. Here are
some ways to check:
a. Open a web browser and go to a website that uses location information, such as
Bing Maps . In Bing Maps, select the icon for the button Locate me. The
website should show the user's location as the location of the local device.
b. Open a PowerShell prompt in the remote session and run the following
commands to get the latitude and longitude values. You can also run these
commands on a local Windows device to check they are consistent.
PowerShell
Output
Latitude : 47.64354
Longitude : -122.13082
Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.
You can configure the redirection behavior of peripherals that use the Media Transfer
Protocol (MTP) or Picture Transfer Protocol (PTP), such as a digital camera, from a local
device to a remote session over the Remote Desktop Protocol (RDP).
For Azure Virtual Desktop, we recommend you enable MTP and PTP redirection on your
session hosts using Microsoft Intune or Group Policy, then control redirection using the
host pool RDP properties.
This article provides information about the supported redirection methods and how to
configure the redirection behavior for MTP and PTP peripherals. To learn more about
how redirection works, see Redirection over the Remote Desktop Protocol.
Both redirection methods redirect the device to the remote session listed under
Portable Devices in Device Manager. This device class is WPD and the device class GUID
is {eec5ad98-8080-425f-922a-dabf3de3f69a} . You can find a list of the device classes at
System-Defined Device Setup Classes Available to Vendors.
Devices are redirected differently depending on the redirection method used. MTP and
PTP redirection uses high-level redirection; the peripheral is available locally and in the
remote session concurrently, and requires the relevant driver installed locally. Opaque
low-level USB redirection transports the raw communication of a peripheral, so requires
the relevant driver installed in the remote session. You should use high-level redirection
methods where possible. For more information, see Redirection methods.
The following example shows the difference when redirecting an Apple iPhone using the
two methods. Both methods achieve the same result where pictures can be imported
from the iPhone to the remote session.
Using MTP and PTP redirection, the iPhone is listed as Digital Still Camera to
applications and under Portable Devices in Device Manager:
Using USB redirection, the iPhone is listed as Apple iPhone to applications and
under Portable Devices in Device Manager:
The rest of this article covers MTP and PTP redirection. To learn how to configure USB
redirection, see Configure USB redirection on Windows over the Remote Desktop
Protocol.
Prerequisites
Before you can configure MTP and PTP redirection, you need:
A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) roles on the host pool as a
minimum.
A device that supports MTP or PTP you can use to test the redirection
configuration connected to a local device.
Important
Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable MTP and PTP redirection on a
session host with Microsoft Intune or Group Policy, but enable it with the host pool
RDP property, redirection is disabled. You can also specify individual MTP and PTP
peripherals to redirect only.
To configure MTP and PTP redirection using host pool RDP properties:
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the host pool you want to configure.
4. Select RDP Properties, then select Device redirection.
5. For MTP and PTP device redirection, select the drop-down list, then select one of
the following options:
6. Select Save.
Tip
If you enable redirection using host pool RDP properties, you need to check that
redirection isn't blocked by a Microsoft Intune or Group Policy setting.
PowerShell
The output is similar to the following example. Make a note of the InstanceId value
for each device you want to redirect.
Output
3. In the Azure portal, return to the host pool RDP properties configuration, and
select Advanced.
4. In the text box, find the relevant RDP property, which by default is
devicestoredirect:s:* , then add the instance IDs you want to redirect, as shown in
the following example:
devicestoredirect:s:USB\VID_05AC&PID_12A8&MI_00\B&1A733E8B&0&0000
5. Select Save.
Tip
If you refresh the Azure portal, the value you entered changes to lowercase
and each backslash character in the instance ID is escaped by another
backslash character.
When you navigate to the Device redirection tab, the value for MTP and PTP
device redirection is blank.
Microsoft Intune
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Do not allow supported Plug and Play device redirection,
then close the settings picker.
5. Expand the Administrative templates category, then toggle the switch for
Do not allow supported Plug and Play device redirection, depending on your
requirements:
6. Select Next.
7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
9. On the Review + create tab, review the settings, then select Create.
10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
Note
When you configure the Intune policy setting Do not allow supported Plug
and Play device redirection, it also affects USB redirection.
1. Make sure a device that supports MTP or PTP is connected to the local device.
2. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports MTP and PTP redirection. For more information, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.
3. Check the MTP or PTP device is available in the remote session. Here are some
ways to check:
a. Open the Photos app (from Microsoft) in the remote session from the start
menu. Select Import and check the redirected device appears in the list of
connected devices.
b. Open a PowerShell prompt in the remote session and run the following
command:
PowerShell
Output
You can verify whether the device is redirected using MTP and PTP redirection
or USB redirection by the InstanceId value:
For MTP and PTP redirection, the InstanceId value begins with TSBUS .
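As an added PowerShell example that is not part of this article, the following lists the local WPD peripherals with their InstanceId, builds the devicestoredirect:s: value for the host pool's Advanced RDP properties, and, in the remote session, classifies each Portable Device by the TSBUS prefix described above. It assumes Get-PnpDevice is available and that multiple instance IDs in the property are separated by semicolons.

```powershell
# Added example, not part of the Microsoft article. Assumptions: Get-PnpDevice from the
# PnpDevice module is available, and multiple instance IDs in devicestoredirect:s: are
# separated by semicolons. The WPD class name, its GUID and the TSBUS prefix are from the article.

$WpdClassGuid = '{eec5ad98-8080-425f-922a-dabf3de3f69a}'   # Portable Devices setup class

function Get-LocalWpdDevice {
    # Run on the LOCAL device: MTP/PTP peripherals present right now, with the InstanceId
    # the host pool needs when you pin redirection to specific devices.
    Get-PnpDevice -Class WPD -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.ClassGuid -eq $WpdClassGuid } |
        Select-Object FriendlyName, Status, InstanceId
}

function New-DevicesToRedirectValue {
    # Build the Advanced RDP property value from the chosen instance IDs. The default '*'
    # redirects every supported device; listing IDs restricts redirection to those devices.
    param([Parameter(Mandatory)][string[]]$InstanceId)
    'devicestoredirect:s:' + ($InstanceId -join ';')
}

function Get-RemoteWpdDeviceOrigin {
    # Run in the REMOTE session: an InstanceId starting with TSBUS means the device came in
    # through MTP/PTP (high-level) redirection rather than opaque USB redirection.
    Get-PnpDevice -Class WPD -PresentOnly -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            FriendlyName         = $_.FriendlyName
            InstanceId           = $_.InstanceId
            ViaMtpPtpRedirection = $_.InstanceId.StartsWith('TSBUS', [StringComparison]::OrdinalIgnoreCase)
        }
    }
}

# On the local device: pick the working devices and emit the value to paste into the host pool.
$chosen = Get-LocalWpdDevice | Where-Object Status -eq 'OK'
if ($chosen) { New-DevicesToRedirectValue -InstanceId $chosen.InstanceId }

# In the remote session, run instead:
# Get-RemoteWpdDeviceOrigin | Format-Table -AutoSize
```

Remember the tip above: after saving, the portal shows the value in lowercase with each backslash doubled, so compare against the decoded form rather than the raw string.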
Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.
You can configure the redirection behavior of printers from a local device to a remote
session over the Remote Desktop Protocol (RDP). Printer redirection supports locally
attached and network printers. When you enable printer redirection, all printers
available on the local device are redirected; you can't select specific printers to redirect.
The default printer on the local device is automatically set as the default printer in the
remote session.
Printer redirection uses high-level redirection and doesn't require drivers to be installed
on session hosts. The Remote Desktop Easy Print driver is used automatically on session
hosts. The driver for the printer must be installed on the local device for redirection to
work correctly.
For Azure Virtual Desktop, we recommend you enable printer redirection on your
session hosts using Microsoft Intune or Group Policy, then control redirection using the
host pool RDP properties.
This article provides information about the supported redirection methods and how to
configure the redirection behavior for printers. To learn more about how redirection
works, see Redirection over the Remote Desktop Protocol.
Prerequisites
Before you can configure printer redirection, you need:
A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) roles on the host pool as a
minimum.
A printer available on the local device. You need to make sure the printer driver is
installed correctly on the local device. No driver is needed in the remote session as
redirected printers use the Remote Desktop Easy Print driver.
You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.
Printer redirection
Configuration of a session host using Microsoft Intune or Group Policy, or setting an
RDP property on a host pool governs the ability to redirect printers from a local device
to a remote session, which is subject to a priority order.
Important
Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable printer redirection on a session host
with Microsoft Intune or Group Policy, but enable it with the host pool RDP
property, redirection is disabled.
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the host pool you want to configure.
5. For Printer redirection, select the drop-down list, then select one of the following
options:
The printers on the local computer are not available in remote session
The printers on the local computer are available in remote session (default)
Not configured
6. Select Save.
Microsoft Intune
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
3. In the settings picker, browse to Administrative templates > Windows
Components > Remote Desktop Services > Remote Desktop Session Host >
Printer Redirection.
4. Check the box for Do not allow client printer redirection, then close the
settings picker.
5. Expand the Administrative templates category, then toggle the switch for Do
not allow client printer redirection to Enabled or Disabled, depending on
your requirements:
6. Select Next.
7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
9. On the Review + create tab, review the settings, then select Create.
10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
Test printer redirection
Printer redirection uses high-level redirection; the printer is available locally and in the
remote session concurrently, and requires the relevant driver installed locally. The driver
for the printer doesn't need to be installed in the remote session as redirected printers
use the Remote Desktop Easy Print driver.
2. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports printer redirection. For more information, see Compare
Windows App features across platforms and devices and Compare Remote
Desktop app features across platforms and devices.
3. Check the printers available in the remote session. Here are some ways to check:
a. Open Printers & scanners in the remote session from the start menu. Check the
redirected printers appear in the list of printers. Redirected printers are
identified where the name of the printer is appended with (redirected n), where
n is the user's session ID. The session ID is appended to make sure redirected
printers are unique to the user's session.
b. Open a PowerShell prompt in the remote session and run the following
command:
PowerShell
Get-Printer | Where-Object DriverName -eq "Remote Desktop Easy Print" | Sort-Object Name | Format-Table -AutoSize
Output
4. Open an application and print a test page to verify the printer is functioning
correctly.
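An added PowerShell check, not from this article, that goes a step beyond the command above: it lists the Easy Print printers, reads the session ID from each (redirected n) suffix, confirms it matches the current session, and reports whether one of them is the default printer. It assumes Get-Printer and the Win32_Printer CIM class are available in the remote session.

```powershell
# Added example, not part of the Microsoft article. Assumes the PrintManagement module
# (Get-Printer) is available in the remote session; Win32_Printer supplies the default flag.

function Get-RedirectedPrinterReport {
    [CmdletBinding()]
    param(
        # The signed-in user's session ID; defaults to the session this PowerShell process runs in.
        [int]$SessionId = (Get-Process -Id $PID).SessionId
    )

    $defaultPrinter = (Get-CimInstance -ClassName Win32_Printer | Where-Object Default).Name

    Get-Printer | Where-Object DriverName -eq 'Remote Desktop Easy Print' | ForEach-Object {
        # Redirected printer names end in "(redirected n)", where n is the owning session ID.
        $m = [regex]::Match($_.Name, '\(redirected (\d+)\)\s*$')
        $printerSession = if ($m.Success) { [int]$m.Groups[1].Value } else { $null }
        [pscustomobject]@{
            Name               = $_.Name
            PrinterSessionId   = $printerSession
            BelongsToMySession = ($printerSession -eq $SessionId)
            IsDefault          = ($_.Name -eq $defaultPrinter)
        }
    }
}

$report = Get-RedirectedPrinterReport
$report | Format-Table -AutoSize

# A redirected printer carrying another session's ID should not be visible in this session.
$foreign = $report | Where-Object { -not $_.BelongsToMySession }
if ($foreign) {
    Write-Warning "Redirected printers from other sessions are visible: $($foreign.Name -join ', ')"
}
# The article says the local default printer becomes the default in the remote session.
if (-not ($report | Where-Object IsDefault)) {
    Write-Warning 'No redirected printer is the default printer in this session.'
}
```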
1. As an Administrator on a local Windows device, open the Registry Editor app from
the start menu, or run regedit.exe from the command line.
2. Configure the following registry key and value. You don't need to restart the local
device for the settings to take effect.
Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.
You can configure the redirection behavior of serial or COM ports between a local
device and a remote session over the Remote Desktop Protocol (RDP).
For Azure Virtual Desktop, we recommend you enable serial or COM port redirection on
your session hosts using Microsoft Intune or Group Policy, then control redirection using
the host pool RDP properties.
This article provides information about the supported redirection methods and how to
configure the redirection behavior of serial or COM ports. To learn more about how
redirection works, see Redirection over the Remote Desktop Protocol.
Prerequisites
Before you can configure serial or COM port redirection, you need:
A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) roles on the host pool as a
minimum.
A serial or COM port on a local device and a peripheral that connects to the port.
Serial or COM port redirection uses opaque low-level redirection, so drivers need
to be installed in the remote session for the peripheral to function correctly.
You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.
Important
Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable serial or COM port redirection on a
session host with Microsoft Intune or Group Policy, but enable it with the host pool
RDP property, redirection is disabled.
To configure serial or COM port redirection using host pool RDP properties:
1. Sign in to the Azure portal .
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the host pool you want to configure.
5. For COM ports redirection, select the drop-down list, then select one of the
following options:
COM ports on the local computer are not available in the remote session
COM ports on the local computer are available in the remote session
(default)
Not configured
6. Select Save.
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Do not allow COM port redirection, then close the settings
picker.
5. Expand the Administrative templates category, then toggle the switch for Do
not allow COM port redirection to Enabled or Disabled, depending on your
requirements:
7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
9. On the Review + create tab, review the settings, then select Create.
10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
Opaque low-level redirection is designed for LAN connections; with higher latency,
some peripherals connected to a serial or COM port might not function properly,
or the user experience might not be suitable.
Peripherals connected to a serial or COM port aren't available on the local device
locally while it's redirected to the remote session.
Peripherals connected to a serial or COM port can only be used in one remote
session at a time.
Serial or COM port redirection is only available from a local Windows device.
1. Plug in the supported peripherals you want to use in a remote session to a serial or
COM port.
2. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports drive redirection. For more information, see Compare
Windows App features across platforms and devices and Compare Remote
Desktop app features across platforms and devices.
3. Check the device is functioning correctly in the remote session. As serial or COM
ports are redirected using opaque low-level redirection, the correct driver needs to
be installed in the remote session, which you need to do if it's not installed
automatically.
Here are some ways to check the USB peripherals are available in the remote
session, depending on the permission you have in the remote session:
a. Open Device Manager in the remote session from the start menu, or run
devmgmt.msc from the command line. Check the redirected peripherals appear in
b. Open a Command Prompt or PowerShell prompt on both the local device and
in the remote session, then run the following command in both locations. This
command shows the serial or COM ports available locally and enables you to
verify that they're available in the remote session.
chgport
Output (local device)
COM3 = \Device\Serial0
COM4 = \Device\Serial1
Output (remote session)
COM3 = \Device\RdpDrPort\;COM3:2\tsclient\COM3
COM4 = \Device\RdpDrPort\;COM4:2\tsclient\COM4
4. Once the peripherals are redirected and functioning correctly, you can use them as
you would on a local device.
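As an added PowerShell example that is not part of this article, the following parses chgport output into objects so that redirected ports, their session ID and the originating local port can be checked in a script rather than by eye. The sample lines are constructed from the output shown above.

```powershell
# Added example, not part of the Microsoft article: turn chgport output into objects and
# flag the ports that are redirected from the local device. The sample lines below are
# constructed from the article's output; pipe the real command in to check a live session.

function ConvertFrom-ChgportOutput {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Line)

    process {
        foreach ($l in $Line) {
            if ($l -notmatch '^\s*(?<port>COM\d+)\s*=\s*(?<target>\S+)\s*$') { continue }
            $port   = $Matches.port
            $target = $Matches.target
            # A redirected port maps onto the RDP device redirector, for example
            # \Device\RdpDrPort\;COM3:2\tsclient\COM3 where 2 is the session ID and the
            # trailing COM3 is the port name on the local device.
            $redir = [regex]::Match($target, '^\\Device\\RdpDrPort\\;(?<remote>COM\d+):(?<session>\d+)\\tsclient\\(?<client>COM\d+)$')
            [pscustomobject]@{
                Port       = $port
                Target     = $target
                Redirected = $redir.Success
                SessionId  = if ($redir.Success) { [int]$redir.Groups['session'].Value } else { $null }
                ClientPort = if ($redir.Success) { $redir.Groups['client'].Value } else { $null }
            }
        }
    }
}

# Constructed samples matching the article's local and remote output.
$localSample  = 'COM3 = \Device\Serial0', 'COM4 = \Device\Serial1'
$remoteSample = 'COM3 = \Device\RdpDrPort\;COM3:2\tsclient\COM3', 'COM4 = \Device\RdpDrPort\;COM4:2\tsclient\COM4'

'Local device:'
$localSample | ConvertFrom-ChgportOutput | Format-Table -AutoSize
'Remote session:'
$remoteSample | ConvertFrom-ChgportOutput | Format-Table -AutoSize

# Live use in a remote session; a port with Redirected = False belongs to the session host itself.
# chgport | ConvertFrom-ChgportOutput
```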
Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.
You can configure the redirection behavior of smart card devices from a local device to a
remote session over the Remote Desktop Protocol (RDP).
For Azure Virtual Desktop, we recommend you enable smart card redirection on your
session hosts using Microsoft Intune or Group Policy, then control redirection using the
host pool RDP properties.
This article provides information about the supported redirection methods and how to
configure the redirection behavior for smart card devices. To learn more about how
redirection works, see Redirection over the Remote Desktop Protocol.
Prerequisites
Before you can configure smart card redirection, you need:
A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) roles on the host pool as a
minimum.
You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.
Important
Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable smart card redirection on a session
host with Microsoft Intune or Group Policy, but enable it with the host pool RDP
property, redirection is disabled.
3. Select Host pools, then select the host pool you want to configure.
5. For Smart card redirection, select the drop-down list, then select one of the
following options:
The smart card device on the local computer is not available in remote
session
The smart card device on the local computer is available in remote session
(default)
Not configured
6. Select Save.
Microsoft Intune
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Do not allow smart card device redirection, then close the
settings picker.
5. Expand the Administrative templates category, then toggle the switch for Do
not allow smart card device redirection, depending on your requirements:
6. Select Next.
7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
9. On the Review + create tab, review the settings, then select Create.
10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
1. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports smart card redirection. For more information, see Compare
Windows App features across platforms and devices and Compare Remote
Desktop app features across platforms and devices.
2. Check your smart cards are available in the remote session. Run the following
command in the remote session in Command Prompt or from a PowerShell
prompt.
certutil -scinfo
If smart card redirection is working, the output starts similar to the following
output:
Output
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 2
0: Windows Hello for Business 1
1: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Windows Hello for Business 1
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: Identity Device (Microsoft Generic Profile)
--- ATR:
aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99
;.........AB12..
ab .
[continued...]
3. Open and use an application or website that requires your smart card. Verify that
the smart card is available and works as expected.
Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.
Tip
This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.
Select a product using the buttons at the top of this article to show the relevant
content.
You can configure the redirection of certain USB peripherals between a local Windows
device and a remote session over the Remote Desktop Protocol (RDP).
Important
This article covers USB devices that use opaque low-level redirection only. USB
devices that use high-level redirection are covered by the article for the specific
device type. You should use high-level redirection methods where possible.
For a list of which device type uses which redirection method, see Supported
resources and peripherals. Peripherals redirected using opaque low-level
redirection require drivers installed in the remote session.
For Azure Virtual Desktop, USB redirection must be configured at the following points. If
any of these components aren't configured correctly, USB redirection won't work as
expected. You can use Microsoft Intune or Group Policy to configure your session hosts
and the local device.
Session host
Host pool RDP property
Local device
By default, the host pool RDP property will redirect all supported USB peripherals, but
you can also specify individual USB peripherals to redirect or exclude from redirection,
and redirect an entire device setup class, such as multimedia peripherals. Take care when
configuring redirection settings as the most restrictive setting is the resultant behavior.
Some USB peripherals might have functions that use opaque low-level USB redirection
or high-level redirection. By default, these peripherals are redirected using high-level
redirection. You can force these peripherals to use opaque low-level USB redirection
also by following the steps in this article.
Tip
If you use the following features in a remote session, they have their own
optimizations that are independent from the redirection configuration on the
session host, host pool RDP properties, or local device.
Prerequisites
Before you can configure USB redirection using opaque low-level redirection, you need:
A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) role on the host pool as a
minimum.
You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.
Session host configuration
To configure a session host for USB redirection using opaque low-level redirection, you
need to enable Plug and Play redirection. You can do this using Microsoft Intune or
Group Policy.
Microsoft Intune
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Do not allow supported Plug and Play device redirection,
then close the settings picker.
5. Expand the Administrative templates category, then toggle the switch for
Do not allow supported Plug and Play device redirection to Disabled.
6. Select Next.
7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
9. On the Review + create tab, review the settings, then select Create.
10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
Local Windows device configuration
To configure a local Windows device for USB redirection using opaque low-level
redirection, you need to allow RDP redirection of other supported USB peripherals for
users and administrators. You can do this using Group Policy.
) Important
Although the setting Allow RDP redirection of other supported RemoteFX USB
devices from this computer is available in Microsoft Intune, it doesn't currently
work as expected. You must use Group Policy to configure this setting.
Windows operating system: other supported USB peripherals aren't available for
RDP redirection by using any user account.
To allow RDP redirection of other supported USB peripherals using Group Policy:
1. Open the Group Policy Management console on a device you use to manage the
Active Directory domain.
2. Create or edit a policy that targets the computers providing a remote session you
want to configure.
6. Ensure the policy is applied to the local Windows devices, then you must restart
them for USB redirection to work.
2. Open the Remote Desktop Connection app from the start menu, or run mstsc.exe
from the command line.
5. From the list of devices and resources, check the box for Other supported
RemoteFX USB devices. This option only appears if you enable the setting Allow
RDP redirection of other supported RemoteFX USB devices from this computer
covered in the section Local Windows device configuration. You can select the +
(plus) icon to expand the list and see which devices are available to be redirected
using opaque low-level redirection.
7. Select the General tab, then select Save As... and save the .rdp file.
9. Run the following commands to match each supported USB device name with the
USB instance ID. You need to replace the <placeholder> value for the .rdp file you
saved previously.
PowerShell
# Path to the .rdp file you saved previously. Replace <placeholder> with that path.
$rdpFile = "<placeholder>"

# Check the .rdp file exists before reading it
If (Test-Path -Path $rdpFile) {

    # Recursively list the child devices of a parent device by instance ID.
    # Assumption: each child device is reported by its friendly name and instance ID.
    Function Lookup-Device-Children {
        param (
            [Parameter(Mandatory = $true)]
            [string[]]$ChildDeviceIds
        )
        ForEach ($childDeviceId in $ChildDeviceIds) {
            $pnpDevice = Get-PnpDevice -InstanceId $childDeviceId
            $pnpDeviceProperties = Get-PnpDeviceProperty -InstanceId $childDeviceId
            Write-Output "Child device name: $($pnpDevice.FriendlyName)"
            Write-Output "Child device ID: $($pnpDevice.InstanceId)"
            If ($pnpDeviceProperties.KeyName -contains "DEVPKEY_Device_Children") {
                $pnpChildDeviceIds = ($pnpDeviceProperties | ? KeyName -eq DEVPKEY_Device_Children).Data
                Lookup-Device-Children -ChildDeviceIds $pnpChildDeviceIds
            }
        }
    }

    # Get a list of the supported devices from the .rdp file and store them in an array
    [string]$usb = Get-Content -Path $rdpFile | Select-String USB
    $devices = @($usb.Replace("usbdevicestoredirect:s:","").Replace("-","").Split(";"))

    # For each parent device, print its name and instance ID, then any child devices
    ForEach ($device in $devices) {
        $pnpDevice = Get-PnpDevice -InstanceId $device
        $pnpDeviceProperties = Get-PnpDeviceProperty -InstanceId $device
        Write-Output "-------------------"
        Write-Output "Parent device name: $($pnpDevice.FriendlyName)"
        Write-Output "USB device ID: $($pnpDevice.InstanceId)"
        If ($pnpDeviceProperties.KeyName -contains "DEVPKEY_Device_Children") {
            $pnpChildDeviceIds = ($pnpDeviceProperties | ? KeyName -eq DEVPKEY_Device_Children).Data
            Write-Output "This parent device has the following child devices:"
            Lookup-Device-Children -ChildDeviceIds $pnpChildDeviceIds
        }
    }
} else {
    Write-Output "Error: file doesn't exist. Please check the file path and try again."
}
Output
-------------------
Parent device name: USB Composite Device
USB device ID: USB\VID_0ECB&PID_1F58\9&2E5F6FA0&0&1
-------------------
-------------------
-------------------
1. Make a note of the device instance ID of any of the parent devices you want to use
for redirection. Only the parent device instance ID is applicable for USB redirection.
2. Run the following command, replacing <device class GUID> with the device class
GUID you want to search for and list the matching devices. For a list of device class
GUID values, see System-Defined Device Setup Classes Available to Vendors.
PowerShell
Output
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the host pool you want to configure.
5. For USB device redirection, select the drop-down list, then select one of the
following options:
Redirect all USB devices that are not already redirected by another high-
level redirection (default)
Redirect all devices that are members of the specified device setup class or
devices defined by specific instance ID
6. If you select Redirect all devices that are members of the specified device setup
class or devices defined by specific instance ID, an extra box shows. You need to
enter the device setup class or specific device instance path for the devices you
want to redirect, separated by a semicolon. For more information, see Controlling
opaque low-level USB redirection. To get the values for supported devices, see
Optional: Retrieve specific device instance IDs, and for device class GUIDs, see
Optional: Discover peripherals matching a device setup class. For Azure Virtual
Desktop, the characters \ , : , and ; must be escaped using a backslash character.
To redirect all peripherals that are members of a specific device setup class
(that is, all supported multimedia devices), enter the device class GUID,
including braces. For example, to redirect all multimedia devices, enter
{4d36e96c-e325-11ce-bfc1-08002be10318} . For multiple device class IDs,
Tip
7. Select Save. You can now test the USB redirection configuration.
Drivers for redirected USB peripherals are installed in the remote session using the
same process as the local device. Ensure that Windows Update is enabled in the
remote session, or that drivers are available for the peripheral.
USB peripherals aren't available on the local device locally while it's redirected to
the remote session.
2. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports USB redirection. For more information, see Compare
Windows App features across platforms and devices and Compare Remote
Desktop app features across platforms and devices.
3. Check the peripherals are connected to the remote session. With the display in full
screen, on the status bar select the icon to select devices to use. This icon only
shows when USB redirection is correctly configured.
4. Check the box for each USB peripheral you want to redirect to the remote session,
and uncheck the box for those peripherals you don't want to redirect. Some
devices might appear in this list as Remote Desktop Generic USB Device once
redirected.
5. Check the device is functioning correctly in the remote session. The correct driver
needs to be installed in the remote session. Here are some ways to check the USB
peripherals are available in the remote session, depending on the permission you
have in the remote session:
a. Open Device Manager in the remote session from the start menu, or run
devmgmt.msc from the command line. Check the redirected peripherals appear in
PowerShell
The output is similar to the following example. Check the status column for any
entries that show Error. If there are any entries with an error, troubleshoot the
device according to the manufacturer's instructions.
Output
6. Once the peripherals are redirected and functioning correctly, you can use them as
you would on a local device.
N/A No value specified Don't redirect any supported USB peripherals using
opaque low-level redirection.
When constructed as a string in the correct processing order, the syntax is:
uri
usbdevicestoredirect:s:*;{<DeviceClassGUID>};<USBInstanceID>;<-USBInstanceID>
uri
usbdevicestoredirect:s:*
To redirect all supported USB peripherals with a device class GUID of
{6bdd1fc6-810f-11d0-bec7-08002be2092f} (imaging), use:
uri
usbdevicestoredirect:s:{6bdd1fc6-810f-11d0-bec7-08002be2092f}
(multimedia), use:
uri
usbdevicestoredirect:s:*;{6bdd1fc6-810f-11d0-bec7-08002be2092f};{4d36e96c-e325-11ce-bfc1-08002be10318}
use:
uri
usbdevicestoredirect:s:USB\VID_095D&PID_9208\5&23639F31&0&2;USB\VID_045E&PID_076F\5&14D1A39&0&7
uri
usbdevicestoredirect:s:*;-USB\VID_045E&PID_076F\5&14D1A39&0&7
uri
usbdevicestoredirect:s:*;{6bdd1fc6-810f-11d0-bec7-08002be2092f};USB\VID_095D&PID_9208\5&23639F31&0&2;-USB\VID_045E&PID_076F\5&14D1A39&0&7
Tip
For Azure Virtual Desktop, the characters \ , : , and ; must be escaped using a
backslash character. This includes any device instance paths, such as
USB\\VID_045E&PID_0779\\5&21F6DCD1&0&5. Escaping doesn't affect the redirection behavior.
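The following PowerShell is an added example, not Microsoft's code or part of the original article. It builds a usbdevicestoredirect value in the processing order given above, applies the backslash escaping the Tip requires for Azure Virtual Desktop, and parses a value back to check which devices it would redirect. The function names are my own; the assumption that only the value portion (not the usbdevicestoredirect:s: prefix) is escaped is marked in the code.

```powershell
# Added example, not Microsoft's code: build, escape, parse and evaluate the
# usbdevicestoredirect RDP property described above. The class GUID and USB
# instance IDs used in the demo are the ones from this article's examples.

function New-UsbRedirectProperty {
    # Assemble the value in the documented processing order: '*' first, then
    # device class GUIDs, then instance IDs to include, then exclusions ('-').
    param(
        [switch]$AllSupported,
        [string[]]$DeviceClassGuid = @(),
        [string[]]$Include = @(),
        [string[]]$Exclude = @()
    )
    $tokens = [System.Collections.Generic.List[string]]::new()
    if ($AllSupported) { $tokens.Add('*') }
    # Class GUIDs must be entered including braces; normalize whatever was passed.
    foreach ($guid in $DeviceClassGuid) { $tokens.Add('{' + $guid.Trim('{', '}') + '}') }
    foreach ($id in $Include) { $tokens.Add($id) }
    foreach ($id in $Exclude) { $tokens.Add('-' + $id) }
    if ($tokens.Count -eq 0) { throw 'Specify -AllSupported, a device class GUID or an instance ID.' }
    return 'usbdevicestoredirect:s:' + ($tokens -join ';')
}

function ConvertTo-AvdRdpProperty {
    # For an Azure Virtual Desktop host pool, the characters \ : ; inside the
    # value must each be escaped with a backslash. Assumption: the
    # 'usbdevicestoredirect:s:' prefix itself is left as-is.
    param([Parameter(Mandatory)][string]$Property)
    $prefix = 'usbdevicestoredirect:s:'
    if (-not $Property.StartsWith($prefix)) { throw "Not a usbdevicestoredirect property: $Property" }
    $value = $Property.Substring($prefix.Length)
    # Escape the backslash first so the ones added for ':' and ';' stay single.
    $escaped = $value.Replace('\', '\\').Replace(':', '\:').Replace(';', '\;')
    return $prefix + $escaped
}

function Read-UsbRedirectProperty {
    # Split an (unescaped) property into its token kinds and reject anything
    # that is neither '*', a braced class GUID, nor a USB instance ID.
    param([Parameter(Mandatory)][string]$Property)
    $prefix = 'usbdevicestoredirect:s:'
    if (-not $Property.StartsWith($prefix)) { throw "Not a usbdevicestoredirect property: $Property" }
    $rule = [ordered]@{ All = $false; ClassGuids = @(); Include = @(); Exclude = @() }
    $guidPattern = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
    foreach ($token in ($Property.Substring($prefix.Length) -split ';')) {
        if ($token -eq '')                        { continue }
        elseif ($token -eq '*')                   { $rule.All = $true }
        elseif ($token -match $guidPattern)       { $rule.ClassGuids += $token.ToLowerInvariant() }
        elseif ($token -match '^-(USB\\.+)$')     { $rule.Exclude += $Matches[1] }
        elseif ($token -match '^USB\\.+$')        { $rule.Include += $token }
        else { throw "Unrecognized token '$token' in usbdevicestoredirect value" }
    }
    return $rule
}

function Test-UsbRedirected {
    # Decide whether one device is redirected under a parsed rule: an explicit
    # exclusion always wins, then an explicit include, a class match, or '*'.
    param(
        [Parameter(Mandatory)]$Rule,
        [Parameter(Mandatory)][string]$InstanceId,
        [string]$ClassGuid = ''
    )
    if ($Rule.Exclude -contains $InstanceId) { return $false }
    if ($Rule.Include -contains $InstanceId) { return $true }
    if ($ClassGuid -and ($Rule.ClassGuids -contains $ClassGuid.ToLowerInvariant())) { return $true }
    return [bool]$Rule.All
}

# The article's combined example: all supported peripherals, plus the imaging
# class, plus one specific device, minus another.
$property = New-UsbRedirectProperty -AllSupported `
    -DeviceClassGuid '6bdd1fc6-810f-11d0-bec7-08002be2092f' `
    -Include 'USB\VID_095D&PID_9208\5&23639F31&0&2' `
    -Exclude 'USB\VID_045E&PID_076F\5&14D1A39&0&7'
$property                                    # value for an .rdp file
ConvertTo-AvdRdpProperty -Property $property # value for an Azure Virtual Desktop host pool

$rule = Read-UsbRedirectProperty -Property $property
# The excluded device stays local even though '*' is present; the included
# device and any imaging-class device (constructed instance ID below) are redirected.
Test-UsbRedirected -Rule $rule -InstanceId 'USB\VID_045E&PID_076F\5&14D1A39&0&7'
Test-UsbRedirected -Rule $rule -InstanceId 'USB\VID_095D&PID_9208\5&23639F31&0&2'
Test-UsbRedirected -Rule $rule -InstanceId 'USB\VID_0000&PID_0000\0&CONSTRUCTED&0&1' `
    -ClassGuid '{6bdd1fc6-810f-11d0-bec7-08002be2092f}'
```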
Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.
Tip
This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.
Select a product using the buttons at the top of this article to show the relevant
content.
You can configure the redirection behavior of WebAuthn requests from a remote session
to a local device over the Remote Desktop Protocol (RDP). WebAuthn redirection
enables in-session passwordless authentication using Windows Hello for Business or
security devices like FIDO keys.
For Azure Virtual Desktop, we recommend you enable WebAuthn redirection on your
session hosts using Microsoft Intune or Group Policy, then control redirection using the
host pool RDP properties.
This article provides information about the supported redirection methods and how to
configure the redirection behavior for WebAuthn requests. To learn more about how
redirection works, see Redirection over the Remote Desktop Protocol.
Prerequisites
Before you can configure WebAuthn redirection, you need:
A Microsoft Entra ID account that is assigned the Desktop Virtualization Host Pool
Contributor built-in role-based access control (RBAC) role on the host pool as a
minimum.
A local Windows device with Windows Hello for Business or a security device like a
FIDO USB key already configured.
You need to connect to a remote session from a supported app and platform. To
view redirection support in Windows App and the Remote Desktop app, see
Compare Windows App features across platforms and devices and Compare
Remote Desktop app features across platforms and devices.
WebAuthn redirection
Configuration of a session host using Microsoft Intune or Group Policy, or setting an
RDP property on a host pool governs the ability to redirect WebAuthn requests from a
remote session to a local device, which is subject to a priority order.
) Important
Take care when configuring redirection settings as the most restrictive setting is the
resultant behavior. For example, if you disable WebAuthn redirection on a session
host with Microsoft Intune or Group Policy, but enable it with the host pool RDP
property, redirection is disabled.
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the host pool you want to configure.
5. For WebAuthn redirection, select the drop-down list, then select one of the
following options:
WebAuthn requests in the remote session are not redirected to the local
computer
WebAuthn requests in the remote session are redirected to the local
computer (default)
Not configured
6. Select Save.
Microsoft Intune
2. Create or edit a configuration profile for Windows 10 and later devices, with
the Settings catalog profile type.
4. Check the box for Do not allow WebAuthn redirection, then close the settings
picker.
5. Expand the Administrative templates category, then toggle the switch for Do
not allow WebAuthn redirection to Enabled or Disabled, depending on your
requirements:
6. Select Next.
7. Optional: On the Scope tags tab, select a scope tag to filter the profile. For
more information about scope tags, see Use role-based access control (RBAC)
and scope tags for distributed IT.
8. On the Assignments tab, select the group containing the computers providing
a remote session you want to configure, then select Next.
9. On the Review + create tab, review the settings, then select Create.
10. Once the policy applies to the computers providing a remote session, restart
them for the settings to take effect.
1. If you're using a USB security key, make sure it's plugged in first.
2. Connect to a remote session using Windows App or the Remote Desktop app on a
platform that supports WebAuthn redirection. For more information, see Compare
Windows App features across platforms and devices and Compare Remote
Desktop app features across platforms and devices.
3. In the remote session, open a website in an InPrivate window that uses WebAuthn
authentication, such as Windows App for web browsers at
https://windows.cloud.microsoft/ .
4. Follow the sign-in process. When the authentication comes to use Windows Hello
for Business or the security key, you should see a Windows Security prompt to
complete the authentication, as shown in the following image when using a
Windows local device.
The Windows Security prompt is on the local device and overlays the remote
session, indicating that WebAuthn redirection is working.
Related content
Redirection over the Remote Desktop Protocol.
Supported RDP properties.
Compare Windows App features across platforms and devices.
Compare Remote Desktop app features across platforms and devices.
Important
Configure redirection settings for the Remote Desktop app on Android and
Windows App on Android using Microsoft Intune are currently in PREVIEW.
Configure redirection settings for Windows App on iOS/iPadOS using Microsoft
Intune is generally available. See the Supplemental Terms of Use for Microsoft
Azure Previews for legal terms that apply to Azure features that are in beta,
preview, or otherwise not yet released into general availability.
Tip
This article contains information for multiple products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and applications.
Redirection of resources and peripherals from a user's local device to a remote session
from Azure Virtual Desktop or Windows 365 over the Remote Desktop Protocol (RDP),
such as the clipboard, camera, and audio, is normally governed by central configuration
of a host pool and its session hosts. Client device redirection is configured for Windows
App and the Remote Desktop app using a combination of Microsoft Intune app
configuration policies, app protection policies, and Microsoft Entra Conditional Access
on a user's local device.
Apply redirection settings at a more granular level based on criteria you specify.
For example, you might want to have different settings depending on which
security group a user is in, the operating system of device they're using, or if users
use both corporate and personal devices to access a remote session.
If the redirection settings on a client device conflict with the host pool RDP properties
and session host for Azure Virtual Desktop, or Cloud PC for Windows 365, the more
restrictive setting of the two takes effect. For example, if the session host
disallows drive redirection and the client device allows drive redirection, drive
redirection is disallowed. If the redirection settings on the session host and client device
are the same, the redirection behavior is consistent.
Important
Intune app protection policies: used to specify security requirements that must be
met by the application and the client device. Use filters to target users based on
specific criteria.
Conditional Access policies: used to allow access to Azure Virtual Desktop and
Windows 365 only if the criteria set in app configuration policies and app
protection policies are met.
Supported platforms and enrollment types
The following table shows which application you can manage based on the device
platform and enrollment type:
Android ✅ ✅
Android ✅ ✅
Example scenarios
The values you specify in filters and policies depend on your requirements, so you need
to determine what's best for your organization. Here are some example scenarios of
what you need to configure to achieve them.
Scenario 1
Users in a group are allowed drive redirection when connecting from their Windows
corporate device, but drive redirection is disallowed on their iOS/iPadOS or Android
corporate device. To achieve this scenario:
1. Make sure your session hosts or Cloud PCs, and host pools settings are configured
to allow drive redirection.
2. Create device filter for managed apps for iOS and iPadOS, and a separate filter for
Android.
3. For iOS and iPadOS only, create an app configuration policy for managed devices.
4. Create an app configuration policy for managed apps with drive redirection
disabled. You can create a single policy for both iOS/iPadOS and Android, or create
a separate policy for iOS/iPadOS and Android.
5. Create two app protection policies, one for iOS/iPadOS and one for Android.
Scenario 2
Users in a group who have an Android device running the latest version of Android are
allowed drive redirection, but the same users whose device is running an older version of
Android are disallowed drive redirection. To achieve this scenario:
1. Make sure your session hosts or Cloud PCs, and host pools settings are configured
to allow drive redirection.
a. A device filter for managed apps for Android, where the operating system version is set
to the latest version number of Android.
b. A device filter for managed apps for Android, where the operating system version is set
to a version number older than the latest version of Android.
a. An app configuration policy for managed apps with drive redirection enabled.
Assign it one or more groups with the filter for the latest version number of
Android.
b. An app configuration policy for managed apps with drive redirection disabled.
Assign it one or more groups with the filter for the older version number of
Android.
4. Create an app protection policy, one combined for iOS/iPadOS and Android.
Scenario 3
Users in a group using an unmanaged iOS/iPadOS device to connect to a remote
session are allowed clipboard redirection, but the same users using an unmanaged
Android device are disallowed clipboard redirection. To achieve this scenario:
1. Make sure your session hosts or Cloud PCs, and host pools settings are configured
to allow clipboard redirection.
2. Create two device filters:
a. A device filter for managed apps for iOS and iPadOS, where the device
management type is unmanaged.
b. A device filter for managed apps for Android, where the device management
type is unmanaged.
4. Create an app protection policy, one combined for iOS/iPadOS and Android.
Intune:
Disable all redirection on personal devices.
Require PIN access to app.
Block third-party keyboards.
Specify a minimum device operating system version.
Specify a minimum Windows App and/or Remote Desktop app version number.
Block jailbroken/rooted devices.
Require a mobile threat defense (MTD) solution on devices, with no threats
detected.
Conditional Access:
Block access unless criteria set in Intune mobile application management
policies are met.
Grant access, requiring one or more of the following options:
Require multifactor authentication.
Require an Intune app protection policy.
Prerequisites
Before you can configure redirection settings on a client device using Microsoft Intune
and Conditional Access, you need:
At least one security group containing users to apply the policies to.
To use Windows App with enrolled devices on iOS and iPadOS, you need to add
each app to Intune from the App Store. For more information, see Add iOS store
apps to Microsoft Intune.
A client device running one of the following versions of Windows App or the
Remote Desktop app:
There are more Intune prerequisites for configuring app configuration policies, app
protection policies, and Conditional Access policies. For more information, see:
App configuration policies for Microsoft Intune.
How to create and assign app protection policies.
Use app-based Conditional Access policies with Intune.
Important
To learn about filters and how to create them, see Use filters when assigning your apps,
policies, and profiles in Microsoft Intune and Managed app filter properties.
To create and apply an app configuration policy for managed devices, follow the steps in
Add app configuration policies for managed iOS/iPadOS devices and use the following
settings:
On the Basics tab, for targeted app, select Windows App from the list. You need to
have added the app to Intune from the App Store for it to show in this list.
On the Settings tab, for the Configuration settings format drop-down list, select
Use configuration designer, then enter the following settings exactly as shown:
On the Assignments tab, assign the policy to the security group containing the
users to apply the policy to. You must apply the policy to a group of users to have
the policy take effect. For each group, you can optionally select a filter to be more
specific in the app configuration policy targeting.
Create an app configuration policy for managed apps
You need to create a separate app configuration policy for managed apps for Windows
App (iOS/iPadOS) and the Windows App (preview) or Remote Desktop app (Android),
which enables you to provide configuration settings. Don't configure both Android and
iOS in the same configuration policy or you won't be able to configure policy targeting
based on managed and unmanaged devices.
To create and apply an app configuration policy for managed apps, follow the steps in
App configuration policies for Intune App SDK managed apps and use the following
settings:
On the Basics tab, select Select public apps, then search for and select Remote
Desktop for Android and Windows App for iOS/iPadOS. Select Select custom
apps, then type in com.microsoft.rdc.androidx.beta in the Bundle or Package ID
field under More Apps for Windows App (preview) for Android.
On the Settings tab, expand General configuration settings, then enter the
following name and value pairs for each redirection setting you want to configure
exactly as shown. These values correspond to the RDP properties listed on
Supported RDP properties, but the syntax is different:
audiocapturemode: Indicates whether audio input redirection is enabled.
    0: Audio capture from the local device is disabled.
    1: Audio capture from the local device and redirection to an audio application in
    the remote session is enabled.
On the Assignments tab, assign the policy to the security group containing the
users to apply the policy to. You must apply the policy to a group of users to have
the policy take effect. For each group, you can optionally select a filter to be more
specific in the app configuration policy targeting.
To create and apply an app protection policy, follow the steps in How to create and
assign app protection policies and use the following settings.
On the Apps tab, select Select public apps, then search for and select Remote
Desktop for Android and Windows App for iOS/iPadOS. Select Select custom
apps, then type in com.microsoft.rdc.androidx.beta in the Bundle or Package ID
field under More Apps for Windows App (preview) for Android.
On the Data protection tab, only the following settings are relevant to Windows
App and the Remote Desktop app. The other settings don't apply as Windows App
and the Remote Desktop app interact with the session host and not with data in
the app. On mobile devices, unapproved keyboards are a source of keystroke
logging and theft.
For iOS and iPadOS, you can configure the following settings:
Restrict cut, copy, and paste between other apps
Third-party keyboards
Tip
On the Conditional launch tab, we recommend you add the following conditions:
For version details, see What's new in Windows App, and What's new in the
Remote Desktop client for Android and Chrome OS.
For more information about the available settings, see Conditional launch in iOS
app protection policy settings and Conditional launch in Android app protection
policy settings.
On the Assignments tab, assign the policy to the security group containing the
users to apply the policy to. You must apply the policy to a group of users to have
the policy take effect. For each group, you can optionally select a filter to be more
specific in the app configuration policy targeting.
To create and apply a Conditional Access policy, follow the steps in Set up app-based
Conditional Access policies with Intune. The following settings provide an example, but
you should adjust them based on your requirements:
1. For the first policy to grant access to a remote session only when an app
protection policy is applied with Windows App and the Remote Desktop app:
For Assignments, include the security group containing the users to apply the
policy to. You must apply the policy to a group of users to have the policy
take effect.
For Target resources, select to apply the policy to Cloud apps, then for
Include, select Select apps. Search for and select Azure Virtual Desktop and
Windows 365. You only have Azure Virtual Desktop in the list if you
registered the Microsoft.DesktopVirtualization resource provider on a
subscription in your Microsoft Entra tenant.
For Conditions:
Select Device platforms, then include iOS and Android.
Select Client apps, then include Mobile apps and desktop clients.
For Access controls, select Grant access, then check the box for Require app
protection policy and select the radio button for Require all the selected
controls.
2. For the second policy to block access to a remote session using a web browser:
For Assignments, include the security group containing the users to apply the
policy to. You must apply the policy to a group of users to have the policy
take effect.
For Target resources, select to apply the policy to Cloud apps, then for
Include, select Select apps. Search for and select Azure Virtual Desktop and
Windows 365. You only have Azure Virtual Desktop in the list if you
registered the Microsoft.DesktopVirtualization resource provider on a
subscription in your Microsoft Entra tenant. The cloud app for Windows 365
also covers Microsoft Dev Box.
For Conditions:
Select Device platforms, then include iOS and Android.
Select Client apps, then include Browser.
For Access controls, select Block access, then select the radio button for
Require all the selected controls.
Known issues
Windows App exits without warning if Company Portal and Windows App aren't
installed in the same profile. Install both apps either in a personal profile or both
apps in a work profile.
Tip
This article is shared for services and products that use the Remote Desktop
Protocol (RDP) to provide remote access to Windows desktops and apps.
The Remote Desktop Protocol (RDP) has a number of properties you can set to
customize the behavior of a remote session, such as for device redirection, display
settings, session behavior, and more.
The following sections list each available RDP property with its syntax,
description, supported values, default value, and the services and products you
can use it with.
How you use these RDP properties depends on the service or product you're using:
Azure Virtual Desktop: Host pool RDP properties. To learn more, see Customize RDP properties
for a host pool.
Note
For each RDP property, replace <value> with an allowed value for that property.
Connections
Here are the RDP properties that you can use to configure connections.
alternate shell
authentication level
Default value: 3
Applies to:
Remote Desktop Services
Remote PC connections
disableconnectionsharing
Syntax: disableconnectionsharing:i:<value>
Description: Determines whether the client reconnects to any existing
disconnected session or initiates a new connection when a new connection is
launched.
Supported values:
0 : Reconnect to any existing session.
1 : Initiate new connection.
Default value: 0
Applies to:
Remote Desktop Services
domain
Syntax: domain:s:<value>
Description: Specifies the name of the Active Directory domain in which the user
account that will be used to sign in to the remote computer is located.
Supported values:
A valid domain name, such as CONTOSO.
Default value: None.
Applies to:
Remote Desktop Services
Remote PC connections
enablecredsspsupport
Syntax: enablecredsspsupport:i:<value>
Description: Determines whether the client will use the Credential Security Support
Provider (CredSSP) for authentication if it's available.
Supported values:
0 : RDP won't use CredSSP, even if the operating system supports CredSSP.
1 : RDP will use CredSSP if the operating system supports CredSSP.
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
enablerdsaadauth
Syntax: enablerdsaadauth:i:<value>
Description: Determines whether the client will use Microsoft Entra ID to
authenticate to the remote PC. When used with Azure Virtual Desktop, this
provides a single sign-on experience. This property replaces the property
targetisaadjoined.
Supported values:
0 : Connections won't use Microsoft Entra authentication, even if the remote PC
supports it.
1 : Connections will use Microsoft Entra authentication if the remote PC
supports it.
Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
full address
gatewaycredentialssource
Syntax: gatewaycredentialssource:i:<value>
Description: Specifies the authentication method used for Remote Desktop
gateway connections.
Supported values:
0 : Ask for password (NTLM).
1 : Use smart card.
3 : Prompt the user for their credentials and use basic authentication.
4 : Allow user to select later.
5 : Use cookie-based authentication.
Default value: 0
Applies to:
Remote Desktop Services
gatewayhostname
Syntax: gatewayhostname:s:<value>
Description: Specifies the host name of a Remote Desktop gateway.
Supported values:
A valid hostname, IPv4 address, or IPv6 address.
Default value: None.
Applies to:
Remote Desktop Services
gatewayprofileusagemethod
Syntax: gatewayprofileusagemethod:i:<value>
Description: Specifies whether to use the default Remote Desktop gateway
settings.
Supported values:
0 : Use the default profile mode, as specified by the administrator.
Default value: 0
Applies to:
Remote Desktop Services
gatewayusagemethod
Syntax: gatewayusagemethod:i:<value>
Description: Specifies whether to use a Remote Desktop gateway for the
connection.
Supported values:
0 : Don't use a Remote Desktop gateway.
1 : Always use a Remote Desktop gateway.
RD Session Host.
3 : Use the default Remote Desktop gateway settings.
4 : Don't use a Remote Desktop gateway, bypass gateway for local addresses.
kdcproxyname
Syntax: kdcproxyname:s:<value>
Description: Specifies the fully qualified domain name of a KDC proxy.
Supported values:
A valid path to a KDC proxy server, such as kdc.contoso.com.
Default value: None.
Applies to:
Azure Virtual Desktop. For more information, see Configure a Kerberos Key
Distribution Center proxy.
promptcredentialonce
Syntax: promptcredentialonce:i:<value>
Description: Determines whether a user's credentials are saved and used for both
the Remote Desktop gateway and the remote computer.
Supported values:
0 : Remote session doesn't use the same credentials.
1 : Remote session does use the same credentials.
Default value: 1
Applies to:
Remote Desktop Services
targetisaadjoined
Syntax: targetisaadjoined:i:<value>
Description: Allows connections to Microsoft Entra joined session hosts using a
username and password. This property is only applicable to non-Windows clients
and local Windows devices that aren't joined to Microsoft Entra. It is being
replaced by the property enablerdsaadauth.
Supported values:
0 : Connections to Microsoft Entra joined session hosts will succeed for
Windows devices that meet the requirements, but other connections will fail.
1 : Connections to Microsoft Entra joined hosts will succeed but are restricted to
entering user name and password credentials when connecting to session hosts.
Default value: 0
Applies to:
Azure Virtual Desktop. For more information, see Microsoft Entra joined session
hosts in Azure Virtual Desktop.
username
Syntax: username:s:<value>
Description: Specifies the name of the user account that will be used to sign in to
the remote computer.
Supported values:
Any valid username.
Default value: None.
Applies to:
Remote Desktop Services
Session behavior
Here are the RDP properties that you can use to configure session behavior.
autoreconnection enabled
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
bandwidthautodetect
Syntax: bandwidthautodetect:i:<value>
Description: Determines whether or not to use automatic network bandwidth
detection.
Supported values:
0 : Don't use automatic network bandwidth detection.
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
compression
Syntax: compression:i:<value>
Description: Determines whether bulk compression is enabled when transmitting
data to the local device.
Supported values:
0 : Disable bulk compression.
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
networkautodetect
Syntax: networkautodetect:i:<value>
Description: Determines whether automatic network type detection is enabled.
Supported values:
0 : Disable automatic network type detection.
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
videoplaybackmode
Syntax: videoplaybackmode:i:<value>
Description: Determines whether the connection will use RDP-efficient multimedia
streaming for video playback.
Supported values:
0 : Don't use RDP-efficient multimedia streaming for video playback.
1 : Use RDP-efficient multimedia streaming for video playback when possible.
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
Device redirection
Here are the RDP properties that you can use to configure device redirection. To learn
more, see Redirection over the Remote Desktop Protocol.
audiocapturemode
Syntax: audiocapturemode:i:<value>
Description: Indicates whether audio input redirection is enabled.
Supported values:
0 : Disable audio capture from a local device.
1 : Enable audio capture from a local device and redirect it to a remote session.
Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
To learn how to use this property, see Configure audio and video redirection over the
Remote Desktop Protocol.
audiomode
Syntax: audiomode:i:<value>
Description: Determines whether the local or remote machine plays audio.
Supported values:
0 : Play sounds on the local device.
1 : Play sounds in a remote session.
Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
To learn how to use this property, see Configure audio and video redirection over the
Remote Desktop Protocol.
camerastoredirect
Syntax: camerastoredirect:s:<value>
Description: Configures which cameras to redirect. This setting uses a semicolon-
delimited list of KSCATEGORY_VIDEO_CAMERA interfaces of cameras enabled for
redirection.
Supported values:
* : Redirect all cameras.
To learn how to use this property, see Configure camera, webcam, and video capture
redirection over the Remote Desktop Protocol.
devicestoredirect
Syntax: devicestoredirect:s:<value>
Description: Determines which peripherals that use the Media Transfer Protocol
(MTP) or Picture Transfer Protocol (PTP), such as a digital camera, are redirected
from a local Windows device to a remote session.
Supported values:
* : Redirect all supported devices, including ones that are connected later.
Default value: *
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
To learn how to use this property, see Configure Media Transfer Protocol and Picture
Transfer Protocol redirection on Windows over the Remote Desktop Protocol.
drivestoredirect
Syntax: drivestoredirect:s:<value>
Description: Determines which fixed, removable, and network drives on the local
device will be redirected and available in a remote session.
Supported values:
Empty: Don't redirect any drives.
* : Redirect all drives, including drives that are connected later.
To learn how to use this property, see Configure fixed, removable, and network drive
redirection over the Remote Desktop Protocol.
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
To learn how to use this property, see Configure camera, webcam, and video capture
redirection over the Remote Desktop Protocol.
keyboardhook
Syntax: keyboardhook:i:<value>
Description: Determines whether Windows key combinations (Windows, Alt + Tab)
are applied to a remote session.
Supported values:
0 : Windows key combinations are applied on the local device.
RemoteApp when in focus. We recommend you use this value only when
publishing the Remote Desktop Connection app (mstsc.exe) from the host pool
on Azure Virtual Desktop. This value is only supported when using the Windows
client.
Default value: 2
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
redirectclipboard
Syntax: redirectclipboard:i:<value>
Description: Determines whether to redirect the clipboard.
Supported values:
0 : Clipboard on local device isn't available in remote session.
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
To learn how to use this property, see Configure clipboard redirection over the Remote
Desktop Protocol.
redirectcomports
Syntax: redirectcomports:i:<value>
Description: Determines whether serial or COM ports on the local device are
redirected to a remote session.
Supported values:
0 : Serial or COM ports on the local device aren't available in a remote session.
1 : Serial or COM ports on the local device are available in a remote session.
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
To learn how to use this property, see Configure serial or COM port redirection over the
Remote Desktop Protocol.
1 : Medium compression.
2 : Low compression video with high picture quality.
Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
To learn how to use this property, see Configure camera, webcam, and video capture
redirection over the Remote Desktop Protocol.
redirectlocation
Syntax: redirectlocation:i:<value>
Description: Determines whether the location of the local device is redirected to a
remote session.
Supported values:
0 : A remote session uses the location of the remote computer or virtual
machine.
1 : A remote session uses the location of the local device.
Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
To learn how to use this property, see Configure location redirection over the Remote
Desktop Protocol.
redirectprinters
Syntax: redirectprinters:i:<value>
Description: Determines whether printers available on the local device are
redirected to a remote session.
Supported values:
0 : The printers on the local device aren't redirected to a remote session.
1 : The printers on the local device are redirected to a remote session.
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
To learn how to use this property, see Configure printer redirection over the Remote
Desktop Protocol.
redirectsmartcards
Syntax: redirectsmartcards:i:<value>
Description: Determines whether smart card devices on the local device will be
redirected and available in a remote session.
Supported values:
0 : Smart cards on the local device aren't redirected to a remote session.
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
To learn how to use this property, see Configure smart card redirection over the Remote
Desktop Protocol.
redirectwebauthn
Syntax: redirectwebauthn:i:<value>
Description: Determines whether WebAuthn requests from a remote session are
redirected to the local device allowing the use of local authenticators (such as
Windows Hello for Business and security keys).
Supported values:
0 : WebAuthn requests from a remote session aren't sent to the local device for
authentication.
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
To learn how to use this property, see Configure WebAuthn redirection over the Remote
Desktop Protocol.
usbdevicestoredirect
Syntax: usbdevicestoredirect:s:<value>
Description: Determines which supported USB devices on the client computer are
redirected using opaque low-level redirection to a remote session.
Supported values:
* : Redirect all USB devices that aren't already redirected by high-level
redirection.
{*Device Setup Class GUID*} : Redirect all devices that are members of the
Default value: *
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
To learn how to use this property, see Configure USB redirection on Windows over the
Remote Desktop Protocol.
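As an added example (not code from Microsoft's documentation), the following Python parses RDP properties in either form described above, the one-property-per-line .rdp file and the semicolon-delimited host pool custom RDP properties string, fills in the documented defaults for any property that is absent, and reports where the effective device redirection settings differ from a constructed locked-down baseline. The baseline, both sample inputs and the camera interface paths are constructed for this example.

```python
"""Parse RDP properties and audit device redirection against a baseline.

Added example, not Microsoft's code. Handles both the one-property-per-line .rdp
file form and the semicolon-delimited host pool custom RDP properties string.
Names, syntax and defaults follow the reference above; baseline and inputs are constructed.
"""
from __future__ import annotations

import re

# Each property is name:type:value; this example handles i (integer) and s (string).
PROP_RE = re.compile(r"^\s*(?P<name>[^:;]+?)\s*:(?P<type>[is]):(?P<value>.*)$")

# Defaults stated in the reference above; an absent property takes its default.
DEFAULTS: dict[str, int | str] = {
    "redirectclipboard": 1, "redirectcomports": 1, "redirectprinters": 1,
    "redirectsmartcards": 1, "redirectwebauthn": 1, "redirectlocation": 0,
    "audiocapturemode": 0, "usbdevicestoredirect": "*", "devicestoredirect": "*",
    "enablecredsspsupport": 1, "enablerdsaadauth": 0, "targetisaadjoined": 0,
}

# Constructed baseline for a locked-down host pool: property -> required value.
RESTRICTED_BASELINE: dict[str, int | str] = {
    "drivestoredirect": "",     # empty value: don't redirect any local drives
    "redirectclipboard": 0,     # local clipboard isn't available in the session
    "redirectcomports": 0,      # serial/COM ports stay on the local device
    "redirectlocation": 0,      # the device's location isn't exposed
    "audiocapturemode": 0,      # no microphone capture into the session
    "enablecredsspsupport": 1,  # keep CredSSP available for authentication
}


def _split_entries(text: str) -> list[str]:
    """Split on newlines and semicolons, but keep a ';' inside a value
    (camerastoredirect takes a semicolon-delimited list) with its property."""
    entries: list[str] = []
    for line in text.splitlines():
        for token in line.split(";"):
            if not token.strip():
                continue
            if PROP_RE.match(token):
                entries.append(token)
            elif entries:
                entries[-1] += ";" + token  # continuation of the previous value
            else:
                raise ValueError(f"malformed RDP property: {token!r}")
    return entries


def parse_rdp_properties(text: str) -> dict[str, int | str]:
    """Return {name: value} with 'i' properties as int. A non-numeric 'i' value
    raises ValueError rather than being dropped, which would misreport the posture."""
    props: dict[str, int | str] = {}
    for entry in _split_entries(text):
        m = PROP_RE.match(entry)  # always matches: _split_entries checked it
        name, kind, value = m["name"].lower(), m["type"], m["value"].strip()
        if kind == "i":
            if not re.fullmatch(r"-?\d+", value):
                raise ValueError(f"{name}: expected an integer, got {value!r}")
            props[name] = int(value)
        else:
            props[name] = value
    return props


def audit_redirection(props: dict[str, int | str],
                      baseline: dict[str, int | str] = RESTRICTED_BASELINE) -> list[str]:
    """One finding per baseline property whose effective value (explicit, else the
    documented default) differs, plus two checks specific to this reference."""
    findings: list[str] = []
    for name, expected in baseline.items():
        effective = props.get(name, DEFAULTS.get(name))
        if effective != expected:
            shown = "not set" if effective is None else repr(effective)
            findings.append(f"{name}: effective {shown}, baseline {expected!r}")
    if props.get("usbdevicestoredirect", DEFAULTS["usbdevicestoredirect"]) == "*":
        findings.append("usbdevicestoredirect: '*' redirects every USB device not "
                        "already covered by high-level redirection")
    if props.get("targetisaadjoined") == 1:
        findings.append("targetisaadjoined: legacy property, replaced by enablerdsaadauth")
    return findings


# Constructed host pool custom RDP properties string (semicolon-delimited form).
HOST_POOL_PROPERTIES = (
    "drivestoredirect:s:;redirectclipboard:i:0;redirectcomports:i:0;"
    "audiocapturemode:i:0;usbdevicestoredirect:s:;enablerdsaadauth:i:1"
)
# Constructed .rdp file excerpt (one property per line) with a permissive posture;
# the camera interface paths are placeholders, not real device interfaces.
RDP_FILE = r"""full address:s:session-host.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
camerastoredirect:s:\\?\usb#camera-one-placeholder;\\?\usb#camera-two-placeholder
targetisaadjoined:i:1
"""

if __name__ == "__main__":
    for label, text in (("host pool", HOST_POOL_PROPERTIES), ("rdp file", RDP_FILE)):
        for finding in audit_redirection(parse_rdp_properties(text)):
            print(f"{label}: {finding}")
```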
Display settings
Here are the RDP properties that you can use to configure display settings.
desktop size id
1 : 800×600
2 : 1024×768
3 : 1280×1024
4 : 1600×1200
desktopheight
Syntax: desktopheight:i:<value>
Description: Specifies the resolution height (in pixels) of a remote session.
Supported values:
Numerical value between 200 and 8192.
Default value: None. Match the local device.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
desktopscalefactor
Syntax: desktopscalefactor:i:<value>
Description: Specifies the scale factor of the remote session to make the content
appear larger.
Supported values:
Numerical value from the following list: 100, 125, 150, 175, 200, 250, 300, 400, 500
Note
desktopwidth
Syntax: desktopwidth:i:<value>
Description: Specifies the resolution width (in pixels) of a remote session.
Supported values:
Numerical value between 200 and 8192.
Default value: None. Match the local device.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
dynamic resolution
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
maximizetocurrentdisplays
Syntax: maximizetocurrentdisplays:i:<value>
Description: Determines which display a remote session uses for full screen when
maximizing. Requires use multimon set to 1. Only available on Windows App for
Windows and the Remote Desktop app for Windows.
Supported values:
0 : Session is full screen on the displays initially selected when maximizing.
1 : Session dynamically is full screen on the displays the session window spans
when maximizing.
Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
screen mode id
Default value: 2
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
selectedmonitors
Syntax: selectedmonitors:s:<value>
Description: Specifies which local displays to use in a remote session. The selected
displays must be contiguous. Requires use multimon set to 1. Only available on
Windows App for Windows, the Remote Desktop app for Windows, and the inbox
Remote Desktop Connection app on Windows.
Supported values:
A comma-separated list of machine-specific display IDs. You can retrieve
available IDs by running mstsc.exe /l from the command line. The first ID listed
is set as the primary display in a remote session.
Default value: None. All displays are used.
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
singlemoninwindowedmode
Syntax: singlemoninwindowedmode:i:<value>
Description: Determines whether a multi display remote session automatically
switches to single display when exiting full screen. Requires use multimon set to 1.
Only available on Windows App for Windows and the Remote Desktop app for
Windows.
Supported values:
0 : A remote session retains all displays when exiting full screen.
1 : A remote session switches to a single display when exiting full screen.
Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
smart sizing
Default value: 0
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
use multimon
Default value: 1
Applies to:
Azure Virtual Desktop
Remote Desktop Services
Remote PC connections
RemoteApp
Here are the RDP properties that you can use to configure RemoteApp behavior for
Remote Desktop Services.
remoteapplicationcmdline
Syntax: remoteapplicationcmdline:s:<value>
Description: Optional command line parameters for the RemoteApp.
Supported values:
Valid command-line parameters for the application.
Default value: None.
Applies to:
Remote Desktop Services
remoteapplicationexpandcmdline
Syntax: remoteapplicationexpandcmdline:i:<value>
Description: Determines whether environment variables contained in the
RemoteApp command line parameters should be expanded locally or remotely.
Supported values:
0 : Environment variables should be expanded to the values of the local device.
1 : Environment variables should be expanded to the values of the remote
session.
Default value: 1
Applies to:
Remote Desktop Services
remoteapplicationexpandworkingdir
Syntax: remoteapplicationexpandworkingdir:i:<value>
Description: Determines whether environment variables contained in the
RemoteApp working directory parameter should be expanded locally or remotely.
Supported values:
0 : Environment variables should be expanded to the values of the local device.
1 : Environment variables should be expanded to the values of the remote
session.
The RemoteApp working directory is specified through the shell working
directory parameter.
Default value: 1
Applies to:
Remote Desktop Services
remoteapplicationfile
Syntax: remoteapplicationfile:s:<value>
Description: Specifies a file to be opened in the remote session by the RemoteApp.
For local files to be opened, you must also enable drive redirection for the source
drive.
Supported values:
A valid file path in the remote session.
Default value: None.
Applies to:
Remote Desktop Services
remoteapplicationicon
Syntax: remoteapplicationicon:s:<value>
Description: Specifies the icon file to be displayed in Windows App or the Remote
Desktop app while launching a RemoteApp. If no file name is specified, the client
will use the standard Remote Desktop icon. Only .ico files are supported.
Supported values:
A valid file path to an .ico file.
Default value: None.
Applies to:
Remote Desktop Services
remoteapplicationmode
Syntax: remoteapplicationmode:i:<value>
Description: Determines whether a connection is started as a RemoteApp session.
Supported values:
0 : Don't launch a RemoteApp session.
Default value: 1
Applies to:
Remote Desktop Services
remoteapplicationname
Syntax: remoteapplicationname:s:<value>
Description: Specifies the name of the RemoteApp in Windows App or the Remote
Desktop app while starting the RemoteApp.
Supported values:
A valid application display name, for example Microsoft Excel.
Default value: None.
Applies to:
Remote Desktop Services
remoteapplicationprogram
Syntax: remoteapplicationprogram:s:<value>
Description: Specifies the alias or executable name of the RemoteApp.
Supported values:
A valid application name or alias, for example EXCEL.
Default value: None.
Applies to:
Remote Desktop Services
Note
Experience improvements
The improvements made in Windows 11 22H2 address user experience issues on Azure
Virtual Desktop. There are 3 major improvements to the print scenario
Printer redirection
Printer redirection affects whether the printers installed on the PC the user is connecting
from will be available in the remote session. While there is no recommended setting,
this configuration affects the printers that will be available to the user in the remote
session. Therefore, the admin should decide what the correct configuration is for their
users.
1. Go to https://portal.azure.com
2. Under Azure services, click Azure Virtual Desktop.
3. Click on Host pools and click on the host pool you would like to configure.
4. On the host pool configuration page, click on RDP Properties, then click on Device
redirection.
5. Choose your preferred printer redirection setting.
Note
Printer redirection affects the default printer behavior. When you choose to have
printers on the local computer be available in the remote session, the default
printer on the local computer will become the default printer in the remote session.
Printer properties are the configuration of a printer on a particular PC. These are things
like the printer driver, the ports where the printer is installed on this PC, and other
printer settings. This configuration is machine-specific, and does not roam with the user
across session hosts.
Known issues
See also
Universal Print discussions on the Microsoft Tech Community at
https://aka.ms/UPDiscussion.
Connect to Azure Virtual Desktop with
thin clients
Article • 05/23/2024
Thin clients are available from several partners you can use to connect to Azure Virtual
Desktop to access your desktops and applications. This article provides links to those
partners where you can read more about connecting to Azure Virtual Desktop. You can
also use a web browser on a thin client to access Azure Virtual Desktop using the web
client.
You can find a list of all the Remote Desktop clients at Remote Desktop clients overview.
Important
If you encounter an issue when trying to connect to Azure Virtual Desktop, you
must verify whether it's unique to your approved partner thin client. You can verify
whether this is a unique issue by trying to reproduce it on any first-party Remote
Desktop client. If you can't reproduce the issue on a first-party client, then you
must contact your client's provider for support.
Next steps
Learn more about Remote Desktop clients at Remote Desktop clients overview.
Azure Virtual Desktop uses the Azure Monitor Logs service to collect, index, and store
data generated by your environment. Because of this, the Azure Monitor pricing model
is based on the amount of data that's brought into and processed (or "ingested") by
your Log Analytics workspace in gigabytes per day. The cost of a Log Analytics
workspace isn't only based on the volume of data collected, but also which Azure
payment plan you've selected and how long you choose to store the data your
environment generates.
This article will explain the following things to help you understand how pricing in Azure
Monitor works:
How to estimate data ingestion and storage costs upfront before you enable this
feature
How to measure and control your ingestion and storage to reduce costs when
using this feature
Note
All sizes and pricing listed in this article are just examples to demonstrate how
estimation works. For a more accurate assessment based on your Azure Monitor
Log Analytics pricing model and Azure region, see Azure Monitor pricing.
Your data ingestion and storage costs depend on your environment size, health, and
usage. The example estimates in this article are based on healthy virtual machines
running light to power usage, sized according to our virtual machine sizing
guidelines, and give the range of data ingestion and storage costs you could expect.
The light usage VM we'll be using in our example includes the following components:
4 vCPUs, 1 disk
16 sessions per day
An average session duration of 2 hours (120 minutes)
100 processes per session
The power usage VM we'll be using in our example includes the following components:
6 vCPUs, 1 disk
6 sessions per day
Average session duration of 4 hours (240 minutes)
200 processes per session
Before you start estimating, it's important to understand that each performance
counter sends data at a specific frequency. We set a default sample rate per minute
(you can also edit this rate in your settings), but that rate is applied at different
multiplying factors depending on the counter. The following factors affect the rate:
For the per virtual machine (VM) factor, each counter sends data per VM in your
environment at the default sample rate per minute while the VM is running. You
can estimate the number of records these counters send per day by multiplying
the default sample rate per minute by the number of VMs in your environment,
then multiplying that number by the average VM running time per day.
To summarize:
Default sample rate per minute × number of CPU cores in the VM SKU × number
of VMs × average VM running time per day = number of records sent per day
For the per CPU factor, each counter sends at the default sample rate per minute
per vCPU in each VM in your environment while the VM is running. You can
estimate the number of records the counters will send per day by multiplying the
default sample rate per minute by the number of CPU cores in the VM SKU, then
multiplying that number by the number of minutes the VM runs and the number
of VMs in your environment.
To summarize:
Default sample rate per minute × number of CPU cores in the VM SKU × number
of minutes the VM runs × number of VMs = number of records sent per day
For the per disk factor, each counter sends data at the default sample rate for each
disk in each VM in your environment. The number of records these counters will
send per day equals the default sample rate per minute multiplied by number of
disks in the VM SKU, multiplied by 60 minutes per hour, and finally multiplied by
the average active hours for a VM.
To summarize:
Default sample rate per minute × number of disks in VM SKU × 60 minutes per
hour × number of VMs × average VM running time per day = number of records
sent per day
For the per session factor, each counter sends data at the default sample rate for
each session in your environment while the session is connected. You can estimate
the number of records these counters will send per day by multiplying the
default sample rate per minute by the average number of sessions per day and the
average session duration.
To summarize:
Default sample rate per minute × sessions per day × average session duration =
number of records sent per day
For the per-process factor, each counter sends data at the default rate for each
process in each session in your environment. You can estimate the number of
records these counters will send per day by multiplying the default sample rate per
minute by the average number of sessions per day, then multiplying that by the
average session duration and the average number of processes per session.
To summarize:
Default sample rate per minute × sessions per day × average session duration ×
average number of processes per session = number of records sent per day
The following table lists the 20 performance counters Azure Virtual Desktop Insights
collects and their default rates:
Counter name | Default sample rate | Frequency factor
User Input Delay per Process(*)\Max Input Delay | 30 seconds | Per process
User Input Delay per Session(*)\Max Input Delay | 30 seconds | Per session
To learn more about input delay performance counters, see User Input Delay
performance counters.
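As an added example (not code from the article), the following Python implements the five frequency factors described above and applies them, per VM per day, to the light and power usage VMs and the two counters the table lists; multiply by the VM count for a host pool total. It assumes the per-VM factor is sample rate × running time as the prose describes, that a 30-second sample rate means two samples per minute, and a VM running time of 24 hours per day, which the profiles above don't state.

```python
"""Estimate Azure Virtual Desktop Insights performance-counter records per VM per day.

Added example, not Microsoft's code. Implements the five frequency factors from
the article. Assumptions: the per-VM factor is sample rate x VM running time as
the prose describes; a sample interval in seconds is converted to samples per
minute; and VM running time per day (not stated in the profiles) is 24 hours.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    PER_VM = "per VM"
    PER_CPU = "per CPU"
    PER_DISK = "per disk"
    PER_SESSION = "per session"
    PER_PROCESS = "per process"


@dataclass(frozen=True)
class Counter:
    name: str
    sample_interval_seconds: int  # the table's "default sample rate"
    factor: Factor

    @property
    def samples_per_minute(self) -> float:
        return 60 / self.sample_interval_seconds


@dataclass(frozen=True)
class VmProfile:
    name: str
    vcpus: int
    disks: int
    sessions_per_day: int
    session_minutes: int
    processes_per_session: int
    running_hours_per_day: float = 24.0  # assumed; the article doesn't state it


# The two counters the table above lists (the rest of the table isn't reproduced).
DEFAULT_COUNTERS = (
    Counter(r"User Input Delay per Process(*)\Max Input Delay", 30, Factor.PER_PROCESS),
    Counter(r"User Input Delay per Session(*)\Max Input Delay", 30, Factor.PER_SESSION),
)

# The light and power usage example VMs from the article.
LIGHT_VM = VmProfile("light usage", vcpus=4, disks=1, sessions_per_day=16,
                     session_minutes=120, processes_per_session=100)
POWER_VM = VmProfile("power usage", vcpus=6, disks=1, sessions_per_day=6,
                     session_minutes=240, processes_per_session=200)


def records_per_day(counter: Counter, vm: VmProfile) -> float:
    """Apply one counter's frequency factor to one VM for a single day."""
    rate = counter.samples_per_minute
    running_minutes = vm.running_hours_per_day * 60
    session_minutes_per_day = vm.sessions_per_day * vm.session_minutes
    if counter.factor is Factor.PER_VM:
        return rate * running_minutes
    if counter.factor is Factor.PER_CPU:
        return rate * vm.vcpus * running_minutes
    if counter.factor is Factor.PER_DISK:
        return rate * vm.disks * 60 * vm.running_hours_per_day
    if counter.factor is Factor.PER_SESSION:
        return rate * session_minutes_per_day
    if counter.factor is Factor.PER_PROCESS:
        return rate * session_minutes_per_day * vm.processes_per_session
    raise ValueError(f"unknown factor {counter.factor}")


def estimate_daily_records(vm: VmProfile,
                           counters: tuple = DEFAULT_COUNTERS) -> dict[str, float]:
    """Records per day for each counter, plus a 'total' entry."""
    per_counter = {c.name: records_per_day(c, vm) for c in counters}
    per_counter["total"] = sum(per_counter.values())
    return per_counter


if __name__ == "__main__":
    for vm in (LIGHT_VM, POWER_VM):
        estimate = estimate_daily_records(vm)
        print(f"{vm.name}: {estimate['total']:,.0f} records/day")
        for name, records in estimate.items():
            if name != "total":
                print(f"  {records:>12,.0f}  {name}")
```

The per-process counter dominates: at two samples a minute it produces 100 times the per-session counter's records for the light usage VM, which is why the article points at process counters when looking for ingestion to trim.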
Estimating Windows Event Log ingestion
Windows Event Logs are data sources collected by either the Azure Monitor Agent or
the Log Analytics agent on Windows virtual machines. You can collect events from
standard logs like System and Application as well as custom logs created by applications
you need to monitor.
These are the default Windows Events for Azure Virtual Desktop Insights:
Application
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
System
Microsoft-FSLogix-Apps/Operational
Microsoft-FSLogix-Apps/Admin
Windows Event Logs send an event whenever the environment meets the terms of that event.
Machines in healthy states will send fewer events than machines in unhealthy states.
Since event count is unpredictable, we use a range of 1,000 to 10,000 events per VM per
day based on examples from healthy environments for this estimate. For example, if we
estimate each event record size in this example to be 1,500 bytes, this comes out to
roughly 2 to 15 megabytes of event data per day for the specified environment.
To learn more about configuring Windows event log data collection with the Azure
Monitor Agent, see How to collect events and performance counters from virtual
machines with Azure Monitor Agent.
To learn more about Windows events, see Windows event records properties.
These are the names of the activity logs the diagnostic counter tracks:
WVDCheckpoints
WVDConnections
WVDErrors
WVDFeeds
WVDManagement
WVDAgentHealthStatus
The service sends diagnostic information whenever the environment meets the terms
required to make a record. Since diagnostic record count is unpredictable, we use a
range of 500 to 1000 events per VM per day based on examples from healthy
environments for this estimate.
For example, if we estimate each diagnostic record size in this example to be 200 bytes,
then the total ingested data would be less than 1 MB per VM per day.
To learn more about the activity log categories, see Azure Virtual Desktop diagnostics.
The performance counters the session hosts use are among the largest sources of ingested
data for Azure Virtual Desktop Insights. This query shows all performance counters
you've enabled in the environment, not just the default ones for Azure Virtual Desktop
Insights. This information can help you understand which areas to target to reduce
costs.
Run the following custom query template for a Log Analytics workspace to track
frequency and megabytes ingested per performance counter over the last day:
Note
Make sure to replace the template's placeholder values with the values your
environment uses, otherwise the query won't work.
Events: 2 to 15 MB per VM per day
In this example, the total ingested data for Azure Virtual Desktop Insights is between 92
to 145 megabytes per VM per day. In other words, every 31 days, each VM ingests
roughly 3 to 5 gigabytes of data.
Using the default Pay-as-you-go model for Log Analytics pricing, you can estimate the
Azure Monitor data collection and storage cost per month. Depending on your data
ingestion, you may also consider the Capacity Reservation model for Log Analytics
pricing.
To learn about managing rights and permissions to the workbook, see Access control.
Note
Removing data points will impact their corresponding visuals in Azure Virtual
Desktop Insights.
Use a designated Log Analytics workspace for your Azure Virtual Desktop
resources to ensure that Log Analytics only collects performance counters and
events for the virtual machines in your Azure Virtual Desktop deployment.
Adjust your Log Analytics storage settings to manage costs. You can reduce the
retention period, evaluate whether a fixed storage pricing tier would be more cost-
effective, or set boundaries on how much data you can ingest to limit impact of an
unhealthy deployment. To learn more, see Azure Monitor Logs pricing details.
The performance counters the session hosts use will probably be your largest source of
ingested data for Azure Virtual Desktop Insights. The following custom query template
for a Log Analytics workspace can track frequency and megabytes ingested per
performance counter over the last day:
Note
Make sure to replace the template's placeholder values with the values your
environment uses, otherwise the query won't work.
This query will show all performance counters you have enabled on the environment,
not just the default ones for Azure Virtual Desktop Insights. This information can help
you understand which areas to target to reduce costs, like reducing a counter’s
frequency or removing it altogether.
You can also reduce costs by removing performance counters. To learn how to remove
performance counters or edit existing counters to reduce their frequency, see
Configuring performance counters.
Manage diagnostics
Azure Virtual Desktop diagnostics should make up less than 1% of your data storage
costs, so we don't recommend removing them. To manage Azure Virtual Desktop
diagnostics, see Use Log Analytics for the diagnostics feature.
Next steps
Learn more about Azure Virtual Desktop Insights at these articles:
This article lists and briefly describes key terms and concepts related to Azure Virtual
Desktop Insights.
Alerts
Any active Azure Monitor alerts that you've configured on the subscription and
classified as severity 0 will appear in the Overview page. To learn how to set up alerts,
see Azure Monitor Log Alerts.
Available sessions
Available sessions shows the number of available sessions in the host pool. The service
calculates this number by multiplying the number of virtual machines (VMs) by the
maximum number of sessions allowed per virtual machine, then subtracting the total
sessions.
Connection success
This item shows connection health. "Connection success" means that the connection
could reach the host, as confirmed by the stack on that virtual machine. A failed
connection means that the connection couldn't reach the host.
Daily alerts
The total number of alerts triggered each day.
Activity type: this category is how the error is categorized by Azure Virtual Desktop
diagnostics. The categories are management activities, feeds, connections, host
registrations, errors, and checkpoints. Learn more about these categories at Use
Log Analytics for the diagnostics feature.
Source: this category gives a more specific description of where the error
happened.
Diagnostics: the service role responsible for monitoring and reporting service
activity to let users observe and diagnose deployment issues.
Client: software running on the end-user machine that provides the interface to
the Azure Virtual Desktop service. It displays the list of published resources and
hosts the Remote Desktop connection once you've made a selection.
Each diagnostics issue or error includes a message that explains what went wrong. To
learn more about troubleshooting errors, see Identify and diagnose Azure Virtual
Desktop issues.
Gateway region code   Azure region
CUS                   Central US
EUS                   East US
EUS2                  East US 2
UKN                   UK North
UKS                   UK South
UKS2                  UK South 2
UKW                   UK West
WUS                   West US
Input delay
"Input delay" in Azure Virtual Desktop Insights means the input delay per process
performance counter for each session. In the host performance page at
aka.ms/azmonwvdi, this performance counter is configured to send a report to the
service once every 30 seconds. These 30-second intervals are called "samples," and each
sample reports the worst case in that window. The median and p95 values reflect the
median and 95th percentile across all samples.
Under Input delay by host, you can select a session host row to filter all other visuals in
the page to that host. You can also select a process name to filter the median input
delay over time chart.
To learn more about how the input delay counter works, see User Input Delay
performance counters.
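The sampling model described above (one worst-case value per 30-second window, then the median and 95th percentile across all samples) as an added Python example; this is not code from the page or from Azure Virtual Desktop Insights. The raw measurements are constructed, the percentile is computed by the nearest-rank method (an assumption; the page does not say which method the workbook uses), and the 100 ms threshold comes from the host performance guidance later on this page.

```python
import math
from statistics import median

SAMPLE_SECONDS = 30   # the counter reports once every 30 seconds (from the page)
IDEAL_MS = 100        # user input delay should ideally stay below 100 ms (from the page)

# Constructed raw input-delay measurements for one session:
# (seconds since session start, measured delay in ms). Made-up values.
MEASUREMENTS = [
    (0, 12), (5, 18), (12, 40), (25, 22),        # window 0-29   -> worst 40
    (31, 15), (44, 130), (58, 20),               # window 30-59  -> worst 130
    (62, 9), (75, 11),                           # window 60-89  -> worst 11
    (90, 35), (95, 60), (110, 250), (118, 30),   # window 90-119 -> worst 250
    (121, 14), (140, 16),                        # window 120-149-> worst 16
    (150, 80),                                   # window 150-179-> worst 80
]


def worst_case_samples(measurements, window=SAMPLE_SECONDS):
    """Collapse raw measurements into one sample per window, keeping the worst (highest) delay."""
    samples = {}
    for elapsed, delay in measurements:
        bucket = (elapsed // window) * window
        samples[bucket] = max(samples.get(bucket, 0), delay)
    return [samples[bucket] for bucket in sorted(samples)]


def percentile(values, p):
    """Nearest-rank percentile: the value at the ceil(p% * n)-th position of the sorted list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(measurements):
    """Median, p95 and threshold breaches over the worst-case samples, as the workbook reports them."""
    samples = worst_case_samples(measurements)
    return {
        "samples": samples,
        "median": median(samples),
        "p95": percentile(samples, 95),
        "over_100ms": sum(1 for s in samples if s > IDEAL_MS),
    }


if __name__ == "__main__":
    summary = summarize(MEASUREMENTS)
    print("samples:", summary["samples"])
    print(f"median {summary['median']} ms, p95 {summary['p95']} ms, "
          f"{summary['over_100ms']} samples above {IDEAL_MS} ms")
```

The gap between the median and the p95 in the output is the same pattern the host performance page highlights: a host can look healthy on the median while a handful of 30-second windows are far above the threshold.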
The following table lists the recommended performance counters and time intervals that
Azure Monitor uses for Azure Virtual Desktop:
Performance counter     Time interval
Memory(*)\Pages/sec     30 seconds
For example, if you select the By user filter, you can check to see each user's connection
attempts in the Attempts column.
If you notice that a connection issue spans multiple hosts, users, resources, or clients, it's
likely that the issue affects the whole system. If it doesn't, it's a smaller issue with lower
priority.
You can also select entries to view additional information. You can view which hosts,
resources, and client versions were involved with the issue. The display will also show
any errors reported during the connection attempts.
Session history
The Sessions item shows the status of all sessions, connected and disconnected. Idle
sessions shows only the disconnected sessions.
Severity 0 alerts
The most urgent items that you need to take care of right away. If you don't address
these issues, they could cause your Azure Virtual Desktop deployment to stop working.
Time to connect
Time to connect is the time between when a user opens a resource to start their session
and when their desktop has loaded and is ready to use. For example, for a RemoteApp,
this is the time it takes to launch the application.
Connection, which is how long it takes for the Azure service to route the user to a
session host.
"Logon," which is how long it takes for the service to perform tasks related to
signing in the user and establishing the session on the session host.
Time to connect is measured with the following checkpoints from Azure Virtual
Desktop service diagnostics data. The checkpoints Insights uses to determine when
the connection is established are different for a desktop versus a RemoteApp
scenario.
For example, Insights measures the time for a desktop experience to launch based on
how long it takes to launch Windows Explorer. Insights also measures the time for a
RemoteApp to launch based on the time taken to launch the first instance of the shell
app for a connection.
Note
If a user launches more than one RemoteApp, sometimes the shell app can execute
multiple times during a single connection. For an accurate measurement of time to
connect, you should only use the first execution checkpoint for each connection.
The time it takes for the user to provide credentials is subtracted from their time to
connect to account for situations where a user either takes a while to enter
credentials or uses alternative authentication methods to sign in.
When troubleshooting a high time to connect, Azure Monitor will break down total
connection time data into four components to help you identify how to reduce sign-in
time.
Note
The components in this section only show the primary connection stages. These
components can run in parallel, which means they won't add up to equal the total
time to connect. The total time to connect is a measurement that Azure Monitor
determines in a separate process.
The following flowchart shows the four stages of the sign-in process:
User route: the time it takes from when the user selects the Azure Virtual Desktop
icon to launch a session to when the service identifies a host to connect to. High
network load, high service load, or unique network traffic routing can lead to high
routing times. To troubleshoot user route issues, look at your network paths.
Stack connected: the time it takes from when the service resolves a target session
host for the user to when the service establishes a connection between the session
host and the user’s remote client. Like user routing, the network load, server load,
or unique network traffic routing can affect connection time. For this component,
you'll also need to pay attention to your network routing. To reduce connection
time, make sure you've appropriately configured all proxy configurations on both
the client and session hosts, and that routing to the service is optimal.
Profiles: the time it takes to load a user’s profile for new sessions. How long
loading takes depends on user profile size or the user profile solutions you're
using (such as User Experience Virtualization). If you're using a solution that
depends on network-stored profiles, excess latency can also lead to longer
profile loading times.
Group Policy Objects (GPOs): the time it takes to apply group policies to new
sessions. A spike in this area of the data is a sign that you have too many group
policies, the policies take too long to apply, or the session host is experiencing
resource issues. One thing you can do to optimize processing times is make
sure the domain controller is as close to the session hosts as possible.
Shell Start: the time it takes to launch the shell (usually explorer.exe).
FSLogix (Frxsvc): the time it takes to launch FSLogix in new sessions. A long
launch time may indicate issues with the shares used to host the FSLogix user
profiles. To troubleshoot these issues, make sure the shares are collocated with
the session hosts and appropriately scaled for the average number of users
signing in to the hosts. Another area you should look at is profile size. Large
profile sizes can slow down launch times.
Shell start to shell ready: the time from when the shell starts to load to when it's
fully loaded and ready for use. Delays in this phase can be caused by session host
overload (high CPU, memory, or disk activity) or configuration issues.
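The checkpoint arithmetic described in the Time to connect entry and the stage list above, as an added Python example; it is not code from the page or from Azure Virtual Desktop Insights. The checkpoint names and timestamps are constructed and hypothetical (the page says checkpoints exist but does not name them), credential-entry time is subtracted as the note describes, only the first shell execution counts, and the stages are assumed to run one after another so that each can be measured between two checkpoints; the page warns that the real components can overlap.

```python
from datetime import datetime

# Constructed checkpoint stream for one RemoteApp connection. The checkpoint
# names are hypothetical labels for the stages the article describes, not the
# service's real checkpoint names, and the timestamps are made up.
CONNECTION = [
    ("Started",               "2024-05-13T08:00:00.000"),  # user selects the resource
    ("CredentialPromptStart", "2024-05-13T08:00:00.500"),
    ("CredentialPromptEnd",   "2024-05-13T08:00:12.500"),  # user took 12 s to sign in
    ("HostResolved",          "2024-05-13T08:00:13.100"),  # service picked a session host
    ("StackConnected",        "2024-05-13T08:00:14.300"),  # client reached the host's stack
    ("ProfileLoaded",         "2024-05-13T08:00:19.300"),
    ("GpoApplied",            "2024-05-13T08:00:21.800"),
    ("ShellStart",            "2024-05-13T08:00:22.000"),  # first shell launch: this one counts
    ("ShellReady",            "2024-05-13T08:00:24.500"),
    ("ShellStart",            "2024-05-13T08:01:40.000"),  # second RemoteApp, same connection: ignored
]


def first_checkpoint(events, name):
    """Timestamp of the first checkpoint with this name; later repeats are ignored."""
    for checkpoint, stamp in events:
        if checkpoint == name:
            return datetime.fromisoformat(stamp)
    raise ValueError(f"checkpoint {name!r} missing from connection")


def seconds_between(start, end):
    return round((end - start).total_seconds(), 3)


def credential_time(events):
    """Seconds the user spent at the credential prompt; removed so slow typing is not blamed on the service."""
    return seconds_between(first_checkpoint(events, "CredentialPromptStart"),
                           first_checkpoint(events, "CredentialPromptEnd"))


def time_to_connect(events):
    """Seconds from resource selection to the first shell launch, minus credential-entry time."""
    started = first_checkpoint(events, "Started")
    shell = first_checkpoint(events, "ShellStart")   # first execution only, per the note above
    return round(seconds_between(started, shell) - credential_time(events), 3)


def stage_breakdown(events):
    """Per-stage durations; stages are assumed sequential here (the page says real ones may overlap)."""
    cp = {name: first_checkpoint(events, name) for name in
          ("Started", "HostResolved", "StackConnected", "ProfileLoaded",
           "GpoApplied", "ShellStart", "ShellReady")}
    return {
        # the prompt overlaps user routing in this constructed timeline, so remove it here as well
        "user_route": round(seconds_between(cp["Started"], cp["HostResolved"]) - credential_time(events), 3),
        "stack_connected": seconds_between(cp["HostResolved"], cp["StackConnected"]),
        "profiles": seconds_between(cp["StackConnected"], cp["ProfileLoaded"]),
        "gpo": seconds_between(cp["ProfileLoaded"], cp["GpoApplied"]),
        "shell_start_to_ready": seconds_between(cp["ShellStart"], cp["ShellReady"]),
    }


def slowest_stage(events):
    """The stage to investigate first when time to connect is high."""
    breakdown = stage_breakdown(events)
    return max(breakdown, key=breakdown.get)


if __name__ == "__main__":
    print("time to connect:", time_to_connect(CONNECTION), "s")
    for stage, secs in stage_breakdown(CONNECTION).items():
        print(f"  {stage:<22}{secs:>6.1f} s")
    print("slowest stage:", slowest_stage(CONNECTION))
```

For this constructed connection the profile stage dominates, which is the case the Profiles and FSLogix entries above point at: a large or network-stored profile rather than routing or the shell itself.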
User report
The user report page lets you view a specific user’s connection history and diagnostic
information. Each user report shows usage patterns, user feedback, and any errors users
have encountered during their sessions. Most smaller issues can be resolved with user
feedback. If you need to dig deeper, you can also filter information about a specific
connection ID or period of time.
The following table lists the required Windows Event Logs for Azure Virtual Desktop
Insights:
Next steps
To get started, see Use Azure Virtual Desktop Insights to monitor your deployment.
To estimate, measure, and manage your data storage costs, see Estimate Azure
Monitor costs.
If you encounter a problem, check out our troubleshooting guide for help and
known issues.
You can also set up Azure Advisor to help you figure out how to resolve or prevent
common issues. Learn more at Introduction to Azure Advisor.
If you need help or have any questions, check out our community resources:
Ask questions or make suggestions to the community at the Azure Virtual Desktop
TechCommunity.
Using Azure Virtual Desktop Insights can help you understand your deployments of
Azure Virtual Desktop. It can help with checks such as which client versions are
connecting, opportunities for cost saving, or knowing if you have resource limitations or
connectivity issues. If you make changes, you can continually validate that the changes
have the intended effect, and iterate if needed. This article provides some use cases for
Azure Virtual Desktop Insights and example scenarios using the Azure portal.
Prerequisites
An existing host pool with session hosts, and a workspace configured to use Azure
Virtual Desktop Insights.
You need to have active sessions for a period of time before you can make
informed decisions.
Connectivity
Connectivity issues can have a severe impact on the quality and reliability of the
end-user experience with Azure Virtual Desktop. Azure Virtual Desktop Insights can help
you identify connectivity issues and understand where improvements can be made.
High latency
High latency can cause poor quality and slowness of a remote session. Maintaining ideal
interaction times requires latency to generally be below 100 milliseconds, and a session
broadly becomes low quality above 200 ms. Azure Virtual Desktop Insights can help
pinpoint gateway regions and users impacted by latency by looking at the round-trip
time, so that you can more easily find cases of user impact that are related to
connectivity.
3. Review the section for Round-trip time and focus on the table for RTT by gateway
region and the graph RTT median and 95th percentile for all regions. In the
example below, most median latencies are under the ideal threshold of 100 ms,
but several are higher. In many cases, the 95th percentile (p95) is substantially
higher than the median, meaning that there are some users experiencing periods
of higher latency.
Tip
You can find a list of the gateway region codes and their corresponding Azure
region at Gateway region codes.
4. For the table RTT by gateway region, select Median, until the arrow next to it
points down, to sort by the median latency in descending order. This order
highlights gateways your users are reaching with the highest latency that could be
having the most impact. Select a gateway to view the graph of its RTT median and
95th percentile, and filter the list of 20 top users by RTT median to the specific
region.
In this example, the SAN gateway region has the highest median latency, and the
graph indicates that over time users are substantially over the threshold for poor
connection quality.
The list of users can be used to identify who is being impacted by these issues. You
can select the magnifying glass icon in the Details column to drill down further
into the data.
There are several possibilities for why latency might be higher than anticipated for some
users, such as a poor Wi-Fi connection, or issues with their Internet Service Provider
(ISP). However, with a list of impacted users, you have the ability to proactively contact
and attempt to resolve end-user experience problems by understanding their network
connectivity.
You should periodically review the round-trip time in your environment and the overall
trend to identify potential performance concerns.
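The round-trip-time review in steps 3 and 4 above, as an added Python example rather than code from the page or from Azure Virtual Desktop Insights: it aggregates constructed RTT samples per gateway region into a median and a 95th percentile (nearest-rank, an assumption), labels each region against the 100 ms and 200 ms thresholds from the High latency section, sorts by median in descending order as step 4 does, and lists the users behind one region by their median RTT. The region codes, user names and RTT values are all constructed.

```python
import math
from statistics import median

IDEAL_MS = 100   # ideal interaction requires RTT generally below 100 ms (from the page)
POOR_MS = 200    # a session broadly becomes low quality above 200 ms (from the page)

# Constructed RTT samples: (gateway region code, user, round-trip time in ms). Made-up values.
RTT_SAMPLES = [
    ("EUS", "alice", 40), ("EUS", "alice", 55), ("EUS", "bob", 70), ("EUS", "bob", 90),
    ("WUS", "carol", 95), ("WUS", "carol", 110), ("WUS", "dave", 80), ("WUS", "dave", 260),
    ("UKS", "erin", 210), ("UKS", "erin", 230), ("UKS", "frank", 180), ("UKS", "frank", 320),
]


def percentile(values, p):
    """Nearest-rank percentile of a list of numbers."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(p / 100 * len(ordered))) - 1]


def quality(median_ms):
    """Label a region's median RTT against the two thresholds."""
    if median_ms > POOR_MS:
        return "poor"
    if median_ms > IDEAL_MS:
        return "degraded"
    return "ok"


def rtt_by_region(samples):
    """One row per gateway region with median and p95 RTT, worst median first (the RTT by gateway region table)."""
    by_region = {}
    for region, _user, rtt in samples:
        by_region.setdefault(region, []).append(rtt)
    rows = []
    for region, values in by_region.items():
        med = median(values)
        rows.append({"region": region, "median": med, "p95": percentile(values, 95),
                     "samples": len(values), "quality": quality(med)})
    rows.sort(key=lambda row: row["median"], reverse=True)
    return rows


def top_users(samples, region, limit=20):
    """Users reaching one gateway region, ordered by their median RTT (the top users list for a region)."""
    per_user = {}
    for sample_region, user, rtt in samples:
        if sample_region == region:
            per_user.setdefault(user, []).append(rtt)
    ranked = sorted(((median(values), user) for user, values in per_user.items()), reverse=True)
    return [(user, med) for med, user in ranked[:limit]]


if __name__ == "__main__":
    rows = rtt_by_region(RTT_SAMPLES)
    for row in rows:
        print(f"{row['region']:<5} median {row['median']:>6.1f} ms  p95 {row['p95']:>4} ms  {row['quality']}")
    worst = rows[0]["region"]
    print(f"users behind {worst}:", top_users(RTT_SAMPLES, worst))
```

Reading the output the way the article suggests: a region whose p95 is far above its median (WUS here) has a few users with intermittent problems, while a region whose median is already above 200 ms (UKS) affects everyone who routes through it.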
Connection reliability
The reliability of a connection can have a significant impact on the end-user experience.
Azure Virtual Desktop Insights can help you understand disconnection events and
correlations between errors that affect end users.
Connection reliability provides two main views to help you understand the reliability of
your connections:
A graph showing the number of disconnections over the concurrent connections in
a given time range. This graph enables you to easily detect clusters of disconnects
that are impacting connection reliability.
A table of the top 20 disconnection events, listing the top 20 specific time intervals
where the most disconnections occurred. You can select a row in the table to
highlight specific segments of the connection graph to view the disconnections
that occurred at those specific time segments.
You can also analyze connection errors by different pivots to determine the root cause
of disconnects and improve connection reliability. Here are the available pivots:
Subscription: Groups events by the subscription that contains related resources. When
more than one subscription has Azure Virtual Desktop resources, it helps to determine
whether issues are scoped to one or more subscriptions.
Resource group: Groups events by the resource group that contains related resources.
Transport: Groups events by the network transport layer used for connections, either
UDP or TCP.
Session host IP/16: Groups events by the IPv4 address of each session host, collated by
the first two octets, for example (1.2.3.4).
Client type: Groups events by the client used to connect to a remote session, including
platform and processor architecture of the connecting device.
Client version: Groups events by the version number of Windows App or the Remote
Desktop app used to connect to a remote session.
Client IP/16: Groups events by the IPv4 address of each client device connecting to a
remote session, collated by the first two octets, for example (1.2.3.4).
Gateway region: Groups events by the Azure Virtual Desktop gateway region a client
device connected through. For a list of gateway regions, see Gateway region codes.
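The two connection-reliability views and the pivots above, as an added Python example (not code from the page or from Azure Virtual Desktop Insights): it buckets constructed disconnection events into fixed time slices, lists the slices with the most disconnections, and groups the events of one slice by a pivot such as Session host IP/16 (first two octets) or Transport. The five-minute slice width, the field names and every event value are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

SLICE_MINUTES = 5   # assumed width of one time slice; the page does not state the workbook's

# Constructed disconnection events (not data from the page). Addresses are from
# documentation ranges; the client version strings are made up.
DISCONNECTS = [
    {"time": "2024-05-13T09:01:10", "transport": "UDP", "host_ip": "10.1.4.7",
     "client_ip": "203.0.113.9", "client_version": "1.2.4487.0", "gateway": "EUS"},
    {"time": "2024-05-13T09:03:40", "transport": "UDP", "host_ip": "10.1.9.2",
     "client_ip": "203.0.113.44", "client_version": "1.2.4487.0", "gateway": "EUS"},
    {"time": "2024-05-13T09:04:05", "transport": "TCP", "host_ip": "10.1.4.7",
     "client_ip": "198.51.100.3", "client_version": "1.2.4240.0", "gateway": "EUS"},
    {"time": "2024-05-13T11:20:00", "transport": "TCP", "host_ip": "10.2.0.5",
     "client_ip": "198.51.100.77", "client_version": "1.2.4240.0", "gateway": "WUS"},
    {"time": "2024-05-13T14:45:30", "transport": "UDP", "host_ip": "10.1.4.7",
     "client_ip": "203.0.113.9", "client_version": "1.2.4487.0", "gateway": "EUS"},
    {"time": "2024-05-13T14:47:10", "transport": "UDP", "host_ip": "10.1.9.2",
     "client_ip": "203.0.113.12", "client_version": "1.2.4487.0", "gateway": "EUS"},
]


def slice_start(stamp, width_minutes=SLICE_MINUTES):
    """ISO timestamp of the time slice an event falls into."""
    t = datetime.fromisoformat(stamp).replace(second=0, microsecond=0)
    t -= timedelta(minutes=t.minute % width_minutes)
    return t.isoformat()


def top_disconnect_slices(events, n=20):
    """The n time slices with the most disconnections, busiest first (the top 20 table)."""
    return Counter(slice_start(e["time"]) for e in events).most_common(n)


def slash16(ip):
    """Collate an IPv4 address by its first two octets."""
    return ".".join(ip.split(".")[:2]) + ".0.0/16"


PIVOTS = {
    "Transport": lambda e: e["transport"],
    "Session host IP/16": lambda e: slash16(e["host_ip"]),
    "Client IP/16": lambda e: slash16(e["client_ip"]),
    "Client version": lambda e: e["client_version"],
    "Gateway region": lambda e: e["gateway"],
}


def pivot(events, name, within=None):
    """Count disconnections by one pivot, optionally only for the slice starting at `within`."""
    key = PIVOTS[name]
    selected = events if within is None else [e for e in events if slice_start(e["time"]) == within]
    return Counter(key(e) for e in selected).most_common()


if __name__ == "__main__":
    busiest, count = top_disconnect_slices(DISCONNECTS)[0]
    print(f"busiest slice {busiest}: {count} disconnections")
    for name in PIVOTS:
        print(f"  {name}: {pivot(DISCONNECTS, name, within=busiest)}")
```

When one value dominates a pivot inside the busiest slice (here a single session host /16 and one gateway region), that is the commonality the article tells you to look for before treating the disconnects as unrelated user problems.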
To view connection reliability information:
2. From the drop-down lists, select one or more subscriptions, resource groups, host
pools, and specify a time range, then select the Connection Reliability tab. The
table and graph populate with the top 20 disconnection events and a graph of
concurrent connections and disconnections over time.
3. In the graph, review the number of disconnections (shown in red) over the count of
concurrent connections (shown in green).
4. In the table, review the top 20 disconnection events. Select a row to highlight the
specific time segment and neighboring time segments in the graph when the
disconnections occurred.
5. When you select a row in the table, you can select one of the pivots to analyze the
connection errors in further detail. You might need to scroll down to see all the
relevant data available. By reviewing the connection errors across different pivots,
you can look for commonalities of disconnections.
6. Select a specific time slice to view its details with the full list of connections in the
time slice, their start and end dates, their duration, an indication of their success or
failure, and the impacted user and session host.
7. To see the detailed history of a specific connection, select an entry in the Details
section of a time slice. Selecting an entry generates a list of steps in the connection
and any errors.
2. In the search bar, type Azure Virtual Desktop and select the matching service entry
to go to the Azure Virtual Desktop overview.
3. Select Host pools, then select the name of the host pool for which you want to
view session host performance.
4. Select Insights, specify a time range, then select the Host Performance tab.
5. Review the table for Input delay by host and the graph Median input delay over
time to find a summary of the median and 95th percentile user input delay values
for each session host in the host pool. Ideally the user input delay for each host
should be below 100 milliseconds, and a lower value is better.
In the following example, the session hosts have a reasonable median user input
delay, but occasionally values peak above the threshold of 100 ms, implying
potential for impacting end-users.
6. If you find higher than expected user input delay (>100 ms), it can be useful to
then look at the aggregated statistics for CPU, memory, and disk activity for the
session hosts to see if there are periods of higher-than-expected utilization. The
graphs for Host CPU and memory metrics, Host disk timing metrics, and Host
disk queue length show either the aggregate across session hosts, or a selected
session host's resource metrics.
In this example, there are some periods of higher disk read times that correlate
with the higher user input delay.
7. For more information about a specific session host, select the Host Diagnostics
tab.
8. Review the section for Performance counters to see a quick summary of any
devices that crossed the specified thresholds for:
Selecting a parameter allows you to drill down and see the trend for a selected
session host. In the following example, one session host had higher CPU usage (>
60%) for the selected duration (1 minute).
In cases where a session host has extended periods of high resource utilization, it’s
worth considering increasing the Azure VM size of the session host to better
accommodate user workloads.
2. From the drop-down lists, select one or more subscriptions, resource groups, host
pools, and specify a time range, then select the Clients tab.
3. Review the section for Users with potentially outdated clients (all activity types).
A summary table shows the highest version level of each client found connecting
to your environment (marked as Newest) in the selected time range, and the count
of users using outdated versions (in parentheses).
In the example below, the newest version of the Microsoft Remote Desktop Client
for Windows (MSRDC) is 1.2.4487.0, and 993 users are currently using an older
version. It also shows a count of connections and the number of days behind the
latest version the older clients are.
4. To find more information, expand a client for a list of users using an outdated
version of that client, their versions, and the date last seen connecting with that
version. You can export the data using the button in the top right-hand corner of
the table for communication with the users or monitor the propagation of updates.
You should periodically review the versions of clients in use to ensure your users are
getting the best experience.
Cost saving opportunities
Understanding the utilization of session hosts can help illustrate where there's potential
to reduce spend by using a scaling plan, resizing virtual machines, or reducing the
number of session hosts in the pool. Azure Virtual Desktop Insights can provide visibility
into usage patterns to help you make the most informed decisions about how best to
manage your resources based on real user usage.
2. From the drop-down lists, select one or more subscriptions, resource groups, host
pools, and specify a time range, then select the Utilization tab.
3. Review the Session history chart, which displays the number of active and idle
(disconnected) sessions over time. Identify any periods of high activity, and periods
of low activity from the peak user session count and the time period in which the
peaks occur. If you find a regular, repeated pattern of activity, it usually implies
there's a good opportunity to implement a scaling plan.
In this example, the graph shows the number of user sessions over the course of a
week. Peaks occur at around midday on weekdays, and there's a noticeable lack of
activity over the weekend. This pattern suggests that there's an opportunity to
scale session hosts to meet demand during the week, and reduce the number of
session hosts over the weekend.
4. Use the Session host count chart to note the average number of active session
hosts over time, and particularly the average number of session hosts that are idle
(no sessions). Ideally session hosts should be actively supporting connected
sessions and active workloads, and powered off when not in use by using a scaling
plan. You'll likely need to keep a minimum number of session hosts powered on to
ensure availability for users at irregular times, so understanding usage over time
can help find an appropriate number of session hosts to keep powered on as a
buffer.
Even if a scaling plan is ultimately not a good fit for your usage patterns, there's
still an opportunity to balance the total number of session hosts available as a
buffer by analyzing the session demand and potentially reducing the number of
idle devices.
In this example, the graph shows there are long periods over the course of a week
where idle session hosts are powered on and therefore increasing costs.
5. Use the drop-down lists to reduce the scope to a single host pool and repeat the
analysis for session history and session host count. At this scope, you can identify
patterns that are specific to the session hosts in a particular host pool to help
develop a scaling plan for that host pool.
In this example, the first graph shows the pattern of user activity throughout a
week between 6AM and 10PM. On the weekend, there's minimal activity. The
second graph shows the number of active and idle session hosts throughout the
same week. There are long periods of time where idle session hosts are powered
on. Use this information to help determine optimal ramp-up and ramp-down times
for a scaling plan.
6. Create a scaling plan based on the usage patterns you identify, then assign the
scaling plan to your host pool.
After a period of time, you should repeat this process to validate that your session hosts
are being utilized effectively. You can make changes to the scaling plan if needed, and
continue to iterate until you find the optimal scaling plan for your usage patterns.
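An added Python example (not code from the page or from the scaling plan feature) that applies the analysis in steps 3 to 5 to a constructed week of hourly session counts: it averages sessions per hour of day separately for weekdays and the weekend, derives candidate ramp-up and ramp-down hours from where demand is at least a tenth of the peak, and totals the host-hours that powered-on hosts spent idle. The session pattern, the ten-host pool, its eight-session limit and the 10% rule are assumptions.

```python
import math

MAX_SESSIONS_PER_HOST = 8   # assumed host pool session limit
HOSTS_POWERED_ON = 10       # assumed: every host stays on all week (no scaling plan yet)
WEEKDAYS = range(0, 5)      # day 0 = Monday
WEEKEND = range(5, 7)


def constructed_week():
    """Synthetic hourly rows (day, hour, active sessions) for one week. Made-up pattern."""
    rows = []
    for day in range(7):
        for hour in range(24):
            if day in WEEKEND:
                sessions = 1 if 10 <= hour <= 16 else 0          # a few stragglers
            elif 6 <= hour <= 21:
                sessions = round(60 * math.exp(-((hour - 12) / 4) ** 2))   # midday peak
            else:
                sessions = 0
            rows.append((day, hour, sessions))
    return rows


def hourly_profile(rows, days):
    """Average active sessions per hour of day across the given days."""
    totals = [0] * 24
    for day, hour, sessions in rows:
        if day in days:
            totals[hour] += sessions
    return [total / len(days) for total in totals]


def recommend_window(profile, fraction=0.10):
    """(ramp-up hour, ramp-down hour): first hour at >= fraction of peak, and the hour after the last such hour."""
    peak = max(profile)
    if peak == 0:
        return None
    busy = [hour for hour, avg in enumerate(profile) if avg >= fraction * peak]
    return busy[0], busy[-1] + 1


def idle_host_hours(rows, hosts_on=HOSTS_POWERED_ON, per_host=MAX_SESSIONS_PER_HOST):
    """Host-hours in which a powered-on host was not needed for any session."""
    return sum(max(0, hosts_on - math.ceil(sessions / per_host)) for _, _, sessions in rows)


def analyze(rows):
    return {
        "weekday_window": recommend_window(hourly_profile(rows, WEEKDAYS)),
        "weekend_window": recommend_window(hourly_profile(rows, WEEKEND)),
        "weekday_peak": max(hourly_profile(rows, WEEKDAYS)),
        "idle_host_hours": idle_host_hours(rows),
        "total_host_hours": HOSTS_POWERED_ON * len(rows),
    }


if __name__ == "__main__":
    result = analyze(constructed_week())
    print(f"weekday ramp-up/ramp-down: {result['weekday_window']}, peak {result['weekday_peak']:.0f} sessions")
    print(f"weekend window: {result['weekend_window']}")
    print(f"idle host-hours: {result['idle_host_hours']} of {result['total_host_hours']}")
```

The idle host-hours figure is the cost the session host count chart makes visible; re-running the same analysis after the scaling plan is assigned is the validation loop the paragraph above recommends.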
Next steps
Create a scaling plan
Azure Virtual Desktop Insights is a dashboard built on Azure Monitor Workbooks that
helps IT professionals understand their Azure Virtual Desktop environments. This topic
will walk you through how to set up Azure Virtual Desktop Insights to monitor your
Azure Virtual Desktop environments.
Important
The Log Analytics Agent is currently being deprecated. If you use the Log
Analytics Agent, you'll eventually need to migrate to the Azure Monitor Agent by
August 31, 2024.
Prerequisites
Before you start using Azure Virtual Desktop Insights, you'll need to set up the following
things:
All Azure Virtual Desktop environments you monitor must be based on the latest
release of Azure Virtual Desktop that’s compatible with Azure Resource Manager.
At least one configured Log Analytics Workspace. Use a designated Log Analytics
workspace for your Azure Virtual Desktop session hosts to ensure that
performance counters and events are only collected from session hosts in your
Azure Virtual Desktop deployment.
Enable data collection for the following things in your Log Analytics workspace:
Diagnostics from your Azure Virtual Desktop environment
Recommended performance counters from your Azure Virtual Desktop session
hosts
Recommended Windows Event Logs from your Azure Virtual Desktop session
hosts
The data setup process described in this article is the only one you'll need to
monitor Azure Virtual Desktop. You can disable all other items sending data to
your Log Analytics workspace to save costs.
Anyone monitoring Azure Virtual Desktop Insights for your environment will also
need to have the following Azure role-based access control (RBAC) roles assigned
as a minimum:
Desktop Virtualization Reader assigned on the resource group or subscription
where the host pools, workspaces and session hosts are.
Log Analytics Reader assigned on any Log Analytics workspace used with Azure
Virtual Desktop Insights.
You can also create a custom role to reduce the scope of assignment on the Log
Analytics workspace. For more information, see Manage access to Log Analytics
workspaces.
Note
Read access only lets admins view data. They'll need different permissions to
manage resources in the Azure Virtual Desktop portal.
Note
Standard data storage charges for Log Analytics will apply. To start, we recommend
you choose the pay-as-you-go model and adjust as you scale your deployment and
take in more data. To learn more, see Azure Monitor pricing.
The configuration workbook sets up your monitoring environment and lets you check
the configuration after you've finished the setup process. It's important to check your
configuration if items in the dashboard aren't displaying correctly, or when the product
group publishes updates that require new settings.
You can learn more about Azure Virtual Desktop diagnostics and the supported
diagnostic tables at Send Azure Virtual Desktop diagnostics to Log Analytics.
1. Under Host pool, check to see whether Azure Virtual Desktop diagnostics are
enabled. If they aren't, an error message will appear that says "No existing
diagnostic configuration was found for the selected host pool." You'll need to
enable the following supported diagnostic tables:
Management Activities
Feed
Connections
Errors
Checkpoints
HostRegistration
AgentHealthStatus
Note
If you don't see the error message, you don't need to do steps 2 through 4.
3. Select Deploy.
1. Under Workspace, check to see whether Azure Virtual Desktop diagnostics are
enabled for the Azure Virtual Desktop workspace. If they aren't, an error message
will appear that says "No existing diagnostic configuration was found for the
selected workspace." You'll need to enable the following supported diagnostics
tables:
Management Activities
Feed
Errors
Checkpoints
Note
If you don't see the error message, you don't need to do steps 2-4.
3. Select Deploy.
To collect information on your Azure Virtual Desktop session hosts, you must
configure a Data Collection Rule (DCR) to collect performance data and Windows
Event Logs, associate the session hosts with the DCR, install the Azure Monitor
Agent on all session hosts in host pools you're collecting data from, and ensure the
session hosts are sending data to a Log Analytics workspace.
The Log Analytics workspace you send session host data to doesn't have to be the
same one you send diagnostic data to.
To configure a DCR and select a Log Analytics workspace destination using the
configuration workbook:
1. From the Azure Virtual Desktop overview page, select Host pools, then select
the pooled host pool you want to monitor.
2. From the host pool overview page, select Insights, then select Open
Configuration Workbook.
3. Select the Session host data settings tab in the configuration workbook.
4. For Workspace destination, select the Log Analytics workspace you want to
send session host data to.
5. For DCR resource group, select the resource group in which you want to
create the DCR.
6. Select Create data collection rule to automatically configure the DCR using
the configuration workbook. This option only appears once you've selected a
workspace destination and a DCR resource group.
Session hosts
You need to install the Azure Monitor Agent on all session hosts in the host pool
and send data from those hosts to your selected Log Analytics workspace. If the
session hosts don't all meet the requirements, you'll see a Session hosts section at
the top of Session host data settings with the message Some hosts in the host
pool are not sending data to the selected Log Analytics workspace.
Note
If you don't see the Session hosts section or error message, all session hosts
are set up correctly. Automated deployment is limited to 1000 session hosts or
fewer.
3. Select Add extension to deploy the Azure Monitor Agent to all the session
hosts in the host pool.
5. Once the agent has installed and the managed identity has been added,
refresh the configuration workbook.
Note
For larger host pools (over 1,000 session hosts) or if you encounter
deployment issues, we recommend you install the Azure Monitor Agent when
you create a session host by using an Azure Resource Manager template.
For more information about data collection and usage, see the Microsoft Online Services
Privacy Statement.
Note
To learn about viewing or deleting your personal data collected by the service, see
Azure Data Subject Requests for the GDPR. For more information about GDPR, see
the GDPR section of the Service Trust portal.
Next steps
Now that you’ve configured Azure Virtual Desktop Insights for your Azure Virtual
Desktop environment, here are some resources that might help you start monitoring
your environment:
Check out our glossary to learn more about terms and concepts related to Azure
Virtual Desktop Insights.
To estimate, measure, and manage your data storage costs, see Estimate Azure
Virtual Desktop Insights costs.
If you encounter a problem, check out our troubleshooting guide for help and
known issues.
To see what's new in each version update, see What's new in Azure Virtual Desktop
Insights.
Analyze connection quality in Azure Virtual Desktop
Article • 06/12/2023
Important
The Connection Graphics Data Logs are currently in preview. See the Supplemental
Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure
features that are in beta, preview, or otherwise not yet released into general
availability.
Azure Virtual Desktop helps users host client sessions on their session hosts running on
Azure. When a user starts a session, they connect from their local device over a network
to access the session host. It's important that the user experience feels as much like a
local session on a physical device as possible. To understand the network connectivity
from a user's device to a session host, see Understanding Azure Virtual Desktop network
connectivity.
You can analyze connection quality in your Azure Virtual Desktop deployment by using
Azure Log Analytics. In this article, we'll talk about how you can measure your
connection network and connection graphics to improve the connection quality of your
end-users.
The round trip time measured in this table is protocol-agnostic and will record the
measured latency for Transmission Control Protocol (TCP) or User Datagram
Protocol (UDP) connections.
Connection network data
The network data you collect for your data tables using the NetworkData table includes
the following information:
The estimated round trip time (milliseconds) is the average estimated round trip
time during each connection time interval. Round trip time is how long a network
request takes to go from the end-user's device to the session host through the
network, then return from the session host to the end-user device.
The time generated is a timestamp in Coordinated Universal Time (UTC) time that
marks when an event the data counter is tracking happened on the virtual machine
(VM). All averages are measured by the time window that ends at the marked
timestamp.
The Resource ID is a unique ID assigned to the Azure Virtual Desktop host pool
associated with the data the diagnostics service collects for this table.
The source system, Subscription ID, Tenant ID, and type (table name).
Frequency
The service generates these network data points every two minutes during an active
session.
The graphics data you collect for your data tables includes the following information:
The Last evaluated connection time interval is the two minutes leading up to the
time graphics indicators fell below the quality threshold.
The end-to-end delay (milliseconds) is the delay in the time between when a
frame is captured on the server until the time frame is rendered on the client,
measured as the sum of the encoding delay on the server, network delay, the
decoding delay on the client, and the rendering time on the client. The delay
reflected is the highest (worst) delay recorded in the last evaluated connection
time interval.
The compressed frame size (bytes) is the compressed size of the frame with the
highest end-to-end delay in the last evaluated connection time interval.
The encoding delay on the server (milliseconds) is the time it takes to encode the
frame with the highest end-to-end delay in the last evaluated connection time
interval on the server.
The decoding delay on the client (milliseconds) is the time it takes to decode the
frame with the highest end-to-end delay in the last evaluated connection time
interval on the client.
The rendering delay on the client (milliseconds) is the time it takes to render the
frame with the highest end-to-end delay in the last evaluated connection time
interval on the client.
The recorded values (one each for client, server, and network) are from the second
with the highest dropped frames in the last evaluated connection time interval.
The estimated available bandwidth (kilobytes per second) is the average
estimated available network bandwidth during the second with the highest end-
to-end delay in the time interval.
The estimated round trip time (milliseconds), which is the average estimated
round trip time during the second with the highest end-to-end delay in the time
interval. Round trip time is how long a network request takes to go from the end-
user's device to the session host through the network, then return from the session
host to the end-user device.
The Correlation ID, which is the ActivityId of a specific Azure Virtual Desktop
connection that's assigned to every diagnostic within that connection.
The time generated, which is a timestamp in UTC time that marks when an event
the data counter is tracking happened on the virtual machine (VM). All averages
are measured by the time window that ends at the marked timestamp.
The Resource ID is a unique ID assigned to the Azure Virtual Desktop host pool
associated with the data the diagnostics service collects for this table.
The source system, Subscription ID, Tenant ID, and type (table name).
Frequency
In contrast to other diagnostics tables that report data at regular intervals throughout a
session, the frequency of data collection for the graphics data varies depending on the
graphical health of a connection. The table won't record data for "Good" scenarios, but
will record data if any of the following metrics are rated "Poor" or "Okay," and the
resulting data will be sent to your storage account. Data only records once every two
minutes, maximum. The metrics involved in data collection are listed in the following
table:
Metric | Poor | Okay | Good
Percentage of dropped frames with low frame rate (less than 15 fps) | Greater than 15% | 10%–15% | Less than 10%
Percentage of dropped frames with high frame rate (greater than 15 fps) | Greater than 50% | 20%–50% | Less than 20%
End-to-end delay per frame | Greater than 300 ms | 150 ms–300 ms | Less than 150 ms
Note
For end-to-end delay per frame, if any frame in a single second is delayed by over
300 ms, the service registers it as "Bad". If all frames in a single second take
between 150 ms and 300 ms, the service marks it as "Okay."
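The thresholds in the table and the per-second rule in the note decide whether a connection interval produces a row at all. The following Python is an added example, not code from the Azure Virtual Desktop service or from the article: it rates constructed per-second telemetry against those thresholds, applies the "any frame over 300 ms" rule, and only emits a record for an "Okay" or "Poor" interval, at most once per two minutes. The `SecondSample` shape, the field names, the use of frames captured per second as the frame rate, and the "slowest frame decides" handling of mixed seconds are assumptions made for the example and do not mirror the real table schema.

```python
"""Rate a connection time interval with the graphics quality thresholds from
the table above. Added example, not Microsoft's code; the per-second sample
shape, the field names and the sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

INTERVAL = timedelta(minutes=2)          # the "last evaluated connection time interval"
SEVERITY = {"Good": 0, "Okay": 1, "Poor": 2}


@dataclass
class SecondSample:
    """One second of graphics telemetry for a connection (constructed shape)."""
    timestamp: datetime
    frames_captured: int            # frames captured on the server in this second
    frames_dropped: int             # captured frames that never reached the client
    frame_delays_ms: List[float]    # end-to-end delay of each delivered frame

    @property
    def dropped_pct(self) -> float:
        if self.frames_captured == 0:
            return 0.0
        return 100.0 * self.frames_dropped / self.frames_captured


def rate_dropped_frames(dropped_pct: float, fps: float) -> str:
    """Rate the dropped-frame percentage; the row of thresholds depends on
    whether the frame rate is below or above 15 fps."""
    if fps < 15:
        poor_above, okay_from = 15.0, 10.0   # low frame rate row
    else:
        poor_above, okay_from = 50.0, 20.0   # high frame rate row
    if dropped_pct > poor_above:
        return "Poor"
    if dropped_pct >= okay_from:
        return "Okay"
    return "Good"


def rate_end_to_end_delay(frame_delays_ms: List[float]) -> str:
    """Rate one second by its frames' end-to-end delay as the note states:
    any frame over 300 ms makes the second Poor (the note says "Bad"); all
    frames in 150-300 ms make it Okay. Assumption: with a mix of fast and
    slow frames, the slowest frame decides."""
    if not frame_delays_ms:
        return "Good"                        # assumption: nothing rendered, nothing to flag
    worst = max(frame_delays_ms)
    if worst > 300:
        return "Poor"
    if worst >= 150:
        return "Okay"
    return "Good"


def worst_rating(ratings: List[str]) -> str:
    return max(ratings, key=SEVERITY.get)


def evaluate_interval(samples: List[SecondSample], now: datetime,
                      last_recorded: Optional[datetime] = None) -> Optional[Dict]:
    """Evaluate the two minutes leading up to `now`. Returns a record only
    when some metric is Okay or Poor, and at most once per two minutes;
    "Good" intervals produce nothing, as the text above describes."""
    window = [s for s in samples if now - INTERVAL <= s.timestamp <= now]
    if not window:
        return None
    if last_recorded is not None and now - last_recorded < INTERVAL:
        return None                          # data records once every two minutes, maximum
    ratings = {
        "dropped_frames": worst_rating(
            [rate_dropped_frames(s.dropped_pct, s.frames_captured) for s in window]),
        "end_to_end_delay": worst_rating(
            [rate_end_to_end_delay(s.frame_delays_ms) for s in window]),
    }
    if all(r == "Good" for r in ratings.values()):
        return None
    # The recorded values come from the worst seconds of the interval
    worst_drop = max(window, key=lambda s: s.dropped_pct)
    worst_delay = max(window, key=lambda s: max(s.frame_delays_ms, default=0))
    return {
        "interval_end": now,
        "ratings": ratings,
        "highest_end_to_end_delay_ms": max(worst_delay.frame_delays_ms, default=0),
        "highest_dropped_pct": round(worst_drop.dropped_pct, 1),
    }


def constructed_samples():
    """Three constructed seconds: one Good, one Poor on dropped frames at a
    low frame rate, one Okay on both metrics."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    return t0, [
        SecondSample(t0 + timedelta(seconds=1), 30, 2, [40, 55, 60]),
        SecondSample(t0 + timedelta(seconds=2), 12, 2, [80, 90]),
        SecondSample(t0 + timedelta(seconds=3), 30, 9, [160, 200, 300]),
    ]


def demo() -> Optional[Dict]:
    t0, samples = constructed_samples()
    return evaluate_interval(samples, t0 + timedelta(minutes=1))


def demo_rate_limited() -> Optional[Dict]:
    """Same interval, but a record was already written one minute ago."""
    t0, samples = constructed_samples()
    now = t0 + timedelta(minutes=1)
    return evaluate_interval(samples, now, last_recorded=now - timedelta(minutes=1))


if __name__ == "__main__":
    print(demo())
```

Note that `rate_end_to_end_delay` treats the 300 ms boundary as "Okay", matching the note's "between 150 ms and 300 ms", and that a single 320 ms frame in an otherwise fast second is enough to mark the whole second "Poor", which is why a single worst frame can dominate the values the table records.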
Next steps
Learn more about how to monitor and run queries about connection quality issues
at Monitor connection quality.
Troubleshoot connection and latency issues at Troubleshoot connection quality for
Azure Virtual Desktop.
To check the best location for optimal latency, see the Azure Virtual Desktop
Experience Estimator tool .
For pricing plans, see Azure Log Analytics pricing.
To get started with your Azure Virtual Desktop deployment, check out our tutorial.
To learn about bandwidth requirements for Azure Virtual Desktop, see
Understanding Remote Desktop Protocol (RDP) Bandwidth Requirements for Azure
Virtual Desktop.
To learn about Azure Virtual Desktop network connectivity, see Understanding
Azure Virtual Desktop network connectivity.
Learn how to use Azure Virtual Desktop Insights at Get started with Azure Virtual
Desktop Insights.
Collect and query connection quality
data
Article • 01/06/2023
Important
The Connection Graphics Data Logs are currently in preview. See the Supplemental
Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure
features that are in beta, preview, or otherwise not yet released into general
availability.
Connection quality is essential for good user experiences, so it's important to be able to
monitor connections for potential issues and troubleshoot problems as they arise. Azure
Virtual Desktop offers tools like Log Analytics that can help you monitor your
deployment's connection health. This article will show you how to configure your
diagnostic settings to let you collect connection quality data and query data for specific
parameters.
Prerequisites
To start collecting connection quality data, you’ll need to set up a Log Analytics
workspace.
Note
Normal storage charges for Log Analytics will apply. Learn more at Azure Monitor
Logs pricing details.
1. Sign in to the Azure portal, then go to Azure Virtual Desktop and select Host
pools.
2. Select the host pool you want to collect network data for.
3. Select Diagnostic settings, then create a new setting if you haven't configured
your diagnostic settings yet. If you've already configured your diagnostic settings,
select Edit setting.
4. Select allLogs if you want to collect data for all tables. The allLogs parameter will
automatically add new tables to your data table in the future.
If you'd prefer to view more specific tables, first select Network Data Logs and
Connection Graphics Data Logs Preview, then select the names of the other tables
you want to see.
5. Select where you want to send the collected data. Azure Virtual Desktop Insights
users should select a Log Analytics workspace.
7. Repeat this process for all other host pools you want to measure.
8. To check network data, return to the host pool's resource page, select Logs, then
run one of the queries in Sample queries for Azure Log Analytics. In order for your
query to get results, your host pool must have active users who've connected to
sessions before. Keep in mind that it can take up to 15 minutes for network data to
appear in the Azure portal.
Note
For each example, replace the userupn variable with the UPN of the user you want
to look up.
Kusto
// 90th, 50th, 10th Percentile for RTT in 10 min increments
WVDConnectionNetworkData
| summarize RTTP90=percentile(EstRoundTripTimeInMs,90), RTTP50=percentile(EstRoundTripTimeInMs,50), RTTP10=percentile(EstRoundTripTimeInMs,10) by bin(TimeGenerated,10m)
| render timechart
Kusto
// 90th, 50th, 10th Percentile for BW in 10 min increments
WVDConnectionNetworkData
| summarize BWP90=percentile(EstAvailableBandwidthKBps,90), BWP50=percentile(EstAvailableBandwidthKBps,50), BWP10=percentile(EstAvailableBandwidthKBps,10) by bin(TimeGenerated,10m)
| render timechart
To look up the top 10 users with the highest round trip time:
Kusto
WVDConnectionNetworkData
| join kind=leftouter (
    WVDConnections
    | distinct CorrelationId, UserName
) on CorrelationId
| summarize AvgRTT=avg(EstRoundTripTimeInMs), RTT_P95=percentile(EstRoundTripTimeInMs,95) by UserName
| top 10 by AvgRTT desc
To look up the top 10 users with the lowest estimated available bandwidth:
Kusto
WVDConnectionNetworkData
| join kind=leftouter (
    WVDConnections
    | distinct CorrelationId, UserName
) on CorrelationId
| summarize AvgBW=avg(EstAvailableBandwidthKBps), BW_P95=percentile(EstAvailableBandwidthKBps,95) by UserName
| top 10 by AvgBW asc
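The following Python is an added example, not code from the article or from Microsoft. It reproduces offline what the two query shapes above compute: percentiles of round trip time per 10-minute bin, and a left outer join of WVDConnectionNetworkData with WVDConnections on CorrelationId followed by the top users by average round trip time. Running it over constructed rows shows what a query should return for known input and, in particular, where network rows with no matching WVDConnections record end up under kind=leftouter. The row dictionaries, user names, correlation IDs and timestamps are constructed; only the column names are taken from the queries.

```python
"""Offline equivalents of the Kusto queries above over constructed rows.
Added example, not Microsoft's code; rows are constructed and only reuse the
column names from the queries."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import math
from typing import Dict, List, Optional, Tuple


def percentile(values: List[float], p: float) -> Optional[float]:
    """Nearest-rank percentile. Kusto's percentile() is an estimate, so the
    figures Log Analytics returns can differ slightly from this exact value."""
    if not values:
        return None
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def bin_time(ts: datetime, size: timedelta) -> datetime:
    """Equivalent of bin(TimeGenerated, 10m): round down to the bin start."""
    seconds = ts.timestamp()
    start = seconds - seconds % size.total_seconds()
    return datetime.fromtimestamp(start, tz=timezone.utc)


def rtt_percentiles_by_bin(network_rows: List[Dict],
                           bin_size: timedelta = timedelta(minutes=10)) -> Dict[datetime, Dict]:
    """summarize RTTP90/RTTP50/RTTP10 by bin(TimeGenerated, 10m)."""
    buckets: Dict[datetime, List[float]] = defaultdict(list)
    for row in network_rows:
        buckets[bin_time(row["TimeGenerated"], bin_size)].append(row["EstRoundTripTimeInMs"])
    return {
        start: {"RTTP90": percentile(v, 90), "RTTP50": percentile(v, 50), "RTTP10": percentile(v, 10)}
        for start, v in sorted(buckets.items())
    }


def top_users_by_rtt(network_rows: List[Dict], connection_rows: List[Dict],
                     n: int = 10) -> List[Tuple[str, float, float]]:
    """join kind=leftouter on CorrelationId, summarize by UserName, top n by AvgRTT desc."""
    # `distinct CorrelationId, UserName`; assumption: one user per connection
    user_by_corr = {c["CorrelationId"]: c["UserName"] for c in connection_rows}
    per_user: Dict[str, List[float]] = defaultdict(list)
    for row in network_rows:
        # kind=leftouter keeps network rows with no matching connection; they
        # land in a bucket with an empty UserName, which explains a nameless
        # entry at the top of the query result.
        per_user[user_by_corr.get(row["CorrelationId"], "")].append(row["EstRoundTripTimeInMs"])
    summary = [(user, sum(v) / len(v), percentile(v, 95)) for user, v in per_user.items()]
    summary.sort(key=lambda entry: entry[1], reverse=True)   # top n by AvgRTT desc
    return summary[:n]


def constructed_rows() -> Tuple[List[Dict], List[Dict]]:
    """Constructed network and connection rows; c-3 has no connection record."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    connections = [
        {"CorrelationId": "c-1", "UserName": "user1@contoso.example"},
        {"CorrelationId": "c-2", "UserName": "user2@contoso.example"},
    ]
    network = [
        {"TimeGenerated": t0 + timedelta(minutes=1), "CorrelationId": "c-1", "EstRoundTripTimeInMs": 30},
        {"TimeGenerated": t0 + timedelta(minutes=4), "CorrelationId": "c-1", "EstRoundTripTimeInMs": 50},
        {"TimeGenerated": t0 + timedelta(minutes=7), "CorrelationId": "c-2", "EstRoundTripTimeInMs": 120},
        {"TimeGenerated": t0 + timedelta(minutes=12), "CorrelationId": "c-2", "EstRoundTripTimeInMs": 200},
        {"TimeGenerated": t0 + timedelta(minutes=15), "CorrelationId": "c-3", "EstRoundTripTimeInMs": 90},
    ]
    return network, connections


if __name__ == "__main__":
    network, connections = constructed_rows()
    for start, stats in rtt_percentiles_by_bin(network).items():
        print(start.isoformat(), stats)
    for user, avg_rtt, p95 in top_users_by_rtt(network, connections):
        print(repr(user), avg_rtt, p95)
```

When the real query shows an empty UserName at the top of the list, that is the left outer join surfacing network rows whose CorrelationId has no row in WVDConnections in the query's time range, not a user with a blank name; widening the time range or switching to `kind=inner` changes what that row means.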
Next steps
Learn more about connection quality at Connection quality in Azure Virtual Desktop.
Send diagnostic data to Log Analytics
for Azure Virtual Desktop
Article • 04/09/2024
Important
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.
Azure Virtual Desktop uses Azure Monitor for monitoring and alerts like many other
Azure services. This lets admins identify issues through a single interface. The service
creates activity logs for both user and administrative actions. Each activity log falls under
the following categories:
Category | Description
Management Activities | Whether attempts to change Azure Virtual Desktop objects using APIs or PowerShell are successful.
Host registration | Whether a session host successfully registered with the service upon connecting.
Agent Health Status | Monitor the health and status of the Azure Virtual Desktop agent installed on each session host.
Network | The average network data for user sessions to monitor for details including the estimated round trip time.
Connection Graphics | Performance data from the Azure Virtual Desktop graphics stream.
Azure Monitor lets you analyze Azure Virtual Desktop data and review virtual machine
(VM) performance counters, all within the same tool. This article will tell you more about
how to enable diagnostics for your Azure Virtual Desktop environment.
Note
To learn how to monitor your VMs in Azure, see Monitoring Azure virtual
machines with Azure Monitor. Also, make sure to review the Azure Virtual
Desktop Insights glossary for a better understanding of your user experience on
the session host.
Prerequisites
Before you can use Azure Virtual Desktop with Log Analytics, you need:
A Log Analytics workspace. For more information, see Create a Log Analytics
workspace in Azure portal or Create a Log Analytics workspace with PowerShell.
After you've created your workspace, follow the instructions in Connect Windows
computers to Azure Monitor to get the following information:
The workspace ID
The primary key of your workspace
Access to specific URLs from your session hosts for diagnostics to work. For more
information, see Required URLs for Azure Virtual Desktop where you'll see entries
for Diagnostic output.
Make sure to review permission management for Azure Monitor to enable data
access for those who monitor and maintain your Azure Virtual Desktop
environment. For more information, see Get started with roles, permissions, and
security with Azure Monitor.
2. Navigate to the object (such as a host pool, application group, or workspace) that
you want to capture logs and events for.
3. Select Diagnostic settings in the menu on the left side of the screen.
4. Select Add diagnostic setting in the menu that appears on the right side of the
screen.
The options shown in the Diagnostic Settings page will vary depending on what
kind of object you're editing.
For example, when you're enabling diagnostics for an application group, you'll see
options to configure checkpoints, errors, and management. For workspaces, these
categories configure a feed to track when users subscribe to the list of apps. To
learn more about diagnostic settings see Create diagnostic setting to collect
resource logs and metrics in Azure.
Important
5. Enter a name for your settings configuration, then select Send to Log Analytics.
The name you use shouldn't have spaces and should conform to Azure naming
conventions. As part of the logs, you can select all the options that you want
added to your Log Analytics, such as Checkpoint, Error, Management, and so on.
6. Select Save.
Note
Log Analytics gives you the option to stream data to Event Hubs or archive it in a
storage account. To learn more about this feature, see Stream Azure monitoring
data to an event hub and Archive Azure resource logs to storage account.
How to access Log Analytics
You can access Log Analytics workspaces on the Azure portal or Azure Monitor.
4. From the list, select the workspace you configured for your Azure Virtual Desktop
object.
5. Once in your workspace, select Logs. You can filter out your menu list with the
Search function.
3. Select Logs.
4. Follow the instructions in the logging page to set the scope of your query.
5. You are ready to query diagnostics. All diagnostics tables have a "WVD" prefix.
Note
For more detailed information about the tables stored in Azure Monitor Logs, see
the Azure Monitor data reference. All tables related to Azure Virtual Desktop are
prefixed with "WVD."
Log Analytics only reports in these intermediate states for connection activities:
Started: when a user selects and connects to an app or desktop in the Remote
Desktop client.
Connected: when the user successfully connects to the VM where the app or
desktop is hosted.
Completed: when the user or server disconnects the session the activity took place
in.
Example queries
Access example queries through the Azure Monitor Log Analytics UI:
1. Go to your Log Analytics workspace, and then select Logs. The example query UI is
shown automatically.
2. Change the filter to Category.
3. Select Azure Virtual Desktop to review available queries.
4. Select Run to run the selected query.
Learn more about the sample query interface in Saved queries in Azure Monitor Log
Analytics.
The following query list lets you review connection information or issues for a single
user. You can run these queries in the Log Analytics query editor. For each query, replace
userupn with the UPN of the user you want to look up.
Kusto
WVDConnections
|where UserName == "userupn"
|take 100
|sort by TimeGenerated asc, CorrelationId
Kusto
WVDConnections
|where UserName == "userupn"
|take 100
|sort by TimeGenerated asc, CorrelationId
|summarize dcount(CorrelationId) by bin(TimeGenerated, 1d)
Kusto
WVDErrors
| where UserName == "userupn"
|take 100
Kusto
WVDErrors
| where CodeSymbolic =="ErrorSymbolicCode"
| summarize count(UserName) by CodeSymbolic
Note
When a user launches a full desktop session, their app usage in the session
isn't tracked as checkpoints in the WVDCheckpoints table.
The ResourcesAlias column in the WVDConnections table shows whether a
user has connected to a full desktop or a published app. The column only
shows the first app they open during the connection. Any published apps the
user opens are tracked in WVDCheckpoints .
The WVDErrors table shows you management errors, host registration issues,
and other issues that happen while the user subscribes to a list of apps or
desktops.
The WVDErrors table also helps you to identify issues that can be resolved by
admin tasks. The value on ServiceError should always equal false for these
types of issues. If ServiceError equals true , you'll need to escalate the issue
to Microsoft. Ensure you provide the CorrelationID for errors you escalate.
When debugging connectivity issues, in some cases client information might
be missing even if the connection event completes. This applies to the
WVDConnections and WVDCheckpoints tables.
Next steps
Enable Insights to monitor Azure Virtual Desktop.
To review common error scenarios that the diagnostics feature can identify for you,
see Identify and diagnose issues.
Session host statuses and health checks
in Azure Virtual Desktop
Article • 03/05/2024
The Azure Virtual Desktop Agent regularly runs health checks on the session host. The
agent assigns these health checks various statuses that include descriptions of how to
fix common issues. This article tells you what each status means and how to act on them
during a health check.
Note
If an issue is listed as non-fatal, the service can still run with the issue active.
However, we recommend you resolve the issue as soon as possible to prevent
future issues. If an issue is listed as fatal, it prevents the service from running. You
must resolve all fatal issues to make sure your users can access the session host.
Session host status | Description | Load balancing | How to resolve related issues
Available | This status means that the session host passed all health checks and is available to accept user connections. If a session host has reached its maximum session limit but has passed health checks, it's still listed as "Available." | New user sessions are load balanced here. | N/A
Needs Assistance | The session host didn't pass one or more of the following non-fatal health checks: the Geneva Monitoring Agent health check, the Azure Instance Metadata Service (IMDS) health check, or the URL health check. In this state, | New user sessions are load balanced here. | Follow the directions in Error: Session hosts are stuck in "Needs Assistance" state to resolve the issue.
Shutdown | The session host has been shut down. If the agent enters a shutdown state before connecting to the broker, its status changes to Unavailable. If you've shut down your session host and see an Unavailable status, that means the session host shut down before it could update the status, and doesn't indicate an issue. You should use this status with the VM instance view API to determine the power state of the VM. | Not available for load balancing. | Turn on the session host.
Unavailable | The session host is either turned off or hasn't passed fatal health checks, which prevents user sessions from connecting to this session host. | Not available for load balancing. | If the session host is off, turn it back on. If the session host didn't pass the domain join check or side-by-side stack listener health checks, refer to the table in Health check for ways to resolve the issue. If the status is still "Unavailable" after following those directions, open a support case.
Upgrade Failed | This status means that the Azure Virtual Desktop Agent couldn't update or upgrade. This status doesn't affect new or existing user sessions. | New user sessions are load balanced here. | Follow the instructions in the Azure Virtual Desktop Agent troubleshooting article.
Upgrading | This status means that the agent upgrade is in progress. This status updates to "Available" once the upgrade is done and the session host can accept connections again. | New user sessions are load balanced here. | If your session host is stuck in the "Upgrading" state, then reinstall the agent.
Health check
The health check is a test run by the agent on the session host. The following table lists
each type of health check and describes what it does.
Health check | Description | What happens if the check fails
Domain joined | Verifies that the session host is joined to a domain controller. | If this check fails, users won't be able to connect to the session host. To solve this issue, join your session host to a domain.
Geneva Monitoring Agent | Verifies that the session host has a healthy monitoring agent by checking if the monitoring agent is installed and running in the expected registry location. | If this check fails, it's semi-fatal. There may be successful connections, but they'll contain no logging information. To resolve this issue, make sure a monitoring agent is installed. If it's already installed, contact Microsoft support.
Side-by-side (SxS) Stack Listener | Verifies that the side-by-side stack is up and running, listening, and ready to receive connections. | If this check fails, it's fatal, and users won't be able to connect to the session host. Try restarting your virtual machine (VM). If restarting doesn't work, contact Microsoft support.
App attach health check | Verifies that the app attach or MSIX app attach service is working as intended during package staging or destaging. | If this check fails, it isn't fatal. However, certain apps stop working for end-users.
Domain trust check | Verifies the session host isn't experiencing domain trust issues that could prevent authentication when a user connects to a session. | If this check fails, it's fatal. The service won't be able to connect if it can't reach the authentication domain for the session host.
Metadata service check | Verifies the metadata service is accessible and returns compute properties. | If this check fails, it isn't fatal.
Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while creating an Azure Virtual Desktop environment and
host pool in an Azure Virtual Desktop environment, see Environment and host pool
creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To go through a troubleshooting tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.
Diagnostic logs can tell you which agent version is installed for an update, when it was
installed, and if the update was successful. If an update is unsuccessful, it might be
because the session host was turned off during the update. If that happened, you
should turn the session host back on.
This article describes how to use diagnostic logs in a Log Analytics workspace to
monitor agent updates.
1. Create a Log Analytics workspace, if you haven't already. Next, get the workspace
ID and primary key by following the instructions in Use Log Analytics for the
diagnostics feature.
2. Send diagnostics to the Log Analytics workspace you created by following the
instructions in Push diagnostics data to your workspace.
3. Follow the directions in How to access Log Analytics to access the logs in your
workspace.
Note
The log query results only cover the last 30 days of data in your deployment.
Note
If you haven't enabled the Scheduled Agent Updates feature, you won't see
anything in the NewPackagesAvailable field.
Kusto
WVDAgentHealthStatus
| where TimeGenerated >= ago(30d)
| where SessionHostName == "sessionHostName"
| project TimeGenerated, AgentVersion, SessionHostName,
LastUpgradeTimeStamp, UpgradeState, UpgradeErrorMsg
| sort by TimeGenerated desc
| take 1
3. Copy and paste the following Kusto query to see when the agent has updated for
the specified session host. Make sure to change the sessionHostName parameter
to the name of your session host.
Kusto
WVDAgentHealthStatus
| where TimeGenerated >= ago(30d)
| where SessionHostName == "sessionHostName"
| project TimeGenerated, AgentVersion, SessionHostName,
LastUpgradeTimeStamp, UpgradeState, UpgradeErrorMsg
| summarize arg_min(TimeGenerated, *) by AgentVersion
| sort by TimeGenerated asc
Next steps
For more information about Scheduled Agent Updates and the agent components,
check out the following articles:
Important
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.
You can use Azure Service Health to monitor service issues and health advisories for
Azure Virtual Desktop. Azure Service Health can notify you with different types of alerts
(for example, email or SMS), help you understand the effect of an issue, and keep you
updated as the issue resolves. Azure Service Health can also help you mitigate
downtime and prepare for planned maintenance and changes that could affect the
availability of your resources.
To learn more about Azure Service Health, see the Azure Health Documentation.
Next steps
Learn how to configure Azure Virtual Desktop Insights.
How to resolve Azure Advisor
recommendations
Article • 06/08/2021
This article describes how you can resolve recommendations that appear in Azure
Advisor for Azure Virtual Desktop.
"You don't have a validation environment enabled in this subscription. When you made
your host pools, you selected No for "Validation environment" in the Properties tab. To
ensure business continuity through Azure Virtual Desktop service deployments, make
sure you have at least one host pool with a validation environment where you can test
for potential issues.”
You can make this warning message go away by enabling a validation environment in
one of your host pools.
To enable a validation environment:
1. Go to your Azure portal home page and select the host pool you want to change.
2. Next, select the host pool you want to change from a production environment to a
validation environment.
3. In your host pool, select Properties on the left column. Next, scroll down until you
see “Validation environment.” Select Yes, then select Apply.
These changes won't make the warning go away immediately, but it should disappear
eventually. Azure Advisor updates twice a day. Until then, you can postpone or dismiss
the recommendation manually. We recommend you let the recommendation go away
on its own. That way, Azure Advisor can let you know if it comes across any problems as
the settings change.
For this recommendation, the warning message appears for one of these reasons:
We recommend users have fewer than half of their host pools in a validation
environment.
To resolve this warning:
2. Select the host pools you want to change from validation to
production.
3. In your host pool, select the Properties tab in the column on the right side of the
screen. Next, scroll down until you see “Validation environment.” Select No, then
select Apply.
These changes won't make the warning go away immediately, but it should disappear
eventually. Azure Advisor updates twice a day. Until then, you can postpone or dismiss
the recommendation manually. We recommend you let the recommendation go away
on its own. That way, Azure Advisor can let you know if it comes across any problems as
the settings change.
You need to unblock specific URLs to make sure that your virtual machine (VM)
functions properly. You can see the list at Safe URL list. If the URLs aren't unblocked,
then your VM won't work properly.
To solve this recommendation, make sure you unblock all the URLs on the Safe URL list.
You can use Service Tag or FQDN tags to unblock URLs, too.
Next steps
If you're looking for more in-depth guides about how to resolve common issues, check
out Troubleshooting overview, feedback, and support for Azure Virtual Desktop.
Troubleshooting overview, feedback,
and support for Azure Virtual Desktop
Article • 04/14/2023
Important
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.
This article provides an overview of the issues you may encounter when setting up an
Azure Virtual Desktop environment and provides ways to resolve the issues.
Report issues
To report issues or suggest features for Azure Virtual Desktop with Azure Resource
Manager integration, visit the Azure Virtual Desktop Tech Community . You can use the
Tech Community to discuss best practices or suggest and vote for new features.
When you make a post asking for help or propose a new feature, make sure you
describe your topic in as much detail as possible. Detailed information can help other
users answer your question or understand the feature you're proposing a vote for.
Escalation tracks
Before doing anything else, make sure to check the Azure status page and Azure
Service Health to make sure your Azure service is running properly.
Use the following table to identify and resolve issues you may encounter when setting
up an environment using Remote Desktop client. Once your environment's set up, you
can use our new Diagnostics service to identify issues for common scenarios.
Issue | Suggested solution
Session host pool Azure Virtual Network (VNET) and Express Route settings | Open an Azure support request, then select the appropriate service (under the Networking category).
Session host pool Virtual Machine (VM) creation when Azure Resource Manager templates provided with Azure Virtual Desktop aren't being used | Open an Azure support request, then select Azure Virtual Desktop for the service. For issues with the Azure Resource Manager templates that are provided with Azure Virtual Desktop, see the Azure Resource Manager template errors section of Host pool creation.
Managing Azure Virtual Desktop configuration tied to host pools and application groups (app groups) | See Azure Virtual Desktop PowerShell, or open an Azure support request, select Azure Virtual Desktop for the service, then select the appropriate problem type.
Deploying and managing FSLogix Profile Containers | See Troubleshooting guide for FSLogix products and if that doesn't resolve the issue, open an Azure support request, select Azure Virtual Desktop for the service, select FSLogix for the problem type, then select the appropriate problem subtype.
Remote desktop clients malfunction on start | See Troubleshoot the Remote Desktop client and if that doesn't resolve the issue, open an Azure support request, select Azure Virtual Desktop for the service, then select Remote Desktop clients for the problem type.
Connected but no feed | Troubleshoot using the User connects but nothing is displayed (no feed) section of Azure Virtual Desktop service connections.
Feed discovery problems due to the network | Your users need to contact their network administrator.
Connecting clients | See Azure Virtual Desktop service connections and if that doesn't solve your issue, see Session host virtual machine configuration.
Responsiveness of remote applications or desktop | If issues are tied to a specific application or product, contact the team responsible for that product.
Licensing messages or errors | If issues are tied to a specific application or product, contact the team responsible for that product.
Issues with third-party authentication methods or tools | Verify that your third-party provider supports Azure Virtual Desktop scenarios and approach them regarding any known issues.
Issues using Log Analytics for Azure Virtual Desktop | For issues with the diagnostics schema, open an Azure support request.
Issues using Microsoft 365 apps | Contact the Microsoft 365 admin center with one of the Microsoft 365 admin center help options.
Next steps
To troubleshoot issues while creating a host pool in an Azure Virtual Desktop
environment, see host pool creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues with Azure Virtual Desktop client connections, see Azure
Virtual Desktop service connections.
To troubleshoot issues with Remote Desktop clients, see Troubleshoot the Remote
Desktop client
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To learn more about the service, see Azure Virtual Desktop environment.
To go through a troubleshooting tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.
To learn about auditing actions, see Audit operations with Resource Manager.
To learn about actions to determine errors during deployment, see View
deployment operations.
Host pool creation
Article • 03/31/2023
Important
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.
This article covers issues during the initial setup of the Azure Virtual Desktop tenant and
the related session host pool infrastructure.
Provide feedback
Visit the Azure Virtual Desktop Tech Community to discuss the Azure Virtual Desktop
service with the product team and active community members.
Fix: Sign in to the subscription where you'll deploy the session host virtual machines
(VMs) with an account that has at least contributor-level access.
Create a new host pool with the same parameters but fewer VMs and VM cores.
Open the link you see in the statusMessage field in a browser to submit a request
to increase the quota for your Azure subscription for the specified VM SKU.
Fix: To get the latest list of regions, re-register the resource provider:
When you re-register the resource provider, you won't see any specific UI feedback or
update statuses. The re-registration process also won't interfere with your existing
environments.
1. Review errors in the deployment using View deployment operations with Azure
Resource Manager.
2. If there are no errors in the deployment, review errors in the activity log using View
activity logs to audit actions on resources.
3. Once the error is identified, use the error message and the resources in
Troubleshoot common Azure deployment errors with Azure Resource Manager to
address the issue.
4. Delete any resources created during the previous deployment and retry deploying
the template again.
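The four steps above locate the failing operation and its statusMessage. As an added example that is not part of the article, the following Azure PowerShell function lists the failed operations of a deployment and unwraps the error nested inside each statusMessage (Azure nests JSON strings inside "message" fields, as the escaped \r\n blobs later in this article show). It requires the Az.Resources module and a Connect-AzAccount session; the function names are this example's own, and the resource group and deployment names are placeholders.

```powershell
# Added example, not from the article. Requires Az.Resources and Connect-AzAccount.

function ConvertFrom-JsonSafe {
    # Returns $null instead of throwing when the text is not JSON
    param([string] $Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    try { return ($Text | ConvertFrom-Json -ErrorAction Stop) } catch { return $null }
}

function Get-AvdDeploymentFailure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $DeploymentName
    )

    Get-AzResourceGroupDeploymentOperation -ResourceGroupName $ResourceGroupName -DeploymentName $DeploymentName |
        Where-Object { $_.ProvisioningState -eq 'Failed' } |
        ForEach-Object {
            # Older Az.Resources versions return StatusMessage as an object, newer ones as a JSON string
            $status = if ($_.StatusMessage -is [string]) { $_.StatusMessage }
                      else { $_.StatusMessage | ConvertTo-Json -Depth 20 }

            $code = $null
            $message = $status
            $obj = ConvertFrom-JsonSafe $status
            # Walk error -> details[0] -> (JSON embedded in message) until nothing nests further
            while ($null -ne $obj) {
                $err = if ($obj.PSObject.Properties['error']) { $obj.error } else { $obj }
                if ($err.code)    { $code = $err.code }
                if ($err.message) { $message = $err.message }
                $next = $null
                if ($err.details) { $next = @($err.details)[0] }
                elseif ($err.message) { $next = ConvertFrom-JsonSafe ([string]$err.message) }
                $obj = $next
            }

            [pscustomobject]@{
                Target     = $_.TargetResource   # property name assumed from Az.Resources output
                StatusCode = $_.StatusCode
                ErrorCode  = $code               # e.g. InvalidParameter, VMExtensionProvisioningError
                Message    = $message            # innermost message; a quota error carries its request link here
            }
        }
}

# Placeholder names; replace with the resource group and deployment that failed
# Get-AvdDeploymentFailure -ResourceGroupName '<resource-group>' -DeploymentName '<deployment-name>' | Format-List
```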
Error
Cause 1: Credentials provided for joining VMs to the domain are incorrect.
Fix 1: See the "Incorrect credentials" error for VMs are not joined to the domain in
Session host VM configuration.
Fix 2: See Error: Domain name doesn't resolve in Session host VM configuration.
Cause: The subscription you're using is a type that can't access required features in the
region where the customer is trying to deploy. For example, MSDN, Free, or Education
subscriptions can show this error.
Fix: Change your subscription type or region to one that can access the required
features.
Error: VMExtensionProvisioningError
Error
{ …
  {
    "provisioningOperation": "Create",
    "provisioningState": "Failed",
    "timestamp": "2019-01-29T20:53:18.904917Z",
    "duration": "PT3.0574505S",
    "trackingId": "1f460af8-34dd-4c03-9359-9ab249a1a005",
    "statusCode": "BadRequest",
    "statusMessage": {
      "error": {
        "code": "InvalidParameter",
        "message": "The Admin Username specified is not allowed.",
        "target": "adminUsername"
      }
    }
  }
… }
Error
Cause: PowerShell DSC extension was not able to get admin access on the VM.
Fix: Confirm username and password have administrative access on the virtual machine
and run the Azure Resource Manager template again.
Error
{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.",
  "details": [
    {
      "code": "Conflict",
      "message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"VMExtensionProvisioningError\",\r\n \"message\": \"VM has reported a failure when processing extension 'dscextension'. Error message: \\\"DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: One or more errors occurred. The SendConfigurationApply function did not succeed.\\\".\"\r\n }\r\n ]\r\n }\r\n}"
    }
  ]
}
Cause: PowerShell DSC extension was not able to get admin access on the VM.
Fix: Confirm username and password provided have administrative access on the virtual
machine and run the Azure Resource Manager template again.
Error
{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.",
  "details": [
    {
      "code": "Conflict",
      "message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"DeploymentFailed\",\r\n \"message\": \"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.\",\r\n \"details\": [\r\n {\r\n \"code\": \"BadRequest\",\r\n \"message\": \"{\\r\\n \\\"error\\\": {\\r\\n \\\"code\\\": \\\"InvalidResourceReference\\\",\\r\\n \\\"message\\\": \\\"Resource /subscriptions/EXAMPLE/resourceGroups/ernani-wvd-demo/providers/Microsoft.Network/virtualNetworks/wvd-vnet/subnets/default referenced by resource /subscriptions/EXAMPLE/resourceGroups/ernani-wvd-demo/providers/Microsoft.Network/networkInterfaces/erd. Please make sure that the referenced resource exists, and that both resources are in the same region.\\\",\\r\\n\\\"details\\\": []\\r\\n }\\r\\n}\"\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}"
    }
  ]
}
Cause: Part of the resource group name is used for certain resources being created by
the template. Due to the name matching existing resources, the template may select an
existing resource from a different group.
Fix: When running the Azure Resource Manager template to deploy session host VMs,
make the first two characters unique for your subscription resource group name.
Error
Cause: This error is because the NIC created with the Azure Resource Manager template
has the same name as another NIC already in the VNET.
Error
Fix: Remove blocking static route, firewall rule, or NSG. Optionally, open the Azure
Resource Manager template json file in a text editor, take the link to zip file, and
download the resource to an allowed location.
Error: Can't delete a session host from the host pool after
deleting the VM
Cause: You need to delete the session host before you delete the VM.
Fix: Put the session host in drain mode, sign out all users from the session host, then
delete the host.
Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues with Azure Virtual Desktop client connections, see Azure
Virtual Desktop service connections.
To troubleshoot issues with Remote Desktop clients, see Troubleshoot the Remote
Desktop client.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To learn more about the service, see Azure Virtual Desktop environment.
To go through a troubleshooting tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.
To learn about auditing actions, see Audit operations with Resource Manager.
To learn about actions to determine the errors during deployment, see View
deployment operations.
Troubleshoot the Azure Virtual Desktop
quickstart
Article • 05/07/2024
The Azure Virtual Desktop quickstart uses nested templates to deploy Azure resources
for validation and automation in Azure Virtual Desktop. The quickstart creates either two
or three resource groups based on whether the subscription it's running on has existing
Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services or not. All
resource groups start with the same user-defined prefix.
When you run the nested templates, they create three resource groups and a template
that provisions Azure Resource Manager resources. The following lists show each
resource group and the templates they run.
easy-button-roleassignment-job-linked-template
easy-button-prerequisitecompletion-job-linked-template
easy-button-prerequisite-job-linked-template
easy-button-inputvalidation-job-linked-template
easy-button-deploymentResources-linked-template
easy-button-prerequisite-user-setup-linked-template
Note
NSG-linkedTemplate
vmCreation-linkedTemplate
Workspace-linkedTemplate
wvd-resources-linked-template
easy-button-wvdsetup-linked-template
easy-button-prerequisite-resources-linked-template
Note
This resource group is optional, and will only appear if your subscription doesn't
have Microsoft Entra Domain Services or AD DS.
No subscriptions
In this issue, you see an error message that says "no subscriptions" when opening the
quickstart. This happens when you try to open the feature without an active Azure
subscription.
To fix this issue, check to see if your subscription or the affected user has an active Azure
subscription. If they don't, assign the user the Owner Role-based Access Control (RBAC)
role on their subscription.
To fix this issue, sign in with an Azure account that has Owner permissions, then assign
the Owner RBAC role to the affected account.
This issue happens when you run the feature with a prefix that was already used to start
a deployment. When the feature creates a deployment, it creates an object to represent
the deployment in Azure. Certain values in the object, like the image, become attached
to that object to prevent multiple objects from using the same images.
To fix this issue, you can either delete all resource groups with the existing prefix or use
a new prefix.
This error message appears because Azure doesn't allow certain words in usernames for
public endpoints. For a full list of blocked words, see Resolve reserved resource name
errors.
To resolve this issue, either try a new word or add letters to the blocked word to make it
unique. For example, if the word "admin" is blocked, try using "AVDadmin" instead.
To resolve this issue, make sure you use an account that follows Microsoft's password
guidelines or uses Microsoft Entra Password Protection.
azure
"error": {
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
  "details": [
    {
      "code": "Conflict",
      "message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"VMExtensionProvisioningError\",\r\n \"message\": \"VM has reported a failure when processing extension 'Microsoft.Powershell.DSC'. Error message: \\\"DSC Configuration 'AddADDSUser' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: Some error occurred in DSC CreateUser SetScript: \\r\\n\\r\\nException : Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException: Cannot find an object with \\r\\n identity: 'Adam S' under: 'DC=GT090617,DC=onmicrosoft,DC=com'.\\r\\n at Microsoft.ActiveDirectory.Management.Commands.ADFactoryUtil.GetObjectFromIdentitySearcher(\\r\\n ADObjectSearcher searcher, ADEntity identityObj, String searchRoot, AttributeSetRequest attrs, \\r\\n CmdletSessionInfo cmdletSessionInfo, String[]& warningMessages)\\r\\n at \\r\\n Microsoft.ActiveDirectory.Management.Commands.ADFactory`1.GetDirectoryObjectFromIdentity(T \\r\\n identityObj, String searchRoot, Boolean showDeleted)\\r\\n at \\r\\n Microsoft.ActiveDirectory.Management.Commands.SetADGroupMember`1.ValidateMembersParameter()\\r\\nTargetObject : Adam S\\r\\nCategoryInfo : ObjectNotFound: (Adam S:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException\\r\\nFullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGro\\r\\n upMember\\r\\nErrorDetails : \\r\\nInvocationInfo : System.Management.Automation.InvocationInfo\\r\\nScriptStackTrace : at <ScriptBlock>, C:\\\\Packages\\\\Plugins\\\\Microsoft.Powershell.DSC\\\\2.83.1.0\\\\DSCWork\\\\DSCADUserCreatio\\r\\n nScripts_2020-04-28.2\\\\Script-CreateADDSUser.ps1: line 98\\r\\n at <ScriptBlock>, <No file>: line 8\\r\\n at ScriptExecutionHelper, C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\PSDesiredStateConfi\\r\\n guration\\\\DscResources\\\\MSFT_ScriptResource\\\\MSFT_ScriptResource.psm1: line 270\\r\\n at Set-TargetResource, C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\PSDesiredStateConfigur\\r\\n ation\\\\DscResources\\\\MSFT_ScriptResource\\\\MSFT_ScriptResource.psm1: line 144\\r\\nPipelineIterationInfo : {}\\r\\nPSMessageDetails : \\r\\n\\r\\n\\r\\n\\r\\n The SendConfigurationApply function did not succeed.\\\"\\r\\n\\r\\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot \"\r\n }\r\n ]\r\n }\r\n}"
    }
  ]
}
To resolve this issue, uninstall the Microsoft.Powershell.DSC extension, then run the
quickstart again.
azure
{
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
    "details": [
      {
        "code": "Conflict",
        "message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\"\r\n }\r\n}"
      }
    ]
  }
}
4. Select the Exception tab. You should see an error message that looks like this:
azure
There currently isn't a way to fix this issue permanently. As a workaround, run the Azure
Virtual Desktop quickstart again, but this time don't create a validation user. After that,
create your new users with the manual process only.
Validate that the domain administrator UPN exists for a
new profile
To check if the UPN address is causing the issue with the template:
If the UPN exists on your new subscription, there are two potential causes for the issue:
The quickstart didn't create the domain administrator profile, because the user
already exists. To resolve this, run the quickstart again, but this time enter a
username that doesn't already exist in your identity provider.
The quickstart didn't create the validation user profile. To resolve this issue, run the
quickstart again, but this time don't create any validation users. After that, create
new users with the manual process only.
azure
{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal
provisioning state 'Failed'."
}
}
2. Under recent jobs there will be a job with failed status. Click on Failed.
This error happens when the Azure admin UPN you entered isn't correct. To resolve this
issue, make sure you're entering the correct username and password, then try again.
azure
{
"status": "Failed",
"error": {
"code": "BadRequest",
"message": "Multiple VMExtensions per handler not supported for OS
type 'Windows'. VMExtension 'Microsoft.Powershell.DSC' with handler
'Microsoft.Powershell.DSC' already added or specified in input."
}
}
To resolve this issue, before you run the quickstart, make sure to remove any currently
running instance of Microsoft.Powershell.DSC from the domain controller VM.
Failure in easy-button-prerequisitecompletion-
job-linked-template
The user group for the validation users is located in the "USERS" container. However, the
user group must be synced to Microsoft Entra ID in order to work properly. If it isn't,
you'll get an error message that looks like this:
azure
{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal
provisioning state ‘Failed’."
}
}
To make sure the issue is caused by the validation user group not syncing, open the
<prefix>-prerequisites resource group and look for a file named
prerequisiteSetupCompletionRunbook. Select the runbook, then select All Logs.
Next steps
Learn more about the quickstart at Deploy Azure Virtual Desktop with the quickstart.
Important
Session host update for Azure Virtual Desktop is currently in PREVIEW. This preview
is provided as-is, with all faults and as available, and is excluded from the service-
level agreements (SLAs) or any limited warranties Microsoft provides for Azure
services in general availability. To register for the limited preview, complete this
form: https://forms.office.com/r/ZziQRGR1Lz.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal
terms that apply to Azure features that are in beta, preview, or otherwise not yet
released into general availability.
Session host update in Azure Virtual Desktop enables you to easily update session host
virtual machines (VMs) in a host pool with a session host configuration. This article helps
troubleshoot some issues you could run into.
availability zones for your chosen region and subscription quota and provide a
supported combination. Use the PowerShell cmdlet Get-AzComputeResourceSku
to identify the restrictions for a given combination of a VM SKU and region.
ensure the provided parameters meet the requirements for session host creation.
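As an added example that is not part of the article, the following Azure PowerShell function runs the pre-flight check the list above describes: it uses Get-AzComputeResourceSku (which the article points to) to find location and availability zone restrictions for a VM SKU, and Get-AzVMUsage to compare the vCPU quota that remains in the SKU's family against one update batch. It requires the Az.Compute module and a Connect-AzAccount session; the function name, parameters and sample values are this example's own.

```powershell
# Added example, not from the article. Requires Az.Compute and Connect-AzAccount.

function Test-AvdSkuAvailability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VmSize,    # e.g. Standard_D4s_v5 (constructed sample)
        [Parameter(Mandatory)] [string] $Location,  # e.g. westeurope
        [string[]] $Zones = @(),                    # zones you intend to deploy into, e.g. '1','2'
        [int] $BatchSize = 1                        # session hosts created per update batch
    )
    $problems = @()

    $sku = Get-AzComputeResourceSku -Location $Location |
        Where-Object { $_.ResourceType -eq 'virtualMachines' -and $_.Name -eq $VmSize } |
        Select-Object -First 1
    if (-not $sku) {
        return [pscustomobject]@{ Supported = $false; Problems = @("$VmSize is not offered in $Location") }
    }

    # Zones in which this SKU is offered for the region (empty for regions without zones)
    $offeredZones = @($sku.LocationInfo | Where-Object { $_.Location -eq $Location } |
                      ForEach-Object { $_.Zones })

    # Restrictions say whether the whole location or specific zones are blocked for this
    # subscription and why (ReasonCode is e.g. NotAvailableForSubscription or QuotaId)
    foreach ($r in $sku.Restrictions) {
        if ("$($r.Type)" -eq 'Location') {
            $problems += "$VmSize is restricted in $Location for this subscription ($($r.ReasonCode))"
        }
        elseif ("$($r.Type)" -eq 'Zone') {
            $blocked = @($r.RestrictionInfo.Zones)
            $clash = @($Zones | Where-Object { $blocked -contains $_ })
            if ($clash.Count -gt 0) {
                $problems += "Zones $($clash -join ',') are restricted for $VmSize ($($r.ReasonCode))"
            }
        }
    }
    foreach ($z in $Zones) {
        if ($offeredZones -notcontains $z) {
            $problems += "Zone $z is not offered for $VmSize in $Location (offered: $($offeredZones -join ','))"
        }
    }

    # Quota: vCPUs needed for one batch versus what the SKU family still has left in the region
    $vcpus = [int]($sku.Capabilities | Where-Object { $_.Name -eq 'vCPUs' }).Value
    $usage = Get-AzVMUsage -Location $Location | Where-Object { $_.Name.Value -eq $sku.Family }
    $remaining = if ($usage) { $usage.Limit - $usage.CurrentValue } else { 0 }
    $needed = $vcpus * $BatchSize
    if ($needed -gt $remaining) {
        $problems += "A batch of $BatchSize x $VmSize needs $needed vCPUs but only $remaining remain in $($sku.Family)"
    }

    [pscustomobject]@{
        VmSize         = $VmSize
        Location       = $Location
        OfferedZones   = $offeredZones
        RemainingvCPUs = $remaining
        Supported      = ($problems.Count -eq 0)
        Problems       = $problems
    }
}

# Sample call with constructed values:
# Test-AvdSkuAvailability -VmSize 'Standard_D4s_v5' -Location 'westeurope' -Zones '1','2' -BatchSize 10
```

Only the SKU family quota is checked; the regional total vCPU quota and the subnet address space the article also mentions are not.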
If the session host configuration fails to be created when you create a host pool, you
can't create a session host configuration for this host pool using the Azure portal. Instead,
create the session host configuration with PowerShell using the
New-AzWvdSessionHostConfiguration cmdlet, or delete the host pool and recreate it.
Failed updates
When you update session hosts using session host update, it's possible that an
individual session host fails to update. In this case, session host update attempts to roll
back the update on that session host. The intention for the rollback is to maintain the
capacity of the entire host pool, even though this session host is rolled back to a
previous version of the session host configuration, rather than forcing the session host
to be unavailable and reducing the capacity of the host pool. Other session hosts in the
host pool that successfully updated aren't rolled back. Session hosts that didn't start
updating aren't updated.
Once a session host fails to update, session host update completes updating the current
batch of session hosts, then marks the update as failed. In this scenario, the only options
are to retry the update or cancel it. If you retry the update, session host update again
attempts to update the session hosts that failed, plus the remaining session hosts not
previously attempted. The existing batch size is used.
If a session host fails to roll back successfully, it isn't available to host sessions and
capacity is reduced. The session host is no longer the same as the other session hosts in
the host pool and doesn't match the session host configuration. You should investigate
why the update of the session host failed and resolve the issue before scheduling a new
update. Once you schedule a new update, session host update attempts to update the
session hosts that failed so they all match, plus any session hosts that weren't started in
the previous update attempt.
Update failed to initiate: The update flow is incorrect. For example, an image that's incompatible with the virtual machine SKU. You can't retry the update; you need to cancel it and schedule a new update.
Update failed: The update failed while it was in progress. If you retry the update, it continues with the session host it stopped at previously.
Session host rollback failed: If a session host fails to update, session host update tries to roll back the update on that session host. If the rollback fails and you retry the update, it continues with the session host it stopped at previously.
You can get any errors for an update by following the steps to Monitor the progress of
an update. When you use Azure PowerShell, the variable $updateProgress contains error
details in the following properties:
$updateProgress.PropertiesUpdateStatus
$updateProgress.UpdateProgressError
$updateProgress.UpdateProgressError.FaultText
Once you identify the issue, you can either retry the update, or cancel it and schedule a
new update.
Here are some example failures that prevent an update from starting:
No session hosts to update: the error HostpoolHasNoSessionHosts is returned when
there are no session hosts to update as part of the session host update. If you
didn't make changes to the session host configuration prior to initiating an update,
this error is returned.
Capacity issues: validation checks for sufficient capacity in your virtual network
subnet and VM core quota. This check does not guarantee capacity during an
update; creation of other resources outside of session host update can result in
errors mid-update associated with capacity limits. Set your batch size to be within
the remaining quota for your subscription.
Parameter consistency with current session hosts: session host update doesn't
support changing the region, subscription, resource group, or domain join type for
a session host. If the session host configuration contains properties in these fields
that differ from the session hosts in the host pool, the update fails to start. You
should remove the session hosts that are inconsistent with the configuration.
Here are some example failures that can occur during an update:
VM creation failures: VM creation can fail for a variety of reasons not specific to
Azure Virtual Desktop, for example the exhaustion of subscription capacity, or
issues with the provided image. You should review the error message provided to
determine the appropriate remediation. Open a support case with Azure support if
you need further assistance.
Agent installation, domain join, and session host health errors or timeout: Agent,
domain join, and other session host health errors that occur in the first validation
batch can often be resolved by reviewing guidance for addressing deployment and
domain join failures for Azure Virtual Desktop, and by ensuring your image doesn't
have the PowerShell DSC extension installed. If the extension is installed on the
image, remove the folder C:\packages\plugin from the image. If the failure is
intermittent, with some session hosts successfully updating and others
encountering an error such as AgentRegistrationFailureGeneric, retrying the
update can often resolve the issue.
Resource modification and access errors: modifying resources that are impacted
in the update can result in errors during an update. Some of the errors that can
result include deletion of resources and resource groups, changes to permissions,
changes to power state, and changes to drain mode. In addition, if your Azure
resources are locked and/or Azure policy limits the Azure Virtual Desktop service
from modifying your session hosts, the update fails. Review Azure activity logs if
you encounter related errors. Open a support case with Azure support if you need
further assistance.
Next steps
Example diagnostic queries for session host update in Azure Virtual Desktop
Important
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.
Use this article to troubleshoot issues you're having when configuring the Azure Virtual
Desktop session host virtual machines (VMs).
Provide feedback
Visit the Azure Virtual Desktop Tech Community to discuss the Azure Virtual Desktop
service with the product team and active community members.
Join the VM manually using the process in Join a Windows Server virtual machine
to a managed domain or using the domain join template.
Try pinging the domain name from a command line on the VM.
Review the list of domain join error messages in Troubleshooting Domain Join
Error Messages.
Fix 1: Create VNET peering between the VNET where VMs were provisioned and the
VNET where the domain controller (DC) is running. See Create a virtual network peering
- Resource Manager, different subscriptions.
Cause 2: When using Azure Active Directory Domain Services (Azure AD DS), the virtual
network doesn't have its DNS server settings updated to point to the managed domain
controllers.
Fix 2: To update the DNS settings for the virtual network containing Azure AD DS, see
Update DNS settings for the Azure virtual network.
Cause 3: The network interface's DNS server settings don't point to the appropriate DNS
server on the virtual network.
Fix 3: Take one of the following actions to resolve, following the steps in Change DNS
servers.
Change the network interface's DNS server settings to Custom with the steps from
Change DNS servers and specify the private IP addresses of the DNS servers on the
virtual network.
Change the network interface's DNS server settings to Inherit from virtual
network with the steps from Change DNS servers, then change the virtual
network's DNS server settings with the steps from Change DNS servers.
Follow these instructions to confirm the components are installed and to check for error
messages.
1. Confirm that the two components are installed by checking in Control Panel >
Programs > Programs and Features. If Azure Virtual Desktop Agent and Azure
Virtual Desktop Agent Boot Loader aren't visible, they aren't installed on the VM.
2. Open File Explorer and navigate to C:\Windows\Temp\ScriptLog.log. If the file is
missing, it indicates that the PowerShell DSC that installed the two components
wasn't able to run in the security context provided.
3. If the file C:\Windows\Temp\ScriptLog.log is present, open it and check for error
messages.
Fix 1: Manually add the missing components to the VMs using Create a host pool with
PowerShell.
Cause 2: PowerShell DSC was able to start and execute but failed to complete as it can't
sign in to Azure Virtual Desktop and obtain needed information.
Fix 2: Confirm the items in the following list.
Manually register the VMs with the Azure Virtual Desktop service.
Confirm the account used for connecting to Azure Virtual Desktop has permissions on
the Azure subscription or resource group to create host pools.
Confirm the account doesn't have MFA.
Fix 1: Launch Task Manager and, if the Services tab reports a stopped status for the
RDAgentBootLoader service, start the service.
Cause 2: Port 443 may be closed.
1. Confirm port 443 is open by downloading the PSPing tool from Sysinternals tools.
3. Open the command prompt as an administrator and issue the command below:
psping rdbroker.wvdselfhost.microsoft.com:443
If you're having issues with the Azure Virtual Desktop side-by-side stack, run the
qwinsta command from the command prompt to confirm that the side-by-side stack is
installed and enabled.
The output of qwinsta lists rdp-sxs if the side-by-side stack is installed and enabled.
Examine the registry entries listed below and confirm that their values match. If registry
keys are missing or values are mismatched, make sure you're running a supported
operating system. If you are, follow the instructions in Register session hosts to a host
pool for how to reinstall the side-by-side stack.
registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\rds-sxs\"fEnableWinstation":DWORD=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings\"SessionDirectoryListener":rdp-sxs
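The checks in this section (agent components in Programs and Features, ScriptLog.log, the RDAgentBootLoader service, port 443 to the broker, qwinsta and the two registry values) can be run together. The following is an added example that is not part of the article, to be run from an elevated PowerShell prompt on the session host itself. Test-NetConnection stands in for the PSPing tool the article uses; the broker hostname and registry values are the ones the article lists; the function name and the display-name patterns used to find the agent in Programs and Features are this example's assumptions.

```powershell
# Added example, not from the article. Run elevated on the session host.

function Test-AvdSessionHost {
    [CmdletBinding()]
    param(
        [string] $Broker = 'rdbroker.wvdselfhost.microsoft.com'   # hostname from the article's psping step
    )
    $r = [ordered]@{}

    # 1. Agent and Agent Boot Loader appear in Programs and Features (Uninstall registry keys).
    #    Display-name patterns are an assumption; adjust if your entries are named differently.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $names = @(Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty DisplayName -ErrorAction SilentlyContinue)
    $r.BootLoaderInstalled = [bool]@($names -match 'Agent Boot Loader')
    $r.AgentInstalled      = [bool]@(($names -match 'Agent') | Where-Object { $_ -notmatch 'Boot Loader' })

    # 2. Did the PowerShell DSC script that installs them get to run? (C:\Windows\Temp\ScriptLog.log)
    $log = 'C:\Windows\Temp\ScriptLog.log'
    $r.ScriptLogPresent = Test-Path -Path $log
    $r.ScriptLogErrors  = if ($r.ScriptLogPresent) {
        @(Select-String -Path $log -Pattern 'error|exception' | Select-Object -First 5 | ForEach-Object { $_.Line })
    } else { @() }

    # 3. RDAgentBootLoader service state (should be Running)
    $svc = Get-Service -Name RDAgentBootLoader -ErrorAction SilentlyContinue
    $r.BootLoaderService = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }

    # 4. Outbound TCP 443 to the broker (the article's psping check)
    $r.BrokerPort443Open = (Test-NetConnection -ComputerName $Broker -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

    # 5. Side-by-side stack listener visible in qwinsta output
    $r.SxsListenerInQwinsta = [bool](qwinsta 2>$null | Select-String -Pattern 'rdp-sxs' -Quiet)

    # 6. Registry values the article says must match
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $fEnable  = (Get-ItemProperty -Path "$ts\WinStations\rds-sxs" -Name fEnableWinstation -ErrorAction SilentlyContinue).fEnableWinstation
    $listener = (Get-ItemProperty -Path "$ts\ClusterSettings" -Name SessionDirectoryListener -ErrorAction SilentlyContinue).SessionDirectoryListener
    $r.SxsWinstationEnabled       = ($fEnable -eq 1)
    $r.SessionDirectoryListenerOk = ($listener -eq 'rdp-sxs')

    [pscustomobject]$r
}

Test-AvdSessionHost | Format-List
```

A false value in any of the last four fields points at the fix for that check in this section; missing registry values on a supported OS mean the side-by-side stack needs to be reinstalled as described below.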
Error: O_REVERSE_CONNECT_STACK_FAILURE
Cause: The side-by-side stack isn't installed on the session host VM.
Fix: Follow these instructions to install the side-by-side stack on the session host VM.
1. Use Remote Desktop Protocol (RDP) to get directly into the session host VM as
local administrator.
2. Install the side-by-side stack by following the steps to Register session hosts to a
host pool.
Not following the correct order of the steps to enable the side-by-side stack
Auto update to Windows 10 Enhanced Versatile Disc (EVD)
Missing the Remote Desktop Session Host (RDSH) role
The instructions in this section can help you uninstall the Azure Virtual Desktop
side-by-side stack. Once you uninstall the side-by-side stack, follow the steps to Register
session hosts to a host pool to reinstall the side-by-side stack.
The VM used to run remediation must be on the same subnet and domain as the VM
with the malfunctioning side-by-side stack.
Follow these instructions to run remediation from the same subnet and domain:
1. Connect with standard Remote Desktop Protocol (RDP) to the VM from where fix
will be applied.
4. From the command prompt, use the following command, where <VMname> is the
hostname of the VM with the malfunctioning side-by-side stack. If this is the
first time you have run PsExec, you'll also need to accept the PsExec License
Agreement to continue by clicking Agree.
5. After the command prompt session opens on the VM with the malfunctioning
side-by-side stack, run the following command and confirm that an entry named
rdp-sxs is available. If not, a side-by-side stack isn't present on the VM so the issue
isn't tied to the side-by-side stack.
Windows Command Prompt
qwinsta
6. Run the following command, which will list Microsoft components installed on the
VM with the malfunctioning side-by-side stack.
7. Run the command below with product names from step above, for example:
9. After all Azure Virtual Desktop components have been uninstalled, restart the VM
that had the malfunctioning side-by-side stack (either with Azure portal or from
the PsExec tool). You can then reinstall the side-by-side stack by following the
steps to Register session hosts to a host pool.
If you see either of these messages, it means the image doesn't have the latest Windows
updates installed or you're setting the Remote Desktop licensing mode through group
policy. Follow the steps in the next sections to check the group policy setting, identify
the version of Windows 10 Enterprise multi-session, and install the corresponding
update.
Note
Azure Virtual Desktop only requires an RDS client access license (CAL) when your
host pool contains Windows Server session hosts. To learn how to configure an RDS
CAL, see License your RDS deployment with client access licenses.
Note
If you set group policy through your domain, disable this setting on policies that
target these Windows 10 Enterprise multi-session VMs.
2. Enter "About" into the search bar next to the Start menu.
Now that you know your version number, skip ahead to the relevant section.
Version 1809
If your version number says "1809," install the KB4516077 update.
Version 1903
Redeploy the host operating system with the latest version of the Windows 10, version
1903 image from the Azure Gallery.
To learn more about this policy, see Allow log on through Remote Desktop Services.
Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while creating a host pool in an Azure Virtual Desktop
environment, see Environment and host pool creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues with Azure Virtual Desktop client connections, see Azure
Virtual Desktop service connections.
To troubleshoot issues with Remote Desktop clients, see Troubleshoot the Remote
Desktop client.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To learn more about the service, see Azure Virtual Desktop environment.
To go through a troubleshoot tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.
To learn about auditing actions, see Audit operations with Resource Manager.
To learn about actions to determine the errors during deployment, see View
deployment operations.
Session host statuses and health checks
in Azure Virtual Desktop
Article • 03/05/2024
The Azure Virtual Desktop Agent regularly runs health checks on the session host. The
agent assigns these health checks various statuses that include descriptions of how to
fix common issues. This article tells you what each status means and how to act on them
during a health check.
Note
If an issue is listed as non-fatal, the service can still run with the issue active.
However, we recommend you resolve the issue as soon as possible to prevent
future issues. If an issue is listed as fatal, it prevents the service from running. You
must resolve all fatal issues to make sure your users can access the session host.
Each session host status, with what it means, how it affects load balancing, and how to
resolve related issues:

Available
Description: This status means that the session host passed all health checks and is
available to accept user connections. If a session host has reached its maximum session
limit but has passed health checks, it's still listed as "Available."
Load balancing: New user sessions are load balanced here.
How to resolve related issues: N/A

Needs Assistance
Description: The session host didn't pass one or more of the following non-fatal health
checks: the Geneva Monitoring Agent health check, the Azure Instance Metadata Service
(IMDS) health check, or the URL health check. In this state,
Load balancing: New user sessions are load balanced here.
How to resolve related issues: Follow the directions in Error: Session hosts are stuck in
"Needs Assistance" state to resolve the issue.

Shutdown
Description: The session host has been shut down. If the agent enters a shutdown state
before connecting to the broker, its status changes to Unavailable. If you've shut down
your session host and see an Unavailable status, that means the session host shut down
before it could update the status, and doesn't indicate an issue. You should use this
status with the VM instance view API to determine the power state of the VM.
Load balancing: Not available for load balancing.
How to resolve related issues: Turn on the session host.

Unavailable
Description: The session host is either turned off or hasn't passed fatal health checks,
which prevents user sessions from connecting to this session host.
Load balancing: Not available for load balancing.
How to resolve related issues: If the session host is off, turn it back on. If the session
host didn't pass the domain join check or side-by-side stack listener health checks, refer
to the table in Health check for ways to resolve the issue. If the status is still
"Unavailable" after following those directions, open a support case.

Upgrade Failed
Description: This status means that the Azure Virtual Desktop Agent couldn't update or
upgrade. This status doesn't affect new or existing user sessions.
Load balancing: New user sessions are load balanced here.
How to resolve related issues: Follow the instructions in the Azure Virtual Desktop Agent
troubleshooting article.

Upgrading
Description: This status means that the agent upgrade is in progress. This status updates
to "Available" once the upgrade is done and the session host can accept connections again.
Load balancing: New user sessions are load balanced here.
How to resolve related issues: If your session host is stuck in the "Upgrading" state,
then reinstall the agent.
Health check
The health check is a test run by the agent on the session host. The following table lists
each type of health check and describes what it does.
Each health check, what it verifies, and what happens if it fails:

Domain joined
What it does: Verifies that the session host is joined to a domain controller.
If it fails: Users won't be able to connect to the session host. To solve this issue,
join your session host to a domain.

Geneva Monitoring Agent
What it does: Verifies that the session host has a healthy monitoring agent by checking
if the monitoring agent is installed and running in the expected registry location.
If it fails: It's semi-fatal. There may be successful connections, but they'll contain
no logging information. To resolve this issue, make sure a monitoring agent is
installed. If it's already installed, contact Microsoft support.

Side-by-side (SxS) Stack Listener
What it does: Verifies that the side-by-side stack is up and running, listening, and
ready to receive connections.
If it fails: It's fatal, and users won't be able to connect to the session host. Try
restarting your virtual machine (VM). If restarting doesn't work, contact Microsoft
support.

App attach health check
What it does: Verifies that the app attach or MSIX app attach service is working as
intended during package staging or destaging.
If it fails: It isn't fatal. However, certain apps stop working for end-users.

Domain trust check
What it does: Verifies the session host isn't experiencing domain trust issues that
could prevent authentication when a user connects to a session.
If it fails: It's fatal. The service won't be able to connect if it can't reach the
authentication domain for the session host.

Metadata service check
What it does: Verifies the metadata service is accessible and returns compute
properties.
If it fails: It isn't fatal.
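As an added example (not code from the article), the following PowerShell script pulls the status and health-check results described in the two tables above for every session host in a host pool, and separates the fatal checks from the non-fatal ones so an operator can see at a glance which hosts users cannot reach. It assumes the Az.Accounts and Az.DesktopVirtualization modules are installed, that you have already run Connect-AzAccount, and that the session host object exposes the health-check report under the SessionHostHealthCheckResult property with the check names spelled as shown; the resource group and host pool names are placeholders.

```powershell
# Added example (not from the article): summarise session host status and failed
# health checks for one host pool using the Az.DesktopVirtualization module.
# Assumes Az.Accounts and Az.DesktopVirtualization are installed and Connect-AzAccount
# has been run; resource group and host pool names are placeholders.
param(
    [string]$ResourceGroupName = '<resource-group>',
    [string]$HostPoolName      = '<host-pool>'
)

# Checks the article lists as fatal: a failure here means the host cannot take sessions.
# These HealthCheckName spellings are an assumption about what the agent reports.
$fatalChecks = @('DomainJoinedCheck', 'DomainTrustCheck', 'SxSStackListenerCheck')

$report = foreach ($sh in Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName) {
    # Name is returned as "<hostpool>/<session host fqdn>"; keep only the host part.
    $hostName = ($sh.Name -split '/')[-1]

    # Assumed property shape: one report object per check with HealthCheckName,
    # HealthCheckResult and AdditionalFailureDetailMessage.
    $failed = @($sh.SessionHostHealthCheckResult |
        Where-Object { $_.HealthCheckResult -eq 'HealthCheckFailed' })

    [pscustomobject]@{
        SessionHost      = $hostName
        Status           = $sh.Status
        AllowNewSession  = $sh.AllowNewSession   # $false means drain mode is on
        Sessions         = $sh.Session
        FatalFailures    = ($failed | Where-Object { $_.HealthCheckName -in $fatalChecks }).HealthCheckName -join ','
        NonFatalFailures = ($failed | Where-Object { $_.HealthCheckName -notin $fatalChecks }).HealthCheckName -join ','
        Detail           = ($failed.AdditionalFailureDetailMessage | Select-Object -First 1)
    }
}

# Hosts that are not Available come first, so the ones users cannot reach are on top.
$report | Sort-Object @{ Expression = { $_.Status -eq 'Available' } }, SessionHost |
    Format-Table -AutoSize
```

A host that shows a non-empty FatalFailures column maps to the Unavailable row of the status table; a host with only NonFatalFailures maps to Needs Assistance and still receives new sessions, which is why the non-fatal column is worth watching even when Status looks fine.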
Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while creating an Azure Virtual Desktop environment and
host pool in an Azure Virtual Desktop environment, see Environment and host pool
creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To go through a troubleshooting tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.
This article describes common management errors and gives suggestions for how to
solve them.
Each management error and the suggested way to solve it:

Failed to create registration key
Suggestion: Registration token couldn't be created. Try creating it again with a shorter
expiry time (between 1 hour and 1 month).

Failed to delete registration key
Suggestion: Registration token couldn't be deleted. Try deleting it again. If it still
doesn't work, use PowerShell to check if the token is still there. If it's there, delete
it with PowerShell.

Failed to change session host drain mode
Suggestion: Couldn't change drain mode on the VM. Check the VM status. If the VM isn't
available, you can't change drain mode.

Failed to disconnect user sessions
Suggestion: Couldn't disconnect the user from the VM. Check the VM status. If the VM
isn't available, you can't disconnect the user session. If the VM is available, check
the user session status to see if it's disconnected.

Failed to log off all user(s) within the session host
Suggestion: Could not sign users out of the VM. Check the VM status. If unavailable,
users can't be signed out. Check user session status to see if they're already signed
out. You can force sign out with PowerShell.

Failed to unassign user from application group
Suggestion: Could not unpublish an application group for a user. Check to see if the
user is available in Azure AD. Check to see if the user is part of a user group that the
application group is published to.

There was an error retrieving the available locations
Suggestion: Check the location of the VM used in the create host pool wizard. If the
image isn't available in that location, add the image in that location or choose a
different VM location.
This issue usually appears because there's a problem with the conditional access policy.
The Azure portal is trying to obtain a token for Microsoft Graph, which is dependent on
SharePoint Online. The customer has a conditional access policy called "Microsoft Office
365 Data Storage Terms of Use" that requires users to accept the terms of use to access
data storage. However, they haven't signed in yet, so the Azure portal can't get the
token.
To solve this issue, before signing in to the Azure portal, the admin first needs to sign in
to SharePoint and accept the Terms of Use. After that, they should be able to sign in to
the Azure portal like normal.
Next steps
To review common error scenarios that the diagnostics feature can identify for you, see
Identify and diagnose issues.
Azure Virtual Desktop PowerShell
Article • 10/12/2023
Important
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.
Use this article to resolve errors and issues when using PowerShell with Azure Virtual
Desktop. For more information on Remote Desktop Services PowerShell, see Azure
Virtual Desktop PowerShell.
Provide feedback
Visit the Azure Virtual Desktop Tech Community to discuss the Azure Virtual Desktop
service with the product team and active community members.
Cause 1: The user specified by the -SignInName parameter can't be found in the Microsoft
Entra ID tenant tied to the Azure Virtual Desktop environment.
Fix 1: A user with Owner permissions needs to execute the role assignment.
Alternatively, the user needs to be assigned the User Access Administrator role to
assign a user to an application group.
Cause 2: The account being used has Owner permissions but isn't part of the
environment's Microsoft Entra ID or doesn't have permissions to query the Microsoft
Entra ID where the user is located.
Fix 2: A user with Active Directory permissions needs to execute the role assignment.
Cause: Azure Virtual Desktop supports selecting the location of host pools, application
groups, and workspaces to store service metadata in certain locations. Your options are
restricted to where this feature is available. This error means that the feature isn't
available in the location you chose.
Fix: In the error message, a list of supported regions will be published. Use one of the
supported regions instead.
Cause: There's a location mismatch. All host pools, application groups, and workspaces
have a location to store service metadata. Any objects you create that are associated
with each other must be in the same location. For example, if a host pool is in eastus,
then you also need to create the application groups in eastus. If you create a workspace
to register these application groups to, that workspace needs to be in eastus as well.
Fix: Retrieve the location the host pool was created in, then assign the application group
you're creating to that same location.
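The fix above, written out as an added PowerShell example (not the article's own code): read the host pool's metadata location and pass it to the new application group instead of hard-coding a region. It assumes the Az.DesktopVirtualization module and an existing Connect-AzAccount session; the resource group, host pool and application group names are placeholders.

```powershell
# Added example (not the article's own code): create an application group in the
# same service-metadata location as its host pool, avoiding the location-mismatch
# error. Requires Az.DesktopVirtualization and a Connect-AzAccount session.
param(
    [string]$ResourceGroupName = '<resource-group>',
    [string]$HostPoolName      = '<host-pool>',
    [string]$AppGroupName      = '<application-group>',
    [ValidateSet('Desktop', 'RemoteApp')] [string]$AppGroupType = 'Desktop'
)

$hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName

# Read the location back from the host pool rather than typing it, so the new object
# lands in the same region (for example eastus) as the host pool's metadata.
$appGroup = New-AzWvdApplicationGroup -ResourceGroupName $ResourceGroupName `
    -Name $AppGroupName `
    -Location $hostPool.Location `
    -HostPoolArmPath $hostPool.Id `
    -ApplicationGroupType $AppGroupType

# Confirm the two objects agree before registering the group to a workspace.
[pscustomobject]@{
    HostPool         = $hostPool.Name
    HostPoolLocation = $hostPool.Location
    AppGroup         = $appGroup.Name
    AppGroupLocation = $appGroup.Location
    Match            = ($appGroup.Location -eq $hostPool.Location)
}
```

The same pattern applies to the workspace: pass $hostPool.Location to New-AzWvdWorkspace so that all three object types share one metadata region.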
Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while setting up your Azure Virtual Desktop environment
and host pools, see Environment and host pool creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues with Azure Virtual Desktop client connections, see Azure
Virtual Desktop service connections.
To troubleshoot issues with Remote Desktop clients, see Troubleshoot the Remote
Desktop client.
To learn more about the service, see Azure Virtual Desktop environment.
To learn about auditing actions, see Audit operations with Resource Manager.
To learn about actions to determine the errors during deployment, see View
deployment operations.
Troubleshoot common Azure Virtual
Desktop Agent issues
Article • 08/21/2024
The Azure Virtual Desktop Agent can cause connection issues because of multiple factors:
An error on the broker that makes the agent stop the service.
Problems with updates.
Issues with installing during the agent installation, which disrupts connection to the session
host.
This article guides you through solutions to these common scenarios and how to address
connection issues.
Note
For troubleshooting issues related to session connectivity and the Azure Virtual Desktop
agent, we recommend you review the event logs on your session host virtual machines (VMs)
by going to Event Viewer > Windows Logs > Application. Look for events that have one of
the following sources to identify your issue:
WVD-Agent
WVD-Agent-Updater
RDAgentBootLoader
MsiInstaller
2. Select Start. If this option is greyed out for you, you don't have administrator permissions.
You need to get those permissions in order to start the service.
5. If the service stops after you started and refreshed it, you may have a registration failure. For
more information, see INVALID_REGISTRATION_TOKEN or EXPIRED_MACHINE_TOKEN.
Error: INVALID_REGISTRATION_TOKEN or
EXPIRED_MACHINE_TOKEN
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3277 with the description INVALID_REGISTRATION_TOKEN or EXPIRED_MACHINE_TOKEN, the
registration key that has been used isn't recognized as valid.
1. Create a new registration key by following the steps in Generate a registration key.
2. Open a PowerShell prompt as an administrator and run the following commands to add the
new registration key to the registry. Replace <RegistrationToken> with the new registration
token you generated.
PowerShell
$newKey = '<RegistrationToken>'
PowerShell
Restart-Service RDAgentBootLoader
4. Run the following commands to verify that IsRegistered is set to 1 and RegistrationToken is
blank.
PowerShell
Output
IsRegistered : 1
RegistrationToken :
5. Check that your session host is now available in the host pool. If it isn't, view the Event
Viewer entries and see if there are any errors that are preventing the agent from starting.
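The re-registration steps above, carried through as one added PowerShell script (not the article's own code). The key path HKLM\SOFTWARE\Microsoft\RDInfraAgent and the value names RegistrationToken and IsRegistered are the ones the article names; resetting IsRegistered to 0 before restarting the boot loader is an assumption drawn from the verification step, which expects it to read 1 only after a successful registration. The token is a mandatory parameter so it is never stored in the script.

```powershell
# Added example (not the article's own code): replace the registration token the agent
# uses and restart RDAgentBootLoader so it re-registers, then poll until IsRegistered
# is 1 and RegistrationToken has been cleared. Resetting IsRegistered to 0 first is an
# assumption based on the article's verification step.
param(
    [Parameter(Mandatory)] [string]$RegistrationToken
)
$agentKey = 'HKLM:\SOFTWARE\Microsoft\RDInfraAgent'

if (-not (Test-Path $agentKey)) {
    throw "Agent key $agentKey not found; is the Azure Virtual Desktop agent installed?"
}

# Stop the boot loader first so the agent does not read a half-written value.
Stop-Service RDAgentBootLoader -Force

# Replace the stale token and mark the host as not registered.
Set-ItemProperty -Path $agentKey -Name RegistrationToken -Value $RegistrationToken -Type String
Set-ItemProperty -Path $agentKey -Name IsRegistered -Value 0 -Type DWord

Start-Service RDAgentBootLoader

# The agent consumes the token and blanks it once registration succeeds.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 15
    $p = Get-ItemProperty -Path $agentKey
    $registered = ($p.IsRegistered -eq 1) -and [string]::IsNullOrEmpty($p.RegistrationToken)
} until ($registered -or (Get-Date) -gt $deadline)

if ($registered) {
    'Session host registered; check the host pool for status Available.'
} else {
    # The token itself is deliberately not written to output: it grants host pool
    # membership to any machine that presents it.
    Write-Warning 'Agent did not register within 5 minutes; review WVD-Agent events in Event Viewer > Windows Logs > Application.'
}
```

Because a registration key enrols any machine into the host pool, generate it with the shortest expiry that covers the maintenance window and pass it on the command line only from a session you control, rather than leaving it in a script file or the registry after the host has registered.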
To resolve this issue, check that you can reach the two endpoints referred to as
BrokerResourceIdURI and BrokerResourceIdURIGlobal:
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RDInfraAgent.
4. Open a web browser and enter your value for BrokerResourceIdURI in the address bar and
add /api/health to the end, for example
https://rdbroker-g-us-r0.wvd.microsoft.com/api/health.
5. Open another tab in the browser and enter your value for BrokerResourceIdURIGlobal in the
address bar and add /api/health to the end, for example
https://rdbroker.wvd.microsoft.com/api/health.
6. If your network isn't blocking the connection to the broker, both pages should load
successfully and show a message stating RD Broker is Healthy, as shown in the following
screenshots:
7. If the network is blocking broker connection, the pages won't load, as shown in the following
screenshot.
You must unblock the required endpoints and then repeat steps 4 to 7. For more information,
see Required URL List.
8. If following the previous steps doesn't resolve your issue, make sure that you don't have any
group policies with ciphers that block the agent-to-broker connection. Azure Virtual Desktop
uses the same TLS 1.2 ciphers as Azure Front Door. For more information, see Connection
Security.
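The browser checks in steps 2 to 7 above, as an added PowerShell example (not the article's own code) that runs on the session host itself, so the request takes the same proxy, firewall and TLS policy path the agent does. It reads BrokerResourceIdURI and BrokerResourceIdURIGlobal from the RDInfraAgent key named in the article and requests /api/health from each; the expectation that a healthy broker answers HTTP 200 with "Healthy" in the body follows the message the article says the page shows.

```powershell
# Added example (not the article's own code): read the two broker URLs the agent stores
# under RDInfraAgent and request /api/health from each. Run it on the session host so it
# exercises the host's own proxy, firewall and TLS policy.
$agentKey = 'HKLM:\SOFTWARE\Microsoft\RDInfraAgent'
$props    = Get-ItemProperty -Path $agentKey

$results = foreach ($name in 'BrokerResourceIdURI', 'BrokerResourceIdURIGlobal') {
    $base = $props.$name
    if ([string]::IsNullOrWhiteSpace($base)) {
        [pscustomobject]@{ Value = $name; Url = ''; Healthy = $false; Detail = 'value missing in registry' }
        continue
    }
    $url = $base.TrimEnd('/') + '/api/health'
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 20
        # The article says a reachable broker shows "RD Broker is Healthy".
        $ok = ($resp.StatusCode -eq 200) -and ($resp.Content -match 'Healthy')
        [pscustomobject]@{ Value = $name; Url = $url; Healthy = $ok; Detail = "HTTP $($resp.StatusCode)" }
    } catch {
        # A TLS handshake rejected by a cipher policy lands here too (step 8); the
        # exception text distinguishes that from a plain connection block.
        [pscustomobject]@{ Value = $name; Url = $url; Healthy = $false; Detail = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

if ($results.Healthy -contains $false) {
    Write-Warning 'At least one broker endpoint is unreachable: compare against the Required URL List and your TLS cipher policy.'
}
```

A failure that names a TLS or "secure channel" error points at step 8 (cipher policy) rather than at a blocked URL; a timeout or name-resolution error points at the firewall, proxy or DNS cases the article covers under errors 3703 and 3019.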
Error: 3703
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3703 with RD Gateway Url: is not accessible in the description, the agent is unable to reach
the gateway URLs. To successfully connect to your session host, you must allow network traffic to
the URLs from the Required URL List. Also, make sure your firewall or proxy settings don't block
these URLs. Unblocking these URLs is required to use Azure Virtual Desktop.
To resolve this issue, verify whether you can access the required URLs by running the Required URL
Check tool. If you're using Azure Firewall, see Use Azure Firewall to protect Azure Virtual Desktop
deployments and Azure Firewall DNS settings for more information on how to configure it for
Azure Virtual Desktop.
Error: 3019
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3019, then the agent can't reach the web socket transport URLs. To successfully connect to
your session host and allow network traffic to bypass these restrictions, you must unblock the URLs
listed in the Required URL list. Work with your networking team to make sure your firewall, proxy,
and DNS settings aren't blocking these URLs. You can also check your network trace logs to
identify where the Azure Virtual Desktop service is being blocked. If you open a Microsoft Support
case for this particular issue, make sure to attach your network trace logs to the request.
Error: InstallationHealthCheckFailedException
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3277 with InstallationHealthCheckFailedException in the description, then the stack
listener isn't working because the terminal server has toggled the registry key for the stack listener.
2. If the stack listener isn't working, manually uninstall and reinstall the stack component.
Error: ENDPOINT_NOT_FOUND
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3277 with ENDPOINT_NOT_FOUND in the description, then the broker couldn't find an
endpoint to establish a connection with. This connection issue can happen for one of the following
reasons:
1. Make sure the VM is powered on and hasn't been removed from the host pool.
2. Make sure that the VM hasn't exceeded the max session limit.
3. Make sure the agent service is running and the stack listener is working.
Error: InstallMsiException
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3277 with InstallMsiException in the description, the installer is already running for another
application while you're trying to install the agent, or group policy is blocking msiexec.exe from
running.
1. Open Resultant Set of Policy by running rsop.msc from an elevated command prompt.
2. In the Resultant Set of Policy window that pops up, go to Computer Configuration >
Administrative Templates > Windows Components > Windows Installer > Turn off
Windows Installer. If the state is Enabled, work with your Active Directory team to allow
msiexec.exe to run.
Note
This list isn't a comprehensive list of policies, just the ones we're currently aware of.
Error: Win32Exception
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3277 with InstallMsiException in the description, a policy is blocking cmd.exe from
launching. Blocking this program prevents you from running the console window, which is what
you need to use to restart the service whenever the agent updates.
1. Open Resultant Set of Policy by running rsop.msc from an elevated command prompt.
2. In the Resultant Set of Policy window that pops up, go to User Configuration >
Administrative Templates > System > Prevent access to the command prompt. If the state
is Enabled, work with your Active Directory team to allow cmd.exe to run.
3. Under WinStations you may see several folders for different stack versions, select a folder
that matches the version information you saw when running qwinsta.exe in a command
prompt.
Find fReverseConnectMode and make sure its data value is 1. Also make sure that
fEnableWinStation is set to 1.
If fEnableWinStation isn't set to 1, select fEnableWinStation and enter 1 into its value
field.
4. Repeat the previous steps for each folder that matches the version information you saw when
running qwinsta.exe in a command prompt.
Tip
Export the registry key from the machine that you already have working and import
it into all other machines that need this change.
Create a group policy object (GPO) that sets the registry key value for the machines
that need the change.
8. Under ClusterSettings, find SessionDirectoryListener and make sure its data value is
rdp-sxs<version number>, where <version number> matches the version information you saw when
Error: DownloadMsiException
On your session host VM, go to Event Viewer > Windows Logs > Application. If you see an event
with ID 3277 with DownloadMsiException in the description, there isn't enough space on the disk
for the RDAgent.
2. From an elevated PowerShell prompt run qwinsta.exe and make note of the version number
that appears next to rdp-sxs in the SESSIONNAME column. If the STATE column for rdp-tcp
and rdp-sxs entries isn't Listen, or if rdp-tcp and rdp-sxs entries aren't listed at all, it means
that there's a stack issue.
3. Run the following command to stop the RDAgentBootLoader service:
PowerShell
Stop-Service RDAgentBootLoader
4. Go to Control Panel > Programs > Programs and Features, or on Windows 11 go to the
Settings App > Apps.
5. Uninstall the latest version of the Remote Desktop Services SxS Network Stack or the version
listed in Registry Editor in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
under the value for ReverseConnectionListener.
6. Back at the PowerShell prompt, run the following commands to add the file path of the latest
installer available on your session host VM for the side-by-side stack to a variable and list its
name:
PowerShell
7. Install the latest installer available on your session host VM for the side-by-side stack by
running the following command:
PowerShell
msiexec /i $sxsMsi
9. From a command prompt run qwinsta.exe again and verify the STATE column for rdp-tcp
and rdp-sxs entries is Listen. If not, you must re-register your VM and reinstall the agent
component.
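The manual listener and registry inspection from the Win32Exception steps (qwinsta output, fReverseConnectMode, fEnableWinStation, SessionDirectoryListener) and the qwinsta verification in the DownloadMsiException steps above, combined into one added PowerShell check (not the article's own code). The WinStations path is the one the article gives; the ClusterSettings path alongside it, the rdp-sxs* listener naming and the fixed-column layout of qwinsta output are assumptions. The script only reads; it does not uninstall or reinstall anything.

```powershell
# Added example (not the article's own code): verify the side-by-side stack listeners
# the article has you inspect by hand. Parses qwinsta.exe output and reads the
# WinStations and ClusterSettings keys; the rdp-sxs* name pattern and the
# ClusterSettings path are assumptions based on the article's steps.
function Get-RdpListenerState {
    # qwinsta prints SESSIONNAME, USERNAME, ID, STATE, ... in fixed columns; listener
    # rows carry no user, so match "<name> [<user>] <id> <state>" for rdp-* rows only.
    qwinsta.exe 2>$null | ForEach-Object {
        if ($_ -match '^\s*>?(?<name>rdp-\S+)\s+(?:\S+\s+)?(?<id>\d+)\s+(?<state>\S+)') {
            [pscustomobject]@{ Listener = $Matches.name; Id = [int]$Matches.id; State = $Matches.state }
        }
    }
}

function Test-SxSStack {
    $listeners = @(Get-RdpListenerState)
    $tcp = $listeners | Where-Object Listener -eq 'rdp-tcp'
    $sxs = @($listeners | Where-Object Listener -like 'rdp-sxs*')

    $issues = [System.Collections.Generic.List[string]]::new()
    if (-not $tcp -or $tcp.State -ne 'Listen') { $issues.Add('rdp-tcp is missing or not in Listen state') }
    if ($sxs.Count -eq 0)                        { $issues.Add('no rdp-sxs listener is present') }

    $winStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
    $cluster     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings'

    foreach ($l in $sxs) {
        if ($l.State -ne 'Listen') { $issues.Add("$($l.Listener) is in state $($l.State), not Listen") }
        $key = Join-Path $winStations $l.Listener
        if (-not (Test-Path $key)) { $issues.Add("$key does not exist"); continue }
        $v = Get-ItemProperty -Path $key
        # The article requires both flags to be 1 for the stack to accept connections.
        if ($v.fReverseConnectMode -ne 1) { $issues.Add("$($l.Listener): fReverseConnectMode is $($v.fReverseConnectMode), expected 1") }
        if ($v.fEnableWinStation   -ne 1) { $issues.Add("$($l.Listener): fEnableWinStation is $($v.fEnableWinStation), expected 1") }
    }

    # SessionDirectoryListener must name the rdp-sxs<version> listener that is live.
    $sdl = (Get-ItemProperty -Path $cluster -ErrorAction SilentlyContinue).SessionDirectoryListener
    if (-not $sdl) {
        $issues.Add('ClusterSettings\SessionDirectoryListener is not set')
    } elseif ($sxs.Listener -notcontains $sdl) {
        $issues.Add("SessionDirectoryListener is '$sdl' but the live listeners are: $($sxs.Listener -join ', ')")
    }

    [pscustomobject]@{
        Listeners = $listeners
        Healthy   = ($issues.Count -eq 0)
        Issues    = $issues
    }
}

$result = Test-SxSStack
$result.Listeners | Format-Table -AutoSize
if ($result.Healthy) { 'Side-by-side stack listeners look healthy.' }
else { $result.Issues | ForEach-Object { Write-Warning $_ } }
```

Run it before and after the uninstall/reinstall sequence: a clean "Listen" state for both rdp-tcp and the rdp-sxs listener, with SessionDirectoryListener matching, is the condition step 9 asks you to confirm, and a mismatch between the registry and qwinsta output is the case where a re-registration is still needed.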
UrlsAccessibleCheck
If the session host doesn't pass the UrlsAccessibleCheck health check, you'll need to identify which
required URL your deployment is currently blocking. Once you know which URL is blocked, identify
which setting is blocking that URL and remove it.
There are two reasons why the service is blocking a required URL:
You have an active firewall that's blocking most outbound traffic and access to the required
URLs.
Your local hosts file is blocking the required websites.
To resolve a firewall-related issue, add a rule that allows outbound connections to the TCP port
80/443 associated with the blocked URLs.
If your local hosts file is blocking the required URLs, make sure none of the required URLs are in
the Hosts file on your device. You can find the Hosts file location at the following registry key and
value:
Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Type: REG_EXPAND_SZ
Name: DataBasePath
MetaDataServiceCheck
If the session host doesn't pass the MetaDataServiceCheck health check, then the service can't
access the IMDS endpoint. To resolve this issue, you'll need to do the following things:
If your issue is caused by a web proxy, add an exception for 169.254.169.254 in the web proxy's
configuration. To add this exception, open an elevated Command Prompt or PowerShell session
and run the following command:
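Two checks behind the UrlsAccessibleCheck and MetaDataServiceCheck sections above, as one added PowerShell example (not the article's own code): it locates the hosts file through the DataBasePath value the article names and reports any static mapping of a required host, then calls the IMDS endpoint at 169.254.169.254 through the host's current proxy configuration so that a missing proxy bypass shows up as the failure. The required host names are a constructed sample (rdbroker.wvd.microsoft.com appears in the article; the second entry and the IMDS API version are assumptions), not the full Required URL List.

```powershell
# Added example (not the article's own code): mirror the UrlsAccessibleCheck (hosts
# file overrides) and MetaDataServiceCheck (IMDS reachability) health checks.
# DataBasePath and 169.254.169.254 come from the article; the host list is a
# constructed sample and the IMDS api-version is an assumption.
$requiredHosts = @(
    'rdbroker.wvd.microsoft.com'   # broker URL quoted in the article
    'rdweb.wvd.microsoft.com'      # assumed entry; substitute the published list
)

function Test-HostsFileOverrides {
    param([string[]]$Hosts)
    # The hosts file lives in the folder named by DataBasePath (REG_EXPAND_SZ).
    $dbPath    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath
    $hostsFile = Join-Path ([Environment]::ExpandEnvironmentVariables($dbPath)) 'hosts'

    Get-Content -Path $hostsFile | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # drop comments and blank lines
        if (-not $line) { return }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { return }
        $ip    = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        foreach ($h in $Hosts) {
            # Any static mapping for a required host bypasses DNS, so report it even
            # when it currently points at a valid address.
            if ($names -contains $h) {
                [pscustomobject]@{ Host = $h; MappedTo = $ip; File = $hostsFile }
            }
        }
    }
}

function Test-ImdsReachable {
    # IMDS requires the Metadata header. The call deliberately uses the host's default
    # proxy settings: a web proxy without a bypass for 169.254.169.254 makes it fail,
    # which is the case the article describes.
    $uri = 'http://169.254.169.254/metadata/instance/compute?api-version=2021-02-01'
    try {
        $compute = Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' } -TimeoutSec 5
        [pscustomobject]@{ Reachable = $true; VmName = $compute.name; Location = $compute.location; Detail = '' }
    } catch {
        [pscustomobject]@{ Reachable = $false; VmName = $null; Location = $null; Detail = $_.Exception.Message }
    }
}

$overrides = @(Test-HostsFileOverrides -Hosts $requiredHosts)
if ($overrides.Count -gt 0) { $overrides | Format-Table -AutoSize }
else { 'No required host is overridden in the hosts file.' }

$imds = Test-ImdsReachable
if ($imds.Reachable) { $imds }
else { Write-Warning "IMDS unreachable: $($imds.Detail). Run 'netsh winhttp show proxy' and check for a missing bypass entry for 169.254.169.254." }
```

A hosts-file hit is worth treating as a finding in its own right: the agent and the session host only trust those endpoints by name, so a stale or unexpected static entry for a *.wvd.microsoft.com host should be removed and its origin (image, script, or interactive change) identified.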
1. Verify if the Remote Desktop Services Infrastructure Geneva Agent is installed on the session
host. You can verify this in the list of installed programs on the session host. If you see
multiple versions of this agent installed, uninstall older versions and only keep the latest
version installed.
2. If you don't find the Remote Desktop Services Infrastructure Geneva Agent installed on the
session host, please review logs located under C:\Program Files\Microsoft
RDInfra\GenevaInstall.txt and see if installation is failing due to an error.
Decrease the max session limit. This change ensures that resources are more evenly
distributed across session hosts and prevents resource depletion.
Increase the resource capacity of the session host VMs.
To resolve this issue, create session host VMs using a supported operating system.
Error: NAME_ALREADY_REGISTERED
The name of your session host VM has already been registered and is probably a duplicate.
To resolve this issue:
1. Follow the steps in the Remove the session host from the host pool section.
2. Create another VM. Make sure to choose a unique name for this VM.
3. Go to the Azure portal and open the Overview page for the host pool your VM was in.
4. Open the Session Hosts tab and check to make sure all session hosts are in that host pool.
5. Wait for 5-10 minutes for the session host status to say Available.
Follow these instructions in this section if one or more of the following scenarios apply to you:
2. Go to Control Panel > Programs > Programs and Features, or on Windows 11 go to the
Settings App > Apps.
3. Uninstall the following programs, then restart your session host VM:
Caution
When uninstalling Remote Desktop Services SxS Network Stack, you'll be prompted
that Remote Desktop Services and Remote Desktop Services UserMode Port Redirector
should be closed. If you're connected to the session host VM using RDP, select Do not
close applications then select OK, otherwise your RDP connection won't work.
Note
You may see multiple instances of these programs. Make sure to remove all of them.
Step 2: Remove the session host from the host pool
When you remove the session host from the host pool, the session host is no longer registered to
that host pool. This change acts as a reset for the session host registration. To remove the session
host from the host pool:
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools and select the name of the host pool that your session host VM is in.
4. Select Session Hosts to see the list of all session hosts in that host pool.
5. Look at the list of session hosts and tick the box next to the session host that you want to
remove.
6. Select Remove.
2. In the search bar, type Azure Virtual Desktop and select the matching service entry.
3. Select Host pools and select the name of the host pool that your session host VM is in.
Note
The expiration date can be no less than an hour and no longer than 27 days from its
generation time and date. Generate a registration key only for as long as you need.
1. Copy the newly generated key to your clipboard or download the file. You'll need this key
later.
1. Sign in to your session host VM as an administrator and run the agent installer and
bootloader for your session host VM:
Tip
For each of the agent and boot loader installers you downloaded, you may need to
unblock them. Right-click each file and select Properties, then select Unblock, and finally
select OK.
2. When the installer asks you for the registration token, paste the registration key from your
clipboard.
3. Run the boot loader installer.
6. In the search bar, enter Azure Virtual Desktop and select the matching service entry.
7. Select Host pools and select the name of the host pool that your session host VM is in.
8. Select Session Hosts to see the list of all session hosts in that host pool.
9. You should now see the session host registered in the host pool with the status Available.
HKU:\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
HKU:\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
This registry key prevents the agent from installing the side-by-side stack, which results in an
installMSIException error. This error leads to the session hosts being stuck in an unavailable state.
1. Remove the DisableRegistryTools key from the three previously listed locations.
2. Uninstall and remove the affected side-by-side stack installation from the Apps & Features
folder.
3. Remove the affected side-by-side stack's registry keys.
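Step 1 above, as an added PowerShell example (not the article's own code) that audits the three DisableRegistryTools locations the article lists and removes the value only when run with -Remove. It maps HKEY_USERS to a temporary HKU: drive because PowerShell does not provide one by default; the paths are exactly those given above.

```powershell
# Added example (not the article's own code): audit, and optionally clear, the
# DisableRegistryTools policy value in the three hives the article lists. Creates a
# temporary HKU: drive because PowerShell does not map HKEY_USERS by default.
param([switch]$Remove)

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$policyKeys = @(
    'HKU:\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKU:\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)

foreach ($key in $policyKeys) {
    $value = (Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($null -eq $value) {
        [pscustomobject]@{ Key = $key; DisableRegistryTools = 'not set'; Action = 'none' }
        continue
    }
    if ($Remove) {
        # Removing the value, rather than setting it to 0, matches the article's fix.
        Remove-ItemProperty -Path $key -Name DisableRegistryTools
        $action = 'removed'
    } else {
        $action = 'present: blocks side-by-side stack install; rerun with -Remove'
    }
    [pscustomobject]@{ Key = $key; DisableRegistryTools = $value; Action = $action }
}
```

If the value reappears after the next policy refresh it is being delivered by Group Policy, and the lasting fix is to exclude the session hosts from that policy rather than to keep deleting the value locally.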
Next steps
If the issue continues, create a support case and include detailed information about the problem
you're having and any actions you've taken to try to resolve it. The following list includes other
resources you can use to troubleshoot issues in your Azure Virtual Desktop deployment.
For an overview on troubleshooting Azure Virtual Desktop and the escalation tracks, see
Troubleshooting overview, feedback, and support.
To troubleshoot issues while creating a host pool in an Azure Virtual Desktop environment,
see Environment and host pool creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual Desktop, see
Session host virtual machine configuration.
To troubleshoot issues with Azure Virtual Desktop client connections, see Azure Virtual
Desktop service connections.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see Azure Virtual
Desktop PowerShell.
To learn more about the service, see Azure Virtual Desktop environment.
To go through a troubleshooting tutorial, see Tutorial: Troubleshoot Resource Manager template
deployments.
To learn about auditing actions, see Audit operations with Resource Manager.
To learn about actions to determine the errors during deployment, see View deployment
operations.
Important
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without
Azure Resource Manager objects, see this article.
Use this article to resolve issues with Azure Virtual Desktop client connections.
Provide feedback
You can give us feedback and discuss the Azure Virtual Desktop Service with the product
team and other active community members at the Azure Virtual Desktop Tech
Community .
1. Confirm that the user reporting the issues has been assigned to application groups
by using this command line:
PowerShell
3. If the web client is being used, confirm that there are no cached credentials issues.
4. If the user is part of a Microsoft Entra user group, make sure the user group is a
security group instead of a distribution group. Azure Virtual Desktop doesn't
support Microsoft Entra distribution groups.
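Steps 1 and 4 above, as an added PowerShell example (not the article's own code): it lists the user's Desktop Virtualization User assignments scoped to application groups, including those inherited through group membership, and for each group-based assignment checks that the group is a security group rather than a distribution group. It assumes the Az.Resources module (Get-AzRoleAssignment, Get-AzADGroup), a Connect-AzAccount session with permission to read role assignments and directory groups, and that "Desktop Virtualization User" is the role name in use.

```powershell
# Added example (not the article's own code): confirm a user holds the Desktop
# Virtualization User role on at least one application group, and that any group
# granting it is a security group (AVD ignores distribution groups).
# Requires Az.Resources and a Connect-AzAccount session.
param([Parameter(Mandatory)] [string]$UserPrincipalName)

$roleName = 'Desktop Virtualization User'
$agScope  = '/providers/Microsoft.DesktopVirtualization/applicationGroups/'

# -ExpandPrincipalGroups includes assignments the user inherits via group membership.
$assignments = @(Get-AzRoleAssignment -SignInName $UserPrincipalName -ExpandPrincipalGroups |
    Where-Object { $_.RoleDefinitionName -eq $roleName -and $_.Scope -like "*$agScope*" })

if ($assignments.Count -eq 0) {
    Write-Warning "$UserPrincipalName has no '$roleName' assignment on any application group."
    return
}

foreach ($a in $assignments) {
    $groupOk = $null
    if ($a.ObjectType -eq 'Group') {
        # A distribution group is mail-enabled but not security-enabled.
        $g = Get-AzADGroup -ObjectId $a.ObjectId
        $groupOk = [bool]$g.SecurityEnabled
    }
    [pscustomobject]@{
        ApplicationGroup = ($a.Scope -split '/')[-1]
        AssignedVia      = $a.DisplayName
        PrincipalType    = $a.ObjectType
        SecurityGroup    = $groupOk        # $null when the user is assigned directly
    }
}
```

A row with PrincipalType Group and SecurityGroup False is the distribution-group case from step 4: the role assignment exists, but the feed stays empty until the user is assigned directly or through a security group.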
User loses existing feed and no remote
resource is displayed (no feed)
This error usually appears after a user moved their subscription from one Microsoft
Entra tenant to another. As a result, the service loses track of their user assignments,
since those are still tied to the old Microsoft Entra tenant.
To resolve this, all you need to do is reassign the users to their application groups.
This could also happen if a CSP Provider created the subscription and then transferred
it to the customer. To resolve this, re-register the Resource Provider.
Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while creating an Azure Virtual Desktop environment and
host pool in an Azure Virtual Desktop environment, see Environment and host pool
creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To go through a troubleshooting tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.
Basic troubleshooting for the Remote
Desktop client for Windows
Article • 09/27/2024
Tip
Select a button at the top of this article to choose which product you're connecting
to and see the relevant documentation.
This article provides some simple troubleshooting steps to try first for issues you might
encounter when using the Remote Desktop client for Windows to connect to Azure
Virtual Desktop.
Basic troubleshooting
There are a few basic troubleshooting steps you can try if you're having issues
connecting to your desktops or applications:
2. Try to connect to your desktops or applications from the Azure Virtual Desktop
web client. For more information, see Connect to Azure Virtual Desktop with the
Remote Desktop web client.
3. Make sure you're using the latest version of the Remote Desktop client. By default,
the client automatically updates when a new version is available. To check for
updates manually, see Update the client.
4. If the connection fails frequently or you notice performance issues, check the
status of the connection. You can find connection information in the connection
bar by selecting the signal icon.
Reset password
Password resets can't be done in the product. You should follow your organization's
process to reset your password.
2. Select the three dots at the top right-hand corner to show the menu, then select
About.
3. In the section Reset user data, select Reset. To confirm you want to reset your user
data, select Continue.
Issue isn't listed here
If your issue isn't listed here, ask your Azure Virtual Desktop administrator for support,
or see Troubleshoot the Remote Desktop client for Windows when connecting to Azure
Virtual Desktop for further troubleshooting steps.
This article describes issues you may experience with the Remote Desktop client for
Windows when connecting to Azure Virtual Desktop and how to fix them.
General
In this section you'll find troubleshooting guidance for general issues with the Remote
Desktop client.
If you're using the correct account, make sure your application group is associated with
a workspace.
If you've answered "no" to either of those questions, you'll need to reconfigure your
multi-factor authentication. To reconfigure your multi-factor authentication, follow the
instructions in Enforce Azure Active Directory Multi-Factor Authentication for Azure
Virtual Desktop using Conditional Access.
Important
If you can access your Azure AD sign-in logs through Log Analytics, you can see if
you've enabled multi-factor authentication and which Conditional Access policy is
triggering the event. The events shown are non-interactive user login events for the VM,
which means the IP address will appear to come from the external IP address that your
VM accesses Azure AD from.
You can access your sign-in logs by running the following Kusto query:
Kusto
1. Ensure no sessions are active and the client process isn't running in the
background by right-clicking on the Remote Desktop icon in the system tray and
selecting Disconnect all sessions.
2. Open File Explorer.
3. Navigate to the %temp%\DiagOutputDir\RdClientAutoTrace folder.
The logs are in the .ETL file format. You can convert these to .CSV or .XML to make them
easily readable by using the tracerpt command. Find the name of the file you want to
convert and make a note of it.
To convert the .ETL file to .CSV, open PowerShell and run the following, replacing
the value for $filename with the name of the file you want to convert (without the
extension) and $outputFolder with the directory in which to create the .CSV file.
PowerShell
$filename = "<filename>"
$outputFolder = "C:\Temp"
cd $env:TEMP\DiagOutputDir\RdClientAutoTrace
tracerpt "$filename.etl" -o "$outputFolder\$filename.csv" -of csv
To convert the .ETL file to .XML, open Command Prompt or PowerShell and run the
following, replacing the value for $filename with the name of the file you want to
convert (without the extension) and $outputFolder with the directory in which to
create the .XML file.
PowerShell
$filename = "<filename>"
$outputFolder = "C:\Temp"
cd $env:TEMP\DiagOutputDir\RdClientAutoTrace
tracerpt "$filename.etl" -o "$outputFolder\$filename.xml"
2. Select the three dots at the top right-hand corner to show the menu, then select
About.
3. In the section Reset user data, select Reset. To confirm you want to reset your user
data, select Continue.
1. Open PowerShell.
2. Change the directory to where the Remote Desktop client is installed. By default,
this is C:\Program Files\Remote Desktop.
3. Run the following command to reset user data. You'll be prompted to confirm you
want to reset your user data.
PowerShell
.\msrdcw.exe /reset
You can also add the /f option, where your user data will be reset without
confirmation:
PowerShell
.\msrdcw.exe /reset /f
How you configure the policy to enable users to connect again depends on whether your
session hosts are managed with Group Policy or Intune.
1. Open the Group Policy Management Console (GPMC) for session hosts managed
with Active Directory or the Local Group Policy Editor console and edit the policy
that targets your session hosts.
For Intune:
3. Set the policy setting Allow users to connect remotely using Remote Desktop
Services to Enabled.
You're using a device that is Azure AD-joined or hybrid Azure AD-joined to the
same Azure AD tenant as the session host.
The PKU2U protocol is enabled on both the local PC and the session host.
Per-user multi-factor authentication is disabled for the user account as it's not
supported for Azure AD-joined VMs.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Value Name          Type    Value Data
DisabledByDefault   DWORD   0
Enabled             DWORD   1

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
Value Name          Type    Value Data
DisabledByDefault   DWORD   0
Enabled             DWORD   1

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
Value Name                Type    Value Data
SystemDefaultTlsVersions  DWORD   1
SchUseStrongCrypto        DWORD   1
You can configure these registry values by opening PowerShell as an administrator and
running the following commands:
PowerShell
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWORD' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWORD' -Force
This article describes issues you may experience with the Azure Virtual Desktop Store
app for Windows when connecting to Azure Virtual Desktop and how to fix them.
You can go to the Microsoft Store to check for updates, or you can also manually
search for new updates from the app. For more information, see Update the Azure
Virtual Desktop app.
General
In this section you'll find troubleshooting guidance for general issues with the Azure
Virtual Desktop app.
If you're using the correct account, make sure your application group is associated with
a workspace.
Have you assigned the Virtual Machine User Login role-based access control
(RBAC) permission to the virtual machine (VM) or resource group for each user?
Does your Conditional Access policy exclude multi-factor authentication
requirements for the Azure Windows VM sign-in cloud application?
If you've answered "no" to either of those questions, you'll need to reconfigure your
multi-factor authentication. To reconfigure your multi-factor authentication, follow the
instructions in Enforce Azure Active Directory Multi-Factor Authentication for Azure
Virtual Desktop using Conditional Access.
Important
If you can access your Azure AD sign-in logs through Log Analytics, you can see if
you've enabled multi-factor authentication and which Conditional Access policy is
triggering the event. The events shown are non-interactive user login events for the VM,
which means the IP address will appear to come from the external IP address that your
VM accesses Azure AD from.
You can access your sign-in logs by running the following Kusto query:
Kusto
1. Ensure no sessions are active and the client process isn't running in the
background by right-clicking on the Remote Desktop icon in the system tray and
selecting Disconnect all sessions.
2. Open File Explorer.
3. Navigate to the %temp%\DiagOutputDir\RdClientAutoTrace folder.
The logs are in the .ETL file format. You can convert these to .CSV or .XML to make them
easily readable by using the tracerpt command. Find the name of the file you want to
convert and make a note of it.
To convert the .ETL file to .CSV, open PowerShell and run the following, replacing
the value for $filename with the name of the file you want to convert (without the
extension) and $outputFolder with the directory in which to create the .CSV file.
PowerShell
$filename = "<filename>"
$outputFolder = "C:\Temp"
cd $env:TEMP\DiagOutputDir\RdClientAutoTrace
tracerpt "$filename.etl" -o "$outputFolder\$filename.csv" -of csv
To convert the .ETL file to .XML, open Command Prompt or PowerShell and run the
following, replacing <filename> with the name of the file you want to convert and
$outputFolder with the directory in which to create the .XML file.
PowerShell
$filename = "<filename>"
$outputFolder = "C:\Temp"
cd $env:TEMP\DiagOutputDir\RdClientAutoTrace
tracerpt "$filename.etl" -o "$outputFolder\$filename.xml"
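The two conversion snippets above (and their copies in the earlier Windows client article) handle one trace at a time. The following script is an added example, not part of the Microsoft article: it converts every .etl file written in the last $Hours hours in the same RdClientAutoTrace folder to .csv in one pass and records the tracerpt exit code per file. $outputFolder, $Hours and the use of tracerpt's -y switch (answer yes to the overwrite prompt) are assumptions; the folder path and the -o/-of syntax come from the article.

```powershell
# Added example: batch-convert Remote Desktop client auto-trace .etl files to .csv.
# Disconnect all sessions first (see step 1 above) so the client is not still
# writing to the trace files.
param(
    [string]$outputFolder = 'C:\Temp\RdClientTraces',   # assumption: any writable folder
    [int]$Hours = 24                                     # assumption: how far back to look
)

$traceDir = Join-Path $env:TEMP 'DiagOutputDir\RdClientAutoTrace'
if (-not (Test-Path -LiteralPath $traceDir)) {
    throw "Trace folder not found: $traceDir (has the client produced any traces yet?)"
}
New-Item -ItemType Directory -Path $outputFolder -Force | Out-Null

$since = (Get-Date).AddHours(-$Hours)
$files = Get-ChildItem -LiteralPath $traceDir -Filter '*.etl' |
    Where-Object { $_.LastWriteTime -ge $since } |
    Sort-Object LastWriteTime

if (-not $files) {
    Write-Warning "No .etl files newer than $since in $traceDir"
    return
}

$results = foreach ($f in $files) {
    $csv = Join-Path $outputFolder ($f.BaseName + '.csv')
    # Same invocation as the article, plus -y so an existing .csv is overwritten
    # instead of tracerpt stopping to ask.
    & tracerpt $f.FullName -o $csv -of CSV -y | Out-Null
    [pscustomobject]@{
        Trace     = $f.Name
        Written   = $f.LastWriteTime
        Csv       = $csv
        ExitCode  = $LASTEXITCODE
        Converted = ($LASTEXITCODE -eq 0 -and (Test-Path -LiteralPath $csv))
    }
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Converted })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) trace file(s) did not convert; check the ExitCode column."
}
```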
2. Select the three dots at the top right-hand corner to show the menu, then select
About.
3. In the section Reset user data, select Reset. To confirm you want to reset your user
data, select Continue.
1. Open PowerShell.
2. Change the directory to where the Remote Desktop client is installed, by default
this is C:\Program Files\Remote Desktop .
3. Run the following command to reset user data. You'll be prompted to confirm you
want to reset your user data.
PowerShell
.\msrdcw.exe /reset
You can also add the /f option, where your user data will be reset without
confirmation:
PowerShell
.\msrdcw.exe /reset /f
1. Open the Group Policy Management Console (GPMC) for session hosts managed
with Active Directory or the Local Group Policy Editor console and edit the policy
that targets your session hosts.
3. Set the policy setting Allow users to connect remotely using Remote Desktop
Services to Enabled.
For Intune:
3. Set the policy setting Allow users to connect remotely using Remote Desktop
Services to Enabled.
You're using a device that is Azure AD-joined or hybrid Azure AD-joined to the
same Azure AD tenant as the session host.
The PKU2U protocol is enabled on both the local PC and the session host.
Per-user multi-factor authentication is disabled for the user account as it's not
supported for Azure AD-joined VMs.
The sign-in method you're trying to use isn't allowed
If you come across an error saying The sign-in method you're trying to use isn't
allowed. Try a different sign-in method or contact your system administrator, you
have Conditional Access policies restricting access. Follow the instructions in Enforce
Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using
Conditional Access to enforce Azure Active Directory Multi-Factor Authentication for
your Azure AD-joined VMs.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Value Name          Type    Value Data
DisabledByDefault   DWORD   0
Enabled             DWORD   1

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
Value Name          Type    Value Data
DisabledByDefault   DWORD   0
Enabled             DWORD   1

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
Value Name                Type    Value Data
SystemDefaultTlsVersions  DWORD   1
SchUseStrongCrypto        DWORD   1
You can configure these registry values by opening PowerShell as an administrator and
running the following commands:
PowerShell
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWORD' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWORD' -Force
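The commands above (and the identical set in the earlier Windows client article) write the Schannel values but give you no way to confirm the result, and they do not touch the two .NETFramework values the table also lists. The following read-only audit script is an added example, not part of the Microsoft article: it compares all six documented values against what is actually in the registry and reports each as OK, MISMATCH or not set. Run it in an elevated PowerShell on the session host; the output layout and the non-zero exit code on mismatch are assumptions.

```powershell
# Added example: audit the TLS 1.2 registry values from the table above without
# changing anything. A value that is absent is reported as "not set"; Schannel
# then falls back to its built-in default for that OS version, which is why the
# article tells you to create the values explicitly.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'

$expected = @(
    @{ Path = "$schannel\Client"; Name = 'Enabled';                  Value = 1 },
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault';        Value = 0 },
    @{ Path = "$schannel\Server"; Name = 'Enabled';                  Value = 1 },
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault';        Value = 0 },
    @{ Path = $dotnet;            Name = 'SystemDefaultTlsVersions'; Value = 1 },
    @{ Path = $dotnet;            Name = 'SchUseStrongCrypto';       Value = 1 }
)

$results = foreach ($e in $expected) {
    $actual = $null
    if (Test-Path -LiteralPath $e.Path) {
        # -ErrorAction SilentlyContinue returns $null when the value does not exist.
        $item = Get-ItemProperty -LiteralPath $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($e.Name) }
    }
    [pscustomobject]@{
        Key      = $e.Path
        Name     = $e.Name
        Expected = $e.Value
        Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
        Status   = if ($actual -eq $e.Value) { 'OK' } else { 'MISMATCH' }
    }
}

$results | Format-Table -Property Name, Expected, Actual, Status, Key -AutoSize -Wrap

$mismatches = @($results | Where-Object { $_.Status -eq 'MISMATCH' })
if ($mismatches.Count -gt 0) {
    Write-Warning ("{0} TLS 1.2 value(s) differ from the documented settings; " +
                   "apply the New-ItemProperty commands above and re-run this check.") -f $mismatches.Count
    exit 1
}
Write-Host 'All documented TLS 1.2 registry values are present and correct.'
```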
This article describes issues you may experience with the Remote Desktop Web client
when connecting to Azure Virtual Desktop and how to fix them.
General
In this section you'll find troubleshooting guidance for general issues with the Remote
Desktop client.
If you're using the correct account, make sure your application group is associated with
a workspace.
If you've answered "no" to either of those questions, you'll need to reconfigure your
multifactor authentication. To reconfigure your multifactor authentication, follow the
instructions in Enforce Microsoft Entra multifactor authentication for Azure Virtual
Desktop using Conditional Access.
Important
If you can access your Microsoft Entra sign-in logs through Log Analytics, you can see if
you've enabled multifactor authentication and which Conditional Access policy is
triggering the event. The events shown are non-interactive user login events for the VM,
which means the IP address will appear to come from the external IP address that your
VM accesses Microsoft Entra ID from.
You can access your sign-in logs by running the following Kusto query:
Kusto
To resolve this issue, you'll need to either reduce the size of the browser window so a
smaller resolution will be used, or disconnect all existing connections and try connecting
again. If you still encounter this issue after doing these things, contact your admin for
help.
Network
In this section you'll find troubleshooting guidance for network issues with the Remote
Desktop client.
1. Test your internet connection by opening another website in your browser, for
example https://www.bing.com.
PowerShell
nslookup client.wvd.microsoft.com
If neither of these work you most likely have a problem with your network connection.
Contact your network admin for help.
Tip
For the URLs of other Azure environments, such as Azure US Gov and Azure
operated by 21Vianet, see Connect to Azure Virtual Desktop with the Remote
Desktop Web client.
Authentication and identity
In this section you'll find troubleshooting guidance for authentication and identity issues
with the Remote Desktop client.
This article describes issues you may experience with the Remote Desktop client for
macOS when connecting to Azure Virtual Desktop and how to fix them.
General
In this section you'll find troubleshooting guidance for general issues with the Remote
Desktop client.
If you're using the correct account, make sure your application group is associated with
a workspace.
Important
If you have integrated Microsoft Entra logs with Azure Monitor logs to access your
Microsoft Entra sign-in logs through Log Analytics, you can see if you've enabled
multifactor authentication and which Conditional Access policy is triggering the event.
The events shown are non-interactive user login events for the VM, which means the IP
address will appear to come from the external IP address from which your VM accesses
Microsoft Entra ID.
You can access your sign-in logs by running the following Kusto query:
Kusto
Collect logs
Here's how to collect logs from the Remote Desktop client for macOS:
1. Open Microsoft Remote Desktop and make sure there aren't any connections to
devices or apps.
2. From the macOS menu bar, select Help, followed by Troubleshooting, then select
Logging.
4. For When logging, write the output to, select the drop-down menu, then select
Choose Folder and choose which folder to save the logs to.
6. Use the Remote Desktop client as you normally would. If you have an issue,
reproduce it.
7. Once you're finished, select Stop Logging. You can find the log file in the directory
you chose to save the logs to. You can open the files in a text editor, or provide
them to support.
1. Delete any workspaces from the Remote Desktop client. For more information, see
Edit, refresh, or delete a workspace.
6. Copy the first part of the value for Account, up to the first hyphen, for example
70f0a61f.
10. Try to subscribe to a workspace again. For more information, see Connect to Azure
Virtual Desktop with the Remote Desktop client for macOS.
Display
In this section you'll find troubleshooting guidance for display issues with the Remote
Desktop client.
This article describes issues you may experience with the Remote Desktop client for iOS
and iPadOS when connecting to Azure Virtual Desktop and how to fix them.
General
In this section you'll find troubleshooting guidance for general issues with the Remote
Desktop client.
If you're using the correct account, make sure your application group is associated with
a workspace.
If you've answered "no" to either of those questions, you'll need to reconfigure your
multi-factor authentication. To reconfigure your multi-factor authentication, follow the
instructions in Enforce Azure Active Directory Multi-Factor Authentication for Azure
Virtual Desktop using Conditional Access.
Important
If you can access your Azure AD sign-in logs through Log Analytics, you can see if
you've enabled multi-factor authentication and which Conditional Access policy is
triggering the event. The events shown are non-interactive user login events for the VM,
which means the IP address will appear to come from the external IP address that your
VM accesses Azure AD from.
You can access your sign-in logs by running the following Kusto query:
Kusto
4. Try to subscribe to a workspace again. For more information, see Connect to Azure
Virtual Desktop with the Remote Desktop client for iOS and iPadOS.
5. Toggle Delete on App Launch to Off once you can connect again.
This article describes issues you may experience with the Remote Desktop client for
Android and Chrome OS when connecting to Azure Virtual Desktop and how to fix
them.
General
In this section you'll find troubleshooting guidance for general issues with the Remote
Desktop client.
If you're using the correct account, make sure your application group is associated with
a workspace.
If you've answered "no" to either of those questions, you'll need to reconfigure your
multi-factor authentication. To reconfigure your multi-factor authentication, follow the
instructions in Enforce Azure Active Directory Multi-Factor Authentication for Azure
Virtual Desktop using Conditional Access.
Important
If you can access your Azure AD sign-in logs through Log Analytics, you can see if
you've enabled multi-factor authentication and which Conditional Access policy is
triggering the event. The events shown are non-interactive user login events for the VM,
which means the IP address will appear to come from the external IP address that your
VM accesses Azure AD from.
You can access your sign-in logs by running the following Kusto query:
Kusto
This article describes issues you may experience with the Remote Desktop app for
Windows when connecting to Azure Virtual Desktop and how to fix them.
General
In this section you'll find troubleshooting guidance for general issues with the Remote
Desktop app.
If you're using the correct account, make sure your application group is associated with
a workspace.
If you've answered "no" to either of those questions, you'll need to reconfigure your
multi-factor authentication. To reconfigure your multi-factor authentication, follow the
instructions in Enforce Azure Active Directory Multi-Factor Authentication for Azure
Virtual Desktop using Conditional Access.
Important
If you can access your Azure AD sign-in logs through Log Analytics, you can see if
you've enabled multi-factor authentication and which Conditional Access policy is
triggering the event. The events shown are non-interactive user login events for the VM,
which means the IP address will appear to come from the external IP address that your
VM accesses Azure AD from.
You can access your sign-in logs by running the following Kusto query:
Kusto
To diagnose experience quality issues with your remote sessions, counters have been
provided under the RemoteFX Graphics section of Performance Monitor. This article
helps you pinpoint and fix graphics-related performance bottlenecks during Remote
Desktop Protocol (RDP) sessions using these counters.
Note
While counters have RemoteFX in their names, they include remote desktop
graphics in vGPU scenarios as well.
The selected performance counters will appear on the Performance Monitor screen.
Note
Each active session on a host has its own instance of each performance counter.
Diagnose issues
Graphics-related performance issues generally fall into four categories:
A high value for any of the Frames Skipped/Second counters implies that the problem is
related to the resource the counter tracks. For example, if the client doesn't decode and
present frames at the same rate the server provides the frames, the Frames
Skipped/Second (Insufficient Client Resources) counter will be high.
If the Output Frames/Second counter matches the Input Frames/Second counter, yet
you still notice unusual lag or stalling, Average Encoding Time may be the culprit.
Encoding is a synchronous process that occurs on the server in the single-session
(vGPU) scenario and on the VM in the multi-session scenario. Average Encoding Time
should be under 33 ms. If Average Encoding Time is under 33 ms but you still have
performance issues, there may be an issue with the app or operating system you are
using.
For more information about diagnosing app-related issues, see User Input Delay
performance counters.
Because RDP supports an Average Encoding Time of 33 ms, it supports an input frame
rate up to 30 frames/second. Note that 30 frames/second (one frame every 33 ms) is the
maximum supported frame rate. In many cases, the frame rate experienced by the user
will be lower, depending on how often a frame is provided to RDP by the source. For
example, tasks like watching a video require a full input frame rate of 30 frames/second,
but less computationally intensive tasks like infrequently editing a document result in a
much lower value for Input Frames/Second with no degradation in the user's experience
quality.
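The diagnosis described above is a manual read of Performance Monitor. The following script is an added example, not part of the Microsoft article: it samples the same RemoteFX Graphics counters for every active session on a session host and applies the article's rules (a non-zero Frames Skipped/Second counter points at the resource it tracks; Average Encoding Time should stay under 33 ms; Output Frames/Second should keep up with Input Frames/Second). The English counter names are those of the RemoteFX Graphics counter set; the sample count, the interval and the skip threshold of 1 frame/second are assumptions. Run it on the session host while the affected user is connected.

```powershell
# Added example: classify graphics bottlenecks per session from RemoteFX Graphics counters.
$counterSet = 'RemoteFX Graphics'
$names = @(
    'Average Encoding Time',
    'Input Frames/Second',
    'Output Frames/Second',
    'Frames Skipped/Second - Insufficient Server Resources',
    'Frames Skipped/Second - Insufficient Network Resources',
    'Frames Skipped/Second - Insufficient Client Resources'
)
# "(*)" selects every session instance; each active session has its own instance.
$paths = $names | ForEach-Object { "\$counterSet(*)\$_" }

# Assumptions: five samples one second apart, averaged per session.
try {
    $samples = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples 5 -ErrorAction Stop
} catch {
    throw "Could not read '$counterSet' counters (no active sessions, or not a session host?): $_"
}

$report = foreach ($group in ($samples.CounterSamples | Group-Object InstanceName)) {
    $avg = @{}
    foreach ($name in $names) {
        # Counter paths come back lower-cased; -like is case-insensitive so this still matches.
        $values = $group.Group | Where-Object { $_.Path -like "*\$name" } |
            Select-Object -ExpandProperty CookedValue
        $avg[$name] = if ($values) { ($values | Measure-Object -Average).Average } else { 0 }
    }

    $findings = @()
    $skipThreshold = 1   # assumption: frames/second; the article only says "a high value"
    if ($avg['Frames Skipped/Second - Insufficient Server Resources']  -gt $skipThreshold) { $findings += 'server resources (CPU/GPU on the session host)' }
    if ($avg['Frames Skipped/Second - Insufficient Network Resources'] -gt $skipThreshold) { $findings += 'network bandwidth or latency' }
    if ($avg['Frames Skipped/Second - Insufficient Client Resources']  -gt $skipThreshold) { $findings += 'client decode/present capacity' }
    if ($avg['Average Encoding Time'] -gt 33) { $findings += 'encoding time above the 33 ms budget' }
    if ($avg['Input Frames/Second'] -gt 0 -and
        $avg['Output Frames/Second'] -lt (0.9 * $avg['Input Frames/Second'])) {
        $findings += 'output frame rate trailing input frame rate'
    }
    if (-not $findings) {
        # Matching input/output and encoding under 33 ms: per the article, look at the
        # app or OS (User Input Delay counters) rather than the graphics pipeline.
        $findings += 'no graphics bottleneck detected; check User Input Delay counters'
    }

    [pscustomobject]@{
        Session          = $group.Name
        InputFps         = [math]::Round($avg['Input Frames/Second'], 1)
        OutputFps        = [math]::Round($avg['Output Frames/Second'], 1)
        EncodeMs         = [math]::Round($avg['Average Encoding Time'], 1)
        SkippedServer    = [math]::Round($avg['Frames Skipped/Second - Insufficient Server Resources'], 1)
        SkippedNetwork   = [math]::Round($avg['Frames Skipped/Second - Insufficient Network Resources'], 1)
        SkippedClient    = [math]::Round($avg['Frames Skipped/Second - Insufficient Client Resources'], 1)
        LikelyBottleneck = ($findings -join '; ')
    }
}

$report | Format-Table -AutoSize -Wrap
```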
Mitigation
If server resources are causing the bottleneck, try one of the following approaches to
improve performance:
If network resources are causing the bottleneck, try one of the following approaches to
improve network availability per session:
Note
We currently don't support the Source Frames/Second counter. For now, the Source
Frames/Second counter will always display 0.
Next steps
To create a GPU-optimized Azure virtual machine, see Configure graphics
processing unit (GPU) acceleration for Azure Virtual Desktop environment.
For an overview of troubleshooting and escalation tracks, see Troubleshooting
overview, feedback, and support.
To learn more about the service, see Windows Desktop environment.
Troubleshoot connections to Microsoft Entra joined VMs
Article • 10/12/2023
Important
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects.
Use this article to resolve issues with connections to Microsoft Entra joined session host
VMs in Azure Virtual Desktop.
All clients
Have you assigned the Virtual Machine User Login role-based access control
(RBAC) permission to the virtual machine (VM) or resource group for each user?
Does your Conditional Access policy exclude multifactor authentication
requirements for the Azure Windows VM sign-in cloud application?
If you've answered "no" to either of those questions, you'll need to reconfigure your
multifactor authentication. To reconfigure your multifactor authentication, follow the
instructions in Enforce Microsoft Entra multifactor authentication for Azure Virtual
Desktop using Conditional Access.
Important
VM sign-ins don't support per-user enabled or enforced Microsoft Entra multifactor
authentication. If you try to sign in with multifactor authentication on a VM, you
won't be able to sign in and will receive an error message.
If you can access your Microsoft Entra sign-in logs through Log Analytics, you can see if
you've enabled multifactor authentication and which Conditional Access policy is
triggering the event. The events shown are non-interactive user login events for the VM,
which means the IP address will appear to come from the external IP address that your
VM accesses Microsoft Entra ID from.
You can access your sign-in logs by running the following Kusto query:
Kusto
You're using a device that is Microsoft Entra joined or Microsoft Entra hybrid joined
to the same Microsoft Entra tenant as the session host.
The PKU2U protocol is enabled on both the local PC and the session host.
Per-user multifactor authentication is disabled for the user account as it's not
supported for Microsoft Entra joined VMs.
Web client
Provide feedback
Visit the Azure Virtual Desktop Tech Community to discuss the Azure Virtual Desktop
service with the product team and active community members.
Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while creating an Azure Virtual Desktop environment and
host pool in an Azure Virtual Desktop environment, see Environment and host pool
creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To go through a troubleshoot tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.
Troubleshoot device redirections for Azure Virtual Desktop
Article • 11/14/2023
Important
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure
Virtual Desktop objects.
Use this article to resolve issues with device redirections in Azure Virtual Desktop.
WebAuthn redirection
If WebAuthn requests from the session aren't redirected to the local PC, check to make
sure you've fulfilled the following requirements:
If you've answered "yes" to both of the earlier questions but still don't see the option to
use Windows Hello for Business or security keys when accessing Microsoft Entra
resources, make sure you've enabled the FIDO2 security key method for the user
account in Microsoft Entra ID. To enable this method, follow the directions in Enable
FIDO2 security key method.
If a user signs in to the session host with a single-factor credential like username and
password, then tries to access a Microsoft Entra resource that requires MFA, they may
not be able to use Windows Hello for Business. The user should follow these instructions
to authenticate properly:
1. If the user isn't prompted for a user account, they should first sign out.
2. On the account selection page, select Use another account.
3. Next, choose Sign-in options at the bottom of the window.
4. After that, select Sign in with Windows Hello or a security key. They should see an
option to select Windows Hello or security authentication methods.
Provide feedback
Visit the Azure Virtual Desktop Tech Community to discuss the Azure Virtual Desktop
service with the product team and active community members.
Next steps
For an overview on troubleshooting Azure Virtual Desktop and the escalation
tracks, see Troubleshooting overview, feedback, and support.
To troubleshoot issues while creating an Azure Virtual Desktop environment and
host pool in an Azure Virtual Desktop environment, see Environment and host pool
creation.
To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual
Desktop, see Session host virtual machine configuration.
To troubleshoot issues related to the Azure Virtual Desktop agent or session
connectivity, see Troubleshoot common Azure Virtual Desktop Agent issues.
To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see
Azure Virtual Desktop PowerShell.
To go through a troubleshooting tutorial, see Tutorial: Troubleshoot Resource
Manager template deployments.
Troubleshoot Azure Virtual Desktop Insights
Article • 09/12/2023
This article presents known issues and solutions for common problems in Azure Virtual
Desktop Insights.
Important
The Log Analytics Agent is currently being deprecated. If you use the Log
Analytics Agent for Azure Virtual Desktop support, you'll eventually need to
migrate to the Azure Monitor Agent by August 31, 2024.
First, make sure you've set up correctly with the configuration workbook as
described in Use Azure Virtual Desktop Insights to monitor your deployment.
If you're missing any counters or events, the data associated with them won't
appear in the Azure portal.
Check your access permissions & contact the resource owners to request
missing permissions; anyone monitoring Azure Virtual Desktop requires the
following permissions:
Read-access to the Azure resource groups that hold your Azure Virtual
Desktop resources
Read-access to the subscription's resource groups that hold your Azure
Virtual Desktop session hosts
Read-access to whichever Log Analytics workspaces you're using
You may need to open outgoing ports in your server's firewall to allow Azure
Monitor to send data to the portal. To learn how to do this, see Firewall
requirements.
If you're not seeing data from recent activity, you may need to wait for 15
minutes and refresh the feed. Azure Monitor has a 15-minute latency period
for populating log data. To learn more, see Log data ingestion time in Azure
Monitor.
If you're not missing any information but your data still isn't displaying properly,
there may be an issue in the query or the data sources. For more information, see
known issues and limitations.
By design, custom Workbook templates will not automatically adopt updates from the
product group. For more information, see Troubleshooting workbook-based insights
and the Workbooks overview.
To save favorite settings, you have to save a custom template of the workbook.
Custom templates won't automatically adopt updates from the product group.
The configuration workbook will sometimes show query failed errors when loading
your selections. Refresh the query, reenter your selection if needed, and the error
should resolve itself.
Some error messages aren't phrased in a user-friendly way, and not all error
messages are described in documentation.
The total sessions performance counter can over-count sessions by a small number
and your total sessions may appear to go above your Max Sessions limit.
Available sessions count doesn't reflect scaling policies on the host pool.
Do you see contradicting or unexpected connection times? While rare, a
connection's completion event can go missing and can impact some visuals and
metrics.
Time to connect includes the time it takes users to enter their credentials; this
correlates to the experience but in some cases can show false peaks.
Next steps
To get started, see Use Azure Virtual Desktop Insights to monitor your deployment.
To estimate, measure, and manage your data storage costs, see Estimate Azure
Monitor costs.
Check out our glossary to learn more about terms and concepts related to Azure
Virtual Desktop Insights.
Troubleshoot Azure Files authentication with Active Directory
Article • 10/12/2023
This article describes common issues related to Azure Files authentication with an Active
Directory Domain Services (AD DS) domain or Microsoft Entra Domain Services
managed domain, and suggestions for how to fix them.
Here are the most common reasons users may come across issues:
Ignoring any warning messages that appear when creating the account in
PowerShell. Ignoring warnings may cause the new account to have incorrectly
configured settings. To fix this issue, you should delete the domain account that
represents the storage account and try again.
The account is using an incorrect organizational unit (OU). To fix this issue, reenter
the OU as a distinguished name: one OU= component per nesting level, followed by the
DC= components of the domain. Note that DC= names a domain component, not an OU, so a
value made only of DC= parts doesn't identify an OU at all:
PowerShell
OU=ouname,DC=domainprefix,DC=topleveldomain
For example:
PowerShell
OU=storageAccounts,DC=wvdcontoso,DC=com
If the storage account doesn't instantly appear in your Microsoft Entra ID, don't
worry. It usually takes 30 minutes for a new storage account to sync with Microsoft
Entra ID, so be patient. If the sync doesn't happen after 30 minutes, see the next
section.
The Read & Execute and List folder content NTFS permissions.
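The checks below are an added example, not code from the original article: before retrying the join, they validate that the OU value really is an OU distinguished name, that the OU exists, and that the AD computer object representing the storage account landed under it. The ActiveDirectory RSAT module, the computer-account join type, the storage account name and the OU are assumptions and placeholders; the cifs/ service principal name check is an assumption about how Azure Files registers the account, so verify it against your own object.

```powershell
# Added example, not part of the original article. Assumptions: the ActiveDirectory module is
# installed on a domain-joined admin host, the storage account was joined as a computer
# account, and every name below is a placeholder.
Import-Module ActiveDirectory

function Test-OuDistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # One OU= per nesting level, then the DC= components of the domain.
    # 'DC=storageAccounts,DC=wvdcontoso,DC=com' fails: it names a non-existent domain, not an OU.
    return $DistinguishedName -match '^(OU=[^,]+,)+(DC=[^,]+,)*DC=[^,]+$'
}

function Get-StorageAccountAdState {
    param(
        [Parameter(Mandatory)][string]$StorageAccountName,
        [Parameter(Mandatory)][string]$ExpectedOu
    )
    if (-not (Test-OuDistinguishedName $ExpectedOu)) {
        throw "'$ExpectedOu' is not an OU distinguished name (expected OU=...,DC=...,DC=...)."
    }
    # Fails early if the OU itself doesn't exist (the cmdlet throws on an unknown DN).
    $null = Get-ADOrganizationalUnit -Identity $ExpectedOu -ErrorAction Stop

    # The storage account is represented by a computer object named after the account.
    $computer = Get-ADComputer -Filter "Name -eq '$StorageAccountName'" `
        -Properties DistinguishedName, ServicePrincipalNames, Enabled, whenCreated -ErrorAction Stop
    if (-not $computer) {
        return [pscustomobject]@{ Found = $false; InExpectedOu = $false; Object = $null }
    }

    # The object's DN must end with the OU we meant; otherwise it was created somewhere else.
    $inOu = $computer.DistinguishedName.EndsWith(",$ExpectedOu", [StringComparison]::OrdinalIgnoreCase)
    [pscustomobject]@{
        Found        = $true
        InExpectedOu = $inOu
        Enabled      = $computer.Enabled
        Created      = $computer.whenCreated
        # Assumption: the SMB client looks up cifs/<account>.file.core.windows.net for Kerberos.
        HasCifsSpn   = [bool]($computer.ServicePrincipalNames -like 'cifs/*.file.core.windows.net')
        Object       = $computer
    }
}

# Usage (placeholder names). If the object exists but sits in the wrong OU, remove it and rerun
# the join, which is the remediation the article describes; -Confirm keeps a human in the loop.
$state = Get-StorageAccountAdState -StorageAccountName 'stwvdprofiles01' `
    -ExpectedOu 'OU=storageAccounts,DC=wvdcontoso,DC=com'
$state | Format-List Found, InExpectedOu, Enabled, Created, HasCifsSpn
if ($state.Found -and -not $state.InExpectedOu) {
    Remove-ADComputer -Identity $state.Object -Confirm
}
```

Run it as a domain user who can read the OU and the computer object; deletion needs delegated rights on the container, and the 30-minute Entra ID sync the article mentions applies only after the object exists in the right place.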
Next steps
If you need to refresh your memory about the Azure Files setup process, see Set up
FSLogix Profile Container with Azure Files and Active Directory Domain Services or
Microsoft Entra Domain Services.
Troubleshooting connection quality in
Azure Virtual Desktop
Article • 07/01/2024
If you experience issues with graphical quality in your Azure Virtual Desktop connection,
you can use the Network Data diagnostic table to figure out what's going on. Graphical
quality during a connection is affected by many factors, such as network configuration,
network load, or virtual machine (VM) load. The Connection Network Data table can
help you figure out which factor is causing the issue.
In addition, the Azure Virtual Desktop connection depends on the internet connection
of the machine the user is using the service from. Users may lose connection or
experience input delay in one of the following situations:
The user doesn't have a stable local internet connection and the latency is over 200
ms.
The network is saturated or rate-limited.
Reduce the physical distance between end-users and the server. When possible,
your end-users should connect to VMs in the Azure region closest to them.
Check your compute resources by looking at CPU utilization and available memory
on your VM. You can view your compute resources by following the instructions in
Configuring performance counters to set up a performance counter to track
certain information. For example, you can use the Processor Information(_Total)\%
Processor Time counter to track CPU utilization, or the Memory(*)\Available
Mbytes counter for available memory. Both of these counters are enabled by
default in Azure Virtual Desktop Insights. If either counter shows sustained high CPU
usage or low available memory, your VM size or storage may be too small to support your
users' workloads, and you'll need to move to a larger size.
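The two checks the list above describes, as an added example that is not code from the original article: one function samples the two performance counters the article names on a session host and flags exhausted headroom, the other queries the connection network data table for connections whose average round-trip time exceeds the 200 ms the article cites. The CPU and memory thresholds, the WVDConnectionNetworkData and WVDConnections column names, and the workspace ID are assumptions; check the column names against your workspace schema.

```powershell
# Added example, not part of the original article. Requires Az.OperationalInsights and an
# authenticated Az session for the second function; the first runs locally on the host.
function Get-SessionHostLoad {
    param(
        [int]$Samples = 5,
        [int]$IntervalSeconds = 2,
        [double]$MaxCpuPercent = 85,    # assumption: treat >85% average as saturated
        [int]$MinFreeMBytes = 1024      # assumption: treat <1 GB free as starved
    )
    # Memory has no instances, so the local path is \Memory\Available MBytes; this is the
    # counter the article spells Memory(*)\Available Mbytes in Insights.
    $paths = '\Processor Information(_Total)\% Processor Time', '\Memory\Available MBytes'
    $samples = (Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples).CounterSamples

    $cpu = ($samples | Where-Object Path -like '*\% processor time' |
            Measure-Object -Property CookedValue -Average).Average
    $mem = ($samples | Where-Object Path -like '*\available mbytes' |
            Measure-Object -Property CookedValue -Minimum).Minimum

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        AvgCpuPercent = [math]::Round($cpu, 1)
        MinFreeMBytes = [int]$mem
        CpuSaturated  = $cpu -gt $MaxCpuPercent
        MemoryStarved = $mem -lt $MinFreeMBytes
    }
}

function Find-HighLatencyConnections {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,   # Log Analytics workspace GUID
        [int]$RttThresholdMs = 200,                   # the figure the article uses
        [int]$LookbackHours = 24
    )
    # KQL over the connection network data table, joined back to WVDConnections for the
    # user and session host (column names are assumptions; verify in your workspace).
    $kql = @"
WVDConnectionNetworkData
| where TimeGenerated > ago(${LookbackHours}h)
| summarize AvgRttMs = avg(EstRoundTripTimeInMs),
            MinBandwidthKBps = min(EstAvailableBandwidthKBps) by CorrelationId
| where AvgRttMs > $RttThresholdMs
| join kind=inner (
    WVDConnections
    | where State == "Connected"
    | project CorrelationId, UserName, SessionHostName, ClientOS
  ) on CorrelationId
| project UserName, SessionHostName, ClientOS, AvgRttMs, MinBandwidthKBps
| order by AvgRttMs desc
"@
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql).Results
}

# Usage on the session host under investigation:
Get-SessionHostLoad | Format-List
# Usage from an admin workstation (placeholder workspace ID):
# Find-HighLatencyConnections -WorkspaceId '00000000-0000-0000-0000-000000000000' | Format-Table
```

A host that reports CpuSaturated or MemoryStarved while users complain points at VM sizing; a clean host with connections over the RTT threshold points at the client's network or the region choice, which is the distinction the article asks you to make.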
Next steps
For more information about how to diagnose connection quality, see Connection quality
in Azure Virtual Desktop.
If you're having issues when using RDP Shortpath for public networks, use the
information in this article to help troubleshoot.
You can run avdnettest.exe by double-clicking the file, or running it from the command
line. The output will look similar to this if connectivity is successful:
You have access to TURN servers and your NAT type appears to be 'cone
shaped'.
Shortpath for public networks is very likely to work on this host.
ShortpathTransportNetworkDrop
For TCP we differentiate two different paths - the session host to the gateway, and the
gateway to client - but that doesn’t make sense for UDP since there isn't a gateway. The
other distinction for TCP is that in many cases one of the endpoints, or maybe some
infrastructure in the middle, generates a TCP Reset packet (RST control bit), which causes
a hard shutdown of the TCP connection. This works because TCP RST (and also TCP FIN
for graceful shutdown) is handled by the operating system and also some routers, but
not the application. This means that if an application crashes, Windows will notify the
peer that the TCP connection is gone, but no such mechanism exists for UDP.
ShortpathTransportReliabilityThresholdFailure
This error gets triggered if a specific packet doesn’t get through, even though the
connection isn't dead. The packet is resent up to 50 times, so it's unlikely but can
happen in the following scenarios:
1. The connection was very fast and stable before it suddenly stopped working. The
timeout required until a packet is declared lost depends on the round-trip time
(RTT) between the client and session host. If the RTT is very low, one side can try to
resend a packet very frequently, so the time it takes to reach 50 tries can be less
than the usual timeout value of 17 seconds.
2. The packet is very large. The maximum packet size that can be transmitted is
limited. The size of the packet is probed, but it can fluctuate and sometimes shrink.
If that happens, it's possible that the packet being sent is too large and will
consistently fail.
ConnectionBrokenMissedHeartbeatThresholdExceeded
This is an RDP-level timeout. Due to misconfiguration, the RDP level timeout would
sometimes trigger before the UDP-level timeout.
Important
Call redirection is currently in PREVIEW. See the Supplemental Terms of Use for
Microsoft Azure Previews for legal terms that apply to Azure features that are in
beta, preview, or otherwise not yet released into general availability.
This article describes known issues and troubleshooting instructions for multimedia
redirection for Azure Virtual Desktop and Windows 365.
In the first browser tab a user opens, the extension pop-up might show the
message The extension is not loaded or a message that says video playback or
call redirection isn't supported while redirection is working correctly in the tab. You
can resolve this issue by opening a second tab.
Multimedia redirection only works on Windows. Any other platforms, such as the
macOS, iOS, Android, or connecting to a remote session in a web browser on any
platform, don't support multimedia redirection.
If you aren't using the default window size settings for video players (for example, the
player isn't fitted to the window or the window isn't maximized), parts of the video
player might not appear correctly. If you encounter this issue, change the settings back
to the defaults.
If your monitor or browser scale factor isn't set to 100%, you might see a grey
pattern appear on the video screen.
If you access a video site, sometimes the video remains in a loading or buffering
state but never actually starts playing. For now, you can make videos load again by
signing out of your remote session and signing in again.
When you disconnect from a remote session, call redirection might stop working.
You can make redirection start working again by refreshing the webpage.
If you see issues on a supported WebRTC audio calling site and enabled the Enable
video playback for all sites setting in the multimedia redirection extension pop-
up, disable the setting and try again.
Installing the extension on host machines with the MSI installer prompts users to
accept the extension the first time they open the browser, or displays a warning or
error message. If users deny this prompt, the extension might not load. To avoid this
issue, install the extension by using group policy instead.
Sometimes the host and client version number disappears from the extension
status message, which prevents the extension from loading on websites that
support it. If you installed the extension correctly, this issue is because your host
machine doesn't have the latest C++ Redistributable installed. To fix this issue,
install the latest supported Visual C++ Redistributable downloads.
If calls aren't going through, certain features don't work as expected while multimedia
redirection is enabled, or multimedia redirection doesn't enable at all, you must submit
a Microsoft support ticket.
If you encounter any video playback issues that this guide doesn't address or resolve,
submit a Microsoft support ticket.
Collect logs
If a web page isn't working as expected with multimedia redirection, you can collect logs
to help troubleshoot the issue. To collect logs:
4. Reproduce the issue on the web page, then select the extension icon again and for
Collect logs, select Stop. Your browser automatically prompts you to download
one or more log files that you can save and use with support cases.
Next steps
For more information about this feature and how it works, see What is multimedia
redirection for Azure Virtual Desktop?.
To learn how to use this feature, see Multimedia redirection for Azure Virtual Desktop.
This article describes known issues and limitations for Teams on Azure Virtual Desktop,
as well as how to log issues and contact support.
For Teams known issues that aren't related to virtualized environments, see Support
Teams in your organization.
To resolve the issue, either redeploy session hosts using the latest marketplace image
where the WebRTC Redirector Service is pre-installed, or install it separately. You can
find the download link and steps at Install the Remote Desktop WebRTC Redirector
Service.
If you encounter issues with calls and meetings, you can start collecting Teams
diagnostic logs with the key combination Ctrl + Alt + Shift + 1. Logs will be written to
%userprofile%\Downloads\MSTeams Diagnostics Log DATE_TIME.txt on the host VM.
Contact Microsoft Teams support
To contact Microsoft Teams support, go to the Microsoft 365 admin center.
Next steps
Learn more about how to set up Teams on Azure Virtual Desktop at Use Microsoft
Teams on Azure Virtual Desktop.
Learn more about the WebRTC Redirector Service for Teams on Azure Virtual Desktop at
What's new in the WebRTC Redirector Service.
Custom image templates in Azure Virtual Desktop enable you to easily create a custom
image that you can use when deploying session host virtual machines (VMs). This article
helps troubleshoot some issues you could run into.
In this resource group is a storage account with a blob container called packerlogs. In
the container is a folder named with a GUID in which you'll find the log file. Entries for
built-in scripts you use to customize your image begin Starting AVD AIB Customization:
{Script name}: {Timestamp}, to help you locate any errors related to the scripts.
To learn how to interpret Azure Image Builder logs, see Troubleshoot Azure VM Image
Builder.
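The log retrieval and the "Starting AVD AIB Customization" entries described above, as an added example that is not code from the original article: one function downloads the most recent blob from the packerlogs container, the other walks the log and attributes error lines to the built-in script that was running when they appeared. Az.Storage, a signed-in Az session with blob read rights, the staging resource group and storage account names, and the choice of the newest blob as the log file are assumptions; the sample log lines are constructed, not from a real build.

```powershell
# Added example, not part of the original article. Names and paths are placeholders.
function Get-AibCustomizationEvents {
    param([Parameter(Mandatory)][string[]]$LogLines)
    # Built-in script entries look like: Starting AVD AIB Customization: <Script name>: <Timestamp>
    $start = [regex]'Starting AVD AIB Customization:\s*(?<script>[^:]+):\s*(?<stamp>.+)$'
    $current = $null
    foreach ($line in $LogLines) {
        $m = $start.Match($line)
        if ($m.Success) {
            $current = $m.Groups['script'].Value.Trim()
            [pscustomobject]@{ Kind = 'Start'; Script = $current; Detail = $m.Groups['stamp'].Value.Trim() }
        }
        elseif ($line -match '(?i)\b(error|exception|failed|denied)\b') {
            # A failure line is attributed to the script that was running when it appeared.
            [pscustomobject]@{ Kind = 'Error'; Script = $current; Detail = $line.Trim() }
        }
    }
}

function Get-AibPackerLogLines {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,   # the staging resource group
        [Parameter(Mandatory)][string]$StorageAccountName,
        [string]$Destination = (Join-Path $env:TEMP 'packerlogs')
    )
    $null = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -ErrorAction Stop
    # Sign-in based access (Storage Blob Data Reader is enough) rather than the account key.
    $ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount
    $blob = Get-AzStorageBlob -Container 'packerlogs' -Context $ctx |
        Sort-Object LastModified -Descending | Select-Object -First 1
    if (-not $blob) { throw "No blobs in the packerlogs container of $StorageAccountName." }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # Blob names carry the GUID folder; keep only the file name locally.
    $local = Join-Path $Destination ([IO.Path]::GetFileName($blob.Name))
    $null = Get-AzStorageBlobContent -Blob $blob.Name -Container 'packerlogs' -Destination $local -Context $ctx -Force
    Get-Content -Path $local
}

# Constructed sample lines (not a real log) so the parser can be exercised offline:
$sample = @(
    'PACKER OUT Starting AVD AIB Customization: Install Language Packs: 01/15/2024 10:03:12',
    'PACKER OUT Installing en-GB',
    'PACKER OUT Starting AVD AIB Customization: Disable Storage Sense: 01/15/2024 10:09:47',
    'PACKER ERR Set-ItemProperty : Access to the registry key is denied.',
    'PACKER OUT Starting AVD AIB Customization: Remove Appx Packages: 01/15/2024 10:09:50'
)
Get-AibCustomizationEvents -LogLines $sample | Format-Table -AutoSize

# Live use (placeholder names):
# Get-AibCustomizationEvents -LogLines (Get-AibPackerLogLines -ResourceGroupName 'rg-avd-image-staging' `
#     -StorageAccountName 'stavdaiblogs01') | Where-Object Kind -eq 'Error'
```

On the constructed sample the error row is attributed to Disable Storage Sense, which is the script that was running when the access-denied line was written; that attribution is the point of reading the log this way rather than searching it for the word "error".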
Important
Microsoft Support doesn't handle issues for any customer created scripts, or any
scripts or templates copied from a Microsoft repository and modified. You are
welcome to collaborate and improve these tools in our GitHub repository , where
you can open an issue. For more information, see Why do we not support
customer or third party scripts?
Script is unavailable
If you see the message Resource <URI> is unavailable. Please check the file exists, and
that Image Builder can access it, check the Uniform Resource Identifier (URI) for your
script. This needs to be a publicly available location, such as GitHub or a web service.
The generation for the source image is shown when you select the image you want to
use. You can check the generation of the VM image definition in the Azure portal, Azure
CLI using the az sig image-definition list reference command, or PowerShell using the
Get-AzGalleryImageDefinition cmdlet.
User Configuration > Administrative Templates > Control Panel > Regional
and Language Options > Restrict Language Pack and Language Feature
Installation
Your session hosts can connect to Windows Update to download languages and
latest cumulative updates.
If you're having issues when using app attach, use the information in this article to help
troubleshoot.
1. Download and install PsExec from Microsoft Sysinternals on a session host in your
host pool.
2. Open PowerShell as an administrator and run the following command, which will
start a new PowerShell session as the system account:
PowerShell
PsExec.exe -s -i powershell.exe
3. Verify that the context of the PowerShell session is the system account by running
the following command:
PowerShell
whoami
Output
nt authority\system
4. Mount an MSIX image from the file share manually by using one of the following
examples, changing the UNC paths to your own values.
PowerShell
Mount-DiskImage -ImagePath \\fileshare\msix\MyApp.vhdx
To mount an MSIX image in .cim format, run the following commands. The
CimDiskImage PowerShell module from the PowerShell Gallery will be
installed, if it's not already.
If the MSIX image mounts successfully, your session hosts have the necessary access to
the file share containing your MSIX images.
PowerShell
Get-CimDiskImage | Dismount-CimDiskImage
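The procedure above as one script, added here as an example and not code from the original article. It refuses to run unless the shell really is the SYSTEM account, because app attach stages images as SYSTEM and therefore reaches the share as the session host's computer account; a mount that succeeds under your own user account proves nothing about that path. Mount-DiskImage and Dismount-DiskImage ship with Windows; Mount-CimDiskImage, Get-CimDiskImage and Dismount-CimDiskImage come from the CimDiskImage module named above, and the -PassThru behaviour of Mount-CimDiskImage is an assumption about that module. The UNC paths are placeholders.

```powershell
# Added example, not part of the original article. Run from the SYSTEM shell opened with:
#   PsExec.exe -s -i powershell.exe
function Test-AppAttachShareAccess {
    param([Parameter(Mandatory)][string[]]$ImagePath)

    # SYSTEM reaches the share as the computer account (DOMAIN\HOST$), which is the identity
    # app attach uses. A test under a user account says nothing about that access path.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($identity -ne 'NT AUTHORITY\SYSTEM') {
        throw "Running as '$identity'; relaunch with 'PsExec.exe -s -i powershell.exe' so the test uses the computer account."
    }

    foreach ($path in $ImagePath) {
        $result = [ordered]@{ ImagePath = $path; Mounted = $false; Error = $null }
        $ext = [IO.Path]::GetExtension($path).ToLowerInvariant()
        try {
            if ($ext -in '.vhd', '.vhdx') {
                # Read-only: a troubleshooting mount must never modify a production image.
                $null = Mount-DiskImage -ImagePath $path -Access ReadOnly -PassThru -ErrorAction Stop
                $result.Mounted = $true
                $null = Dismount-DiskImage -ImagePath $path -ErrorAction Stop
            }
            elseif ($ext -eq '.cim') {
                if (-not (Get-Module -ListAvailable -Name CimDiskImage)) {
                    Install-Module -Name CimDiskImage -Scope AllUsers -Force
                }
                Import-Module -Name CimDiskImage
                # Assumption: -PassThru returns the mounted image object. Dismounting that object
                # avoids 'Get-CimDiskImage | Dismount-CimDiskImage', which also dismounts CIM
                # images that live app attach sessions on this host are using.
                $img = Mount-CimDiskImage -ImagePath $path -PassThru -ErrorAction Stop
                $result.Mounted = $true
                $img | Dismount-CimDiskImage -ErrorAction Stop
            }
            else {
                throw "Unsupported image type '$ext'; expected .vhd, .vhdx or .cim."
            }
        }
        catch {
            # 'Access is denied' points at share or NTFS permissions for the computer account;
            # a path error points at the share or file name.
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Usage (placeholder paths): one row per image; Mounted = True means the host can read it.
Test-AppAttachShareAccess -ImagePath '\\fileshare\msix\MyApp.vhdx', '\\fileshare\msix\MyApp.cim' |
    Format-Table -AutoSize
```

If a VHDX mounts but the CIM doesn't, the share permissions are fine and the problem is the CimDiskImage module or the CIM file itself; if neither mounts, fix the computer account's share and NTFS permissions before looking anywhere else.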
Next steps
Test MSIX packages with app attach or MSIX app attach.
Note
This reference is part of the desktopvirtualization extension for the Azure CLI
(version 2.55.0 or higher). The extension will automatically install the first time you
run an az desktopvirtualization command. Learn more about extensions.
Microsoft.DesktopVirtualization hostPools
Article • 08/30/2024
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.DesktopVirtualization/hostPools resource, add the following Bicep to your template.
Bicep
Property values
hostPools
name (string): Valid characters: alphanumerics, underscores, periods, and hyphens.
kind (string): Metadata used by portal/tooling/etc to render different UX experiences for resources of the same type. E.g. ApiApps are a kind of Microsoft.Web/sites type. If supported, the resource provider must validate and persist this value. Constraints: Pattern = ^[-\w\._,\(\)]+$
identity (ManagedServiceIdentity): Managed service identity (system assigned and/or user assigned identities)
managedBy (string): The fully qualified resource ID of the resource that manages this resource. Indicates if this resource is managed by another Azure resource. If this is present, complete mode deployment will not delete the resource if it is removed from the template since it is managed by another resource.
ManagedServiceIdentity
type: Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed).
userAssignedIdentities: The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. The dictionary values can be empty objects ({}) in requests.
ManagedServiceIdentityUserAssignedIdentities
UserAssignedIdentity
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
Plan
name (string, required): A user defined name of the 3rd Party Artifact that is being procured.
product (string, required): The 3rd Party artifact that is being procured. E.g. NewRelic. Product maps to the OfferID specified for the artifact at the time of Data Market onboarding.
promotionCode (string): A publisher provided promotion code as provisioned in Data Market for the said product/artifact.
publisher (string, required): The publisher of the 3rd Party Artifact that is being bought. E.g. NewRelic
HostPoolProperties
agentUpdate (AgentUpdateProperties): The session host configuration for updating agent, monitoring agent, and stack component.
directUDP ('Default' | 'Disabled' | 'Enabled'): Default: AVD-wide settings are used to determine connection availability. Enabled: UDP will attempt this connection type when making connections. This means that this connection is possible, but is not guaranteed, as there are other factors that may prevent this connection type. Disabled: UDP will not attempt this connection type when making connections.
managedPrivateUDP ('Default' | 'Disabled' | 'Enabled'): Same meaning per value as directUDP.
managementType ('Automated' | 'Standard'): The type of management for this hostpool, Automated or Standard. The default value is Automated.
preferredAppGroupType ('Desktop' | 'None' | 'RailApplications', required): The type of preferred application group type, default to Desktop Application Group.
publicNetworkAccess ('Disabled' | 'Enabled' | 'EnabledForClientsOnly' | 'EnabledForSessionHostsOnly'): Enabled allows this resource to be accessed from both public and private networks; Disabled allows this resource to only be accessed via private endpoints.
publicUDP ('Default' | 'Disabled' | 'Enabled'): Same meaning per value as directUDP.
relayUDP ('Default' | 'Disabled' | 'Enabled'): Same meaning per value as directUDP.
ssoadfsAuthority (string): URL to customer ADFS server for signing WVD SSO certificates.
ssoClientId (string): ClientId for the registered Relying Party used to issue WVD SSO certificates.
ssoClientSecretKeyVaultPath (string): Path to Azure KeyVault storing the secret used for communication to ADFS.
AgentUpdateProperties
maintenanceWindows (MaintenanceWindowProperties[]): List of maintenance windows. Maintenance windows are 2 hours long.
MaintenanceWindowProperties
'Thursday' | 'Tuesday' | 'Wednesday'
RegistrationInfo
Sku
capacity (int): If the SKU supports scale out/in then the capacity integer should be included. If scale out/in is not possible for the resource this may be omitted.
family (string): If the service has different generations of hardware, for the same SKU, then that can be captured here.
name (string, required): The name of the SKU. E.g. P3. It is typically a letter+number code.
size (string): The SKU size. When the name field is the combination of tier and some other value, this would be the standalone code.
tier ('Basic' | 'Free' | 'Premium' | 'Standard'): This field is required to be implemented by the Resource Provider if the service has more than one tier, but is not required on a PUT.
Microsoft.DesktopVirtualization hostPools
Article • 08/30/2024
Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.DesktopVirtualization/hostPools resource, add the following Terraform to your template.
Terraform
Property values
hostPools
name (string): Valid characters: alphanumerics, underscores, periods, and hyphens.
parent_id (string, required): To deploy to a resource group, use the ID of that resource group.
identity (ManagedServiceIdentity): Managed service identity (system assigned and/or user assigned identities)
managedBy (string): The fully qualified resource ID of the resource that manages this resource. Indicates if this resource is managed by another Azure resource. If this is present, complete mode deployment will not delete the resource if it is removed from the template since it is managed by another resource.
ManagedServiceIdentity
type: Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed).
identity_ids: The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. The dictionary values can be empty objects ({}) in requests.
ManagedServiceIdentityUserAssignedIdentities
UserAssignedIdentity
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
Plan
name (string, required): A user defined name of the 3rd Party Artifact that is being procured.
product (string, required): The 3rd Party artifact that is being procured. E.g. NewRelic. Product maps to the OfferID specified for the artifact at the time of Data Market onboarding.
promotionCode (string): A publisher provided promotion code as provisioned in Data Market for the said product/artifact.
publisher (string, required): The publisher of the 3rd Party Artifact that is being bought. E.g. NewRelic
HostPoolProperties
agentUpdate (AgentUpdateProperties): The session host configuration for updating agent, monitoring agent, and stack component.
directUDP ("Default" | "Disabled" | "Enabled"): Default: AVD-wide settings are used to determine connection availability. Enabled: UDP will attempt this connection type when making connections. This means that this connection is possible, but is not guaranteed, as there are other factors that may prevent this connection type. Disabled: UDP will not attempt this connection type when making connections.
managedPrivateUDP ("Default" | "Disabled" | "Enabled"): Same meaning per value as directUDP.
managementType ("Automated" | "Standard"): The type of management for this hostpool, Automated or Standard. The default value is Automated.
preferredAppGroupType ("Desktop" | "None" | "RailApplications", required): The type of preferred application group type, default to Desktop Application Group.
publicNetworkAccess ("Disabled" | "Enabled" | "EnabledForClientsOnly" | "EnabledForSessionHostsOnly"): Enabled allows this resource to be accessed from both public and private networks; Disabled allows this resource to only be accessed via private endpoints.
publicUDP ("Default" | "Disabled" | "Enabled"): Same meaning per value as directUDP.
relayUDP ("Default" | "Disabled" | "Enabled"): Same meaning per value as directUDP.
ssoadfsAuthority (string): URL to customer ADFS server for signing WVD SSO certificates.
ssoClientId (string): ClientId for the registered Relying Party used to issue WVD SSO certificates.
ssoClientSecretKeyVaultPath (string): Path to Azure KeyVault storing the secret used for communication to ADFS.
AgentUpdateProperties
maintenanceWindows (MaintenanceWindowProperties[]): List of maintenance windows. Maintenance windows are 2 hours long.
RegistrationInfo
Sku
capacity (int): If the SKU supports scale out/in then the capacity integer should be included. If scale out/in is not possible for the resource this may be omitted.
family (string): If the service has different generations of hardware, for the same SKU, then that can be captured here.
name (string, required): The name of the SKU. E.g. P3. It is typically a letter+number code.
size (string): The SKU size. When the name field is the combination of tier and some other value, this would be the standalone code.
tier ("Basic" | "Free" | "Premium" | "Standard"): This field is required to be implemented by the Resource Provider if the service has more than one tier, but is not required on a PUT.
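The HostPoolProperties tables in the Bicep and Terraform references above list the same security-relevant settings: publicNetworkAccess, the four UDP transport switches, and the three ADFS SSO properties. The audit below is an added example, not code from either reference page: it checks deployed host pools against a baseline (private-endpoint-only access by default, public UDP off when requested, and SSO either fully configured with a Key Vault secret URI or not at all). The assumption that Get-AzWvdHostPool exposes these properties in PascalCase (PublicNetworkAccess, PublicUdp, SsoadfsAuthority, ...), the Key Vault hostname pattern, the allowed-value defaults and the sample host pools are all assumptions or constructed data.

```powershell
# Added example, not part of the original reference pages. Requires Az.DesktopVirtualization
# for the live call at the bottom; the sample objects let the policy run offline.
function Test-HostPoolBaseline {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$HostPool,
        # 'EnabledForClientsOnly' is the usual relaxation when session hosts use the private
        # endpoint but users connect over the internet; 'Enabled' leaves both sides public.
        [string[]]$AllowedPublicNetworkAccess = @('Disabled', 'EnabledForClientsOnly'),
        [switch]$RequireDisabledPublicUdp
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()

        if ($HostPool.PublicNetworkAccess -notin $AllowedPublicNetworkAccess) {
            $findings.Add("publicNetworkAccess is '$($HostPool.PublicNetworkAccess)'; expected one of: $($AllowedPublicNetworkAccess -join ', ')")
        }
        # publicUDP governs RDP Shortpath for public networks (STUN/TURN over the internet);
        # some environments require it off so all traffic transits the gateway.
        if ($RequireDisabledPublicUdp -and $HostPool.PublicUdp -ne 'Disabled') {
            $findings.Add("publicUDP is '$($HostPool.PublicUdp)'; expected 'Disabled'")
        }
        # ADFS SSO: all three properties set, or none. A partial set is a half-finished change.
        $sso = @($HostPool.SsoadfsAuthority, $HostPool.SsoClientId, $HostPool.SsoClientSecretKeyVaultPath)
        $set = @($sso | Where-Object { -not [string]::IsNullOrWhiteSpace($_) }).Count
        if ($set -gt 0 -and $set -lt 3) {
            $findings.Add('ADFS SSO is partially configured (ssoadfsAuthority, ssoClientId and ssoClientSecretKeyVaultPath must all be set or all empty)')
        }
        # The secret must be referenced from Key Vault, never inlined. Assumption: public cloud
        # hostname; adjust the suffix for sovereign clouds.
        if ($HostPool.SsoClientSecretKeyVaultPath -and
            $HostPool.SsoClientSecretKeyVaultPath -notmatch '^https://[^/]+\.vault\.azure\.net/secrets/') {
            $findings.Add("ssoClientSecretKeyVaultPath is not a Key Vault secret URI: $($HostPool.SsoClientSecretKeyVaultPath)")
        }

        [pscustomobject]@{
            Name      = $HostPool.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed samples shaped like host pool objects (placeholder names, not real tenants):
$samples = @(
    [pscustomobject]@{ Name = 'hp-finance'; PublicNetworkAccess = 'Disabled'; PublicUdp = 'Disabled'
                       SsoadfsAuthority = $null; SsoClientId = $null; SsoClientSecretKeyVaultPath = $null },
    [pscustomobject]@{ Name = 'hp-contractors'; PublicNetworkAccess = 'Enabled'; PublicUdp = 'Default'
                       SsoadfsAuthority = 'https://adfs.contoso.com/adfs'; SsoClientId = 'avd-sso'; SsoClientSecretKeyVaultPath = '' }
)
$samples | Test-HostPoolBaseline -RequireDisabledPublicUdp | Format-Table -AutoSize

# Live: every host pool in the current subscription that misses the baseline.
# Get-AzWvdHostPool | Test-HostPoolBaseline | Where-Object { -not $_.Compliant }
```

On the constructed data hp-finance passes and hp-contractors produces three findings (public access, public UDP, partial SSO), which is the shape of report you want from a pipeline gate that runs before a Bicep or Terraform deployment is approved.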
Azure Virtual Desktop
Article • 10/31/2023
Azure Virtual Desktop is a comprehensive desktop and app virtualization service running
in the cloud. It is the only virtual desktop infrastructure (VDI) that delivers simplified
management, multi-session Windows 10, optimizations for Microsoft 365 Apps for
enterprise. Deploy and scale your Windows desktops and apps on Azure in minutes, and
get built-in security and compliance features. The Desktop Virtualization APIs allow you
to create and manage your Azure Virtual Desktop environment programmatically. For
more information about Azure Virtual Desktop, see documentation.
MSIXMGR tool parameters
Article • 03/05/2024
This article contains the command line parameters and syntax you can use with the
MSIXMGR tool.
Prerequisites
To use the MSIXMGR tool, you need:
-AddPackage
Add the package at the specified file path.
-RemovePackage
Remove the package with the specified package full name.
-RemovePackage <Package full name>
or
-x <Package full name>
Here's an example of using the -RemovePackage parameter. You can find the package full
name by running the PowerShell cmdlet Get-AppxPackage.
-FindPackage
Find a package with specific package full name.
Here's an example of using the -FindPackage parameter. You can find the package full
name by running the PowerShell cmdlet Get-AppxPackage.
-ApplyACLs
Apply ACLs to a package folder (an unpacked package). You also need to specify the
following required subparameter:

Required parameter | Description
-packagePath | The path to the unpacked package folder, OR the path to a directory containing multiple unpacked packages.
-Unpack
Unpack a package in one of the file formats .appx, .msix, .appxbundle, or .msixbundle,
and extract its contents to a folder or image. You also need to specify the following
required subparameters:

Required parameter | Description
-fileType | The type of image file to unpack packages to. Valid file types include .vhd, .vhdx, and .cim. This parameter is only required when unpacking to CIM files.
-packagePath | The path to the package to unpack, OR the path to a directory containing multiple packages to unpack.
-rootDirectory | The root directory on the image to unpack packages to. This parameter is only required when unpacking to new and existing CIM files.

Here are the optional parameters you can use with the -Unpack parameter:
-MountImage
Mount a VHD, VHDX, or CIM image. You also need to specify the following required
subparameters:

Required parameter | Description
-fileType | The type of image to mount. Valid file types include VHD, VHDX, and CIM.

Syntax:
-MountImage -imagePath <Path to the MSIX image> -fileType <VHD | VHDX | CIM>

Here's an example of using the -MountImage parameter:

Here are the optional parameters you can use with the -MountImage parameter:
-UnmountImage
Unmount a VHD, VHDX, or CIM image. You also need to specify the following required
subparameters:

Required parameter | Description
-fileType | The type of image to unmount. Valid file types include VHD, VHDX, and CIM.

Optional parameter | Description | Example
-volumeId | The GUID of the volume (specified without curly braces) associated with the image to unmount. This parameter is optional only for CIM files. You can find the volume ID by running the PowerShell cmdlet Get-Volume. | msixmgr.exe -UnmountImage -volumeId 199a2f93-99a8-11ee-9b0d-4c445b63adac -filetype CIM
-quietUX
Suppresses user interaction when running the MSIXMGR tool. This parameter is optional
and can be used with any other parameter.
Here's an example of using the -quietUX parameter with the -AddPackage parameter:
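As an added example, not taken from this article or from the MSIXMGR tool's own documentation, the PowerShell script below wraps the -Unpack, -MountImage and -UnmountImage parameters described above in the checks a practitioner wants before an image is attached to a host pool: it verifies the package's Authenticode signature and its signer against an allow list, unpacks the package to a CIM image, test-mounts and unmounts the image, and writes a provenance record beside it. The paths, the tool location and the signer thumbprint are placeholders. The -destination, -create and -applyACLs switches are -Unpack options that the optional-parameter table above lost in extraction, and passing -imagePath to -UnmountImage for a CIM file is an assumption, since the table above lists only -volumeId.

```powershell
param(
    [string]$PackagePath   = 'C:\msix\ContosoApp_1.0.0.0_x64.msix',  # assumption: package to image
    [string]$ImagePath     = 'C:\appattach\ContosoApp.cim',          # assumption: output image
    [string]$RootDirectory = 'apps',
    [string]$MsixMgr       = 'C:\tools\msixmgr\msixmgr.exe',         # assumption: tool location
    [string[]]$TrustedSignerThumbprints = @('0000000000000000000000000000000000000000') # placeholder
)
$ErrorActionPreference = 'Stop'

# An app attach image is mounted on every session host in the pool, so the
# unpack step is where an untrusted package would enter the environment.
# Refuse anything unsigned, tampered with, or signed outside the allow list.
function Assert-TrustedPackage {
    param([string]$Path, [string[]]$Thumbprints)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature status for '$Path' is '$($sig.Status)'; not unpacking."
    }
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($thumb -notin $Thumbprints) {
        throw "Signer $thumb ($($sig.SignerCertificate.Subject)) is not on the allow list."
    }
    return $sig.SignerCertificate
}

# Run msixmgr.exe and fail the script on a non-zero exit code.
function Invoke-MsixMgr {
    param([string[]]$Arguments)
    & $MsixMgr @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "msixmgr.exe $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

$signer      = Assert-TrustedPackage -Path $PackagePath -Thumbprints $TrustedSignerThumbprints
$packageHash = (Get-FileHash -Path $PackagePath -Algorithm SHA256).Hash

# Unpack into a new CIM image with ACLs applied. -fileType and -rootDirectory
# are required for CIM (see the -Unpack table); -quietUX suppresses prompts.
Invoke-MsixMgr -Arguments @(
    '-Unpack',
    '-packagePath',   $PackagePath,
    '-destination',   $ImagePath,
    '-applyACLs',
    '-create',
    '-fileType',      'cim',
    '-rootDirectory', $RootDirectory,
    '-quietUX'
)

# Prove the image mounts cleanly, then release it. Using -imagePath to unmount
# a CIM is an assumption; the table above documents -volumeId.
Invoke-MsixMgr -Arguments @('-MountImage',   '-imagePath', $ImagePath, '-fileType', 'cim', '-quietUX')
Invoke-MsixMgr -Arguments @('-UnmountImage', '-imagePath', $ImagePath, '-fileType', 'cim', '-quietUX')

# Record which package and signer produced the image. The hash covers the .cim
# file only; CIM images also write region and objectid sidecar files beside it.
[pscustomobject]@{
    Package       = $PackagePath
    PackageSha256 = $packageHash
    Signer        = $signer.Subject
    SignerThumb   = $signer.Thumbprint
    Image         = $ImagePath
    ImageSha256   = (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash
    CreatedUtc    = (Get-Date).ToUniversalTime().ToString('o')
} | ConvertTo-Json | Set-Content -Path "$ImagePath.provenance.json"
```

Run it from an elevated PowerShell session on the machine where you build images; the signature check runs against that machine's certificate stores, so a package chained to a private CA only passes if that CA is trusted there. Keep the provenance file with the image when it is copied to the file share the host pool reads from, so the package and signer behind a mounted image can be traced later.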
Next steps
To learn more about MSIX app attach, check out these articles:
Cloud Adoption Framework: These articles walk through the considerations and
recommendations of each CAF methodology. Use these articles to prepare
decision makers, central IT, and the cloud center of excellence for adoption of
Azure Virtual Desktop as a central part of your technology strategy.
Reference architectures: These reference solutions aid in accelerating deployment
of Azure Virtual Desktop.
Featured Azure products: Learn more about the products that support your virtual
desktop strategy in Azure.
Training modules: Gain the hands-on skills required to implement, maintain, and
support an Azure Virtual Desktop environment.
Migrate existing virtual desktops to Azure: A common use case for Azure Virtual
Desktop is to modernize an existing virtual desktop environment. While the
process can vary, there are several components to a successful migration, like
session hosts, user profiles, images, and applications. If you're migrating existing
VMs, you can review articles on migration to learn how tools like Azure Migrate
can speed up your migration as part of a standard migration process. However,
your migration might consist of bringing your golden image into Azure and
provisioning a new Azure Virtual Desktop host pool with new session hosts. You
can migrate your existing user profiles into Azure and build new host pools and
session hosts as well. A final migration scenario might include migrating your
applications into MSIX app attach format. For all of these migration scenarios, you
need to provision a new host pool because there's currently no direct migration of
other virtual desktop infrastructure (VDI) solutions into Azure Virtual Desktop.
Next steps
The following list of articles will take you to guidance at specific points in the cloud
adoption journey to help you be successful in the cloud adoption scenario.
Azure Virtual Desktop for the enterprise
Products: Microsoft Entra ID, Microsoft Entra, Azure Virtual Network, Azure Virtual Desktop
Azure Virtual Desktop is a desktop and application virtualization service that runs in
Azure. This article is intended to help desktop infrastructure architects, cloud architects,
desktop administrators, and system administrators explore Azure Virtual Desktop and
build virtual desktop infrastructure (VDI) solutions at enterprise scale. Enterprise-scale
solutions generally cover 1,000 or more virtual desktops.
Architecture
A typical architectural setup for Azure Virtual Desktop is illustrated in the following
diagram:
Dataflow
The diagram's dataflow elements are described here:
The customer manages AD DS and Microsoft Entra ID, Azure subscriptions, virtual
networks, Azure Files or Azure NetApp Files, and the Azure Virtual Desktop host
pools and workspaces.
For more information about FSLogix Profile Container - Azure Files and Azure NetApp
Files best practices, see FSLogix configuration examples.
Components
Azure Virtual Desktop service architecture is similar to Windows Server Remote Desktop
Services (RDS). Although Microsoft manages the infrastructure and brokering
components, enterprise customers manage their own desktop host virtual machines
(VMs), data, and clients.
Web Access: By using the Web Access service within Azure Virtual Desktop you can
access virtual desktops and remote apps through an HTML5-compatible web
browser just as you would with a local PC, from anywhere and on any device. You
can secure web access by using multifactor authentication in Microsoft Entra ID.
Gateway: The Remote Connection Gateway service connects remote users to Azure
Virtual Desktop apps and desktops from any internet-connected device that can
run an Azure Virtual Desktop client. The client connects to a gateway, which then
orchestrates a connection from a VM back to the same gateway.
Azure Virtual Network: With Azure Virtual Network , Azure resources such as
VMs can communicate privately with each other and with the internet. By
connecting Azure Virtual Desktop host pools to an Active Directory domain, you
can define network topology to access virtual desktops and virtual apps from the
intranet or internet, based on organizational policy. You can connect an Azure
Virtual Desktop instance to an on-premises network by using a virtual private
network (VPN), or you can use Azure ExpressRoute to extend the on-premises
network into Azure over a private connection.
Microsoft Entra ID: Azure Virtual Desktop uses Microsoft Entra ID for identity
and access management. Microsoft Entra integration applies Microsoft Entra
security features, such as conditional access, multifactor authentication, and
Intelligent Security Graph , and it helps maintain app compatibility in domain-
joined VMs.
Active Directory Domain Services (optional): Azure Virtual Desktop VMs can either
be joined to an AD DS domain or be Microsoft Entra joined (see Deploy Microsoft
Entra joined virtual machines in Azure Virtual Desktop).
When using an AD DS domain, the domain must be in sync with Microsoft Entra
ID to associate users between the two services. You can use Microsoft Entra
Connect to synchronize AD DS with Microsoft Entra ID.
When using Microsoft Entra join, review the supported configurations to ensure
your scenario is supported.
Azure Virtual Desktop session hosts: Session hosts are VMs that users connect to
for their desktops and applications. Several versions of Windows are supported
and you can create images with your applications and customizations. You can
choose VM sizes, including GPU-enabled VMs. Each session host has an Azure
Virtual Desktop host agent, which registers the VM as part of the Azure Virtual
Desktop workspace or tenant. Each host pool can have one or more app groups,
which are collections of remote applications or desktop sessions that you can
access. To see which versions of Windows are supported, see Operating systems
and licenses.
Azure Virtual Desktop workspace: The Azure Virtual Desktop workspace or tenant
is a management construct for managing and publishing host pool resources.
Scenario details
Elastic workforce needs, such as remote work, mergers and acquisitions, short-term
employees, contractors, and partner access.
Specific employees, such as bring your own device (BYOD) and mobile users, call
centers, and branch workers.
Specialized workloads, such as design and engineering, legacy apps, and software
development testing.
Pooled desktop solutions, also called non-persistent desktops, assign users to whichever
session host is currently available, depending on the load-balancing algorithm. Because
users don't always return to the same session host each time they connect, they have
limited ability to customize the desktop environment and don't usually have
administrator access.
Note
Persistent and non-persistent terminology in this case is in reference to the
persistence of the user profile. It does not imply that the operating system disk
reverts to a golden image or discards changes on reboot.
Windows servicing
There are several options for updating Azure Virtual Desktop instances. Deploying an
updated image every month guarantees compliance and state.
(1) An application group that contains a published desktop can only contain MSIX
packages mounted to the host pool (the packages will be available in the Start
menu of the session host), it can't contain any other published resources and is
called a desktop application group.
(2) Application groups assigned to the same host pool must be members of the
same workspace.
(3) A user account can be assigned to an application group either directly or via a
Microsoft Entra group. It's possible to assign no users to an application group, but
then it can't service any.
(4) It's possible to have an empty workspace, but it can't service users.
(5) It's possible to have an empty host pool, but it can't service users.
(6) It's possible for a host pool not to have any application groups assigned to it
but it can't service users.
(7) Microsoft Entra ID is required for Azure Virtual Desktop. This is because
Microsoft Entra user accounts and groups must always be used to assign users to
Azure Virtual Desktop application groups. Microsoft Entra ID is also used to
authenticate users into the Azure Virtual Desktop service. Azure Virtual Desktop
session hosts can also be Microsoft Entra joined, and in this situation the Azure
Virtual Desktop-published applications and desktop sessions will also be launched
and run (not just assigned) by using Microsoft Entra accounts.
Alternatively, Azure Virtual Desktop session hosts can be members of an AD DS
domain, and in this situation the Azure Virtual Desktop-published applications and
desktop sessions will be launched and run (but not assigned) by using AD DS
accounts. To reduce user and administrative overhead, AD DS can be synchronized
with Microsoft Entra ID through Microsoft Entra Connect.
Finally, Azure Virtual Desktop session hosts can, instead, be members of a Microsoft
Entra Domain Services domain, and in this situation the Azure Virtual Desktop-
published applications and desktop sessions will be launched and run (but not
assigned) by using Microsoft Entra Domain Services accounts. Microsoft Entra ID is
automatically synchronized with Microsoft Entra Domain Services, one way, from
Microsoft Entra ID to Microsoft Entra Domain Services only.

Object | Description | Relationships
Microsoft Entra user account/group | Identifies the users who are permitted to launch published desktops or applications | Member of one and only one Microsoft Entra ID; assigned to one or more application groups (3)
Session host | A virtual machine that hosts published desktops or applications | Member of one and only one host pool
Considerations
These considerations implement the pillars of the Azure Well-Architected Framework,
which is a set of guiding tenets that can be used to improve the quality of a workload.
For more information, see Microsoft Azure Well-Architected Framework.
The numbers in the following sections are approximate. They're based on a variety of
large customer deployments and are subject to change over time.
You can't create more than 500 application groups per single Microsoft Entra
tenant*.
We recommend that you do not publish more than 50 applications per application
group.

(Service limits table: Azure Virtual Desktop object | Per parent container object | Service limit)

* If you require more than 500 application groups, submit a support ticket via the Azure
portal.
We recommend that you deploy no more than 5,000 VMs per Azure subscription
per region. This recommendation applies to both personal and pooled host pools,
based on Windows Enterprise single and multi-session. Most customers use
Windows Enterprise multi-session, which allows multiple users to sign in to each
VM. You can increase the resources of individual session-host VMs to
accommodate more user sessions.
For automated session-host scaling tools, the limits are around 2,500 VMs per
Azure subscription per region, because VM status interaction consumes more
resources.
To manage enterprise environments with more than 5,000 VMs per Azure
subscription in the same region, you can create multiple Azure subscriptions in a
hub-spoke architecture and connect them via virtual network peering (using one
subscription per spoke). You could also deploy VMs in a different region in the
same subscription to increase the number of VMs.
Azure Resource Manager subscription API throttling limits don't allow more than
600 Azure VM reboots per hour via the Azure portal. You can reboot all your
machines at once via the operating system, which doesn't consume any Azure
Resource Manager subscription API calls. For more information about counting
and troubleshooting throttling limits based on your Azure subscription, see
Troubleshoot API throttling errors.
You can currently deploy up to 132 VMs in a single ARM template deployment in
the Azure Virtual Desktop portal. To create more than 132 VMs, run the ARM
template deployment in the Azure Virtual Desktop portal multiple times.
Azure VM session-host name prefixes can't exceed 11 characters, due to auto-
assigning of instance names and the NetBIOS limit of 15 characters per computer
account.
By default, you can deploy up to 800 instances of most resource types in a
resource group. Azure Compute doesn't have this limit.
For more information about Azure subscription limitations, see Azure subscription and
service limits, quotas, and constraints.
VM sizing
Virtual machine sizing guidelines lists the maximum suggested number of users per
virtual central processing unit (vCPU) and minimum VM configurations for different
workloads. This data helps estimate the VMs you need in your host pool.
Use simulation tools to test deployments with both stress tests and real-life usage
simulations. Make sure that the system is responsive and resilient enough to meet user
needs, and remember to vary the load sizes when testing.
Cost optimization
Cost optimization is about looking at ways to reduce unnecessary expenses and
improve operational efficiencies. For more information, see Overview of the cost
optimization pillar.
You can architect your Azure Virtual Desktop solution to realize cost savings. Here are
five different options to help manage costs for enterprises:
Contributors
This article is maintained by Microsoft. It was originally written by the following
contributors.
Principal author:
Other contributor:
Next steps
Azure Virtual Desktop partner integrations lists approved Azure Virtual Desktop
partner providers and independent software vendors.
Use the Virtual Desktop Optimization Tool to help optimize performance in a
Windows 10 Enterprise VDI (virtual desktop infrastructure) environment.
For more information, see Deploy Microsoft Entra joined virtual machines in Azure
Virtual Desktop.
Learn more about Active Directory Domain Services.
What is Microsoft Entra Connect?
Related resources
For more information about multiple Active Directory forests architecture, see
Multiple Active Directory forests architecture in Azure Virtual Desktop.
Feedback
Was this page helpful? Yes No
Multiple forests with AD DS and
Microsoft Entra ID
Products: Azure Virtual Desktop, Microsoft Entra ID, Microsoft Entra, Azure ExpressRoute, Azure Storage
This article expands on the architecture that's described in the Azure Virtual Desktop at
enterprise scale article. It's intended to help you understand how to integrate multiple
domains and Azure Virtual Desktop by using Microsoft Entra Connect to sync users from
on-premises Active Directory Domain Services (AD DS) to Microsoft Entra ID.
Architecture
Dataflow
In this architecture, the identity flow works as follows:
1. Microsoft Entra Connect syncs users from both CompanyA.com and
CompanyB.com to a Microsoft Entra tenant (NewCompanyAB.onmicrosoft.com).
2. Host pools, workspaces, and app groups are created in separate subscriptions and
spoke virtual networks.
3. Users are assigned to the app groups.
4. Azure Virtual Desktop session hosts in the host pools join the domains
CompanyA.com and CompanyB.com by using the domain controllers (DCs) in
Azure.
5. Users sign in by using either the Azure Virtual Desktop application or the web
client with a User Principal Name (UPN) whose suffix (for example, CompanyA.com
or CompanyB.com) is the one configured for their account.
6. Users are presented with their respective virtual desktops or applications. For
example, users in CompanyA are presented with a virtual desktop or application in
Workspace A, host pool 1 or 2.
7. FSLogix user profiles are created in Azure Files shares on the corresponding
storage accounts.
8. Group Policy Objects (GPOs) that are synced from on-premises are applied to users
and Azure Virtual Desktop session hosts.
Components
This architecture uses the same components as those listed in Azure Virtual Desktop at
enterprise scale architecture.
Microsoft Entra Connect in staging mode: The Staging server for Microsoft Entra
Connect topologies provides additional redundancy for the Microsoft Entra
Connect instance.
Azure subscriptions, Azure Virtual Desktop workspaces, and host pools: You can
use multiple subscriptions, Azure Virtual Desktop workspaces, and host pools for
administration boundaries and business requirements.
Scenario details
This architecture diagram represents a typical scenario that contains the following
elements:
Note
The solution idea Multiple Azure Virtual Desktop forests using Microsoft Entra
Domain Services discusses architecture that uses cloud-managed Microsoft Entra
Domain Services.
Considerations
When you're designing your workload based on this architecture, keep the following
ideas in mind.
Azure Virtual Desktop session hosts join the domain controller in Azure over their
respective hub-spoke virtual network peering.
Azure Storage
The following design considerations apply to user profile containers, cloud cache
containers, and MSIX packages:
You can use both Azure Files and Azure NetApp Files in this scenario. You choose
the right solution based on factors such as expected performance, cost, and so on.
Both Azure Storage accounts and Azure NetApp Files can be joined to only one AD DS
domain at a time, so a deployment that spans multiple domains needs multiple Azure
Storage accounts or Azure NetApp Files instances, one per domain.
Microsoft Entra ID
In scenarios with users in multiple on-premises Active Directory forests, only one
Microsoft Entra Connect Sync server is connected to the Microsoft Entra tenant. An
exception to this is a Microsoft Entra Connect server that's used in staging mode.
For more details, see the Staging server section of Microsoft Entra Connect topologies.
Contributors
This article is maintained by Microsoft. It was originally written by the following
contributors.
Principal author:
Next steps
For more information, see the following articles:
Related resources
Azure Virtual Desktop for the enterprise
Solution idea: Multiple forests with Microsoft Entra Domain Services
Feedback
Was this page helpful? Yes No
Multiple forests with AD DS,
Microsoft Entra ID, and Microsoft
Entra Domain Services
Products: Microsoft Entra ID, Microsoft Entra, Azure Files, Azure Virtual Desktop
Solution ideas
This article describes a solution idea. Your cloud architect can use this guidance to
help visualize the major components for a typical implementation of this
architecture. Use this article as a starting point to design a well-architected solution
that aligns with your workload's specific requirements.
This solution idea illustrates how to deploy Azure Virtual Desktop rapidly in a minimum
viable product (MVP) or a proof of concept (POC) environment with the use of Microsoft
Entra Domain Services. Use this idea to both extend on-premises multi-forest Active
Directory Domain Services (AD DS) identities to Azure without private connectivity and
support legacy authentication.
Architecture
(Architecture diagram: Microsoft Entra tenant companyAB.onmicrosoft.com, with Microsoft Entra ID role-based access control for Microsoft Entra DC administrators, Desktop Virtualization contributors (CompanyA), and the Azure Virtual Desktop user groups for CompanyA, CompanyB, and CompanyAB. Shared-Services-VNet holds Microsoft Entra Connect, the AD DS domain controllers for CompanyA.local and CompanyB.local that it synchronizes to the tenant, and the Microsoft Entra Domain Services domain controllers for aadds.newcompanyAB.com in the Active Directory Domain Services subnet. AVD-SPOKE-VNET, connected by VNet peering, holds host pools A, B, and AB, each domain joined to the managed domain, with FSLogix profiles on Azure Files in a storage account.)
Dataflow
The following steps show how the data flows in this architecture in the form of identity.
1. Complex hybrid on-premises Active Directory environments are present, with two
or more Active Directory forests. Domains live in separate forests, with distinct User
Principal Name (UPN) suffixes. For example, CompanyA.local with UPN suffix
CompanyA.com, CompanyB.local with UPN suffix CompanyB.com, and an additional
UPN suffix, newcompanyAB.com.
2. Instead of using customer-managed domain controllers, either on-premises or on
Azure (that is, Azure infrastructure as a service (IaaS) domain controllers), the
environment uses the two cloud-managed domain controllers provided by
Microsoft Entra Domain Services.
3. Microsoft Entra Connect syncs users from both CompanyA.com and
CompanyB.com to the Microsoft Entra tenant, newcompanyAB.onmicrosoft.com.
The user account is represented only once in Microsoft Entra ID, and private
connectivity isn't used.
4. Users then sync from Microsoft Entra ID to the managed Microsoft Entra Domain
Services as a one-way sync.
5. A custom and routable Microsoft Entra Domain Services domain name,
aadds.newcompanyAB.com, is created. The newcompanyAB.com domain is a
registered domain that supports LDAP certificates. We generally recommend that
you not use non-routable domain names, such as contoso.local, because it can
cause issues with DNS resolution.
6. The Azure Virtual Desktop session hosts join the Microsoft Entra Domain Services
domain controllers.
7. Host pools and app groups can be created in a separate subscription and spoke
virtual network.
8. Users are assigned to the app groups.
9. Users sign in by using either the Azure Virtual Desktop application or the web
client, with a UPN in a format such as user@companyA.com, user@companyB.com, or
user@newcompanyAB.com, depending on their configured UPN suffix.
10. Users are presented with their respective virtual desktops or apps. For example,
a user with the companyA.com suffix is presented with virtual desktops or apps in
host pool A, jane@companyB.com is presented with virtual desktops or apps in host
pool B, and joe@newcompanyAB.com is presented with virtual desktops or apps in
host pool AB.
11. The storage account (Azure Files is used for FSLogix) is joined to the Microsoft
Entra Domain Services managed domain. The FSLogix user profiles are created in
Azure Files shares.
Note
For Group Policy requirements in Microsoft Entra Domain Services, you can
install Group Policy Management tools on a Windows Server virtual machine
that's joined to Microsoft Entra Domain Services.
To extend Group Policy infrastructure for Azure Virtual Desktop from the on-
premises domain controllers, you need to manually export and import it to
Microsoft Entra Domain Services.
Components
You implement this architecture by using the following technologies:
Microsoft Entra ID
Microsoft Entra Domain Services
Azure Files
Azure Virtual Desktop
Azure Virtual Network
Contributors
This article is maintained by Microsoft. It was originally written by the following
contributors.
Principal author:
Next steps
Multiple Active Directory forests architecture with Azure Virtual Desktop
Azure Virtual Desktop for enterprises
Microsoft Entra Connect topologies
Compare different identity options
Azure Virtual Desktop documentation
Related resources
Hybrid architecture design
Multiple forests with AD DS and Microsoft Entra ID
Feedback
Was this page helpful? Yes No
Configure Azure Virtual Desktop with
Terraform
Article • 03/20/2023
Article tested with the following Terraform and Terraform provider versions:
Terraform v1.1.7
AzureRM Provider v.2.99.0
This article provides an overview of how to use Terraform to deploy an ARM Azure
Virtual Desktop environment, not AVD Classic.
New to Azure Virtual Desktop? Start with What is Azure Virtual Desktop?
Configure Terraform: If you haven't already done so, configure Terraform using
one of the following options:
Configure Terraform in Azure Cloud Shell with Bash
Configure Terraform in Azure Cloud Shell with PowerShell
Configure Terraform in Windows with Bash
Configure Terraform in Windows with PowerShell
Terraform
# providers.tf
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>2.0"
    }
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azurerm" {
  features {}
}
Terraform
# main.tf (excerpt). The host pool, workspace, desktop application group,
# resource groups and Microsoft Entra group referenced below are defined in the
# other files of the sample, which this page doesn't reproduce.
resource "azurerm_virtual_desktop_host_pool_registration_info" "registrationinfo" {
  hostpool_id     = azurerm_virtual_desktop_host_pool.hostpool.id
  # Anyone holding the registration token can join a VM to this host pool, so
  # keep the expiration short.
  expiration_date = var.rfc3339
}

Terraform
# variables.tf
variable "resource_group_location" {
  default     = "eastus"
  description = "Location of the resource group."
}

variable "rg_name" {
  type        = string
  default     = "rg-avd-resources"
  description = "Name of the Resource group in which to deploy service objects"
}

variable "workspace" {
  type        = string
  description = "Name of the Azure Virtual Desktop workspace"
  default     = "AVD TF Workspace"
}

variable "hostpool" {
  type        = string
  description = "Name of the Azure Virtual Desktop host pool"
  default     = "AVD-TF-HP"
}

variable "rfc3339" {
  type        = string
  # This default is already in the past. Set a future RFC 3339 timestamp here or
  # pass one with -var "rfc3339=..." before running terraform apply.
  default     = "2022-03-30T12:43:13Z"
  description = "Registration token expiration"
}

variable "prefix" {
  type        = string
  default     = "avdtf"
  description = "Prefix of the name of the AVD machine(s)"
}

Terraform
# output.tf
output "azure_virtual_desktop_compute_resource_group" {
  description = "Name of the Resource group in which to deploy session host"
  value       = azurerm_resource_group.sh.name
}

output "azure_virtual_desktop_host_pool" {
  description = "Name of the Azure Virtual Desktop host pool"
  value       = azurerm_virtual_desktop_host_pool.hostpool.name
}

output "azurerm_virtual_desktop_application_group" {
  description = "Name of the Azure Virtual Desktop DAG"
  value       = azurerm_virtual_desktop_application_group.dag.name
}

output "azurerm_virtual_desktop_workspace" {
  description = "Name of the Azure Virtual Desktop workspace"
  value       = azurerm_virtual_desktop_workspace.workspace.name
}

output "location" {
  description = "The Azure region"
  value       = azurerm_resource_group.sh.location
}

output "AVD_user_groupname" {
  description = "Azure Active Directory Group for AVD users"
  value       = azuread_group.aad_group.display_name
}
3. Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads
the Azure provider required to manage your Azure resources.
Console
terraform init -upgrade
Key points:
The -upgrade parameter upgrades the necessary provider plugins to the newest
version that complies with the configuration's version constraints.
4. Create a Terraform execution plan
Run terraform plan to create an execution plan.
Console
terraform plan -out main.tfplan
Key points:
The terraform plan command creates an execution plan, but doesn't execute it.
Instead, it determines what actions are necessary to create the configuration
specified in your configuration files. This pattern allows you to verify whether the
execution plan matches your expectations before making any changes to actual
resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what is
applied.
To read more about persisting execution plans and security, see the security
warning section .
5. Apply a Terraform execution plan
Run terraform apply to apply the execution plan to your cloud infrastructure.
Console
terraform apply main.tfplan
Key points:
The example terraform apply command assumes you previously ran terraform
plan -out main.tfplan .
If you specified a different filename for the -out parameter, use that same
filename in the call to terraform apply .
If you didn't use the -out parameter, call terraform apply without any parameters.
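As an added example that is not part of the article or the sample's files, the PowerShell script below runs the init, plan and apply steps above, but derives a short-lived value for the rfc3339 variable instead of relying on the static default, and gates terraform apply on what the saved plan actually contains, read back with terraform show -json. It assumes terraform is on PATH and the configuration files are in the current directory; the two-hour token lifetime and the 24-hour ceiling are local policy choices for the example, not limits the service imposes.

```powershell
param(
    [int]$TokenLifetimeHours = 2,   # assumption: how long a new token should stay valid
    [int]$MaxLifetimeHours   = 24,  # assumption: local policy ceiling for any token
    [string]$PlanFile        = 'main.tfplan'
)
$ErrorActionPreference = 'Stop'

# UTC timestamp in the RFC 3339 form the rfc3339 variable expects, e.g. 2024-05-13T10:00:00Z.
function New-Rfc3339Expiry {
    param([int]$Hours)
    (Get-Date).ToUniversalTime().AddHours($Hours).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
}

# Pull the planned expiration_date for the registration info resource out of a
# saved plan (terraform show -json) and return it as a UTC [datetime], or $null
# if the plan doesn't contain that resource.
function Get-PlannedTokenExpiry {
    param([string]$Path)
    $json = terraform show -json $Path | Out-String
    $plan = $json | ConvertFrom-Json
    $reg  = $plan.resource_changes |
        Where-Object { $_.type -eq 'azurerm_virtual_desktop_host_pool_registration_info' } |
        Select-Object -First 1
    if (-not $reg -or -not $reg.change.after) { return $null }
    return [datetime]::Parse($reg.change.after.expiration_date,
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AdjustToUniversal)
}

# Reject a token that is already expired or that outlives the policy ceiling.
function Test-TokenExpiry {
    param([datetime]$Expiry, [int]$MaxHours)
    $now = (Get-Date).ToUniversalTime()
    if ($Expiry -le $now) {
        throw "Planned registration token expiry $Expiry is in the past; the host pool would have no usable token."
    }
    if ($Expiry -gt $now.AddHours($MaxHours)) {
        throw "Planned registration token expiry $Expiry exceeds the $MaxHours-hour ceiling."
    }
}

terraform init -upgrade
if ($LASTEXITCODE -ne 0) { throw 'terraform init failed' }

# Pass the expiry in instead of relying on the static default in variables.tf.
$expiry = New-Rfc3339Expiry -Hours $TokenLifetimeHours
terraform plan -out $PlanFile -var "rfc3339=$expiry"
if ($LASTEXITCODE -ne 0) { throw 'terraform plan failed' }

# Check the plan file, not the value we passed in: the plan is what gets applied.
$planned = Get-PlannedTokenExpiry -Path $PlanFile
if ($null -eq $planned) {
    throw 'The plan contains no host pool registration info resource; refusing to apply unchecked.'
}
Test-TokenExpiry -Expiry $planned -MaxHours $MaxLifetimeHours

# Apply exactly the plan that was inspected.
terraform apply $PlanFile
if ($LASTEXITCODE -ne 0) { throw 'terraform apply failed' }
```

Once the registration info exists, both main.tfplan and the Terraform state carry the token itself (the resource exposes it as a sensitive attribute), so treat the plan file and the state backend as credentials: keep the plan file off shared storage and put the state in a backend with access control rather than on a workstation disk.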
7. Clean up resources
When you no longer need the resources created via Terraform, do the following steps:
Console
terraform plan -destroy -out main.destroy.tfplan
Key points:
The terraform plan command creates an execution plan, but doesn't execute
it. Instead, it determines what actions are necessary to create the
configuration specified in your configuration files. This pattern allows you to
verify whether the execution plan matches your expectations before making
any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan.
Using the -out parameter ensures that the plan you reviewed is exactly what
is applied.
To read more about persisting execution plans and security, see the security
warning section .
Console
terraform apply main.destroy.tfplan
Next steps
Learn more about using Terraform in Azure
Windows and Other Services
Article • 08/14/2024
Windows 11
FastTrack provides remote guidance for updating to Windows 11 from Windows 10.
This includes:
Note
BitLocker
FastTrack provides remote guidance for:
Assessing the Windows 10/11 environment and hardware for Windows Hello for
Business configuration.
Enabling Windows passwordless authentication using Windows Hello for Business
cloud trust.
Planning guidance for Windows Hello for Business hybrid key or certificate trust.
Windows Autopatch
FastTrack provides remote guidance for:
For PC update:
Windows 365
FastTrack provides remote guidance for onboarding to Windows 365 Enterprise,
Windows 365 Frontline, and Windows 365 Government. Windows 365 takes the
operating system to the Microsoft Cloud, securely streaming the full Windows
experience—including all your apps, data, and settings—to your personal or corporate
devices. Organizations can provision Cloud PCs (devices that are deployed on the
Windows 365 service) instantly across the globe and manage them seamlessly alongside
your physical PC estate using Microsoft Endpoint Manager. This desktop-as-a-service
(DaaS) solution combines the benefits of desktop cloud hosting with the simplicity,
security, and insights of Microsoft 365.
Remote guidance includes:
Note
See Microsoft Defender XDR and Microsoft Defender for Endpoint for details
about Microsoft Defender for Endpoint and the security baseline scope as it applies
to Windows 365.
Out of scope
Creation of Azure subscription features including Azure Virtual Networks (VNets),
ExpressRoute, and Site-to-Site (S2S) VPN.
Support for advanced networking topics.
Customizing images for a Cloud PC on behalf of customers.
Standalone use of Configuration Manager for managing Cloud PCs.
Deploying Windows updates for Cloud PCs using Configuration Manager.
Migrating virtual desktop infrastructure (VDI) or Azure Virtual Desktop virtual
machines to Windows 365.
Migrating Configuration Manager or Microsoft Deployment Toolkit (MDT) images
to Azure.
Migrating user profiles to or from Windows PCs.
Configuring network appliances on behalf of customers.
Programmatic actions against Microsoft Graph API.
Support for third-party integrations.
Support for Windows 365 Business.
Contact a Microsoft Partner or Microsoft FastTrack for Azure for assistance with
items out of scope and/or if source environment expectations aren't met. If facing
concerns about app compatibility, contact Microsoft App Assure.
Out of scope
Partner integrations.
Third-party app virtualization and deployment.
Creating custom scripts with the Universal Print PowerShell module.
Universal Print developer features (including API).
Configuring Windows servers for printing.
App Assure
App Assure is a service designed to address app compatibility issues with Windows
and Microsoft 365 Apps, and is available to all Microsoft customers. When you request
the App Assure service, we work with you to address valid app issues. To request App
Assure assistance, complete the App Assure service request.
FastTrack also provides guidance to customers who face compatibility issues when
deploying Windows 365 Cloud PC, Azure Virtual Desktop, and Microsoft Edge, and makes
every reasonable effort to resolve compatibility issues. We provide remediation
assistance for apps deployed on the following Microsoft products:
FastTrack eligibility criteria don't apply to App Assure services, which are provided
at Microsoft's discretion.
Note
App Assure supports Copilot for Microsoft 365 customers by addressing app
compatibility issues encountered when moving to a monthly update channel.
Out of scope
App inventory and testing to determine what does and doesn’t work on Windows
and Microsoft 365 Apps. For more information, see the Windows and Office 365
deployment lab kit. If you're interested in guidance for modernizing endpoints or
deploying Windows 11, request assistance from FastTrack.
Researching third-party ISV apps for Windows compatibility and support
statements.
App packaging-only services. However, the App Assure team packages Windows
apps that we remediated to ensure they can be deployed in the customer's
environment.
Although Android apps on Windows 11 are available to Windows Insiders, App
Assure doesn’t currently support Android apps or devices, including Surface Duo
devices.
Customer responsibilities
Creating an app inventory.
Validating those apps on Windows and Microsoft 365 Apps.
Note
Microsoft can’t make changes to your source code. However, the App Assure team
can provide guidance to app developers if the source code is available for your
apps.
Apps that worked on Windows 7, Windows 8.1, Windows 10, and Windows 11 also
work on Windows 10/11.
Apps that worked on Office 2010, Office 2013, Office 2016, and Office 2019 also
work on Microsoft 365 Apps (32-bit and 64-bit versions).
Windows on Arm
Apps that worked on Windows 7, Windows 8.1, Windows 10, and Windows 11 also work
on Windows 10/11 on Arm64 devices.
Microsoft Edge
If your web apps or sites work on supported versions of Google Chrome or any version
of Microsoft Edge, they'll also work on the latest version of Microsoft Edge. As the web
is constantly evolving, be sure to review this published list of known
compatibility-impacting site changes for Microsoft Edge.
Note
App Assure helps you configure IE mode to support legacy Internet Explorer web
apps or sites. Support for development to modernize Internet Explorer web apps or
sites to run natively on the Chromium engine isn’t covered under this benefit.
To contact App Assure for this service, complete the Windows Arm Advisory Service
enrollment form.
Important
Please be aware that Microsoft reserves the right to limit this offer to 15 hours per
Arm developer and to waitlist developers due to high volume.
Network health
Alignment with Microsoft's principles of network connectivity is vital to the successful
onboarding of FastTrack Services. As such, FastTrack provides remote guidance to obtain
and interpret data from a customer’s environment subject to the terms of the customer
agreement to verify this alignment. This highlights a company’s network score, which
directly impacts migration velocity, user experience, service performance, and reliability.
FastTrack also guides our customers through necessary remediation steps highlighted
by this data to help improve the network score.
Microsoft Edge
FastTrack provides remote guidance for: